[fix #4140] Removing WEL logger plugin from systemLog due to duplicate linkage (#4143)

CMake/CMakeLibs.cmake

@@ -10,9 +10,11 @@
 macro(LOG_PLATFORM NAME)
   if(NOT DEFINED ENV{SKIP_DEPS})
     set(LINK "http://osquery.readthedocs.io/en/stable/development/building/")
-    LOG("Welcome to osquery's build-- thank you for your patience! :)")
+    LOG("Welcome to osquery's build -- thank you for your patience! :)")
     LOG("For a brief tutorial see: ${ESC}[1m${LINK}${ESC}[m")
-    if(NOT WINDOWS)
+    if(WINDOWS)
+      LOG("If at first you dont succeed, perhaps re-run make-win64-dev-env.bat and make-win64-binaries.bat")
+    else()
       LOG("If at first you dont succeed, perhaps: make distclean; make depsclean")
     endif()
   endif()

osquery/events/windows/tests/windows_event_log_tests.cpp

@@ -29,7 +29,7 @@ TEST_F(WindowsEventLogTests, test_register_event_pub) {
   // Make sure only one event type exists
   EXPECT_EQ(EventFactory::numEventPublishers(), 1U);
   // And deregister
-  status = EventFactory::deregisterEventPublisher("windows_event_log");
+  status = EventFactory::deregisterEventPublisher("windows_events");
   EXPECT_TRUE(status.ok());
 }
 }

osquery/events/windows/windows_event_log.cpp

@@ -26,7 +26,7 @@ namespace pt = boost::property_tree;
 
 namespace osquery {
 
-REGISTER(WindowsEventLogEventPublisher, "event_publisher", "windows_event_log");
+REGISTER(WindowsEventLogEventPublisher, "event_publisher", "windows_events");
 
 const std::chrono::milliseconds kWinEventLogPause(200);
 

osquery/events/windows/windows_event_log.h

@@ -71,7 +71,7 @@ using WindowsEventLogSubscriptionContextRef =
 class WindowsEventLogEventPublisher
     : public EventPublisher<WindowsEventLogSubscriptionContext,
                             WindowsEventLogEventContext> {
-  DECLARE_PUBLISHER("windows_event_log");
+  DECLARE_PUBLISHER("windows_events");
 
  public:
   /// Checks to see if a Event Log channel matches a given subscriber

osquery/logger/CMakeLists.txt

@@ -8,12 +8,6 @@
 
 file(GLOB OSQUERY_LOGGER "*.cpp")
 
-if(WINDOWS)
-  # The Windows Event Log plugin is also used for the built-in systemLog call. This
-  # is why we are listing it as a core source file.
-  list(APPEND OSQUERY_LOGGER "plugins/windows_event_log.cpp")
-endif()
-
 ADD_OSQUERY_LIBRARY_CORE(osquery_logger ${OSQUERY_LOGGER})
 
 file(GLOB OSQUERY_LOGGER_TESTS "tests/*.cpp")
@@ -29,6 +23,8 @@ set(OSQUERY_LOGGER_PLUGINS
 if(LINUX)
   list(APPEND OSQUERY_LOGGER_PLUGINS "plugins/syslog_logger.cpp")
   ADD_OSQUERY_TEST_ADDITIONAL("logger/plugins/tests/syslog_logger_tests.cpp")
+elseif(WINDOWS)
+  list(APPEND OSQUERY_LOGGER_PLUGINS "plugins/windows_event_log.cpp")
 endif()
 
 ADD_OSQUERY_LIBRARY_ADDITIONAL(osquery_logger_plugins ${OSQUERY_LOGGER_PLUGINS})

osquery/logger/logger.cpp

@@ -722,16 +722,7 @@ void relayStatusLogs(bool async) {
 }
 
 void systemLog(const std::string& line) {
-#ifdef WIN32
-  REGHANDLE registration_handle = 0;
-  if (!WindowsEventLoggerPlugin::acquireHandle(registration_handle).ok()) {
-    return;
-  }
-
-  WindowsEventLoggerPlugin::emitLogRecord(registration_handle, line);
-  WindowsEventLoggerPlugin::releaseHandle(registration_handle);
-
-#else
+#ifndef WIN32
   syslog(LOG_NOTICE, "%s", line.c_str());
 #endif
 }