fluent-plugin-parser-winevt_xml 0.1.2 → 0.2.0
- checksums.yaml +4 -4
- data/README.md +12 -0
- data/fluent-plugin-parser-winevt_xml.gemspec +1 -1
- data/lib/fluent/plugin/parser_winevt_sax.rb +21 -0
- data/lib/fluent/plugin/parser_winevt_xml.rb +3 -2
- data/lib/fluent/plugin/winevt_sax_document.rb +50 -0
- data/test/helper.rb +1 -0
- data/test/plugin/test_parser_winevt_sax.rb +43 -0
- data/test/plugin/test_parser_winevt_xml.rb +3 -2
- metadata +6 -2
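--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0c3d11e84c92255ce5fbe0813857d38a5f59824985a0453b0f2fd7880d0a9000
+data.tar.gz: 0fae4fa404654a30cfa0c101a34074c3ece238be70bdb79cd19ceeea3a1206e0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7b08784bd72df92216146953b49dd69d559e6d40373326e54f72cca6ca981b192901aca427ca3a61064c37ab9aebb82379bf6be72675021748e784f95c62f486
+data.tar.gz: 9a0c3fede86321a65baa5373123a085c72a6bbb81e146b29383bd9c979d4c71e5f865bb97387743619e87f56bcfdfd375e193dd3015525bd323c3d5f2e95d07a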
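--- a/data/README.md
+++ b/data/README.md
@@ -17,12 +17,24 @@ gem install fluent-plugin-parser-winevt_xml
 
 ## Configuration
 
+### parser_winevt_xml
+
 ```aconf
 <parse>
 @type winevt_xml
 </parse>
 ```
 
+### parser_winevt_sax
+
+This plugin is a bit faster than `winevt_xml`.
+
+```aconf
+<parse>
+@type winevt_sax
+</parse>
+```
+
 ## Copyright
 
 ### Copyright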
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
4
|
|
5
5
|
Gem::Specification.new do |spec|
|
6
6
|
spec.name = "fluent-plugin-parser-winevt_xml"
|
7
|
-
spec.version = "0.
|
7
|
+
spec.version = "0.2.0"
|
8
8
|
spec.authors = ["Hiroshi Hatake", "Masahiro Nakagawa"]
|
9
9
|
spec.email = ["cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
|
10
10
|
spec.summary = %q{Fluentd Parser plugin to parse XML rendered windows event log.}
|
@@ -0,0 +1,21 @@
|
|
1
|
+
require 'fluent/plugin/parser'
|
2
|
+
require 'fluent/plugin/winevt_sax_document'
|
3
|
+
require 'nokogiri'
|
4
|
+
|
5
|
+
module Fluent::Plugin
|
6
|
+
class WinevtSAXparser < Parser
|
7
|
+
Fluent::Plugin.register_parser('winevt_sax', self)
|
8
|
+
|
9
|
+
def winevt_xml?
|
10
|
+
true
|
11
|
+
end
|
12
|
+
|
13
|
+
def parse(text)
|
14
|
+
evtxml = WinevtXMLDocument.new
|
15
|
+
parser = Nokogiri::XML::SAX::Parser.new(evtxml)
|
16
|
+
parser.parse(text)
|
17
|
+
time = @estimate_current_event ? Fluent::EventTime.now : nil
|
18
|
+
yield time, evtxml.result
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
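Review bot: `parse` never uses the `TimeCreated` value that the SAX handler extracts into the record — `time` is `Fluent::EventTime.now` when `@estimate_current_event` is set and `nil` otherwise, so downstream receives either an approximate or an absent timestamp even though the event carries an exact one. If leaving the timestamp to the caller is intentional, say so on the `time =` line, e.g. `# event time is left to the caller (nil) unless estimate_current_event; the exact stamp stays in record["TimeCreated"]`. `winevt_xml?` also deserves a one-line comment naming what queries it, since a bare `true` with no caller visible here reads as dead code; something like `# Marker hook for consumers that need to know this parser emits winevt records — confirm the caller` would do.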
@@ -23,9 +23,10 @@ module Fluent::Plugin
|
|
23
23
|
record["Keywords"] = (system_elem/'Keywords').text rescue nil
|
24
24
|
record["TimeCreated"] = (system_elem/'TimeCreated').attribute("SystemTime").text rescue nil
|
25
25
|
record["EventRecordID"] = (system_elem/'EventRecordID').text rescue nil
|
26
|
-
record["ActivityID"] = (system_elem/'ActivityID').text rescue nil
|
27
|
-
record["RelatedActivityID"] = (system_elem/'Correlation').attribute("
|
26
|
+
record["ActivityID"] = (system_elem/'Correlation').attribute('ActivityID').text rescue nil
|
27
|
+
record["RelatedActivityID"] = (system_elem/'Correlation').attribute("RelatedActivityID").text rescue nil
|
28
28
|
record["ThreadID"] = (system_elem/'Execution').attribute("ThreadID").text rescue nil
|
29
|
+
record["ProcessID"] = (system_elem/'Execution').attribute("ProcessID").text rescue nil
|
29
30
|
record["Channel"] = (system_elem/'Channel').text rescue nil
|
30
31
|
record["Computer"] = (system_elem/"Computer").text rescue nil
|
31
32
|
record["UserID"] = (system_elem/'Security').attribute("UserID").text rescue nil
|
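Review bot: The replacement lines for `ActivityID` and `RelatedActivityID` and the new `ProcessID` line keep the bare `rescue nil` modifier, which turns every StandardError raised in the chain — not just a missing attribute — into a silent `nil`; `(system_elem/'Correlation').attribute('ActivityID')&.text` should express the "attribute may be absent" case without masking other failures, assuming the gem's supported Ruby is 2.3 or later. The new lines also mix quoting styles (`'ActivityID'` against `"RelatedActivityID"`) on adjacent lines, while the rest of the hunk uses double quotes for attribute names. The enclosing method begins and ends outside this hunk.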
@@ -0,0 +1,50 @@
|
|
1
|
+
require 'nokogiri'
|
2
|
+
|
3
|
+
class WinevtXMLDocument < Nokogiri::XML::SAX::Document
|
4
|
+
attr_reader :result
|
5
|
+
|
6
|
+
def initialize
|
7
|
+
@stack = []
|
8
|
+
@result = {}
|
9
|
+
super
|
10
|
+
end
|
11
|
+
|
12
|
+
def start_document
|
13
|
+
end
|
14
|
+
|
15
|
+
def start_element(name, attributes = [])
|
16
|
+
@stack << name
|
17
|
+
|
18
|
+
if name == "Provider"
|
19
|
+
@result["PrividerName"] = attributes[0][1] rescue nil
|
20
|
+
@result["ProviderGUID"] = attributes[1][1] rescue nil
|
21
|
+
elsif name == "EventID"
|
22
|
+
@result["Qualifiers"] = attributes[0][1] rescue nil
|
23
|
+
elsif name == "TimeCreated"
|
24
|
+
@result["TimeCreated"] = attributes[0][1] rescue nil
|
25
|
+
elsif name == "Correlation"
|
26
|
+
@result["ActivityID"] = attributes[0][1] rescue nil
|
27
|
+
@result["RelatedActivityID"] = attributes[1][1] rescue nil
|
28
|
+
elsif name == "Execution"
|
29
|
+
@result["ProcessID"] = attributes[0][1] rescue nil
|
30
|
+
@result["ThreadID"] = attributes[1][1] rescue nil
|
31
|
+
elsif name == "Security"
|
32
|
+
@result["UserID"] = attributes[0][1] rescue nil
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
def characters(string)
|
37
|
+
element = @stack.last
|
38
|
+
|
39
|
+
if /^EventID|Level|Task|Opcode|Keywords|EventRecordID|
|
40
|
+
ActivityID|Channel|Computer|Security|Version$/ === element
|
41
|
+
@result[element] = string
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
def end_element(name, attributes = [])
|
46
|
+
end
|
47
|
+
|
48
|
+
def end_document
|
49
|
+
end
|
50
|
+
end
|
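Review bot: `end_element` is empty, so `@stack` only grows and `@stack.last` in `characters` keeps naming the most recently opened element after it has closed; any character data that follows — indentation whitespace in pretty-printed input, or tail text — is then written over that element's value (for example `EventID`), and because `@result[element] = string` assigns rather than appends, text the parser delivers in several chunks keeps only the last chunk. Popping in `end_element` (`@stack.pop`) and appending in `characters` (`@result[element] = (@result[element] || "") + string`) addresses both and should leave the tested output unchanged. Attribute values are also read by position (`attributes[0][1]`, `attributes[1][1]`) rather than by name, so an element whose attributes are absent or differently ordered (say a `Correlation` carrying only `RelatedActivityID`) lands in the wrong key; `attributes.to_h["Guid"]`-style lookups would match the by-name behaviour of the XPath-based parser. The `"PrividerName"` key looks like a typo for `"ProviderName"`, though renaming it changes the record consumers see and the new test asserts on the misspelled key.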
data/test/helper.rb
CHANGED
@@ -0,0 +1,43 @@
|
|
1
|
+
require 'helper'
|
2
|
+
|
3
|
+
class WinevtSAXparserTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
def setup
|
6
|
+
Fluent::Test.setup
|
7
|
+
end
|
8
|
+
|
9
|
+
CONFIG = %[]
|
10
|
+
XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
|
11
|
+
|
12
|
+
def create_driver(conf = CONFIG)
|
13
|
+
Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
|
14
|
+
end
|
15
|
+
|
16
|
+
def test_parse
|
17
|
+
d = create_driver
|
18
|
+
xml = XMLLOG
|
19
|
+
expected = {"PrividerName" => "Microsoft-Windows-Security-Auditing",
|
20
|
+
"ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
|
21
|
+
"EventID" => "4624",
|
22
|
+
"Qualifiers" => nil,
|
23
|
+
"Level" => "0",
|
24
|
+
"Task" => "12544",
|
25
|
+
"Opcode" => "0",
|
26
|
+
"Keywords" => "0x8020000000000000",
|
27
|
+
"TimeCreated" => "2019-06-13T09:21:23.345889600Z",
|
28
|
+
"EventRecordID" => "80688",
|
29
|
+
"ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
|
30
|
+
"RelatedActivityID" => nil,
|
31
|
+
"ProcessID" => "912",
|
32
|
+
"ThreadID" => "24708",
|
33
|
+
"Channel" => "Security",
|
34
|
+
"Computer" => "Fluentd-Developing-Windows",
|
35
|
+
"UserID" => nil,
|
36
|
+
"Version" => "2",}
|
37
|
+
d.instance.parse(xml) do |time, record|
|
38
|
+
assert_equal(expected, record)
|
39
|
+
end
|
40
|
+
|
41
|
+
assert_true(d.instance.winevt_xml?)
|
42
|
+
end
|
43
|
+
end
|
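Review bot: `XMLLOG = File.open(...)` stores an open, never-closed `File` handle in a constant and hands an IO rather than a String to `parse`; Nokogiri accepts both, but the handle lives for the whole process and a second read in the same process would start at EOF because the position is never rewound. `XMLLOG = File.read(File.join(__dir__, "..", "data", "eventlog.xml"))` gives the parser a plain string and leaks nothing. The assertion inside the `parse` block only runs if the block is yielded, so a parser that silently yields nothing would still pass — consider capturing the record in a local and asserting on it after the call. This hunk appears under the `data/test/helper.rb` header, but its 43 added lines match the `test/plugin/test_parser_winevt_sax.rb` entry in the diffstat, so the header label seems misplaced.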
@@ -26,8 +26,9 @@ class WinevtXMLparserTest < Test::Unit::TestCase
|
|
26
26
|
"Keywords" => "0x8020000000000000",
|
27
27
|
"TimeCreated" => "2019-06-13T09:21:23.345889600Z",
|
28
28
|
"EventRecordID" => "80688",
|
29
|
-
"ActivityID" => "",
|
30
|
-
"RelatedActivityID" =>
|
29
|
+
"ActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
|
30
|
+
"RelatedActivityID" => nil,
|
31
|
+
"ProcessID" => "912",
|
31
32
|
"ThreadID" => "24708",
|
32
33
|
"Channel" => "Security",
|
33
34
|
"Computer" => "Fluentd-Developing-Windows",
|
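--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-parser-winevt_xml
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.2.0
 platform: ruby
 authors:
 - Hiroshi Hatake
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-
+date: 2019-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -103,9 +103,12 @@ files:
 - Rakefile
 - appveyor.yml
 - fluent-plugin-parser-winevt_xml.gemspec
+- lib/fluent/plugin/parser_winevt_sax.rb
 - lib/fluent/plugin/parser_winevt_xml.rb
+- lib/fluent/plugin/winevt_sax_document.rb
 - test/data/eventlog.xml
 - test/helper.rb
+- test/plugin/test_parser_winevt_sax.rb
 - test/plugin/test_parser_winevt_xml.rb
 homepage: https://github.com/fluent/fluent-plugin-parser-winevt_xml
 licenses:
@@ -133,4 +136,5 @@ summary: Fluentd Parser plugin to parse XML rendered windows event log.
 test_files:
 - test/data/eventlog.xml
 - test/helper.rb
+- test/plugin/test_parser_winevt_sax.rb
 - test/plugin/test_parser_winevt_xml.rb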