[8.14](backport #4846) [windows] if elastic-agent run fails, log error to Application EventLog (#4919)

* [windows] if `elastic-agent run` fails, log error to Application EventLog (#4846)


(cherry picked from commit 6c20730)


---------

Co-authored-by: Lee E Hinman <57081003+leehinman@users.noreply.github.com>
Co-authored-by: Pierre HILBERT <pierre.hilbert@elastic.co>
Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>

Author: 3 people

changelog/fragments/1717516439-Capture-early-errors-on-Windows.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Capture early errors on Windows in Application eventlog.
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/4846
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/4627

internal/pkg/agent/cmd/run.go

@@ -60,8 +60,10 @@ const (
 	fleetInitTimeoutName = "FLEET_SERVER_INIT_TIMEOUT"
 )
 
-type cfgOverrider func(cfg *configuration.Configuration)
-type awaiters []<-chan struct{}
+type (
+	cfgOverrider func(cfg *configuration.Configuration)
+	awaiters     []<-chan struct{}
+)
 
 func newRunCommandWithArgs(_ []string, streams *cli.IOStreams) *cobra.Command {
 	cmd := &cobra.Command{
@@ -78,6 +80,7 @@ func newRunCommandWithArgs(_ []string, streams *cli.IOStreams) *cobra.Command {
 			testingMode, _ := cmd.Flags().GetBool("testing-mode")
 			if err := run(nil, testingMode, fleetInitTimeout); err != nil && !errors.Is(err, context.Canceled) {
 				fmt.Fprintf(streams.Err, "Error: %v\n%s\n", err, troubleshootMessage())
+				logExternal(fmt.Sprintf("%s run failed: %s", paths.BinaryName, err))
 				return err
 			}
 			return nil
@@ -132,7 +135,7 @@ func run(override cfgOverrider, testingMode bool, fleetInitTimeout time.Duration
 	// register as a service
 	stop := make(chan bool)
 	ctx, cancel := context.WithCancel(context.Background())
-	var stopBeat = func() {
+	stopBeat := func() {
 		close(stop)
 	}
 

internal/pkg/agent/cmd/run_unix.go

@@ -0,0 +1,11 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build !windows
+
+package cmd
+
+// logExternal logs the error to an external log.  On non-windows systems this is a no-op.
+func logExternal(msg string) {
+}

internal/pkg/agent/cmd/run_windows.go

@@ -0,0 +1,24 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build windows
+
+package cmd
+
+import (
+	"golang.org/x/sys/windows/svc/eventlog"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
+)
+
+// logExternal logs the error to an external log.  On Windows this is
+// the Application EventLog.  This is a best effort logger and no
+// errors are returned.
+func logExternal(msg string) {
+	eLog, err2 := eventlog.Open(paths.ServiceName)
+	if err2 != nil {
+		return
+	}
+	_ = eLog.Error(1, msg)
+}

internal/pkg/agent/install/install_windows.go

@@ -10,8 +10,10 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/svc/eventlog"
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/perms"
@@ -80,6 +82,12 @@ func withServiceOptions(username string, groupName string) ([]serviceOpt, error)
 // gives user the ability to control the service, needed when installed with --unprivileged or
 // ReExec is not possible on Windows.
 func servicePostInstall(ownership utils.FileOwner) error {
+	// Modify registry to allow logging to eventlog as "Elastic Agent".
+	err := eventlog.InstallAsEventCreate(paths.ServiceName, eventlog.Info|eventlog.Warning|eventlog.Error)
+	if err != nil && !strings.Contains(err.Error(), "registry key already exists") {
+		return fmt.Errorf("unable to create registry key for logging: %w", err)
+	}
+
 	if ownership.UID == "" {
 		// no user, running with LOCAL SYSTEM (do nothing)
 		return nil

internal/pkg/agent/install/uninstall.go

@@ -230,7 +230,6 @@ func containsString(str string, a []string, caseSensitive bool) bool {
 }
 
 func uninstallComponents(ctx context.Context, cfgFile string, uninstallToken string, log *logp.Logger, pt *progressbar.ProgressBar, unprivileged bool) error {
-
 	platform, err := component.LoadPlatformDetail()
 	if err != nil {
 		return fmt.Errorf("failed to gather system information: %w", err)