RubyGems - fluent-plugin-parser-winevt_xml - Versions diffs - 0.1.2 → 0.2.0 - Mend

fluent-plugin-parser-winevt_xml 0.1.2 → 0.2.0

Files changed (10) hide show

checksums.yaml +4 -4
data/README.md +12 -0
data/fluent-plugin-parser-winevt_xml.gemspec +1 -1
data/lib/fluent/plugin/parser_winevt_sax.rb +21 -0
data/lib/fluent/plugin/parser_winevt_xml.rb +3 -2
data/lib/fluent/plugin/winevt_sax_document.rb +50 -0
data/test/helper.rb +1 -0
data/test/plugin/test_parser_winevt_sax.rb +43 -0
data/test/plugin/test_parser_winevt_xml.rb +3 -2
metadata +6 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7411e3cffa23808b75834b504b3c72aef7d9d23ad2d39a26455b9e7ff5a3c3ae
-  data.tar.gz: 71cdf36beee23db60f832a6aad6544e06799df70e2863fd9eea5ce28ea653b69
+  metadata.gz: 0c3d11e84c92255ce5fbe0813857d38a5f59824985a0453b0f2fd7880d0a9000
+  data.tar.gz: 0fae4fa404654a30cfa0c101a34074c3ece238be70bdb79cd19ceeea3a1206e0
 SHA512:
-  metadata.gz: bafcecd0c1e43f66fd96250a9f0c0268389534324091c1b67813bec7474d93f88b4c7869d6cada2ec79f1733c319d2a14d9fc9cc1089cb1b3324a75dc12126d6
-  data.tar.gz: ac0d44e0f2680dc364d377f94aca62b94e384441ab4c05b81f115b4963aecaf2baed8945725d21ac3b06d5bb166dcadf08c4ed0def8bf226779ac5603fdb47ad
+  metadata.gz: 7b08784bd72df92216146953b49dd69d559e6d40373326e54f72cca6ca981b192901aca427ca3a61064c37ab9aebb82379bf6be72675021748e784f95c62f486
+  data.tar.gz: 9a0c3fede86321a65baa5373123a085c72a6bbb81e146b29383bd9c979d4c71e5f865bb97387743619e87f56bcfdfd375e193dd3015525bd323c3d5f2e95d07a

data/README.md CHANGED Viewed

@@ -17,12 +17,24 @@ gem install fluent-plugin-parser-winevt_xml
 ## Configuration
+### parser_winevt_xml
 ```aconf
 <parse>
   @type winevt_xml
 </parse>
 ```
+### parser_winevt_sax
+This plugin is a bit faster than `winevt_xml`.
+```aconf
+<parse>
+  @type winevt_sax
+</parse>
+```
 ## Copyright
 ### Copyright

data/fluent-plugin-parser-winevt_xml.gemspec CHANGED Viewed

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-parser-winevt_xml"
-  spec.version       = "0.1.2"
+  spec.version       = "0.2.0"
   spec.authors       = ["Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Parser plugin to parse XML rendered windows event log.}

data/lib/fluent/plugin/parser_winevt_sax.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'fluent/plugin/parser'
+require 'fluent/plugin/winevt_sax_document'
+require 'nokogiri'
+module Fluent::Plugin
+  class WinevtSAXparser < Parser
+    Fluent::Plugin.register_parser('winevt_sax', self)
+    def winevt_xml?
+      true
+    end
+    def parse(text)
+      evtxml = WinevtXMLDocument.new
+      parser = Nokogiri::XML::SAX::Parser.new(evtxml)
+      parser.parse(text)
+      time = @estimate_current_event ? Fluent::EventTime.now : nil
+      yield time, evtxml.result
+    end
+  end
+end

data/lib/fluent/plugin/parser_winevt_xml.rb CHANGED Viewed

@@ -23,9 +23,10 @@ module Fluent::Plugin
       record["Keywords"]              = (system_elem/'Keywords').text rescue nil
       record["TimeCreated"]           = (system_elem/'TimeCreated').attribute("SystemTime").text rescue nil
       record["EventRecordID"]         = (system_elem/'EventRecordID').text rescue nil
-      record["ActivityID"]            = (system_elem/'ActivityID').text rescue nil
-      record["RelatedActivityID"]     = (system_elem/'Correlation').attribute("ActivityID").text rescue nil
+      record["ActivityID"]            = (system_elem/'Correlation').attribute('ActivityID').text rescue nil
+      record["RelatedActivityID"]     = (system_elem/'Correlation').attribute("RelatedActivityID").text rescue nil
       record["ThreadID"]              = (system_elem/'Execution').attribute("ThreadID").text rescue nil
+      record["ProcessID"]             = (system_elem/'Execution').attribute("ProcessID").text rescue nil
       record["Channel"]               = (system_elem/'Channel').text rescue nil
       record["Computer"]              = (system_elem/"Computer").text rescue nil
       record["UserID"]                = (system_elem/'Security').attribute("UserID").text rescue nil

data/lib/fluent/plugin/winevt_sax_document.rb ADDED Viewed

@@ -0,0 +1,50 @@
+require 'nokogiri'
+class WinevtXMLDocument < Nokogiri::XML::SAX::Document
+  attr_reader :result
+  def initialize
+    @stack = []
+    @result = {}
+    super
+  end
+  def start_document
+  end
+  def start_element(name, attributes = [])
+    @stack << name
+    if name == "Provider"
+      @result["PrividerName"] = attributes[0][1] rescue nil
+      @result["ProviderGUID"] = attributes[1][1] rescue nil
+    elsif name == "EventID"
+      @result["Qualifiers"] = attributes[0][1] rescue nil
+    elsif name == "TimeCreated"
+      @result["TimeCreated"] = attributes[0][1] rescue nil
+    elsif name == "Correlation"
+      @result["ActivityID"] = attributes[0][1] rescue nil
+      @result["RelatedActivityID"] = attributes[1][1] rescue nil
+    elsif name == "Execution"
+      @result["ProcessID"] = attributes[0][1] rescue nil
+      @result["ThreadID"] = attributes[1][1] rescue nil
+    elsif name == "Security"
+      @result["UserID"] = attributes[0][1] rescue nil
+    end
+  end
+  def characters(string)
+    element = @stack.last
+    if /^EventID|Level|Task|Opcode|Keywords|EventRecordID|
+        ActivityID|Channel|Computer|Security|Version$/ === element
+      @result[element] = string
+    end
+  end
+  def end_element(name, attributes = [])
+  end
+  def end_document
+  end
+end

data/test/helper.rb CHANGED Viewed

@@ -15,6 +15,7 @@ require 'fluent/test'
 require 'fluent/test/driver/parser'
 require 'fluent/plugin/parser_winevt_xml'
+require 'fluent/plugin/parser_winevt_sax'
 class Test::Unit::TestCase
 end

data/test/plugin/test_parser_winevt_sax.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'helper'
+class WinevtSAXparserTest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+  end
+  CONFIG = %[]
+  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
+  def create_driver(conf = CONFIG)
+    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtSAXparser).configure(conf)
+  end
+  def test_parse
+    d = create_driver
+    xml = XMLLOG
+    expected = {"PrividerName"      => "Microsoft-Windows-Security-Auditing",
+                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "EventID"           => "4624",
+                "Qualifiers"        => nil,
+                "Level"             => "0",
+                "Task"              => "12544",
+                "Opcode"            => "0",
+                "Keywords"          => "0x8020000000000000",
+                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
+                "EventRecordID"     => "80688",
+                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "RelatedActivityID" => nil,
+                "ProcessID"         => "912",
+                "ThreadID"          => "24708",
+                "Channel"           => "Security",
+                "Computer"          => "Fluentd-Developing-Windows",
+                "UserID"            => nil,
+                "Version"           => "2",}
+    d.instance.parse(xml) do |time, record|
+      assert_equal(expected, record)
+    end
+    assert_true(d.instance.winevt_xml?)
+  end
+end

data/test/plugin/test_parser_winevt_xml.rb CHANGED Viewed

@@ -26,8 +26,9 @@ class WinevtXMLparserTest < Test::Unit::TestCase
                 "Keywords"          => "0x8020000000000000",
                 "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
                 "EventRecordID"     => "80688",
-                "ActivityID"        => "",
-                "RelatedActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "ActivityID"        => "{587F0743-1F71-0006-5007-7F58711FD501}",
+                "RelatedActivityID" => nil,
+                "ProcessID"         => "912",
                 "ThreadID"          => "24708",
                 "Channel"           => "Security",
                 "Computer"          => "Fluentd-Developing-Windows",

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-parser-winevt_xml
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Hiroshi Hatake
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-10 00:00:00.000000000 Z
+date: 2019-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -103,9 +103,12 @@ files:
 - Rakefile
 - appveyor.yml
 - fluent-plugin-parser-winevt_xml.gemspec
+- lib/fluent/plugin/parser_winevt_sax.rb
 - lib/fluent/plugin/parser_winevt_xml.rb
+- lib/fluent/plugin/winevt_sax_document.rb
 - test/data/eventlog.xml
 - test/helper.rb
+- test/plugin/test_parser_winevt_sax.rb
 - test/plugin/test_parser_winevt_xml.rb
 homepage: https://github.com/fluent/fluent-plugin-parser-winevt_xml
 licenses:
@@ -133,4 +136,5 @@ summary: Fluentd Parser plugin to parse XML rendered windows event log.
 test_files:
 - test/data/eventlog.xml
 - test/helper.rb
+- test/plugin/test_parser_winevt_sax.rb
 - test/plugin/test_parser_winevt_xml.rb