fluent-plugin-parser-winevt_xml 0.1.1 → 0.2.3.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +14 -14
  3. data/.travis.yml +15 -16
  4. data/Gemfile +4 -4
  5. data/LICENSE +201 -201
  6. data/README.md +56 -34
  7. data/Rakefile +10 -10
  8. data/appveyor.yml +24 -24
  9. data/fluent-plugin-parser-winevt_xml.gemspec +25 -25
  10. data/lib/fluent/plugin/parser_winevt_sax.rb +27 -0
  11. data/lib/fluent/plugin/parser_winevt_xml.rb +63 -34
  12. data/lib/fluent/plugin/winevt_sax_document.rb +73 -0
  13. data/test/data/eventlog-with-qualifiers.xml +1 -0
  14. data/test/data/eventlog.xml +1 -1
  15. data/test/helper.rb +24 -23
  16. data/test/plugin/test_parser_winevt_sax.rb +79 -0
  17. data/test/plugin/test_parser_winevt_xml.rb +80 -41
  18. metadata +22 -9
data/test/plugin/test_parser_winevt_sax.rb ADDED
@@ -0,0 +1,79 @@
1
+ require_relative '../helper'
2
+
3
+ class WinevtSAXparserTest < Test::Unit::TestCase
4
+
5
+ def setup
6
+ Fluent::Test.setup
7
+ end
8
+
9
+ CONFIG = %[]
10
+ XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
11
+
12
+ def create_driver(conf = CONFIG)
13
+ Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
14
+ end
15
+
16
+ def test_parse
17
+ d = create_driver
18
+ xml = XMLLOG
19
+ expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
20
+ "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
+ "EventID" => "4624",
22
+ "Qualifiers" => nil,
23
+ "Level" => "0",
24
+ "Task" => "12544",
25
+ "Opcode" => "0",
26
+ "Keywords" => "0x8020000000000000",
27
+ "TimeCreated" => "2019-06-13T09:21:23.345889600Z",
28
+ "EventRecordID" => "80688",
29
+ "ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
30
+ "RelatedActivityID" => nil,
31
+ "ProcessID" => "912",
32
+ "ThreadID" => "24708",
33
+ "Channel" => "Security",
34
+ "Computer" => "Fluentd-Developing-Windows",
35
+ "UserID" => nil,
36
+ "Version" => "2",}
37
+ d.instance.parse(xml) do |time, record|
38
+ assert_equal(expected, record)
39
+ end
40
+
41
+ assert_true(d.instance.winevt_xml?)
42
+ end
43
+
44
+ class QualifiersTest < self
45
+ def setup
46
+ @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
47
+ end
48
+
49
+ def teardown
50
+ @xml.close
51
+ end
52
+
53
+ def test_parse_without_qualifiers
54
+ d = create_driver CONFIG + %[preserve_qualifiers false]
55
+ expected = {"ActivityID" => nil,
56
+ "Channel" => "Application",
57
+ "Computer" => "DESKTOP-G457RDR",
58
+ "EventID" => "3221241866",
59
+ "EventRecordID" => "150731",
60
+ "Keywords" => "0x80000000000000",
61
+ "Level" => "4",
62
+ "Opcode" => "0",
63
+ "ProcessID" => "0",
64
+ "ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
65
+ "ProviderName" => "Microsoft-Windows-Security-SPP",
66
+ "RelatedActivityID" => nil,
67
+ "Task" => "0",
68
+ "ThreadID" => "0",
69
+ "TimeCreated" => "2020-01-16T09:57:18.013693700Z",
70
+ "UserID" => nil,
71
+ "Version" => "0"}
72
+ d.instance.parse(@xml) do |time, record|
73
+ assert_equal(expected, record)
74
+ end
75
+
76
+ assert_true(d.instance.winevt_xml?)
77
+ end
78
+ end
79
+ end
data/test/plugin/test_parser_winevt_xml.rb CHANGED
@@ -1,41 +1,80 @@
1
- require 'helper'
2
-
3
- class WinevtXMLparserTest < Test::Unit::TestCase
4
-
5
- def setup
6
- Fluent::Test.setup
7
- end
8
-
9
- CONFIG = %[]
10
- XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
11
-
12
- def create_driver(conf = CONFIG)
13
- Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
14
- end
15
-
16
- def test_parse
17
- d = create_driver
18
- xml = XMLLOG
19
- expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
20
- "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
- "EventID" => "4624",
22
- "Qualifiers" => nil,
23
- "Level" => "0",
24
- "Task" => "12544",
25
- "Opcode" => "0",
26
- "Keywords" => "0x8020000000000000",
27
- "TimeCreated" => "2019-06-13T09:21:23.345889600Z",
28
- "EventRecordID" => "80688",
29
- "ActivityID" => "",
30
- "RelatedActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
31
- "ThreadID" => "24708",
32
- "Channel" => "Security",
33
- "Computer" => "Fluentd-Developing-Windows",
34
- "UserID" => nil,
35
- "Version" => "2",
36
- "InsertStrings" => []}
37
- d.instance.parse(xml) do |time, record|
38
- assert_equal(expected, record)
39
- end
40
- end
41
- end
1
+ require_relative '../helper'
2
+
3
+ class WinevtXMLparserTest < Test::Unit::TestCase
4
+
5
+ def setup
6
+ Fluent::Test.setup
7
+ end
8
+
9
+ CONFIG = %[]
10
+ XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml"))
11
+
12
+ def create_driver(conf = CONFIG)
13
+ Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
14
+ end
15
+
16
+ def test_parse
17
+ d = create_driver
18
+ xml = XMLLOG
19
+ expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
20
+ "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
+ "EventID" => "4624",
22
+ "Qualifiers" => nil,
23
+ "Level" => "0",
24
+ "Task" => "12544",
25
+ "Opcode" => "0",
26
+ "Keywords" => "0x8020000000000000",
27
+ "TimeCreated" => "2019-06-13T09:21:23.345889600Z",
28
+ "EventRecordID" => "80688",
29
+ "ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
30
+ "RelatedActivityID" => nil,
31
+ "ProcessID" => "912",
32
+ "ThreadID" => "24708",
33
+ "Channel" => "Security",
34
+ "Computer" => "Fluentd-Developing-Windows",
35
+ "UserID" => nil,
36
+ "Version" => "2",}
37
+ d.instance.parse(xml) do |time, record|
38
+ assert_equal(expected, record)
39
+ end
40
+ xml.close
41
+
42
+ assert_true(d.instance.winevt_xml?)
43
+ end
44
+
45
+ class QualifiersTest < self
46
+ def setup
47
+ @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
48
+ end
49
+
50
+ def teardown
51
+ @xml.close
52
+ end
53
+
54
+ def test_without_qualifiers
55
+ d = create_driver CONFIG + %[preserve_qualifiers false]
56
+ expected = {"ActivityID" => nil,
57
+ "Channel" => "Application",
58
+ "Computer" => "DESKTOP-G457RDR",
59
+ "EventID" => "3221241866",
60
+ "EventRecordID" => "150731",
61
+ "Keywords" => "0x80000000000000",
62
+ "Level" => "4",
63
+ "Opcode" => "0",
64
+ "ProcessID" => "0",
65
+ "ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
66
+ "ProviderName" => "Microsoft-Windows-Security-SPP",
67
+ "RelatedActivityID" => nil,
68
+ "Task" => "0",
69
+ "ThreadID" => "0",
70
+ "TimeCreated" => "2020-01-16T09:57:18.013693700Z",
71
+ "UserID" => nil,
72
+ "Version" => "0"}
73
+ d.instance.parse(@xml) do |time, record|
74
+ assert_equal(expected, record)
75
+ end
76
+
77
+ assert_true(d.instance.winevt_xml?)
78
+ end
79
+ end
80
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-parser-winevt_xml
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.1
4
+ version: 0.2.3.rc1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Hiroshi Hatake
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2019-10-10 00:00:00.000000000 Z
12
+ date: 2020-06-25 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bundler
@@ -77,16 +77,22 @@ dependencies:
77
77
  name: nokogiri
78
78
  requirement: !ruby/object:Gem::Requirement
79
79
  requirements:
80
- - - "~>"
80
+ - - ">="
81
81
  - !ruby/object:Gem::Version
82
- version: '1.10'
82
+ version: 1.11.pre
83
+ - - "<"
84
+ - !ruby/object:Gem::Version
85
+ version: '1.12'
83
86
  type: :runtime
84
87
  prerelease: false
85
88
  version_requirements: !ruby/object:Gem::Requirement
86
89
  requirements:
87
- - - "~>"
90
+ - - ">="
91
+ - !ruby/object:Gem::Version
92
+ version: 1.11.pre
93
+ - - "<"
88
94
  - !ruby/object:Gem::Version
89
- version: '1.10'
95
+ version: '1.12'
90
96
  description: Fluentd Parser plugin to parse XML rendered windows event log.
91
97
  email:
92
98
  - cosmo0920.oucc@gmail.com
@@ -103,9 +109,13 @@ files:
103
109
  - Rakefile
104
110
  - appveyor.yml
105
111
  - fluent-plugin-parser-winevt_xml.gemspec
112
+ - lib/fluent/plugin/parser_winevt_sax.rb
106
113
  - lib/fluent/plugin/parser_winevt_xml.rb
114
+ - lib/fluent/plugin/winevt_sax_document.rb
115
+ - test/data/eventlog-with-qualifiers.xml
107
116
  - test/data/eventlog.xml
108
117
  - test/helper.rb
118
+ - test/plugin/test_parser_winevt_sax.rb
109
119
  - test/plugin/test_parser_winevt_xml.rb
110
120
  homepage: https://github.com/fluent/fluent-plugin-parser-winevt_xml
111
121
  licenses:
@@ -122,15 +132,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
122
132
  version: '0'
123
133
  required_rubygems_version: !ruby/object:Gem::Requirement
124
134
  requirements:
125
- - - ">="
135
+ - - ">"
126
136
  - !ruby/object:Gem::Version
127
- version: '0'
137
+ version: 1.3.1
128
138
  requirements: []
129
- rubygems_version: 3.0.3
139
+ rubyforge_project:
140
+ rubygems_version: 2.7.6.2
130
141
  signing_key:
131
142
  specification_version: 4
132
143
  summary: Fluentd Parser plugin to parse XML rendered windows event log.
133
144
  test_files:
145
+ - test/data/eventlog-with-qualifiers.xml
134
146
  - test/data/eventlog.xml
135
147
  - test/helper.rb
148
+ - test/plugin/test_parser_winevt_sax.rb
136
149
  - test/plugin/test_parser_winevt_xml.rb