[feat] [pkg/stanza]: add includeProviders to windows input

Signed-off-by: Szilard Parrag <[email protected]>

Author: OverOrion

.chloggen/add-include-providers.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: eventlogreceiver
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: add include_providers parameter to eventlogreceiver
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [38517]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user, api]

pkg/stanza/operator/input/windows/config_all.go

@@ -36,6 +36,7 @@ type Config struct {
 	Raw                   bool          `mapstructure:"raw,omitempty"`
 	SuppressRenderingInfo bool          `mapstructure:"suppress_rendering_info,omitempty"`
 	ExcludeProviders      []string      `mapstructure:"exclude_providers,omitempty"`
+	IncludeProviders      []string      `mapstructure:"include_providers,omitempty"`
 	Remote                RemoteConfig  `mapstructure:"remote,omitempty"`
 }
 

pkg/stanza/operator/input/windows/config_windows.go

@@ -50,6 +50,7 @@ func (c *Config) Build(set component.TelemetrySettings) (operator.Operator, erro
 		pollInterval:     c.PollInterval,
 		raw:              c.Raw,
 		excludeProviders: createProvidersSet(c.ExcludeProviders),
+		includeProviders: createProvidersSet(c.IncludeProviders),
 		remote:           c.Remote,
 	}
 	input.startRemoteSession = input.defaultStartRemoteSession

pkg/stanza/operator/input/windows/input.go

@@ -30,6 +30,7 @@ type Input struct {
 	startAt             string
 	raw                 bool
 	excludeProviders    map[string]struct{}
+	includeProviders    map[string]struct{}
 	pollInterval        time.Duration
 	persister           operator.Persister
 	publisherCache      publisherCache
@@ -241,6 +242,14 @@ func (i *Input) getPublisherName(event Event) (name string, excluded bool) {
 		i.Logger().Error("Failed to get provider name", zap.Error(err))
 		return "", true
 	}
+
+	// Check first for includeProviders
+	if len(i.includeProviders) != 0 {
+		if _, include := i.includeProviders[providerName]; !include {
+			return "", true
+		}
+	}
+
 	if _, exclude := i.excludeProviders[providerName]; exclude {
 		return "", true
 	}
@@ -269,7 +278,7 @@ func (i *Input) renderDeepAndSend(ctx context.Context, event Event, publisher Pu
 
 // processEvent will process and send an event retrieved from windows event log.
 func (i *Input) processEventWithoutRenderingInfo(ctx context.Context, event Event) error {
-	if len(i.excludeProviders) == 0 {
+	if len(i.excludeProviders) == 0 && len(i.includeProviders) == 0 {
 		return i.renderSimpleAndSend(ctx, event)
 	}
 	if _, exclude := i.getPublisherName(event); exclude {

receiver/windowseventlogreceiver/README.md

@@ -29,6 +29,7 @@ Tails and parses logs from windows event log API using the [opentelemetry-log-co
 | `raw` | false | If false, the body of emitted log records will contain a structured representation of the event. Otherwise, the body will be the original XML string. |
 | `suppress_rendering_info` | false | If false, [additional syscalls](https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtformatmessage#remarks) may be made to retrieve detailed information about the event. Otherwise, some unresolved values may be present in the event. |
 | `exclude_providers`                 | []           | One or more event log providers to exclude from processing.                                                                                                                                                                                    |
+| `include_providers`                 | []           | One or more event log providers to include into processing.                                                                                                                                                                                    |
 | `storage`                           | none         | The ID of a storage extension to be used to store bookmarks. Bookmarks allow the receiver to pick up where it left off in the case of a collector restart. If no storage extension is used, the receiver will manage bookmarks in memory only. |
 | `retry_on_failure.enabled`          | `false`      | If `true`, the receiver will pause reading a file and attempt to resend the current batch of logs if it encounters an error from downstream components.                                                                                        |
 | `retry_on_failure.initial_interval` | `1 second`   | Time to wait after the first failure before retrying.                                                                                                                                                                                          |