
Add windows event regex filtering to CWAgent #1764


Open
wants to merge 17 commits into main

Conversation

@Paamicky Paamicky (Collaborator) commented Jul 9, 2025

Description of the issue

The CloudWatch Agent currently filters Windows Event Logs based on security levels (i.e. Error, Critical, Information, ...). This does not allow customers to collect specific and relevant logs to CloudWatch.

This PR is draft; waiting on the event_id feature PR to be merged first.

Description of changes

  • Add regex filtering to the CWAgent Windows logs collection
  • Add rule for filtering validation
  • Add new files for testing purposes

Sample configuration of regex filtering

"logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "Application",
            "log_group_name": "{instance_id}",
            "log_stream_name": "ApplicationEvents",
            "filters": [
              {
                "type": "include",
                "expression": "Database.*failed|Authentication.*|login.*"
              }
            ]
          },
          {
            "event_name": "Application",
            "log_group_name": "{instance_id}",
            "log_stream_name": "ApplicationEvents2",
            "filters": [
              {
                "type": "include",
                "expression": ".*user.*"
              },
              {
                "type": "exclude",
                "expression": ".*failed.*"
              }
            ]
          }
        ]
      }
    }
}

Caution

This PR has a testing PR linked here: aws/amazon-cloudwatch-agent-test#555; merge this first.

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

  • Added unit tests for regex validation and processing
  • Manually tested on Windows servers to verify events are properly filtered by regex
  • Verified backward compatibility with existing configurations.

Integration test showing regex filtering passed for all Windows OS.

Requirements

Before committing your code, please do the following steps.

  1. Run make fmt and make fmt-sh
  2. Run make lint

Integration Tests

To run integration tests against this PR, add the ready for testing label.
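The include/exclude filter semantics of the sample configuration, as an added Go example that is not the agent's own code. It assumes an event is forwarded only when its message matches every include expression and no exclude expression (the PR text does not state how several filters combine), and it validates each expression at load time because the regex is configuration-supplied while the matched text is attacker-influenced log content.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Filter mirrors one entry of the "filters" list in the sample configuration.
type Filter struct {
	Type       string `json:"type"` // "include" or "exclude"
	Expression string `json:"expression"`
	re         *regexp.Regexp // compiled by CompileFilters
}

// CompileFilters validates a "filters" array: type must be include or exclude and
// expression must compile as RE2, whose linear-time matching rules out ReDoS on
// hostile event text, so a bad expression fails at load rather than at match time.
func CompileFilters(raw []byte) ([]Filter, error) {
	var filters []Filter
	if err := json.Unmarshal(raw, &filters); err != nil {
		return nil, err
	}
	for i := range filters {
		f := &filters[i]
		if f.Type != "include" && f.Type != "exclude" {
			return nil, fmt.Errorf("filter %d: type must be include or exclude, got %q", i, f.Type)
		}
		var err error
		if f.re, err = regexp.Compile(f.Expression); err != nil {
			return nil, fmt.Errorf("filter %d: invalid expression %q: %w", i, f.Expression, err)
		}
	}
	return filters, nil
}

// ShouldForward applies the assumed semantics: an event is forwarded only if its
// message matches every include filter and matches no exclude filter.
func ShouldForward(filters []Filter, message string) bool {
	for _, f := range filters {
		// An include must match; an exclude must not. Either violation drops the event.
		if f.re.MatchString(message) != (f.Type == "include") {
			return false
		}
	}
	return true
}
```

Fed the second collect_list entry's filters, this forwards a constructed message "user jdoe logged on" and drops "user jdoe login failed" (the exclude wins) and "Service started" (the include never matched).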

@Paamicky Paamicky requested review from lisguo, dricross and okankoAMZ July 9, 2025 20:27
@Paamicky Paamicky changed the title Add windows event regex filtering Add windows event regex filtering to CWAgent Jul 9, 2025
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 17f2d7f to a198283 on July 10, 2025 18:36
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from a5f4df9 to f7337c8 on July 11, 2025 16:54
@Paamicky Paamicky force-pushed the feature/windows-eventId-filtering branch from 5c8f615 to 10f9f0a on July 11, 2025 18:28
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from f7337c8 to 1fd0ae9 on July 11, 2025 19:01
@okankoAMZ okankoAMZ marked this pull request as ready for review July 11, 2025 19:02
@okankoAMZ okankoAMZ requested a review from a team as a code owner July 11, 2025 19:02
@okankoAMZ okankoAMZ added the ready for testing label (indicates this PR is ready for integration tests to run) Jul 11, 2025
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from 1927170 to 0783b84 on July 15, 2025 15:45
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 0783b84 to 94fcd20 on July 15, 2025 16:05
Base automatically changed from feature/windows-eventId-filtering to main July 21, 2025 18:29
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch 2 times, most recently from 27765e3 to 615200a on July 21, 2025 22:11
@Paamicky Paamicky force-pushed the feature/windows-regex-filtering branch from 615200a to 9fb255f on July 22, 2025 16:18