fluent-plugin-parser-winevt_xml 0.2.0 → 0.2.1

@@ -0,0 +1 @@
1
+ <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-SPP' Guid='{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}' EventSourceName='Software Protection Platform Service'/><EventID Qualifiers='49152'>16394</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2020-01-16T09:57:18.013693700Z'/><EventRecordID>150731</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>DESKTOP-G457RDR</Computer><Security/></System><EventData></EventData></Event>
@@ -1 +1 @@
1
- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
1
+ <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
@@ -1,24 +1,24 @@
1
- require 'rubygems'
2
- require 'bundler'
3
- begin
4
- Bundler.setup(:default, :development)
5
- rescue Bundler::BundlerError => e
6
- $stderr.puts e.message
7
- $stderr.puts "Run `bundle install` to install missing gems"
8
- exit e.status_code
9
- end
10
- require 'test/unit'
11
-
12
- $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
13
- $LOAD_PATH.unshift(File.dirname(__FILE__))
14
- require 'fluent/test'
15
-
16
- require 'fluent/test/driver/parser'
17
- require 'fluent/plugin/parser_winevt_xml'
18
- require 'fluent/plugin/parser_winevt_sax'
19
-
20
- class Test::Unit::TestCase
21
- end
22
- require 'fluent/test/helpers'
23
-
24
- include Fluent::Test::Helpers
1
+ require 'rubygems'
2
+ require 'bundler'
3
+ begin
4
+ Bundler.setup(:default, :development)
5
+ rescue Bundler::BundlerError => e
6
+ $stderr.puts e.message
7
+ $stderr.puts "Run `bundle install` to install missing gems"
8
+ exit e.status_code
9
+ end
10
+ require 'test/unit'
11
+
12
+ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
13
+ $LOAD_PATH.unshift(File.dirname(__FILE__))
14
+ require 'fluent/test'
15
+
16
+ require 'fluent/test/driver/parser'
17
+ require 'fluent/plugin/parser_winevt_xml'
18
+ require 'fluent/plugin/parser_winevt_sax'
19
+
20
+ class Test::Unit::TestCase
21
+ end
22
+ require 'fluent/test/helpers'
23
+
24
+ include Fluent::Test::Helpers
@@ -1,43 +1,79 @@
1
- require 'helper'
2
-
3
- class WinevtSAXparserTest < Test::Unit::TestCase
4
-
5
- def setup
6
- Fluent::Test.setup
7
- end
8
-
9
- CONFIG = %[]
10
- XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
11
-
12
- def create_driver(conf = CONFIG)
13
- Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
14
- end
15
-
16
- def test_parse
17
- d = create_driver
18
- xml = XMLLOG
19
- expected = {"PrividerName" => "Microsoft-Windows-Security-Auditing",
20
- "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
- "EventID" => "4624",
22
- "Qualifiers" => nil,
23
- "Level" => "0",
24
- "Task" => "12544",
25
- "Opcode" => "0",
26
- "Keywords" => "0x8020000000000000",
27
- "TimeCreated" => "2019-06-13T09:21:23.345889600Z",
28
- "EventRecordID" => "80688",
29
- "ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
30
- "RelatedActivityID" => nil,
31
- "ProcessID" => "912",
32
- "ThreadID" => "24708",
33
- "Channel" => "Security",
34
- "Computer" => "Fluentd-Developing-Windows",
35
- "UserID" => nil,
36
- "Version" => "2",}
37
- d.instance.parse(xml) do |time, record|
38
- assert_equal(expected, record)
39
- end
40
-
41
- assert_true(d.instance.winevt_xml?)
42
- end
43
- end
1
+ require_relative '../helper'
2
+
3
+ class WinevtSAXparserTest < Test::Unit::TestCase
4
+
5
+ def setup
6
+ Fluent::Test.setup
7
+ end
8
+
9
+ CONFIG = %[]
10
+ XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
11
+
12
+ def create_driver(conf = CONFIG)
13
+ Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
14
+ end
15
+
16
+ def test_parse
17
+ d = create_driver
18
+ xml = XMLLOG
19
+ expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
20
+ "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
+ "EventID" => "4624",
22
+ "Qualifiers" => nil,
23
+ "Level" => "0",
24
+ "Task" => "12544",
25
+ "Opcode" => "0",
26
+ "Keywords" => "0x8020000000000000",
27
+ "TimeCreated" => "2019-06-13T09:21:23.345889600Z",
28
+ "EventRecordID" => "80688",
29
+ "ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
30
+ "RelatedActivityID" => nil,
31
+ "ProcessID" => "912",
32
+ "ThreadID" => "24708",
33
+ "Channel" => "Security",
34
+ "Computer" => "Fluentd-Developing-Windows",
35
+ "UserID" => nil,
36
+ "Version" => "2",}
37
+ d.instance.parse(xml) do |time, record|
38
+ assert_equal(expected, record)
39
+ end
40
+
41
+ assert_true(d.instance.winevt_xml?)
42
+ end
43
+
44
+ class QualifiersTest < self
45
+ def setup
46
+ @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
47
+ end
48
+
49
+ def teardown
50
+ @xml.close
51
+ end
52
+
53
+ def test_parse_without_qualifiers
54
+ d = create_driver CONFIG + %[preserve_qualifiers false]
55
+ expected = {"ActivityID" => nil,
56
+ "Channel" => "Application",
57
+ "Computer" => "DESKTOP-G457RDR",
58
+ "EventID" => "3221241866",
59
+ "EventRecordID" => "150731",
60
+ "Keywords" => "0x80000000000000",
61
+ "Level" => "4",
62
+ "Opcode" => "0",
63
+ "ProcessID" => "0",
64
+ "ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
65
+ "ProviderName" => "Microsoft-Windows-Security-SPP",
66
+ "RelatedActivityID" => nil,
67
+ "Task" => "0",
68
+ "ThreadID" => "0",
69
+ "TimeCreated" => "2020-01-16T09:57:18.013693700Z",
70
+ "UserID" => nil,
71
+ "Version" => "0"}
72
+ d.instance.parse(@xml) do |time, record|
73
+ assert_equal(expected, record)
74
+ end
75
+
76
+ assert_true(d.instance.winevt_xml?)
77
+ end
78
+ end
79
+ end
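Review bot: `QualifiersTest#setup` (new lines 45–47) overrides the parent class's `setup` without calling `super`, so `Fluent::Test.setup` no longer runs for the nested test; the same applies to the `QualifiersTest` added in the WinevtXMLparserTest hunk below, so adding `super` as the first line of the overriding `setup` in both files restores it. The `assert_equal` in `test_parse_without_qualifiers` (lines 72–74) only executes if `parse` yields, so a parser that yields nothing would pass silently; capturing the record and asserting after the block, e.g. `record = nil; d.instance.parse(@xml) { |_t, r| record = r }; assert_equal(expected, record)`, makes the test fail when nothing is yielded. Unlike the XML test file in this commit, the `XMLLOG` handle opened at line 10 is never closed here; opening the fixture in `setup` and closing it in `teardown`, as `QualifiersTest` already does, would be consistent and avoid the leaked handle.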
@@ -1,43 +1,80 @@
1
- require 'helper'
2
-
3
- class WinevtXMLparserTest < Test::Unit::TestCase
4
-
5
- def setup
6
- Fluent::Test.setup
7
- end
8
-
9
- CONFIG = %[]
10
- XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
11
-
12
- def create_driver(conf = CONFIG)
13
- Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
14
- end
15
-
16
- def test_parse
17
- d = create_driver
18
- xml = XMLLOG
19
- expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
20
- "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
- "EventID" => "4624",
22
- "Qualifiers" => nil,
23
- "Level" => "0",
24
- "Task" => "12544",
25
- "Opcode" => "0",
26
- "Keywords" => "0x8020000000000000",
27
- "TimeCreated" => "2019-06-13T09:21:23.345889600Z",
28
- "EventRecordID" => "80688",
29
- "ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
30
- "RelatedActivityID" => nil,
31
- "ProcessID" => "912",
32
- "ThreadID" => "24708",
33
- "Channel" => "Security",
34
- "Computer" => "Fluentd-Developing-Windows",
35
- "UserID" => nil,
36
- "Version" => "2",}
37
- d.instance.parse(xml) do |time, record|
38
- assert_equal(expected, record)
39
- end
40
-
41
- assert_true(d.instance.winevt_xml?)
42
- end
43
- end
1
+ require_relative '../helper'
2
+
3
+ class WinevtXMLparserTest < Test::Unit::TestCase
4
+
5
+ def setup
6
+ Fluent::Test.setup
7
+ end
8
+
9
+ CONFIG = %[]
10
+ XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml"))
11
+
12
+ def create_driver(conf = CONFIG)
13
+ Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
14
+ end
15
+
16
+ def test_parse
17
+ d = create_driver
18
+ xml = XMLLOG
19
+ expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
20
+ "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
+ "EventID" => "4624",
22
+ "Qualifiers" => nil,
23
+ "Level" => "0",
24
+ "Task" => "12544",
25
+ "Opcode" => "0",
26
+ "Keywords" => "0x8020000000000000",
27
+ "TimeCreated" => "2019-06-13T09:21:23.345889600Z",
28
+ "EventRecordID" => "80688",
29
+ "ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
30
+ "RelatedActivityID" => nil,
31
+ "ProcessID" => "912",
32
+ "ThreadID" => "24708",
33
+ "Channel" => "Security",
34
+ "Computer" => "Fluentd-Developing-Windows",
35
+ "UserID" => nil,
36
+ "Version" => "2",}
37
+ d.instance.parse(xml) do |time, record|
38
+ assert_equal(expected, record)
39
+ end
40
+ xml.close
41
+
42
+ assert_true(d.instance.winevt_xml?)
43
+ end
44
+
45
+ class QualifiersTest < self
46
+ def setup
47
+ @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
48
+ end
49
+
50
+ def teardown
51
+ @xml.close
52
+ end
53
+
54
+ def test_without_qualifiers
55
+ d = create_driver CONFIG + %[preserve_qualifiers false]
56
+ expected = {"ActivityID" => nil,
57
+ "Channel" => "Application",
58
+ "Computer" => "DESKTOP-G457RDR",
59
+ "EventID" => "3221241866",
60
+ "EventRecordID" => "150731",
61
+ "Keywords" => "0x80000000000000",
62
+ "Level" => "4",
63
+ "Opcode" => "0",
64
+ "ProcessID" => "0",
65
+ "ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
66
+ "ProviderName" => "Microsoft-Windows-Security-SPP",
67
+ "RelatedActivityID" => nil,
68
+ "Task" => "0",
69
+ "ThreadID" => "0",
70
+ "TimeCreated" => "2020-01-16T09:57:18.013693700Z",
71
+ "UserID" => nil,
72
+ "Version" => "0"}
73
+ d.instance.parse(@xml) do |time, record|
74
+ assert_equal(expected, record)
75
+ end
76
+
77
+ assert_true(d.instance.winevt_xml?)
78
+ end
79
+ end
80
+ end
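Review bot: The new `xml.close` at line 40 runs only when the preceding `assert_equal` passes (a failure raises past it), and it closes the class-level `XMLLOG` handle opened once at class load, so any later test in the same process that read it would hit a closed stream; wrapping the parse in `begin … ensure xml.close end`, or more simply opening the fixture in `setup` and closing it in `teardown` as the nested `QualifiersTest` does, avoids both problems. The nested test is named `test_without_qualifiers` here but `test_parse_without_qualifiers` in the SAX counterpart in the previous hunk; one name for both files keeps the suites parallel. As in the SAX test, the `assert_equal` inside the `parse` block (lines 73–75) is skipped entirely if `parse` yields nothing.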
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-parser-winevt_xml
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Hiroshi Hatake
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2019-10-11 00:00:00.000000000 Z
12
+ date: 2020-03-16 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bundler
@@ -106,6 +106,7 @@ files:
106
106
  - lib/fluent/plugin/parser_winevt_sax.rb
107
107
  - lib/fluent/plugin/parser_winevt_xml.rb
108
108
  - lib/fluent/plugin/winevt_sax_document.rb
109
+ - test/data/eventlog-with-qualifiers.xml
109
110
  - test/data/eventlog.xml
110
111
  - test/helper.rb
111
112
  - test/plugin/test_parser_winevt_sax.rb
@@ -129,11 +130,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
129
130
  - !ruby/object:Gem::Version
130
131
  version: '0'
131
132
  requirements: []
132
- rubygems_version: 3.0.3
133
+ rubyforge_project:
134
+ rubygems_version: 2.7.6.2
133
135
  signing_key:
134
136
  specification_version: 4
135
137
  summary: Fluentd Parser plugin to parse XML rendered windows event log.
136
138
  test_files:
139
+ - test/data/eventlog-with-qualifiers.xml
137
140
  - test/data/eventlog.xml
138
141
  - test/helper.rb
139
142
  - test/plugin/test_parser_winevt_sax.rb