Merge pull request #136 from Icinga:fix/eventlog_plugin_time_filter

Fix: Improves EventLog time filter and fixes issue on filtering

Improves the general filtering for `-After` and `-Before` values by using our generic plugin threshold method. Instead of having to write `2021/01/30` (which is still possible) you can now use `-After 5h` to go back 5 hours within the event log.

In addition the explanation of the `-After` and `-Before` argument is now more clear.

Author: LordHepipud

config/director/Invoke-IcingaCheckEventlog.json

@@ -3,7 +3,7 @@ object CheckCommand "Invoke-IcingaCheckEventlog" {
 
     arguments += {
         "-Before" = {
-            description = "Used to specify a date like dd.mm.yyyy and every eventlog entry before that date will be considered."
+            description = "Used to specify time data of which point the plugin should stop considering event logs. You can either use a fixed date and time like '2021/01/30 12:00:00', a fixed day '2021/01/30' or use more dynamic approaches like '1d', '10h' and so on.  By using '2h' for example, log files of the last 2 hours will be ignored. Please ensure to manually set the `-After` argument and ensure you go back further in time with the `-After` argument than the `-Before` argument.  Allowed units: ms, s, m, h, d, w, M, y"
             value = "$IcingaCheckEventlog_Object_Before$"
             order = 16
         }
@@ -34,7 +34,7 @@ object CheckCommand "Invoke-IcingaCheckEventlog" {
             order = 13
         }
         "-After" = {
-            description = "Used to specify a date like dd.mm.yyyy and every eventlog entry after that date will be considered."
+            description = "Used to specify time data of which point the plugin should start to read event logs from. You can either use a fixed date and time like '2021/01/30 12:00:00', a fixed day '2021/01/30' or use more dynamic approaches like '1d', '10h' and so on.  Allowed units: ms, s, m, h, d, w, M, y"
             value = "$IcingaCheckEventlog_Object_After$"
             order = 15
         }

config/director/Plugins_Bundle.json

@@ -1235,7 +1235,7 @@ object CheckCommand "Invoke-IcingaCheckEventlog" {
 
     arguments += {
         "-Before" = {
-            description = "Used to specify a date like dd.mm.yyyy and every eventlog entry before that date will be considered."
+            description = "Used to specify time data of which point the plugin should stop considering event logs. You can either use a fixed date and time like '2021/01/30 12:00:00', a fixed day '2021/01/30' or use more dynamic approaches like '1d', '10h' and so on.  By using '2h' for example, log files of the last 2 hours will be ignored. Please ensure to manually set the `-After` argument and ensure you go back further in time with the `-After` argument than the `-Before` argument.  Allowed units: ms, s, m, h, d, w, M, y"
             value = "$IcingaCheckEventlog_Object_Before$"
             order = 16
         }
@@ -1266,7 +1266,7 @@ object CheckCommand "Invoke-IcingaCheckEventlog" {
             order = 13
         }
         "-After" = {
-            description = "Used to specify a date like dd.mm.yyyy and every eventlog entry after that date will be considered."
+            description = "Used to specify time data of which point the plugin should start to read event logs from. You can either use a fixed date and time like '2021/01/30 12:00:00', a fixed day '2021/01/30' or use more dynamic approaches like '1d', '10h' and so on.  Allowed units: ms, s, m, h, d, w, M, y"
             value = "$IcingaCheckEventlog_Object_After$"
             order = 15
         }

config/icinga/Invoke-IcingaCheckEventlog.conf

@@ -6,9 +6,11 @@ Specific version upgrades are described below. Please note that version updates
 
 For upgrading plugins, please have a look on the [installation docs](02-Installation.md).
 
-## Upgrading to v1.4.0 (pending)
+## Upgrading to v1.4.0 (2021-03-02)
 
-*No special steps required*
+### Invoke-IcingaCheckEventLog
+
+We made some slight adjustments to `Invoke-IcingaCheckEventLog` for the `-After` and `-Before` argument, which will now not only allow a fixed time stamp, like `2021/01/30`, but also threshold inputs like `5h` (to go back 5 hours), `1d` (to go back 1 day), and so on. There should be no impact on current implementations but you might wanna have a look on your checks and results after uprading.
 
 ## Upgrading to v1.3.0 (2020-12-01)
 

config/icinga/Plugins_Bundle.conf

@@ -18,6 +18,8 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 
 ### Bugfixes
 
+* [#136](https://github.com/Icinga/icinga-powershell-plugins/pull/136) Improves `Invoke-IcingaCheckEventLog` time filter by allowing simple input like `-After 5h` and fixes issue on filtering by formatting the time data into required format `yyyy/MM/dd HH:mm:ss`
+
 ## 1.3.1 (2021-02-04)
 
 [Issue and PRs](https://github.com/Icinga/icinga-powershell-plugins/milestone/6?closed=1)

doc/30-Upgrading-Plugins.md

@@ -39,8 +39,8 @@ To execute this plugin you will require to grant the following user permissions.
 | ExcludeMessage | Array | false |  | Used to specify an array of messages within the eventlog to be excluded. |
 | IncludeSource | Array | false |  | Used to specify an array of message sources within the eventlog to be included. |
 | ExcludeSource | Array | false |  | Used to specify an array of message sources within the eventlog to be excluded. |
-| After | Object | false |  | Used to specify a date like dd.mm.yyyy and every eventlog entry after that date will be considered. |
-| Before | Object | false |  | Used to specify a date like dd.mm.yyyy and every eventlog entry before that date will be considered. |
+| After | Object | false |  | Used to specify time data of which point the plugin should start to read event logs from. You can either use a fixed date and time like "2021/01/30 12:00:00", a fixed day "2021/01/30" or use more dynamic approaches like "1d", "10h" and so on.  Allowed units: ms, s, m, h, d, w, M, y |
+| Before | Object | false |  | Used to specify time data of which point the plugin should stop considering event logs. You can either use a fixed date and time like "2021/01/30 12:00:00", a fixed day "2021/01/30" or use more dynamic approaches like "1d", "10h" and so on.  By using "2h" for example, log files of the last 2 hours will be ignored. Please ensure to manually set the `-After` argument and ensure you go back further in time with the `-After` argument than the `-Before` argument.  Allowed units: ms, s, m, h, d, w, M, y |
 | DisableTimeCache | SwitchParameter | false | False | Switch to disable the time cache on a check. If this parameter is set the time cache is disabled. After the check has been run once, the next check instance will filter through the eventlog from the point the last check ended. This is due to the time cache, when disabled the whole eventlog is checked instead. |
 | NoPerfData | SwitchParameter | false | False | Used to disable PerfData. |
 | Verbosity | Int32 | false | 0 |  |
@@ -56,7 +56,7 @@ Invoke-IcingaCheckEventlog -LogName Application -IncludeEntryType Warning -Warni
 ### Example Output 1
 
 ```powershell
-[CRITICAL] Check package "EventLog" - [CRITICAL] EventId 642 [WARNING] EventId 1008, EventId 2002, EventId 642\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occured 242 event(s)." \_ [WARNING] EventId 2002: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occured 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occured 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:36] - [27.08.2020 22:57:40] there occured 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 14:50:37] - [17.08.2020 19:41:00] there occured 391 event(s)." \_ [WARNING] EventId 642: Value "391" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 14:50:37] - [17.08.2020 19:41:00] there occured 391 event(s)." \_ [WARNING] EventId 642: Value "391" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 15:51:00] - [17.08.2020 19:41:00] there occured 298 event(s)." \_ [WARNING] EventId 642: Value "298" is greater than threshold "100"\_ [CRITICAL] Check package "Between: [17.08.2020 19:56:38] - [27.08.2020 09:56:35] there occured 3539 event(s)." \_ [CRITICAL] EventId 642: Value "3539" is greater than threshold "1000"\_ [CRITICAL] Check package "Between: [17.08.2020 19:56:38] - [27.08.2020 09:56:35] there occured 3539 event(s)." \_ [CRITICAL] EventId 642: Value "3539" is greater than threshold "1000"\_ [CRITICAL] Check package "Between: [17.08.2020 20:03:07] - [27.08.2020 09:56:35] there occured 2757 event(s)." \_ [CRITICAL] EventId 642: Value "2757" is greater than threshold "1000"
+[CRITICAL] Check package "EventLog" - [CRITICAL] EventId 642 [WARNING] EventId 1008, EventId 2002, EventId 642\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occurred 242 event(s)." \_ [WARNING] EventId 2002: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occurred 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occurred 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:36] - [27.08.2020 22:57:40] there occurred 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 14:50:37] - [17.08.2020 19:41:00] there occurred 391 event(s)." \_ [WARNING] EventId 642: Value "391" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 14:50:37] - [17.08.2020 19:41:00] there occurred 391 event(s)." \_ [WARNING] EventId 642: Value "391" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 15:51:00] - [17.08.2020 19:41:00] there occurred 298 event(s)." \_ [WARNING] EventId 642: Value "298" is greater than threshold "100"\_ [CRITICAL] Check package "Between: [17.08.2020 19:56:38] - [27.08.2020 09:56:35] there occurred 3539 event(s)." \_ [CRITICAL] EventId 642: Value "3539" is greater than threshold "1000"\_ [CRITICAL] Check package "Between: [17.08.2020 19:56:38] - [27.08.2020 09:56:35] there occurred 3539 event(s)." \_ [CRITICAL] EventId 642: Value "3539" is greater than threshold "1000"\_ [CRITICAL] Check package "Between: [17.08.2020 20:03:07] - [27.08.2020 09:56:35] there occurred 2757 event(s)." \_ [CRITICAL] EventId 642: Value "2757" is greater than threshold "1000"
 ```
 
 ### Example Command 2
@@ -68,5 +68,5 @@ Invoke-IcingaCheckEventlog -LogName Application -IncludeEntryType Warning -Warni
 ### Example Output 2
 
 ```powershell
-[WARNING] Check package "EventLog" - [WARNING] EventId 1008\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occured 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occured 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:36] - [27.08.2020 22:57:40] there occured 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"| 'eventid_1008'=726c;;
+[WARNING] Check package "EventLog" - [WARNING] EventId 1008\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occurred 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:35] - [27.08.2020 22:57:39] there occurred 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"\_ [WARNING] Check package "Between: [16.08.2020 09:31:36] - [27.08.2020 22:57:40] there occurred 242 event(s)." \_ [WARNING] EventId 1008: Value "242" is greater than threshold "100"| 'eventid_1008'=726c;;
 ```

doc/31-Changelog.md

@@ -77,9 +77,18 @@
 .PARAMETER ExcludeSource
    Used to specify an array of message sources within the eventlog to be excluded.
 .PARAMETER After
-   Used to specify a date like dd.mm.yyyy and every eventlog entry after that date will be considered.
+   Used to specify time data of which point the plugin should start to read event logs from.
+   You can either use a fixed date and time like "2021/01/30 12:00:00", a fixed day "2021/01/30" or use more dynamic approaches like "1d", "10h" and so on.
+
+   Allowed units: ms, s, m, h, d, w, M, y
 .PARAMETER Before
-   Used to specify a date like dd.mm.yyyy and every eventlog entry before that date will be considered.
+   Used to specify time data of which point the plugin should stop considering event logs.
+   You can either use a fixed date and time like "2021/01/30 12:00:00", a fixed day "2021/01/30" or use more dynamic approaches like "1d", "10h" and so on.
+
+   By using "2h" for example, log files of the last 2 hours will be ignored. Please ensure to manually set the `-After` argument and ensure you go back
+   further in time with the `-After` argument than the `-Before` argument.
+
+   Allowed units: ms, s, m, h, d, w, M, y
 .PARAMETER DisableTimeCache
    Switch to disable the time cache on a check. If this parameter is set the time cache is disabled.
    After the check has been run once, the next check instance will filter through the eventlog from the point the last check ended.
@@ -119,10 +128,13 @@ function Invoke-IcingaCheckEventlog()
         [int]$Verbosity           = 0
     );
 
+    $After  = Convert-IcingaPluginThresholds $After;
+    $Before = Convert-IcingaPluginThresholds $Before;
+
     $EventLogPackage = New-IcingaCheckPackage -Name 'EventLog' -OperatorAnd -Verbose $Verbosity;
     $EventLogData    = Get-IcingaEventLog -LogName $LogName -IncludeEventId $IncludeEventId -ExcludeEventId $ExcludeEventId -IncludeUsername $IncludeUsername -ExcludeUsername $ExcludeUsername `
                            -IncludeEntryType $IncludeEntryType -ExcludeEntryType $ExcludeEntryType -IncludeMessage $IncludeMessage -ExcludeMessage $ExcludeMessage `
-                           -IncludeSource $IncludeSource -ExcludeSource $ExcludeSource -After $After -Before $Before -DisableTimeCache $DisableTimeCache;
+                           -IncludeSource $IncludeSource -ExcludeSource $ExcludeSource -After $After.Value -Before $Before.Value -DisableTimeCache $DisableTimeCache;
 
     [hashtable]$EventLogSource = @{};
 

doc/plugins/06-Invoke-IcingaCheckEventlog.md

@@ -28,20 +28,38 @@ function Get-IcingaEventLog()
     };
 
     # This will generate a unique hash for each possible configured EventLog check to store the last check time for each of these checks
-    [string]$CheckHash = (Get-StringSha1 ($LogName + $IncludeEventId + $ExcludeEventId + $IncludeUsername + $ExcludeUsername + $IncludeEntryType + $ExcludeEntryType + $IncludeMessage + $ExcludeMessage)) + '.lastcheck';
+    [string]$CheckHash    = (Get-StringSha1 ($LogName + $IncludeEventId + $ExcludeEventId + $IncludeUsername + $ExcludeUsername + $IncludeEntryType + $ExcludeEntryType + $IncludeMessage + $ExcludeMessage)) + '.lastcheck';
+    [string]$EventsAfter  = $null;
+    [string]$EventsBefore = $null;
 
-    if ($null -eq $After -and $DisableTimeCache -eq $FALSE) {
+    if ([string]::IsNullOrEmpty($After) -and $DisableTimeCache -eq $FALSE) {
         $time = Get-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash;
         Set-IcingaCacheData -Space 'provider' -CacheStore 'eventlog' -KeyName $CheckHash -Value ((Get-Date).ToFileTime());
 
         if ($null -ne $time) {
-            $After = [datetime]::FromFileTime($time);
+            $EventsAfter = ([datetime]::FromFileTime($time)).ToString('yyyy\/MM\/dd HH:mm:ss');
         }
     }
 
     # In case we are not having cached time execution and not have not overwritten the timestamp, only fetch values from 2 hours in the past
-    if ($null -eq $After) {
-        $After = [datetime]::Now.Subtract([TimeSpan]::FromHours(2));
+    if ([string]::IsNullOrEmpty($EventsAfter)) {
+        if ([string]::IsNullOrEmpty($After)) {
+            [string]$EventsAfter = ([datetime]::Now.Subtract([TimeSpan]::FromHours(2))).ToString('yyyy\/MM\/dd HH:mm:ss');
+        } else {
+            if ((Test-Numeric $After)) {
+                $EventsAfter = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($After))).ToString('yyyy\/MM\/dd HH:mm:ss');
+            } else {
+                $EventsAfter = $After;
+            }
+        }
+    }
+
+    if ([string]::IsNullOrEmpty($Before) -eq $FALSE) {
+        if ((Test-Numeric $Before)) {
+            $EventsBefore = ([datetime]::Now.Subtract([TimeSpan]::FromSeconds($Before))).ToString('yyyy\/MM\/dd HH:mm:ss');
+        } else {
+            $EventsBefore = $Before;
+        }
     }
 
     if ($null -ne $IncludeUsername -And $IncludeUsername.Count -ne 0) {
@@ -50,11 +68,11 @@ function Get-IcingaEventLog()
     if ($null -ne $IncludeEntryType -And $IncludeEntryType.Count -ne 0) {
         $EventLogArguments.Add('EntryType', $IncludeEntryType);
     }
-    if ($null -ne $After) {
-        $EventLogArguments.Add('After', $After);
+    if ([string]::IsNullOrEmpty($EventsAfter) -eq $FALSE) {
+        $EventLogArguments.Add('After', $EventsAfter);
     }
-    if ($null -ne $Before) {
-        $EventLogArguments.Add('Before', $Before);
+    if ([string]::IsNullOrEmpty($EventsBefore) -eq $FALSE) {
+        $EventLogArguments.Add('Before', $EventsBefore);
     }
 
     try {