fluent-plugin-parser-winevt_xml 0.2.0 → 0.2.3

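--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 0c3d11e84c92255ce5fbe0813857d38a5f59824985a0453b0f2fd7880d0a9000
-data.tar.gz: 0fae4fa404654a30cfa0c101a34074c3ece238be70bdb79cd19ceeea3a1206e0
+metadata.gz: cf661a22efc8f59fea1349378dd616e3492f8f744a4b2828ca92bcaa07104ee8
+data.tar.gz: 225be6df196b003016e6ff05ecba7d0860e154ee5e666d8361dd48ea9f40536d
 SHA512:
-metadata.gz: 7b08784bd72df92216146953b49dd69d559e6d40373326e54f72cca6ca981b192901aca427ca3a61064c37ab9aebb82379bf6be72675021748e784f95c62f486
-data.tar.gz: 9a0c3fede86321a65baa5373123a085c72a6bbb81e146b29383bd9c979d4c71e5f865bb97387743619e87f56bcfdfd375e193dd3015525bd323c3d5f2e95d07a
+metadata.gz: 8cfb8dd8e674678fcda0d78f56b6ed782e36aae204039d895525905438ad4b2c6fbb0156e439694af778ebd34ba9e2d3028e12871582cbc50c44b06a953a047c
+data.tar.gz: f7092485efbcc4ccf2e45448c604f4cc63663922567aa48200a091fc7e92f14ad4b12fd384d6a760df250574c25643d95624963ca482cc0120e9bd52a36ec049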
@@ -0,0 +1,34 @@
1
+ name: Testing on Ubuntu
2
+
3
+ on:
4
+ push:
5
+ branches: [master]
6
+ pull_request:
7
+ branches: [master]
8
+
9
+ jobs:
10
+ test:
11
+ runs-on: ${{ matrix.os }}
12
+ continue-on-error: ${{ matrix.experimental }}
13
+ strategy:
14
+ fail-fast: false
15
+ matrix:
16
+ ruby: ['3.0', '2.7', '2.6']
17
+ os: [ubuntu-latest]
18
+ experimental: [false]
19
+ include:
20
+ - ruby: head
21
+ os: ubuntu-latest
22
+ experimental: true
23
+
24
+ name: Unit testing with Ruby ${{ matrix.ruby }} on ${{ matrix.os }}
25
+ steps:
26
+ - uses: actions/checkout@v2
27
+ - name: Set up Ruby
28
+ uses: ruby/setup-ruby@v1
29
+ with:
30
+ ruby-version: ${{ matrix.ruby }}
31
+ - name: Install dependencies
32
+ run: bundle install
33
+ - name: Run tests
34
+ run: bundle exec rake test
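Review bot: Neither this workflow nor the macOS and Windows ones that follow declares a `permissions:` block, so each job runs with the repository's default GITHUB_TOKEN scope rather than the read-only access that `bundle exec rake test` needs; add `permissions:` / `  contents: read` at the top level of all three files. The `uses:` lines also reference floating tags (`actions/checkout@v2`, `ruby/setup-ruby@v1`), so whoever can move those tags can change what runs in this repository's CI; pinning each to a full commit SHA with the tag kept in a trailing comment removes that dependency on the tag staying put. Since the three files differ only in the matrix and the Windows install command, a comment at the top of each naming the shared structure would also help keep future edits in sync.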
@@ -0,0 +1,28 @@
1
+ name: Testing on macOS
2
+
3
+ on:
4
+ push:
5
+ branches: [master]
6
+ pull_request:
7
+ branches: [master]
8
+
9
+ jobs:
10
+ test:
11
+ runs-on: ${{ matrix.os }}
12
+ strategy:
13
+ fail-fast: false
14
+ matrix:
15
+ ruby: ['3.0', '2.7', '2.6']
16
+ os: [macos-latest]
17
+
18
+ name: Unit testing with Ruby ${{ matrix.ruby }} on ${{ matrix.os }}
19
+ steps:
20
+ - uses: actions/checkout@v2
21
+ - name: Set up Ruby
22
+ uses: ruby/setup-ruby@v1
23
+ with:
24
+ ruby-version: ${{ matrix.ruby }}
25
+ - name: Install dependencies
26
+ run: bundle install
27
+ - name: Run tests
28
+ run: bundle exec rake test
@@ -0,0 +1,28 @@
1
+ name: Testing on Windows
2
+
3
+ on:
4
+ push:
5
+ branches: [master]
6
+ pull_request:
7
+ branches: [master]
8
+
9
+ jobs:
10
+ test:
11
+ runs-on: ${{ matrix.os }}
12
+ strategy:
13
+ fail-fast: false
14
+ matrix:
15
+ ruby: ['3.0', '2.7', '2.6']
16
+ os:
17
+ - windows-latest
18
+ name: Unit testing with Ruby ${{ matrix.ruby }} on ${{ matrix.os }}
19
+ steps:
20
+ - uses: actions/checkout@v2
21
+ - name: Set up Ruby
22
+ uses: ruby/setup-ruby@v1
23
+ with:
24
+ ruby-version: ${{ matrix.ruby }}
25
+ - name: Install dependencies
26
+ run: ridk exec bundle install
27
+ - name: Run tests
28
+ run: bundle exec rake test
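--- a/data/README.md
+++ b/data/README.md
@@ -22,9 +22,14 @@ gem install fluent-plugin-parser-winevt_xml
 ```aconf
 <parse>
 @type winevt_xml
+preserve_qualifiers true
 </parse>
 ```
 
+#### preserve_qualifiers
+
+Preserve Qualifiers key instead of calculating actual EventID with Qualifiers. Default is `true`.
+
 ### parser_winevt_sax
 
 This plugin is a bit faster than `winevt_xml`.
@@ -32,9 +37,14 @@ This plugin is a bit faster than `winevt_xml`.
 ```aconf
 <parse>
 @type winevt_sax
+preserve_qualifiers true
 </parse>
 ```
 
+#### preserve_qualifiers
+
+Preserve Qualifiers key instead of calculating actual EventID with Qualifiers. Default is `true`.
+
 ## Copyright
 
 ### Copyright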
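--- a/data/appveyor.yml
+++ b/data/appveyor.yml
@@ -1,4 +1,5 @@
 version: '{build}'
+image: Visual Studio 2019
 
 # init:
 # - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
@@ -20,5 +21,9 @@ branches:
 # https://www.appveyor.com/docs/installed-software/#ruby
 environment:
 matrix:
-- ruby_version: "24-x64"
-- ruby_version: "24"
+- ruby_version: "30-x64"
+- ruby_version: "30"
+- ruby_version: "27-x64"
+- ruby_version: "27"
+- ruby_version: "26-x64"
+- ruby_version: "26"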
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-parser-winevt_xml"
7
- spec.version = "0.2.0"
7
+ spec.version = "0.2.3"
8
8
  spec.authors = ["Hiroshi Hatake", "Masahiro Nakagawa"]
9
9
  spec.email = ["cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
10
10
  spec.summary = %q{Fluentd Parser plugin to parse XML rendered windows event log.}
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
19
19
 
20
20
  spec.add_development_dependency "bundler"
21
21
  spec.add_development_dependency "rake"
22
- spec.add_development_dependency "test-unit", "~> 3.2.0"
22
+ spec.add_development_dependency "test-unit", "~> 3.4.0"
23
23
  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
24
- spec.add_runtime_dependency "nokogiri", "~> 1.10"
24
+ spec.add_runtime_dependency "nokogiri", [">= 1.12.5", "< 1.13"]
25
25
  end
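Review bot: The new nokogiri constraint `[">= 1.12.5", "< 1.13"]` at line 24 adds an upper bound that the previous `~> 1.10` (any 1.x) did not have, so 1.13 and later releases, including any that carry security fixes, will be refused by bundler until the gemspec is edited again. If the raised floor is the part that matters — it reads like a security-motivated bump, though nothing on the page says so — `[">= 1.12.5", "< 2"]` mirrors the fluentd constraint on the line above and keeps the floor without the cap. Either way, a one-line comment above the dependency stating why 1.12.5 is required, e.g. `# nokogiri >= 1.12.5: <reason for the floor>`, would tell the next maintainer whether the cap is deliberate.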
@@ -6,12 +6,18 @@ module Fluent::Plugin
6
6
  class WinevtSAXparser < Parser
7
7
  Fluent::Plugin.register_parser('winevt_sax', self)
8
8
 
9
+ config_param :preserve_qualifiers, :bool, default: true
10
+
9
11
  def winevt_xml?
10
12
  true
11
13
  end
12
14
 
15
+ def preserve_qualifiers?
16
+ @preserve_qualifiers
17
+ end
18
+
13
19
  def parse(text)
14
- evtxml = WinevtXMLDocument.new
20
+ evtxml = WinevtXMLDocument.new(@preserve_qualifiers)
15
21
  parser = Nokogiri::XML::SAX::Parser.new(evtxml)
16
22
  parser.parse(text)
17
23
  time = @estimate_current_event ? Fluent::EventTime.now : nil
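Review bot: The new `config_param :preserve_qualifiers` at line 9 carries no comment saying what the option changes, and the predicate `preserve_qualifiers?` added at lines 15–17 is not used by `parse`, which reads `@preserve_qualifiers` directly at line 20. A comment above the config_param such as `# When false, the record's EventID is replaced by MAKELONG(EventID, Qualifiers) and the Qualifiers key is dropped (see WinevtXMLDocument#result)` documents the contract where operators will look for it, and `WinevtXMLDocument.new(preserve_qualifiers?)` gives the predicate a caller. parser_winevt_xml.rb has the same shape: `parse` tests `@preserve_qualifiers` at its line 41 although the identical predicate exists there too. `parse` continues past the end of this hunk.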
@@ -5,18 +5,43 @@ module Fluent::Plugin
5
5
  class WinevtXMLparser < Parser
6
6
  Fluent::Plugin.register_parser('winevt_xml', self)
7
7
 
8
+ config_param :preserve_qualifiers, :bool, default: true
9
+
8
10
  def winevt_xml?
9
11
  true
10
12
  end
11
13
 
14
+ def preserve_qualifiers?
15
+ @preserve_qualifiers
16
+ end
17
+
18
+ def MAKELONG(low, high)
19
+ (low & 0xffff) | (high & 0xffff) << 16
20
+ end
21
+
22
+ def event_id(system_elem)
23
+ return (system_elem/'EventID').text rescue nil if @preserve_qualifiers
24
+
25
+ qualifiers = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
26
+ if qualifiers
27
+ event_id = (system_elem/'EventID').text
28
+ event_id = MAKELONG(event_id.to_i, qualifiers.to_i)
29
+ event_id.to_s
30
+ else
31
+ (system_elem/'EventID').text rescue nil
32
+ end
33
+ end
34
+
12
35
  def parse(text)
13
36
  record = {}
14
37
  doc = Nokogiri::XML(text)
15
38
  system_elem = doc/'Event'/'System'
16
39
  record["ProviderName"] = (system_elem/"Provider").attribute("Name").text rescue nil
17
40
  record["ProviderGUID"] = (system_elem/"Provider").attribute("Guid").text rescue nil
18
- record["EventID"] = (system_elem/'EventID').text rescue nil
19
- record["Qualifiers"] = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
41
+ if @preserve_qualifiers
42
+ record["Qualifiers"] = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
43
+ end
44
+ record["EventID"] = event_id(system_elem)
20
45
  record["Level"] = (system_elem/'Level').text rescue nil
21
46
  record["Task"] = (system_elem/'Task').text rescue nil
22
47
  record["Opcode"] = (system_elem/'Opcode').text rescue nil
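Review bot: The first line of the new `event_id` at line 23, `return (system_elem/'EventID').text rescue nil if @preserve_qualifiers`, stacks two modifiers on a `return`; it is hard to read and, depending on how Ruby binds `rescue` to `return`, an exception in the lookup would fall through into the qualifier branch instead of returning nil. The method also evaluates `system_elem/'EventID'` three times, and the local `event_id` at lines 27–28 shadows the method's own name. Below is a flatter version that looks the node up once and uses guard clauses; `MAKELONG` (here and at line 11 of winevt_sax_document.rb) should be named `make_long`, since a capitalised method name can only be called with parentheses. Note that `to_i` silently maps non-numeric text to 0, which the rewrite keeps.
```ruby
    def event_id(system_elem)
      node = system_elem/'EventID'
      text = node.text rescue nil
      return text if @preserve_qualifiers

      qualifiers = node.attribute("Qualifiers").text rescue nil
      return text unless qualifiers

      MAKELONG(text.to_i, qualifiers.to_i).to_s
    end
```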
@@ -1,12 +1,35 @@
1
1
  require 'nokogiri'
2
2
 
3
3
  class WinevtXMLDocument < Nokogiri::XML::SAX::Document
4
- attr_reader :result
5
-
6
- def initialize
4
+ def initialize(preserve_qualifiers)
7
5
  @stack = []
8
6
  @result = {}
9
- super
7
+ @preserve_qualifiers = preserve_qualifiers
8
+ super()
9
+ end
10
+
11
+ def MAKELONG(low, high)
12
+ (low & 0xffff) | (high & 0xffff) << 16
13
+ end
14
+
15
+ def event_id
16
+ if @result.has_key?("Qualifiers")
17
+ qualifiers = @result.delete("Qualifiers")
18
+ event_id = @result['EventID']
19
+ event_id = MAKELONG(event_id.to_i, qualifiers.to_i)
20
+ @result['EventID'] = event_id.to_s
21
+ else
22
+ @result['EventID']
23
+ end
24
+ end
25
+
26
+ def result
27
+ return @result if @preserve_qualifiers
28
+
29
+ if @result
30
+ @result['EventID'] = event_id
31
+ end
32
+ @result
10
33
  end
11
34
 
12
35
  def start_document
@@ -16,7 +39,7 @@ class WinevtXMLDocument < Nokogiri::XML::SAX::Document
16
39
  @stack << name
17
40
 
18
41
  if name == "Provider"
19
- @result["PrividerName"] = attributes[0][1] rescue nil
42
+ @result["ProviderName"] = attributes[0][1] rescue nil
20
43
  @result["ProviderGUID"] = attributes[1][1] rescue nil
21
44
  elsif name == "EventID"
22
45
  @result["Qualifiers"] = attributes[0][1] rescue nil
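Review bot: In the new `result` at lines 26–33 the guard `if @result` is always true, because `initialize` assigns `@result = {}` at line 6; the two lines can simply be `@result['EventID'] = event_id` followed by `@result`. More importantly, `result` is a reader that rewrites `@result['EventID']` and deletes the `Qualifiers` key on its first call, and is idempotent only because the key is gone afterwards, which deserves a comment such as `# First call folds Qualifiers into EventID; later calls return the cached value`. Note also that the EventID branch of `start_element` at line 45 stores `Qualifiers` even when the attribute is absent (`rescue nil`), so with preserve_qualifiers false the `has_key?` branch of `event_id` always runs and `nil.to_i` becomes 0, which truncates any EventID above 0xffff to its low 16 bits; testing `@result["Qualifiers"]` for truthiness (or `@result.key?` plus a nil check) avoids that.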
@@ -0,0 +1 @@
1
+ <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-SPP' Guid='{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}' EventSourceName='Software Protection Platform Service'/><EventID Qualifiers='49152'>16394</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2020-01-16T09:57:18.013693700Z'/><EventRecordID>150731</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>DESKTOP-G457RDR</Computer><Security/></System><EventData></EventData></Event>
@@ -1,4 +1,4 @@
1
- require 'helper'
1
+ require_relative '../helper'
2
2
 
3
3
  class WinevtSAXparserTest < Test::Unit::TestCase
4
4
 
@@ -16,7 +16,7 @@ class WinevtSAXparserTest < Test::Unit::TestCase
16
16
  def test_parse
17
17
  d = create_driver
18
18
  xml = XMLLOG
19
- expected = {"PrividerName" => "Microsoft-Windows-Security-Auditing",
19
+ expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
20
20
  "ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
21
21
  "EventID" => "4624",
22
22
  "Qualifiers" => nil,
@@ -40,4 +40,40 @@ class WinevtSAXparserTest < Test::Unit::TestCase
40
40
 
41
41
  assert_true(d.instance.winevt_xml?)
42
42
  end
43
+
44
+ class QualifiersTest < self
45
+ def setup
46
+ @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
47
+ end
48
+
49
+ def teardown
50
+ @xml.close
51
+ end
52
+
53
+ def test_parse_without_qualifiers
54
+ d = create_driver CONFIG + %[preserve_qualifiers false]
55
+ expected = {"ActivityID" => nil,
56
+ "Channel" => "Application",
57
+ "Computer" => "DESKTOP-G457RDR",
58
+ "EventID" => "3221241866",
59
+ "EventRecordID" => "150731",
60
+ "Keywords" => "0x80000000000000",
61
+ "Level" => "4",
62
+ "Opcode" => "0",
63
+ "ProcessID" => "0",
64
+ "ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
65
+ "ProviderName" => "Microsoft-Windows-Security-SPP",
66
+ "RelatedActivityID" => nil,
67
+ "Task" => "0",
68
+ "ThreadID" => "0",
69
+ "TimeCreated" => "2020-01-16T09:57:18.013693700Z",
70
+ "UserID" => nil,
71
+ "Version" => "0"}
72
+ d.instance.parse(@xml) do |time, record|
73
+ assert_equal(expected, record)
74
+ end
75
+
76
+ assert_true(d.instance.winevt_xml?)
77
+ end
78
+ end
43
79
  end
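Review bot: In the new `test_parse_without_qualifiers` at lines 72–74 the only comparison against `expected` runs inside the block passed to `parse`, so if the parser never yields (for example on an empty or unparsable document) the test passes without checking anything. A `yielded = false` flag set to true inside the block, followed by `assert_true(yielded)` after it, closes that gap, and the unused block parameter should be written `_time`. The `test_without_qualifiers` added to test_parser_winevt_xml.rb has the same shape.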
@@ -1,4 +1,4 @@
1
- require 'helper'
1
+ require_relative '../helper'
2
2
 
3
3
  class WinevtXMLparserTest < Test::Unit::TestCase
4
4
 
@@ -7,7 +7,7 @@ class WinevtXMLparserTest < Test::Unit::TestCase
7
7
  end
8
8
 
9
9
  CONFIG = %[]
10
- XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
10
+ XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml"))
11
11
 
12
12
  def create_driver(conf = CONFIG)
13
13
  Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
@@ -37,7 +37,44 @@ class WinevtXMLparserTest < Test::Unit::TestCase
37
37
  d.instance.parse(xml) do |time, record|
38
38
  assert_equal(expected, record)
39
39
  end
40
+ xml.close
40
41
 
41
42
  assert_true(d.instance.winevt_xml?)
42
43
  end
44
+
45
+ class QualifiersTest < self
46
+ def setup
47
+ @xml = File.open(File.join(__dir__, "..", "data", "eventlog-with-qualifiers.xml"))
48
+ end
49
+
50
+ def teardown
51
+ @xml.close
52
+ end
53
+
54
+ def test_without_qualifiers
55
+ d = create_driver CONFIG + %[preserve_qualifiers false]
56
+ expected = {"ActivityID" => nil,
57
+ "Channel" => "Application",
58
+ "Computer" => "DESKTOP-G457RDR",
59
+ "EventID" => "3221241866",
60
+ "EventRecordID" => "150731",
61
+ "Keywords" => "0x80000000000000",
62
+ "Level" => "4",
63
+ "Opcode" => "0",
64
+ "ProcessID" => "0",
65
+ "ProviderGUID" => "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}",
66
+ "ProviderName" => "Microsoft-Windows-Security-SPP",
67
+ "RelatedActivityID" => nil,
68
+ "Task" => "0",
69
+ "ThreadID" => "0",
70
+ "TimeCreated" => "2020-01-16T09:57:18.013693700Z",
71
+ "UserID" => nil,
72
+ "Version" => "0"}
73
+ d.instance.parse(@xml) do |time, record|
74
+ assert_equal(expected, record)
75
+ end
76
+
77
+ assert_true(d.instance.winevt_xml?)
78
+ end
79
+ end
43
80
  end
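Review bot: The `xml.close` added at line 40 appears to close the class-level `XMLLOG` handle opened at line 10 of this file (the `xml = XMLLOG` assignment itself lies outside the hunk, so this is inferred), which means any other test in the class that reads it after this one would fail with a closed-stream `IOError`, and even without the close a second read from the same handle would likely start at EOF. Opening the fixture per test in `setup`/`teardown`, as the new `QualifiersTest` at lines 46–52 does, or reading it into a String constant with `XMLLOG = File.read(...)`, removes the shared handle altogether. The enclosing test method starts before this hunk.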
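--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-parser-winevt_xml
 version: !ruby/object:Gem::Version
-version: 0.2.0
+version: 0.2.3
 platform: ruby
 authors:
 - Hiroshi Hatake
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-11 00:00:00.000000000 Z
+date: 2021-09-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -45,14 +45,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.2.0
+version: 3.4.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.2.0
+version: 3.4.0
 - !ruby/object:Gem::Dependency
 name: fluentd
 requirement: !ruby/object:Gem::Requirement
@@ -77,16 +77,22 @@ dependencies:
 name: nokogiri
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.12.5
+- - "<"
 - !ruby/object:Gem::Version
-version: '1.10'
+version: '1.13'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.12.5
+- - "<"
 - !ruby/object:Gem::Version
-version: '1.10'
+version: '1.13'
 description: Fluentd Parser plugin to parse XML rendered windows event log.
 email:
 - cosmo0920.oucc@gmail.com
@@ -95,8 +101,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/linux-test.yaml"
+- ".github/workflows/macos-test.yaml"
+- ".github/workflows/windows-test.yaml"
 - ".gitignore"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -106,6 +114,7 @@ files:
 - lib/fluent/plugin/parser_winevt_sax.rb
 - lib/fluent/plugin/parser_winevt_xml.rb
 - lib/fluent/plugin/winevt_sax_document.rb
+- test/data/eventlog-with-qualifiers.xml
 - test/data/eventlog.xml
 - test/helper.rb
 - test/plugin/test_parser_winevt_sax.rb
@@ -129,11 +138,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: Fluentd Parser plugin to parse XML rendered windows event log.
 test_files:
+- test/data/eventlog-with-qualifiers.xml
 - test/data/eventlog.xml
 - test/helper.rb
 - test/plugin/test_parser_winevt_sax.rb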
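--- a/data/.travis.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-language: ruby
-
-rvm:
-- 2.3
-- 2.4.5
-- 2.5.3
-- 2.6.0
-
-gemfile:
-- Gemfile
-
-before_install:
-- gem update --system=2.7.8
-
-script: bundle exec rake test
-sudo: false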