From 57e8e123a1f6676c71d7b7b44e7889c33e908b05 Mon Sep 17 00:00:00 2001
From: Nick Anderson
Date: Tue, 20 Feb 2018 21:30:54 -0800
Subject: [PATCH] [fix #4140] Removing WEL logger plugin from systemLog due to duplicate linkage (#4143)

---
 CMake/CMakeLibs.cmake | 6 ++++--
 .../events/windows/tests/windows_event_log_tests.cpp | 2 +-
 osquery/events/windows/windows_event_log.cpp | 2 +-
 osquery/events/windows/windows_event_log.h | 2 +-
 osquery/logger/CMakeLists.txt | 8 ++------
 osquery/logger/logger.cpp | 11 +----------
 6 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/CMake/CMakeLibs.cmake b/CMake/CMakeLibs.cmake
index e9f11a8f..0c4fd812 100644
--- a/CMake/CMakeLibs.cmake
+++ b/CMake/CMakeLibs.cmake
@@ -10,9 +10,11 @@ macro(LOG_PLATFORM NAME)
 
 if(NOT DEFINED ENV{SKIP_DEPS})
 set(LINK "http://osquery.readthedocs.io/en/stable/development/building/")
- LOG("Welcome to osquery's build-- thank you for your patience! :)")
+ LOG("Welcome to osquery's build -- thank you for your patience! :)")
 LOG("For a brief tutorial see: ${ESC}[1m${LINK}${ESC}[m")
- if(NOT WINDOWS)
+ if(WINDOWS)
+ LOG("If at first you dont succeed, perhaps re-run make-win64-dev-env.bat and make-win64-binaries.bat")
+ else()
 LOG("If at first you dont succeed, perhaps: make distclean; make depsclean")
 endif()
 endif()
diff --git a/osquery/events/windows/tests/windows_event_log_tests.cpp b/osquery/events/windows/tests/windows_event_log_tests.cpp
index ec609d42..40ba8847 100644
--- a/osquery/events/windows/tests/windows_event_log_tests.cpp
+++ b/osquery/events/windows/tests/windows_event_log_tests.cpp
@@ -29,7 +29,7 @@ TEST_F(WindowsEventLogTests, test_register_event_pub) {
 // Make sure only one event type exists
 EXPECT_EQ(EventFactory::numEventPublishers(), 1U);
 // And deregister
- status = EventFactory::deregisterEventPublisher("windows_event_log");
+ status = EventFactory::deregisterEventPublisher("windows_events");
 EXPECT_TRUE(status.ok());
 }
 }
diff --git a/osquery/events/windows/windows_event_log.cpp b/osquery/events/windows/windows_event_log.cpp
index 3c361331..5db0308d 100644
--- a/osquery/events/windows/windows_event_log.cpp
+++ b/osquery/events/windows/windows_event_log.cpp
@@ -26,7 +26,7 @@ namespace pt = boost::property_tree;
 
 namespace osquery {
 
-REGISTER(WindowsEventLogEventPublisher, "event_publisher", "windows_event_log");
+REGISTER(WindowsEventLogEventPublisher, "event_publisher", "windows_events");
 
 const std::chrono::milliseconds kWinEventLogPause(200);
 
diff --git a/osquery/events/windows/windows_event_log.h b/osquery/events/windows/windows_event_log.h
index a4d5b2b0..796d0a4a 100644
--- a/osquery/events/windows/windows_event_log.h
+++ b/osquery/events/windows/windows_event_log.h
@@ -71,7 +71,7 @@ using WindowsEventLogSubscriptionContextRef =
 
 class WindowsEventLogEventPublisher : public EventPublisher {
- DECLARE_PUBLISHER("windows_event_log");
+ DECLARE_PUBLISHER("windows_events");
 
 public:
 /// Checks to see if a Event Log channel matches a given subscriber
diff --git a/osquery/logger/CMakeLists.txt b/osquery/logger/CMakeLists.txt
index 007480b9..ab91bd24 100644
--- a/osquery/logger/CMakeLists.txt
+++ b/osquery/logger/CMakeLists.txt
@@ -8,12 +8,6 @@
 
 file(GLOB OSQUERY_LOGGER "*.cpp")
 
-if(WINDOWS)
- # The Windows Event Log plugin is also used for the built-in systemLog call. This
- # is why we are listing it as a core source file.
- list(APPEND OSQUERY_LOGGER "plugins/windows_event_log.cpp")
-endif()
-
 ADD_OSQUERY_LIBRARY_CORE(osquery_logger ${OSQUERY_LOGGER})
 
 file(GLOB OSQUERY_LOGGER_TESTS "tests/*.cpp")
@@ -29,6 +23,8 @@ set(OSQUERY_LOGGER_PLUGINS
 if(LINUX)
 list(APPEND OSQUERY_LOGGER_PLUGINS "plugins/syslog_logger.cpp")
 ADD_OSQUERY_TEST_ADDITIONAL("logger/plugins/tests/syslog_logger_tests.cpp")
+elseif(WINDOWS)
+ list(APPEND OSQUERY_LOGGER_PLUGINS "plugins/windows_event_log.cpp")
 endif()
 
 ADD_OSQUERY_LIBRARY_ADDITIONAL(osquery_logger_plugins ${OSQUERY_LOGGER_PLUGINS})
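Review bot: The new publisher name `"windows_events"` is a string key that has to agree with the `DECLARE_PUBLISHER` change in windows_event_log.h and with the `deregisterEventPublisher` argument in the test hunk of this same commit, yet nothing at the REGISTER line records that coupling, so a later edit to one site will silently desynchronise the others. A one-line comment above the macro, `// Publisher name must match DECLARE_PUBLISHER in windows_event_log.h`, makes the dependency visible. If the publisher name is also addressed by string elsewhere (configuration or event tables that reference publishers by name), the rename is a user-visible change that the commit title, which only mentions the logger plugin, does not call out; worth confirming before merge.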
diff --git a/osquery/logger/logger.cpp b/osquery/logger/logger.cpp
index ffe5c520..f2ea6deb 100644
--- a/osquery/logger/logger.cpp
+++ b/osquery/logger/logger.cpp
@@ -722,16 +722,7 @@ void relayStatusLogs(bool async) {
 }
 
 void systemLog(const std::string& line) {
-#ifdef WIN32
- REGHANDLE registration_handle = 0;
- if (!WindowsEventLoggerPlugin::acquireHandle(registration_handle).ok()) {
- return;
- }
-
- WindowsEventLoggerPlugin::emitLogRecord(registration_handle, line);
- WindowsEventLoggerPlugin::releaseHandle(registration_handle);
-
-#else
+#ifndef WIN32
 syslog(LOG_NOTICE, "%s", line.c_str());
 #endif
 }
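Review bot: On Windows `systemLog` is now a silent no-op: the `#ifndef WIN32` guard leaves the body empty, so callers get no host-log record and no indication that nothing was written, which removes the Windows Event Log trail of osquery's own status messages unless the separate logger plugin is enabled. That deserves a comment at the guard, e.g. `// Windows: no host-log sink here; WEL output is produced only by the windows_event_log logger plugin (moved to OSQUERY_LOGGER_PLUGINS in osquery/logger/CMakeLists.txt)`. `line` is also unreferenced on that platform, which trips unused-parameter warnings on warnings-as-errors builds; an `#else` branch containing `(void)line;` keeps the build clean. The declaration of systemLog and its callers are outside the hunk.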