fluent-plugin-windows-eventlog 0.2.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 44561910d111a16a85de6b5d9faee8cf052fed71
-  data.tar.gz: 2bc58308403d20000efe50f2b6f73e86a9a6585a
+  metadata.gz: 31b8825e93acb7560e0faf0ccd8805c5536c4abe
+  data.tar.gz: '09d0929c2d91a475ea74b4f2cd5ec8691c2cd62c'
 SHA512:
-  metadata.gz: 194172daa6b8dd788a785d89e392e3698fe7ed6b8ffa0de360ddc89bf2bd9d37818d8abd43bf5c6e71434cffdd603a91126f674ab80c45455aeffe969a5101c2
-  data.tar.gz: 2b45ac6f8ce1c4d142ce1aae21104945c2bdb706db26c57eb6f9a0e2ef90ba468a7b3fd5172242817c6e43f3b1575b2167bcd5f65ebd52600f4f461f3c0780ad
+  metadata.gz: 6563ea82ba4b3ca319e04d477d58ba7e14ff171fccd3b01a74172ada116766f3fb8782c41e62b02c950e0ee1708a1e16579c6aa334a63b9eed70fede15a5c8be
+  data.tar.gz: 597d95a5fb7e09723bfd12a59c57863759b24764e3572b25835ec80c241245809a2db089b328d8ea957df53b7e9e99fa40420f2ebf76cae0bc95e8fbf11716e0

data/README.md

@@ -2,7 +2,7 @@
 
 ## Component
 
-#### fluentd Input plugin for the Windows Event Log
+### fluentd Input plugin for the Windows Event Log
 
 [Fluentd](http://fluentd.org) plugin to read the Windows Event Log.
 
@@ -10,7 +10,8 @@
     gem install fluent-plugin-windows-eventlog
 
 ## Configuration
-#### fluentd Input plugin for the Windows Event Log
+
+### fluentd Input plugin for the Windows Event Log
 
     <source>
       @type windows_eventlog
@@ -26,19 +27,21 @@
       </storage>
     </source>
 
-#### parameters
+### parameters
 
 |name      | description |
 |:-----    |:-----       |
-|`channels`      | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
-|`keys`          | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
-|`read_interval` | (option) Read interval in seconds. 2 seconds as default.|
-|`from_encoding` | (option) Input character encoding. `nil` as default.|
-|`encoding`      | (option) Output character encoding. `nil` as default.|
-|`read_from_head`| (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
-|`<storage>`     | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
-
-#### read keys
+|`channels`         | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
+|`keys`             | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
+|`read_interval`    | (option) Read interval in seconds. 2 seconds as default.|
+|`from_encoding`    | (option) Input character encoding. `nil` as default.|
+|`encoding`         | (option) Output character encoding. `nil` as default.|
+|`read_from_head`   | (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
+|`<storage>`        | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
+|`parse_description`| (option) parse `description` field and set parsed result into the record. `parse` and `string_inserts` fields are removed|
+
+#### Available keys
+
 This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.
 
 |key|
@@ -55,9 +58,75 @@ This plugin reads the following fields from Windows Event Log entries. Use the `
 |`description`   |
 |`string_inserts`|
 
+#### `parse_description` details
+
+Here is an example with `parse_description true`.
+
+```
+{
+  "channel": "security",
+  "record_number": "91698",
+  "time_generated": "2017-08-29 20:12:29 +0000",
+  "time_written": "2017-08-29 20:12:29 +0000",
+  "event_id": "4798",
+  "event_type": "audit_success",
+  "event_category": "13824",
+  "source_name": "Microsoft-Windows-Security-Auditing",
+  "computer_name": "TEST",
+  "user": "",
+  "description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-XXX\r\n\tAccount Name:\t\tTEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x7dc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe\r\n",
+  "string_inserts": [
+    "Administrator",
+    "TEST",
+    "S-XXX-YYY-ZZZ",
+    "S-XXX",
+    "TEST$",
+    "WORKGROUP",
+    "0x3e7",
+    "0x7dc",
+    "C:\\Windows\\System32\\LogonUI.exe"
+  ]
+}
+```
+
+This record is transformed to
+
+```
+{
+  "channel": "security",
+  "record_number": "91698",
+  "time_generated": "2017-08-29 20:12:29 +0000",
+  "time_written": "2017-08-29 20:12:29 +0000",
+  "event_id": "4798",
+  "event_type": "audit_success",
+  "event_category": "13824",
+  "source_name": "Microsoft-Windows-Security-Auditing",
+  "computer_name": "TEST",
+  "user": "",
+  "description_title": "A user's local group membership was enumerated.",
+  "subject.security_id": "S-XXX",
+  "subject.account_name": "TEST$",
+  "subject.account_domain": "WORKGROUP",
+  "subject.logon_id": "0x3e7",
+  "user.security_id": "S-XXX-YYY-ZZZ",
+  "user.account_name": "Administrator",
+  "user.account_domain": "TEST",
+  "process_information.process_id": "0x7dc",
+  "process_information.process_name": "C:\\Windows\\System32\\LogonUI.exe\r\n"
+}
+```
+
+NOTE: This feature assumes `description` field has following formats:
+
+- group delimiter: `\r\n\r\n`
+- record delimiter: `\r\n\t`
+- field delimiter: `\t\t`
+
+If your `description` doesn't follow this format, the parsed result is only `description_title` field with same `description` content.
+
 ## Copyright
-#### Copyright
+### Copyright
 Copyright(C) 2014- @okahashi117
-#### License
+### License
 Apache License, Version 2.0
 

data/appveyor.yml

@@ -5,10 +5,11 @@ version: '{build}'
 
 install:
   - SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
-  - "%devkit%\\devkitvars.bat"
+  - IF %ridk%==0 "%devkit%\\devkitvars.bat"
   - ruby --version
   - gem --version
-  - bundle install
+  - IF %ridk%==1 ridk.cmd exec bundle install
+  - IF %ridk%==0 bundle install
 build: off
 test_script:
   - bundle exec rake test
@@ -23,5 +24,11 @@ environment:
   matrix:
     - ruby_version: "23-x64"
       devkit: C:\Ruby23-x64\DevKit
+      ridk: 0
     - ruby_version: "23"
       devkit: C:\Ruby23\DevKit
+      ridk: 0
+    - ruby_version: "24-x64"
+      ridk: 1
+    - ruby_version: "24"
+      ridk: 1

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.2.1"
+  spec.version       = "0.2.2"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}

data/lib/fluent/plugin/in_windows_eventlog.rb

@@ -30,6 +30,8 @@ module Fluent::Plugin
     config_param :read_from_head, :bool, default: false
     config_param :from_encoding, :string, default: nil
     config_param :encoding, :string, default: nil
+    desc "Parse 'description' field and set parsed result into event record. 'description' and 'string_inserts' fields are removed from the record"
+    config_param :parse_description, :bool, default: false
 
     config_section :storage do
       config_set_default :usage, "positions"
@@ -56,6 +58,8 @@ module Fluent::Plugin
       if @keynames.empty?
         @keynames = KEY_MAP.keys
       end
+      @keynames.delete('string_inserts') if @parse_description
+
       @tag = tag
       @stop = false
       configure_encoding
@@ -136,6 +140,7 @@ module Fluent::Plugin
                    raise "Unknown value type: #{type}"
                  end
           end
+          parse_desc(h) if @parse_description
           #h = Hash[@keynames.map {|k| [k, r.send(KEY_MAP[k][0]).to_s]}]
           router.emit(@tag, Fluent::Engine.now, h)
         end
@@ -183,5 +188,47 @@ module Fluent::Plugin
     ensure
       el.close
     end
+
+    GROUP_DELIMITER = "\r\n\r\n".freeze
+    RECORD_DELIMITER = "\r\n\t".freeze
+    FIELD_DELIMITER = "\t\t".freeze
+    NONE_FIELD_DELIMITER = "\t".freeze
+
+    def parse_desc(record)
+      desc = record.delete('description'.freeze)
+      return if desc.nil?
+
+      elems = desc.split(GROUP_DELIMITER)
+      record['description_title'] = elems.shift
+      elems.each { |elem|
+        parent_key = nil
+        elem.split(RECORD_DELIMITER).each { |r|
+          key, value = if r.index(FIELD_DELIMITER)
+                         r.split(FIELD_DELIMITER)
+                       else
+                         r.split(NONE_FIELD_DELIMITER)
+                       end
+          key.chop!  # remove ':' from key
+          if value.nil?
+            parent_key = to_key(key)
+          else
+            # parsed value sometimes contain unexpected "\t". So remove it.
+            value.strip!
+            if parent_key.nil?
+              record[to_key(key)] = value
+            else
+              k = "#{parent_key}.#{to_key(key)}"
+              record[k] = value
+            end
+          end
+        }
+      }
+    end
+
+    def to_key(key)
+      key.downcase!
+      key.gsub!(' '.freeze, '_'.freeze)
+      key
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-06 00:00:00.000000000 Z
+date: 2017-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler