Merge branch 'improving-initial-performance-windows-module-logevent' into 'develop'

Improve performance module_logevent Windows

See merge request !855

pandora_agents/win32/modules/pandora_module_logevent.cc

@@ -169,7 +169,7 @@ Pandora_Module_Logevent::run () {
 	this->openLogEvent();
     
 	// Read events
-	this->getLogEvents (event_list, 0);
+	this->getLogEvents (event_list);
 
 	// No data
 	if (event_list.size () < 1) {
@@ -215,7 +215,7 @@ Pandora_Module_Logevent::openLogEvent () {
     if (this->first_run == 1) {
 		this->first_run = 0;
 		if (Pandora::getPandoraDebug() == false) {
-			this->getLogEvents (event_list, 1);
+			this->seekAtTop (event_list);
 		}
     }
 
@@ -237,11 +237,86 @@ Pandora_Module_Logevent::closeLogEvent () {
     this->log_event = NULL;
 }
 
+/** 
+ * Puts the event handler on top of event list
+ * avoiding the use of EVENTLOG_SEEK_READ because it is buggy
+ */
+int
+Pandora_Module_Logevent::seekAtTop (list<string> &event_list) {
+	BYTE *buffer = NULL, *new_buffer = NULL;
+	DWORD to_read, read, needed;
+	EVENTLOGRECORD *pevlr = NULL;
+	bool rc = false;
+	DWORD last_error;
+	DWORD direction = EVENTLOG_BACKWARDS_READ;
+	
+	if (this->log_event == NULL) {
+	    return -1;
+	}
+	
+	// Initialize the event record buffer
+	to_read = BUFFER_SIZE;
+	buffer = (BYTE *) malloc (sizeof (BYTE) * BUFFER_SIZE);
+	if (buffer == NULL) {
+	    	return -1;
+	}
+	pevlr = (EVENTLOGRECORD *) buffer;
+
+	// Read events
+	while (1) {
+
+		rc = ReadEventLog (this->log_event, direction | EVENTLOG_SEQUENTIAL_READ, 0, pevlr, to_read, &read, &needed);
+		direction = EVENTLOG_FORWARDS_READ;
+		if (!rc) {
+
+			// Get error details
+			last_error = GetLastError();
+
+			// Not enough space in the buffer
+			if(last_error == ERROR_INSUFFICIENT_BUFFER) {
+
+				// Initialize the new event record buffer
+				to_read = needed;
+				new_buffer = (BYTE *) realloc (buffer, sizeof (BYTE) * needed);
+				if (new_buffer == NULL) {
+					free ((void *) buffer);
+					return -1;
+				}
+				
+				buffer = new_buffer;
+				pevlr = (EVENTLOGRECORD *) buffer;
+
+				// Try to read the event again
+				continue;
+			// File corrupted or cleared
+			} else if (last_error == ERROR_EVENTLOG_FILE_CORRUPT || last_error == ERROR_EVENTLOG_FILE_CHANGED) {
+				closeLogEvent ();
+				free ((void *) buffer);
+				return -1;
+			}
+			// Unknown error
+			else {
+				free ((void *) buffer);
+				return -1;
+			}
+		}
+		
+		// No more events
+		if (read == 0) {
+			free ((void *) buffer);
+			return 0;
+		}
+	}
+
+	free ((void *) buffer);
+	return 0;
+}
+
 /** 
  * Reads available events from the event log.
  */
 int
-Pandora_Module_Logevent::getLogEvents (list<string> &event_list, unsigned char discard) {
+Pandora_Module_Logevent::getLogEvents (list<string> &event_list) {
 	char message[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1];
 	struct tm *time_info = NULL;
 	time_t epoch;
@@ -313,11 +388,6 @@ Pandora_Module_Logevent::getLogEvents (list<string> &event_list, unsigned char d
 			free ((void *) buffer);
 			return 0;
 		}
-		
-		// Discard existing events
-		if (discard == 1) {
-			continue;
-		}
 
 		// Process read events
 		while (read > 0) {           

pandora_agents/win32/modules/pandora_module_logevent.h

@@ -69,7 +69,8 @@ namespace Pandora_Modules {
 
         HANDLE openLogEvent ();
         void closeLogEvent ();
-        int getLogEvents (list<string> &event_list, unsigned char discard);
+        int getLogEvents (list<string> &event_list);
+        int seekAtTop (list<string> &event_list);
         void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time);
         void getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags);
 		string getEventDescriptionXPATH (PEVENTLOGRECORD pevlr);