fluent-plugin-parser-winevt_xml 0.2.0 → 0.2.1
- checksums.yaml +4 -4
- data/.gitignore +14 -14
- data/.travis.yml +16 -16
- data/Gemfile +4 -4
- data/LICENSE +201 -201
- data/README.md +56 -46
- data/Rakefile +10 -10
- data/appveyor.yml +24 -24
- data/fluent-plugin-parser-winevt_xml.gemspec +25 -25
- data/lib/fluent/plugin/parser_winevt_sax.rb +27 -21
- data/lib/fluent/plugin/parser_winevt_xml.rb +63 -38
- data/lib/fluent/plugin/winevt_sax_document.rb +73 -50
- data/test/data/eventlog-with-qualifiers.xml +1 -0
- data/test/data/eventlog.xml +1 -1
- data/test/helper.rb +24 -24
- data/test/plugin/test_parser_winevt_sax.rb +79 -43
- data/test/plugin/test_parser_winevt_xml.rb +80 -43
- metadata +6 -3
@@ -0,0 +1 @@
|
|
1
|
+
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-SPP' Guid='{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}' EventSourceName='Software Protection Platform Service'/><EventID Qualifiers='49152'>16394</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2020-01-16T09:57:18.013693700Z'/><EventRecordID>150731</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>DESKTOP-G457RDR</Computer><Security/></System><EventData></EventData></Event>
|
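--- a/data/test/data/eventlog.xml
+++ b/data/test/data/eventlog.xml
@@ -1 +1 @@
-<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>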
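--- a/data/test/helper.rb
+++ b/data/test/helper.rb
@@ -1,24 +1,24 @@
-require 'rubygems'
-require 'bundler'
-begin
-Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-$stderr.puts e.message
-$stderr.puts "Run `bundle install` to install missing gems"
-exit e.status_code
-end
-require 'test/unit'
-
-$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-$LOAD_PATH.unshift(File.dirname(__FILE__))
-require 'fluent/test'
-
-require 'fluent/test/driver/parser'
-require 'fluent/plugin/parser_winevt_xml'
-require 'fluent/plugin/parser_winevt_sax'
-
-class Test::Unit::TestCase
-end
-require 'fluent/test/helpers'
-
-include Fluent::Test::Helpers
+require 'rubygems'
+require 'bundler'
+begin
+Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+$stderr.puts e.message
+$stderr.puts "Run `bundle install` to install missing gems"
+exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'fluent/test'
+
+require 'fluent/test/driver/parser'
+require 'fluent/plugin/parser_winevt_xml'
+require 'fluent/plugin/parser_winevt_sax'
+
+class Test::Unit::TestCase
+end
+require 'fluent/test/helpers'
+
+include Fluent::Test::Helpers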
@@ -1,43 +1,79 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
class WinevtSAXparserTest < Test::Unit::TestCase
|
4
|
-
|
5
|
-
def setup
|
6
|
-
Fluent::Test.setup
|
7
|
-
end
|
8
|
-
|
9
|
-
CONFIG = %[]
|
10
|
-
XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
|
11
|
-
|
12
|
-
def create_driver(conf = CONFIG)
|
13
|
-
Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
|
14
|
-
end
|
15
|
-
|
16
|
-
def test_parse
|
17
|
-
d = create_driver
|
18
|
-
xml = XMLLOG
|
19
|
-
expected = {"
|
20
|
-
"ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
|
21
|
-
"EventID" => "4624",
|
22
|
-
"Qualifiers" => nil,
|
23
|
-
"Level" => "0",
|
24
|
-
"Task" => "12544",
|
25
|
-
"Opcode" => "0",
|
26
|
-
"Keywords" => "0x8020000000000000",
|
27
|
-
"TimeCreated" => "2019-06-13T09:21:23.345889600Z",
|
28
|
-
"EventRecordID" => "80688",
|
29
|
-
"ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
|
30
|
-
"RelatedActivityID" => nil,
|
31
|
-
"ProcessID" => "912",
|
32
|
-
"ThreadID" => "24708",
|
33
|
-
"Channel" => "Security",
|
34
|
-
"Computer" => "Fluentd-Developing-Windows",
|
35
|
-
"UserID" => nil,
|
36
|
-
"Version" => "2",}
|
37
|
-
d.instance.parse(xml) do |time, record|
|
38
|
-
assert_equal(expected, record)
|
39
|
-
end
|
40
|
-
|
41
|
-
assert_true(d.instance.winevt_xml?)
|
42
|
-
end
|
43
|
-
|
1
|
+
require_relative '../helper'
|
2
|
+
|
3
|
+
class WinevtSAXparserTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
def setup
|
6
|
+
Fluent::Test.setup
|
7
|
+
end
|
8
|
+
|
9
|
+
CONFIG = %[]
|
10
|
+
XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
|
11
|
+
|
12
|
+
def create_driver(conf = CONFIG)
|
13
|
+
Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
|
14
|
+
end
|
15
|
+
|
16
|
+
def test_parse
|
17
|
+
d = create_driver
|
18
|
+
xml = XMLLOG
|
19
|
+
expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
|
20
|
+
"ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
|
21
|
+
"EventID" => "4624",
|
22
|
+
"Qualifiers" => nil,
|
23
|
+
"Level" => "0",
|
24
|
+
"Task" => "12544",
|
25
|
+
"Opcode" => "0",
|
26
|
+
"Keywords" => "0x8020000000000000",
|
27
|
+
"TimeCreated" => "2019-06-13T09:21:23.345889600Z",
|
28
|
+
"EventRecordID" => "80688",
|
29
|
+
"ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
|
30
|
+
"RelatedActivityID" => nil,
|
31
|
+
"ProcessID" => "912",
|
32
|
+
"ThreadID" => "24708",
|
33
|
+
"Channel" => "Security",
|
34
|
+
"Computer" => "Fluentd-Developing-Windows",
|
35
|
+
"UserID" => nil,
|
36
|
+
"Version" => "2",}
|
37
|
+
d.instance.parse(xml) do |time, record|
|
38
|
+
assert_equal(expected, record)
|
39
|
+
end
|
40
|
+
|
41
|
+
assert_true(d.instance.winevt_xml?)
|
42
|
+
end
|
43
|
+
|
44
|
+
class QualifiersTest < self
|
45
|
+
def setup
|
46
|
+
@xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
|
47
|
+
end
|
48
|
+
|
49
|
+
def teardown
|
50
|
+
@xml.close
|
51
|
+
end
|
52
|
+
|
53
|
+
def test_parse_without_qualifiers
|
54
|
+
d = create_driver CONFIG + %[preserve_qualifiers false]
|
55
|
+
expected = {"ActivityID" => nil,
|
56
|
+
"Channel" => "Application",
|
57
|
+
"Computer" => "DESKTOP-G457RDR",
|
58
|
+
"EventID" => "3221241866",
|
59
|
+
"EventRecordID" => "150731",
|
60
|
+
"Keywords" => "0x80000000000000",
|
61
|
+
"Level" => "4",
|
62
|
+
"Opcode" => "0",
|
63
|
+
"ProcessID" => "0",
|
64
|
+
"ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
|
65
|
+
"ProviderName" => "Microsoft-Windows-Security-SPP",
|
66
|
+
"RelatedActivityID" => nil,
|
67
|
+
"Task" => "0",
|
68
|
+
"ThreadID" => "0",
|
69
|
+
"TimeCreated" => "2020-01-16T09:57:18.013693700Z",
|
70
|
+
"UserID" => nil,
|
71
|
+
"Version" => "0"}
|
72
|
+
d.instance.parse(@xml) do |time, record|
|
73
|
+
assert_equal(expected, record)
|
74
|
+
end
|
75
|
+
|
76
|
+
assert_true(d.instance.winevt_xml?)
|
77
|
+
end
|
78
|
+
end
|
79
|
+
end
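Review bot: `XMLLOG` (new line 10) opens `eventlog.xml` at class-load time into a constant and nothing in this file ever closes it, whereas the nested `QualifiersTest` added in the same hunk opens its fixture in `setup` and closes it in `teardown`; the test_parser_winevt_xml.rb hunk has the same constant and closes it inline at its new line 40, but only on the path where the assertion passes. An IO held in a constant can also be read only once, so any further test method that reuses `XMLLOG` would get an exhausted stream rather than the fixture. Replace the constant with a block-form `File.open` inside `test_parse` so the handle is released even when `assert_equal` raises; the stray space before `)` on line 10 disappears with it, and the unused block parameter reads better as `_time`.
```ruby
  # … unchanged: setup, CONFIG, create_driver, expected hash …
    File.open(File.join(__dir__, "..", "data", "eventlog.xml")) do |xml|
      d.instance.parse(xml) do |_time, record|
        assert_equal(expected, record)
      end
    end
  # … unchanged: winevt_xml? assertion …
```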
|
@@ -1,43 +1,80 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
class WinevtXMLparserTest < Test::Unit::TestCase
|
4
|
-
|
5
|
-
def setup
|
6
|
-
Fluent::Test.setup
|
7
|
-
end
|
8
|
-
|
9
|
-
CONFIG = %[]
|
10
|
-
XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml")
|
11
|
-
|
12
|
-
def create_driver(conf = CONFIG)
|
13
|
-
Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
|
14
|
-
end
|
15
|
-
|
16
|
-
def test_parse
|
17
|
-
d = create_driver
|
18
|
-
xml = XMLLOG
|
19
|
-
expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
|
20
|
-
"ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
|
21
|
-
"EventID" => "4624",
|
22
|
-
"Qualifiers" => nil,
|
23
|
-
"Level" => "0",
|
24
|
-
"Task" => "12544",
|
25
|
-
"Opcode" => "0",
|
26
|
-
"Keywords" => "0x8020000000000000",
|
27
|
-
"TimeCreated" => "2019-06-13T09:21:23.345889600Z",
|
28
|
-
"EventRecordID" => "80688",
|
29
|
-
"ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
|
30
|
-
"RelatedActivityID" => nil,
|
31
|
-
"ProcessID" => "912",
|
32
|
-
"ThreadID" => "24708",
|
33
|
-
"Channel" => "Security",
|
34
|
-
"Computer" => "Fluentd-Developing-Windows",
|
35
|
-
"UserID" => nil,
|
36
|
-
"Version" => "2",}
|
37
|
-
d.instance.parse(xml) do |time, record|
|
38
|
-
assert_equal(expected, record)
|
39
|
-
end
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
end
|
1
|
+
require_relative '../helper'
|
2
|
+
|
3
|
+
class WinevtXMLparserTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
def setup
|
6
|
+
Fluent::Test.setup
|
7
|
+
end
|
8
|
+
|
9
|
+
CONFIG = %[]
|
10
|
+
XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml"))
|
11
|
+
|
12
|
+
def create_driver(conf = CONFIG)
|
13
|
+
Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
|
14
|
+
end
|
15
|
+
|
16
|
+
def test_parse
|
17
|
+
d = create_driver
|
18
|
+
xml = XMLLOG
|
19
|
+
expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
|
20
|
+
"ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
|
21
|
+
"EventID" => "4624",
|
22
|
+
"Qualifiers" => nil,
|
23
|
+
"Level" => "0",
|
24
|
+
"Task" => "12544",
|
25
|
+
"Opcode" => "0",
|
26
|
+
"Keywords" => "0x8020000000000000",
|
27
|
+
"TimeCreated" => "2019-06-13T09:21:23.345889600Z",
|
28
|
+
"EventRecordID" => "80688",
|
29
|
+
"ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
|
30
|
+
"RelatedActivityID" => nil,
|
31
|
+
"ProcessID" => "912",
|
32
|
+
"ThreadID" => "24708",
|
33
|
+
"Channel" => "Security",
|
34
|
+
"Computer" => "Fluentd-Developing-Windows",
|
35
|
+
"UserID" => nil,
|
36
|
+
"Version" => "2",}
|
37
|
+
d.instance.parse(xml) do |time, record|
|
38
|
+
assert_equal(expected, record)
|
39
|
+
end
|
40
|
+
xml.close
|
41
|
+
|
42
|
+
assert_true(d.instance.winevt_xml?)
|
43
|
+
end
|
44
|
+
|
45
|
+
class QualifiersTest < self
|
46
|
+
def setup
|
47
|
+
@xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
|
48
|
+
end
|
49
|
+
|
50
|
+
def teardown
|
51
|
+
@xml.close
|
52
|
+
end
|
53
|
+
|
54
|
+
def test_without_qualifiers
|
55
|
+
d = create_driver CONFIG + %[preserve_qualifiers false]
|
56
|
+
expected = {"ActivityID" => nil,
|
57
|
+
"Channel" => "Application",
|
58
|
+
"Computer" => "DESKTOP-G457RDR",
|
59
|
+
"EventID" => "3221241866",
|
60
|
+
"EventRecordID" => "150731",
|
61
|
+
"Keywords" => "0x80000000000000",
|
62
|
+
"Level" => "4",
|
63
|
+
"Opcode" => "0",
|
64
|
+
"ProcessID" => "0",
|
65
|
+
"ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
|
66
|
+
"ProviderName" => "Microsoft-Windows-Security-SPP",
|
67
|
+
"RelatedActivityID" => nil,
|
68
|
+
"Task" => "0",
|
69
|
+
"ThreadID" => "0",
|
70
|
+
"TimeCreated" => "2020-01-16T09:57:18.013693700Z",
|
71
|
+
"UserID" => nil,
|
72
|
+
"Version" => "0"}
|
73
|
+
d.instance.parse(@xml) do |time, record|
|
74
|
+
assert_equal(expected, record)
|
75
|
+
end
|
76
|
+
|
77
|
+
assert_true(d.instance.winevt_xml?)
|
78
|
+
end
|
79
|
+
end
|
80
|
+
end
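Review bot: `QualifiersTest#setup` (new line 46) redefines `setup` without calling `super`, so `Fluent::Test.setup` from the outer class's `setup` (new line 6) does not run before `test_without_qualifiers`; the `QualifiersTest` in the test_parser_winevt_sax.rb hunk has the same shape. Whether the parser driver depends on that initialisation is not visible here, but adding `super` as the first statement of the override, or using test-unit's `setup do ... end` block form which chains automatically, removes the doubt. Separately, the new fixture is only exercised with `preserve_qualifiers false` (expected `"EventID" => "3221241866"`); there is no case asserting what the default setting yields for the same event, which from the other fixture's `"Qualifiers" => nil` key one would expect to be the raw `"16394"` alongside a `"Qualifiers"` value, so the branch a consumer keying on EventID sees by default is untested. The unused block parameter on line 73 reads better as `|_time, record|`.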
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-parser-winevt_xml
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Hiroshi Hatake
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2020-03-16 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: bundler
|
@@ -106,6 +106,7 @@ files:
|
|
106
106
|
- lib/fluent/plugin/parser_winevt_sax.rb
|
107
107
|
- lib/fluent/plugin/parser_winevt_xml.rb
|
108
108
|
- lib/fluent/plugin/winevt_sax_document.rb
|
109
|
+
- test/data/eventlog-with-qualifiers.xml
|
109
110
|
- test/data/eventlog.xml
|
110
111
|
- test/helper.rb
|
111
112
|
- test/plugin/test_parser_winevt_sax.rb
|
@@ -129,11 +130,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
129
130
|
- !ruby/object:Gem::Version
|
130
131
|
version: '0'
|
131
132
|
requirements: []
|
132
|
-
|
133
|
+
rubyforge_project:
|
134
|
+
rubygems_version: 2.7.6.2
|
133
135
|
signing_key:
|
134
136
|
specification_version: 4
|
135
137
|
summary: Fluentd Parser plugin to parse XML rendered windows event log.
|
136
138
|
test_files:
|
139
|
+
- test/data/eventlog-with-qualifiers.xml
|
137
140
|
- test/data/eventlog.xml
|
138
141
|
- test/helper.rb
|
139
142
|
- test/plugin/test_parser_winevt_sax.rb
|