fluent-plugin-parser-winevt_xml 0.2.0 → 0.2.1

data/test/data/eventlog-with-qualifiers.xml

@@ -0,0 +1 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-SPP' Guid='{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}' EventSourceName='Software Protection Platform Service'/><EventID Qualifiers='49152'>16394</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2020-01-16T09:57:18.013693700Z'/><EventRecordID>150731</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>DESKTOP-G457RDR</Computer><Security/></System><EventData></EventData></Event>

data/test/data/eventlog.xml

@@ -1 +1 @@
-<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi  </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi  </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

data/test/helper.rb

@@ -1,24 +1,24 @@
-require 'rubygems'
-require 'bundler'
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
-require 'test/unit'
-
-$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-$LOAD_PATH.unshift(File.dirname(__FILE__))
-require 'fluent/test'
-
-require 'fluent/test/driver/parser'
-require 'fluent/plugin/parser_winevt_xml'
-require 'fluent/plugin/parser_winevt_sax'
-
-class Test::Unit::TestCase
-end
-require 'fluent/test/helpers'
-
-include Fluent::Test::Helpers
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'fluent/test'
+
+require 'fluent/test/driver/parser'
+require 'fluent/plugin/parser_winevt_xml'
+require 'fluent/plugin/parser_winevt_sax'
+
+class Test::Unit::TestCase
+end
+require 'fluent/test/helpers'
+
+include Fluent::Test::Helpers

data/test/plugin/test_parser_winevt_sax.rb

@@ -1,43 +1,79 @@
-require 'helper'
-
-class WinevtSAXparserTest < Test::Unit::TestCase
-
-  def setup
-    Fluent::Test.setup
-  end
-
-  CONFIG = %[]
-  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
-
-  def create_driver(conf = CONFIG)
-    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
-  end
-
-  def test_parse
-    d = create_driver
-    xml = XMLLOG
-    expected = {"PrividerName"      => "Microsoft-Windows-Security-Auditing",
-                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
-                "EventID"           => "4624",
-                "Qualifiers"        => nil,
-                "Level"             => "0",
-                "Task"              => "12544",
-                "Opcode"            => "0",
-                "Keywords"          => "0x8020000000000000",
-                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
-                "EventRecordID"     => "80688",
-                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
-                "RelatedActivityID" => nil,
-                "ProcessID"         => "912",
-                "ThreadID"          => "24708",
-                "Channel"           => "Security",
-                "Computer"          => "Fluentd-Developing-Windows",
-                "UserID"            => nil,
-                "Version"           => "2",}
-    d.instance.parse(xml) do |time, record|
-      assert_equal(expected, record)
-    end
-
-    assert_true(d.instance.winevt_xml?)
-  end
-end
+require_relative '../helper'
+
+class WinevtSAXparserTest < Test::Unit::TestCase
+
+  def setup
+    Fluent::Test.setup
+  end
+
+  CONFIG = %[]
+  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
+
+  def create_driver(conf = CONFIG)
+    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
+  end
+
+  def test_parse
+    d = create_driver
+    xml = XMLLOG
+    expected = {"ProviderName"      => "Microsoft-Windows-Security-Auditing",
+                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "EventID"           => "4624",
+                "Qualifiers"        => nil,
+                "Level"             => "0",
+                "Task"              => "12544",
+                "Opcode"            => "0",
+                "Keywords"          => "0x8020000000000000",
+                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
+                "EventRecordID"     => "80688",
+                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "RelatedActivityID" => nil,
+                "ProcessID"         => "912",
+                "ThreadID"          => "24708",
+                "Channel"           => "Security",
+                "Computer"          => "Fluentd-Developing-Windows",
+                "UserID"            => nil,
+                "Version"           => "2",}
+    d.instance.parse(xml) do |time, record|
+      assert_equal(expected, record)
+    end
+
+    assert_true(d.instance.winevt_xml?)
+  end
+
+  class QualifiersTest < self
+    def setup
+      @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
+    end
+
+    def teardown
+      @xml.close
+    end
+
+    def test_parse_without_qualifiers
+      d = create_driver CONFIG + %[preserve_qualifiers false]
+      expected = {"ActivityID"        => nil,
+                  "Channel"           => "Application",
+                  "Computer"          => "DESKTOP-G457RDR",
+                  "EventID"           => "3221241866",
+                  "EventRecordID"     => "150731",
+                  "Keywords"          => "0x80000000000000",
+                  "Level"             => "4",
+                  "Opcode"            => "0",
+                  "ProcessID"         => "0",
+                  "ProviderGUID"      => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
+                  "ProviderName"      => "Microsoft-Windows-Security-SPP",
+                  "RelatedActivityID" => nil,
+                  "Task"              => "0",
+                  "ThreadID"          => "0",
+                  "TimeCreated"       => "2020-01-16T09:57:18.013693700Z",
+                  "UserID"            => nil,
+                  "Version"           => "0"}
+      d.instance.parse(@xml) do |time, record|
+        assert_equal(expected, record)
+      end
+
+      assert_true(d.instance.winevt_xml?)
+    end
+  end
+end

data/test/plugin/test_parser_winevt_xml.rb

@@ -1,43 +1,80 @@
-require 'helper'
-
-class WinevtXMLparserTest < Test::Unit::TestCase
-
-  def setup
-    Fluent::Test.setup
-  end
-
-  CONFIG = %[]
-  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
-
-  def create_driver(conf = CONFIG)
-    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
-  end
-
-  def test_parse
-    d = create_driver
-    xml = XMLLOG
-    expected = {"ProviderName"      => "Microsoft-Windows-Security-Auditing",
-                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
-                "EventID"           => "4624",
-                "Qualifiers"        => nil,
-                "Level"             => "0",
-                "Task"              => "12544",
-                "Opcode"            => "0",
-                "Keywords"          => "0x8020000000000000",
-                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
-                "EventRecordID"     => "80688",
-                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
-                "RelatedActivityID" => nil,
-                "ProcessID"         => "912",
-                "ThreadID"          => "24708",
-                "Channel"           => "Security",
-                "Computer"          => "Fluentd-Developing-Windows",
-                "UserID"            => nil,
-                "Version"           => "2",}
-    d.instance.parse(xml) do |time, record|
-      assert_equal(expected, record)
-    end
-
-    assert_true(d.instance.winevt_xml?)
-  end
-end
+require_relative '../helper'
+
+class WinevtXMLparserTest < Test::Unit::TestCase
+
+  def setup
+    Fluent::Test.setup
+  end
+
+  CONFIG = %[]
+  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml"))
+
+  def create_driver(conf = CONFIG)
+    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
+  end
+
+  def test_parse
+    d = create_driver
+    xml = XMLLOG
+    expected = {"ProviderName"      => "Microsoft-Windows-Security-Auditing",
+                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "EventID"           => "4624",
+                "Qualifiers"        => nil,
+                "Level"             => "0",
+                "Task"              => "12544",
+                "Opcode"            => "0",
+                "Keywords"          => "0x8020000000000000",
+                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
+                "EventRecordID"     => "80688",
+                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "RelatedActivityID" => nil,
+                "ProcessID"         => "912",
+                "ThreadID"          => "24708",
+                "Channel"           => "Security",
+                "Computer"          => "Fluentd-Developing-Windows",
+                "UserID"            => nil,
+                "Version"           => "2",}
+    d.instance.parse(xml) do |time, record|
+      assert_equal(expected, record)
+    end
+    xml.close
+
+    assert_true(d.instance.winevt_xml?)
+  end
+
+  class QualifiersTest < self
+    def setup
+      @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
+    end
+
+    def teardown
+      @xml.close
+    end
+
+    def test_without_qualifiers
+      d = create_driver CONFIG + %[preserve_qualifiers false]
+      expected = {"ActivityID"        => nil,
+                  "Channel"           => "Application",
+                  "Computer"          => "DESKTOP-G457RDR",
+                  "EventID"           => "3221241866",
+                  "EventRecordID"     => "150731",
+                  "Keywords"          => "0x80000000000000",
+                  "Level"             => "4",
+                  "Opcode"            => "0",
+                  "ProcessID"         => "0",
+                  "ProviderGUID"      => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
+                  "ProviderName"      => "Microsoft-Windows-Security-SPP",
+                  "RelatedActivityID" => nil,
+                  "Task"              => "0",
+                  "ThreadID"          => "0",
+                  "TimeCreated"       => "2020-01-16T09:57:18.013693700Z",
+                  "UserID"            => nil,
+                  "Version"           => "0"}
+      d.instance.parse(@xml) do |time, record|
+        assert_equal(expected, record)
+      end
+
+      assert_true(d.instance.winevt_xml?)
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-parser-winevt_xml
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Hiroshi Hatake
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-11 00:00:00.000000000 Z
+date: 2020-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -106,6 +106,7 @@ files:
 - lib/fluent/plugin/parser_winevt_sax.rb
 - lib/fluent/plugin/parser_winevt_xml.rb
 - lib/fluent/plugin/winevt_sax_document.rb
+- test/data/eventlog-with-qualifiers.xml
 - test/data/eventlog.xml
 - test/helper.rb
 - test/plugin/test_parser_winevt_sax.rb
@@ -129,11 +130,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubyforge_project: 
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Fluentd Parser plugin to parse XML rendered windows event log.
 test_files:
+- test/data/eventlog-with-qualifiers.xml
 - test/data/eventlog.xml
 - test/helper.rb
 - test/plugin/test_parser_winevt_sax.rb