RubyGems - fluent-plugin-parser-winevt_xml - Versions diffs - 0.1.2 → 0.2.0 - Mend

fluent-plugin-parser-winevt_xml 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/README.md +12 -0
data/fluent-plugin-parser-winevt_xml.gemspec +1 -1
data/lib/fluent/plugin/parser_winevt_sax.rb +21 -0
data/lib/fluent/plugin/parser_winevt_xml.rb +3 -2
data/lib/fluent/plugin/winevt_sax_document.rb +50 -0
data/test/helper.rb +1 -0
data/test/plugin/test_parser_winevt_sax.rb +43 -0
data/test/plugin/test_parser_winevt_xml.rb +3 -2
metadata +6 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7411e3cffa23808b75834b504b3c72aef7d9d23ad2d39a26455b9e7ff5a3c3ae
-  data.tar.gz: 71cdf36beee23db60f832a6aad6544e06799df70e2863fd9eea5ce28ea653b69
+  metadata.gz: 0c3d11e84c92255ce5fbe0813857d38a5f59824985a0453b0f2fd7880d0a9000
+  data.tar.gz: 0fae4fa404654a30cfa0c101a34074c3ece238be70bdb79cd19ceeea3a1206e0
 SHA512:
-  metadata.gz: bafcecd0c1e43f66fd96250a9f0c0268389534324091c1b67813bec7474d93f88b4c7869d6cada2ec79f1733c319d2a14d9fc9cc1089cb1b3324a75dc12126d6
-  data.tar.gz: ac0d44e0f2680dc364d377f94aca62b94e384441ab4c05b81f115b4963aecaf2baed8945725d21ac3b06d5bb166dcadf08c4ed0def8bf226779ac5603fdb47ad
+  metadata.gz: 7b08784bd72df92216146953b49dd69d559e6d40373326e54f72cca6ca981b192901aca427ca3a61064c37ab9aebb82379bf6be72675021748e784f95c62f486
+  data.tar.gz: 9a0c3fede86321a65baa5373123a085c72a6bbb81e146b29383bd9c979d4c71e5f865bb97387743619e87f56bcfdfd375e193dd3015525bd323c3d5f2e95d07a

data/README.md CHANGED Viewed

@@ -17,12 +17,24 @@ gem install fluent-plugin-parser-winevt_xml
 ## Configuration
+### parser_winevt_xml
 ```aconf
 <parse>
   @type winevt_xml
 </parse>
 ```
+### parser_winevt_sax
+This plugin is a bit faster than `winevt_xml`.
+```aconf
+<parse>
+  @type winevt_sax
+</parse>
+```
 ## Copyright
 ### Copyright

data/fluent-plugin-parser-winevt_xml.gemspec CHANGED Viewed

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-parser-winevt_xml"
-  spec.version       = "0.1.2"
+  spec.version       = "0.2.0"
   spec.authors       = ["Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Parser plugin to parse XML rendered windows event log.}

data/lib/fluent/plugin/parser_winevt_sax.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'fluent/plugin/parser'
+require 'fluent/plugin/winevt_sax_document'
+require 'nokogiri'
+module Fluent::Plugin
+  class WinevtSAXparser < Parser
+    Fluent::Plugin.register_parser('winevt_sax', self)
+    def winevt_xml?
+      true
+    end
+    def parse(text)
+      evtxml = WinevtXMLDocument.new
+      parser = Nokogiri::XML::SAX::Parser.new(evtxml)
+      parser.parse(text)
+      time = @estimate_current_event ? Fluent::EventTime.now : nil
+      yield time, evtxml.result
+    end
+  end
+end

data/lib/fluent/plugin/parser_winevt_xml.rb CHANGED Viewed

@@ -23,9 +23,10 @@ module Fluent::Plugin
       record["Keywords"]              = (system_elem/'Keywords').text rescue nil
       record["TimeCreated"]           = (system_elem/'TimeCreated').attribute("SystemTime").text rescue nil
       record["EventRecordID"]         = (system_elem/'EventRecordID').text rescue nil
-      record["ActivityID"]            = (system_elem/'ActivityID').text rescue nil
-      record["RelatedActivityID"]     = (system_elem/'Correlation').attribute("ActivityID").text rescue nil
+      record["ActivityID"]            = (system_elem/'Correlation').attribute('ActivityID').text rescue nil
+      record["RelatedActivityID"]     = (system_elem/'Correlation').attribute("RelatedActivityID").text rescue nil
       record["ThreadID"]              = (system_elem/'Execution').attribute("ThreadID").text rescue nil
+      record["ProcessID"]             = (system_elem/'Execution').attribute("ProcessID").text rescue nil
       record["Channel"]               = (system_elem/'Channel').text rescue nil
       record["Computer"]              = (system_elem/"Computer").text rescue nil
       record["UserID"]                = (system_elem/'Security').attribute("UserID").text rescue nil

data/lib/fluent/plugin/winevt_sax_document.rb ADDED Viewed

@@ -0,0 +1,50 @@
+require 'nokogiri'
+class WinevtXMLDocument < Nokogiri::XML::SAX::Document
+  attr_reader :result
+  def initialize
+    @stack = []
+    @result = {}
+    super
+  end
+  def start_document
+  end
+  def start_element(name, attributes = [])
+    @stack << name
+    if name == "Provider"
+      @result["PrividerName"] = attributes[0][1] rescue nil
+      @result["ProviderGUID"] = attributes[1][1] rescue nil
+    elsif name == "EventID"
+      @result["Qualifiers"] = attributes[0][1] rescue nil
+    elsif name == "TimeCreated"
+      @result["TimeCreated"] = attributes[0][1] rescue nil
+    elsif name == "Correlation"
+      @result["ActivityID"] = attributes[0][1] rescue nil
+      @result["RelatedActivityID"] = attributes[1][1] rescue nil
+    elsif name == "Execution"
+      @result["ProcessID"] = attributes[0][1] rescue nil
+      @result["ThreadID"] = attributes[1][1] rescue nil
+    elsif name == "Security"
+      @result["UserID"] = attributes[0][1] rescue nil
+    end
+  end
+  def characters(string)
+    element = @stack.last
+    if /^EventID|Level|Task|Opcode|Keywords|EventRecordID|
+        ActivityID|Channel|Computer|Security|Version$/ === element
+      @result[element] = string
+    end
+  end
+  def end_element(name, attributes = [])
+  end
+  def end_document
+  end
+end

data/test/helper.rb CHANGED Viewed

@@ -15,6 +15,7 @@ require 'fluent/test'
 require 'fluent/test/driver/parser'
 require 'fluent/plugin/parser_winevt_xml'
+require 'fluent/plugin/parser_winevt_sax'
 class Test::Unit::TestCase
 end

data/test/plugin/test_parser_winevt_sax.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'helper'
+class WinevtSAXparserTest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+  end
+  CONFIG = %[]
+  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
+  def create_driver(conf = CONFIG)
+    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
+  end
+  def test_parse
+    d = create_driver
+    xml = XMLLOG
+    expected = {"PrividerName"      => "Microsoft-Windows-Security-Auditing",
+                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "EventID"           => "4624",
+                "Qualifiers"        => nil,
+                "Level"             => "0",
+                "Task"              => "12544",
+                "Opcode"            => "0",
+                "Keywords"          => "0x8020000000000000",
+                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
+                "EventRecordID"     => "80688",
+                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "RelatedActivityID" => nil,
+                "ProcessID"         => "912",
+                "ThreadID"          => "24708",
+                "Channel"           => "Security",
+                "Computer"          => "Fluentd-Developing-Windows",
+                "UserID"            => nil,
+                "Version"           => "2",}
+    d.instance.parse(xml) do |time, record|
+      assert_equal(expected, record)
+    end
+    assert_true(d.instance.winevt_xml?)
+  end
+end

data/test/plugin/test_parser_winevt_xml.rb CHANGED Viewed

@@ -26,8 +26,9 @@ class WinevtXMLparserTest < Test::Unit::TestCase
                 "Keywords"          => "0x8020000000000000",
                 "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
                 "EventRecordID"     => "80688",
-                "ActivityID"        => "",
-                "RelatedActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "RelatedActivityID" => nil,
+                "ProcessID"         => "912",
                 "ThreadID"          => "24708",
                 "Channel"           => "Security",
                 "Computer"          => "Fluentd-Developing-Windows",

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-parser-winevt_xml
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Hiroshi Hatake
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-10 00:00:00.000000000 Z
+date: 2019-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -103,9 +103,12 @@ files:
 - Rakefile
 - appveyor.yml
 - fluent-plugin-parser-winevt_xml.gemspec
+- lib/fluent/plugin/parser_winevt_sax.rb
 - lib/fluent/plugin/parser_winevt_xml.rb
+- lib/fluent/plugin/winevt_sax_document.rb
 - test/data/eventlog.xml
 - test/helper.rb
+- test/plugin/test_parser_winevt_sax.rb
 - test/plugin/test_parser_winevt_xml.rb
 homepage: https://github.com/fluent/fluent-plugin-parser-winevt_xml
 licenses:
@@ -133,4 +136,5 @@ summary: Fluentd Parser plugin to parse XML rendered windows event log.
 test_files:
 - test/data/eventlog.xml
 - test/helper.rb
+- test/plugin/test_parser_winevt_sax.rb
 - test/plugin/test_parser_winevt_xml.rb