From e854e35c92c0ce2f793c09f875fc84147379ffa9 Mon Sep 17 00:00:00 2001
From: chemamartinez
Date: Thu, 26 Oct 2023 19:06:12 +0200
Subject: [PATCH] Minor fixes for ETW input
---
 x-pack/filebeat/input/etw/config.go | 2 ++
 x-pack/filebeat/input/etw/input.go | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/x-pack/filebeat/input/etw/config.go b/x-pack/filebeat/input/etw/config.go
index 22e260453d23..002abea265bd 100644
--- a/x-pack/filebeat/input/etw/config.go
+++ b/x-pack/filebeat/input/etw/config.go
@@ -2,6 +2,8 @@
 // or more contributor license agreements. Licensed under the Elastic License;
 // you may not use this file except in compliance with the Elastic License.
+//go:build windows
+
 package etw_input
 import (
diff --git a/x-pack/filebeat/input/etw/input.go b/x-pack/filebeat/input/etw/input.go
index 5cb31370448b..ede576666c10 100644
--- a/x-pack/filebeat/input/etw/input.go
+++ b/x-pack/filebeat/input/etw/input.go
@@ -2,6 +2,8 @@
 // or more contributor license agreements. Licensed under the Elastic License;
 // you may not use this file except in compliance with the Elastic License.
+//go:build windows
+
 package etw_input
 import (
@@ -92,10 +94,10 @@ func (e *etw_input) Run(ctx input.Context, publisher stateless.Publisher) error
 // Define callback that will process ETW events
 // Callback which receives every ETW event from the reading source
- eventReceivedCallback := func(er *etw.EventRecord) {
+ eventReceivedCallback := func(er *etw.EventRecord) uintptr {
 if er == nil {
 e.log.Error("received null event record")
- return
+ return 1
 }
 e.log.Debugf("received event %d with length %d", er.EventHeader.EventDescriptor.Id, er.UserDataLength)
@@ -107,7 +109,7 @@ func (e *etw_input) Run(ctx input.Context, publisher stateless.Publisher) error
 event["EventProperties"] = data
 } else {
 e.log.Errorf("failed to read event properties: %s", err)
- return
+ return 1
 }
 evt := beat.Event{
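Review bot: The new `uintptr` result of `eventReceivedCallback` (hunk at -92) takes the value `1` on the nil-record path and `0` after publishing, but nothing visible says who reads it. If this closure is registered as the ETW event-record callback, which Windows declares as returning void, the result exists only to satisfy the signature `syscall.NewCallback` requires, and the 0/1 distinction is never observed. I would state that above the closure, e.g. `// The uintptr result is required by syscall.NewCallback; it is not an error channel.`, so nobody later relies on it to signal failures. The same applies to the returns in the -107 and -119 hunks, and the closure body continues past this hunk.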
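Review bot: On the `failed to read event properties` branch (hunk at -107) the callback returns before `publisher.Publish` is reached, so a record whose properties cannot be decoded leaves nothing downstream except one error log line. For an input that feeds security telemetry this is a silent visibility gap, because records the parser cannot handle simply vanish from the event stream. Consider publishing what is already in `event` with an error marker instead of returning, for example `event["error"] = err.Error()` (field name illustrative), or at least incrementing a dropped-events counter that can be alerted on. How `event` is populated lies outside the hunk, so confirm the header fields are set before this point.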
@@ -119,7 +121,7 @@ func (e *etw_input) Run(ctx input.Context, publisher stateless.Publisher) error
 }
 publisher.Publish(evt)
- return
+ return 0
 }
 e.etwSession.Callback = syscall.NewCallback(eventReceivedCallback)
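Review bot: `syscall.NewCallback(eventReceivedCallback)` on the last context line of this hunk is evaluated on every call to `Run`, and per the `syscall` documentation callbacks created this way are never released and only a limited number can exist per process. If the input can be started more than once in the same process (a config reload or a restart after an error), each start would permanently consume a slot, since the closure is a fresh value each time. I would add a comment at the call site, e.g. `// NewCallback slots are never freed; Run must not be re-entered in a restart loop.`, or move the registration to a once-per-process path. Whether `Run` is actually re-entered is not visible here, and the function continues outside the hunk.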