RubyGems - fluent-plugin-windows-eventlog - Versions diffs - 0.2.2 → 0.3.0 - Mend

fluent-plugin-windows-eventlog 0.2.2 → 0.3.0

Files changed (19) hide show

checksums.yaml +5 -5
data/.gitignore +14 -14
data/CHANGELOG.md +16 -0
data/Gemfile +4 -4
data/LICENSE.txt +203 -203
data/README.md +279 -132
data/Rakefile +10 -10
data/appveyor.yml +24 -34
data/fluent-plugin-winevtlog.gemspec +27 -25
data/lib/fluent/plugin/in_windows_eventlog.rb +234 -234
data/lib/fluent/plugin/in_windows_eventlog2.rb +169 -0
data/lib/fluent/plugin/parser_winevt_xml.rb +34 -0
data/test/data/eventlog.xml +1 -0
data/test/generate-windows-event.rb +47 -47
data/test/helper.rb +35 -32
data/test/plugin/test_in_windows_eventlog2.rb +182 -0
data/test/plugin/test_in_winevtlog.rb +48 -48
data/test/plugin/test_parser_winevt_xml.rb +42 -0
metadata +41 -4

data/fluent-plugin-winevtlog.gemspec CHANGED

@@ -1,25 +1,27 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-Gem::Specification.new do |spec|
-  spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.2.2"
-  spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
-  spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
-  spec.summary       = %q{Fluentd Input plugin to read windows event log.}
-  spec.description   = %q{Fluentd Input plugin to read windwos event log.}
-  spec.homepage      = "https://github.com/fluent/fluent-plugin-windows-eventlog"
-  spec.license       = "Apache-2.0"
-  spec.files         = `git ls-files -z`.split("\x0")
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "test-unit", "~> 3.2.0"
-  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
-  spec.add_runtime_dependency "win32-eventlog"
-end
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+Gem::Specification.new do |spec|
+  spec.name          = "fluent-plugin-windows-eventlog"
+  spec.version       = "0.3.0"
+  spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
+  spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
+  spec.summary       = %q{Fluentd Input plugin to read windows event log.}
+  spec.description   = %q{Fluentd Input plugin to read windows event log.}
+  spec.homepage      = "https://github.com/fluent/fluent-plugin-windows-eventlog"
+  spec.license       = "Apache-2.0"
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "test-unit", "~> 3.2.0"
+  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
+  spec.add_runtime_dependency "win32-eventlog"
+  spec.add_runtime_dependency "winevt_c"
+  spec.add_runtime_dependency "nokogiri", "~> 1.10"
+end

data/lib/fluent/plugin/in_windows_eventlog.rb CHANGED

@@ -1,234 +1,234 @@
-require 'win32/eventlog'
-require 'fluent/plugin/input'
-require 'fluent/plugin'
-module Fluent::Plugin
-  class WindowsEventLogInput < Input
-    Fluent::Plugin.register_input('windows_eventlog', self)
-    helpers :timer, :storage
-    DEFAULT_STORAGE_TYPE = 'local'
-    KEY_MAP = {"record_number" => [:record_number, :string],
-                 "time_generated" => [:time_generated, :string],
-                 "time_written" => [:time_written, :string],
-                 "event_id" => [:event_id, :string],
-                 "event_type" => [:event_type, :string],
-                 "event_category" => [:category, :string],
-                 "source_name" => [:source, :string],
-                 "computer_name" => [:computer, :string],
-                 "user" => [:user, :string],
-                 "description" => [:description, :string],
-                 "string_inserts" => [:string_inserts, :array]}
-    config_param :tag, :string
-    config_param :read_interval, :time, default: 2
-    config_param :pos_file, :string, default: nil,
-                 obsoleted: "This section is not used anymore. Use 'store_pos' instead."
-    config_param :channels, :array, default: ['application']
-    config_param :keys, :array, default: []
-    config_param :read_from_head, :bool, default: false
-    config_param :from_encoding, :string, default: nil
-    config_param :encoding, :string, default: nil
-    desc "Parse 'description' field and set parsed result into event record. 'description' and 'string_inserts' fields are removed from the record"
-    config_param :parse_description, :bool, default: false
-    config_section :storage do
-      config_set_default :usage, "positions"
-      config_set_default :@type, DEFAULT_STORAGE_TYPE
-      config_set_default :persistent, true
-    end
-    attr_reader :chs
-    def initialize
-      super
-      @chs = []
-      @keynames = []
-      @tails = {}
-    end
-    def configure(conf)
-      super
-      @chs = @channels.map {|ch| ch.strip.downcase }.uniq
-      if @chs.empty?
-        raise Fluent::ConfigError, "windows_eventlog: 'channels' parameter is required on windows_eventlog input"
-      end
-      @keynames = @keys.map {|k| k.strip }.uniq
-      if @keynames.empty?
-        @keynames = KEY_MAP.keys
-      end
-      @keynames.delete('string_inserts') if @parse_description
-      @tag = tag
-      @stop = false
-      configure_encoding
-      @receive_handlers = if @encoding
-                            method(:encode_record)
-                          else
-                            method(:no_encode_record)
-                          end
-      @pos_storage = storage_create(usage: "positions")
-    end
-    def configure_encoding
-      unless @encoding
-        if @from_encoding
-          raise Fluent::ConfigError, "windows_eventlog: 'from_encoding' parameter must be specied with 'encoding' parameter."
-        end
-      end
-      @encoding = parse_encoding_param(@encoding) if @encoding
-      @from_encoding = parse_encoding_param(@from_encoding) if @from_encoding
-    end
-    def parse_encoding_param(encoding_name)
-      begin
-        Encoding.find(encoding_name) if encoding_name
-      rescue ArgumentError => e
-        raise Fluent::ConfigError, e.message
-      end
-    end
-    def encode_record(record)
-      if @encoding
-        if @from_encoding
-          record.encode!(@encoding, @from_encoding)
-        else
-          record.force_encoding(@encoding)
-        end
-      end
-    end
-    def no_encode_record(record)
-      record
-    end
-    def start
-      super
-      @chs.each do |ch|
-        start, num = @pos_storage.get(ch)
-        if @read_from_head || (!num || num.zero?)
-          el = Win32::EventLog.open(ch)
-          @pos_storage.put(ch, [el.oldest_record_number - 1, 1])
-          el.close
-        end
-        timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
-          on_notify(ch)
-        end
-      end
-    end
-    def escape_channel(ch)
-      ch.gsub(/[^a-zA-Z0-9]/, '_')
-    end
-    def receive_lines(ch, lines)
-      return if lines.empty?
-      begin
-        for r in lines
-          h = {"channel" => ch}
-          @keynames.each do |k|
-            type = KEY_MAP[k][1]
-            value = r.send(KEY_MAP[k][0])
-            h[k]=case type
-                 when :string
-                   @receive_handlers.call(value.to_s)
-                 when :array
-                   value.map {|v| @receive_handlers.call(v.to_s)}
-                 else
-                   raise "Unknown value type: #{type}"
-                 end
-          end
-          parse_desc(h) if @parse_description
-          #h = Hash[@keynames.map {|k| [k, r.send(KEY_MAP[k][0]).to_s]}]
-          router.emit(@tag, Fluent::Engine.now, h)
-        end
-      rescue => e
-        log.error "unexpected error", error: e
-        log.error_backtrace
-      end
-    end
-    def on_notify(ch)
-      el = Win32::EventLog.open(ch)
-      current_oldest_record_number = el.oldest_record_number
-      current_total_records = el.total_records
-      read_start, read_num = @pos_storage.get(ch)
-      # if total_records is zero, oldest_record_number has no meaning.
-      if current_total_records == 0
-        return
-      end
-      if read_start == 0 && read_num == 0
-        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
-        return
-      end
-      current_end = current_oldest_record_number + current_total_records - 1
-      old_end = read_start + read_num - 1
-      if current_oldest_record_number < read_start
-        # may be a record number rotated.
-        current_end += 0xFFFFFFFF
-      end
-      if current_end < old_end
-        # something occured.
-        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
-        return
-      end
-      winlogs = el.read(Win32::EventLog::SEEK_READ | Win32::EventLog::FORWARDS_READ, old_end + 1)
-      receive_lines(ch, winlogs)
-      @pos_storage.put(ch, [read_start, read_num + winlogs.size])
-    ensure
-      el.close
-    end
-    GROUP_DELIMITER = "\r\n\r\n".freeze
-    RECORD_DELIMITER = "\r\n\t".freeze
-    FIELD_DELIMITER = "\t\t".freeze
-    NONE_FIELD_DELIMITER = "\t".freeze
-    def parse_desc(record)
-      desc = record.delete('description'.freeze)
-      return if desc.nil?
-      elems = desc.split(GROUP_DELIMITER)
-      record['description_title'] = elems.shift
-      elems.each { |elem|
-        parent_key = nil
-        elem.split(RECORD_DELIMITER).each { |r|
-          key, value = if r.index(FIELD_DELIMITER)
-                         r.split(FIELD_DELIMITER)
-                       else
-                         r.split(NONE_FIELD_DELIMITER)
-                       end
-          key.chop!  # remove ':' from key
-          if value.nil?
-            parent_key = to_key(key)
-          else
-            # parsed value sometimes contain unexpected "\t". So remove it.
-            value.strip!
-            if parent_key.nil?
-              record[to_key(key)] = value
-            else
-              k = "#{parent_key}.#{to_key(key)}"
-              record[k] = value
-            end
-          end
-        }
-      }
-    end
-    def to_key(key)
-      key.downcase!
-      key.gsub!(' '.freeze, '_'.freeze)
-      key
-    end
-  end
-end
+require 'win32/eventlog'
+require 'fluent/plugin/input'
+require 'fluent/plugin'
+module Fluent::Plugin
+  class WindowsEventLogInput < Input
+    Fluent::Plugin.register_input('windows_eventlog', self)
+    helpers :timer, :storage
+    DEFAULT_STORAGE_TYPE = 'local'
+    KEY_MAP = {"record_number" => [:record_number, :string],
+                 "time_generated" => [:time_generated, :string],
+                 "time_written" => [:time_written, :string],
+                 "event_id" => [:event_id, :string],
+                 "event_type" => [:event_type, :string],
+                 "event_category" => [:category, :string],
+                 "source_name" => [:source, :string],
+                 "computer_name" => [:computer, :string],
+                 "user" => [:user, :string],
+                 "description" => [:description, :string],
+                 "string_inserts" => [:string_inserts, :array]}
+    config_param :tag, :string
+    config_param :read_interval, :time, default: 2
+    config_param :pos_file, :string, default: nil,
+                 obsoleted: "This section is not used anymore. Use 'store_pos' instead."
+    config_param :channels, :array, default: ['application']
+    config_param :keys, :array, default: []
+    config_param :read_from_head, :bool, default: false
+    config_param :from_encoding, :string, default: nil
+    config_param :encoding, :string, default: nil
+    desc "Parse 'description' field and set parsed result into event record. 'description' and 'string_inserts' fields are removed from the record"
+    config_param :parse_description, :bool, default: false
+    config_section :storage do
+      config_set_default :usage, "positions"
+      config_set_default :@type, DEFAULT_STORAGE_TYPE
+      config_set_default :persistent, true
+    end
+    attr_reader :chs
+    def initialize
+      super
+      @chs = []
+      @keynames = []
+      @tails = {}
+    end
+    def configure(conf)
+      super
+      @chs = @channels.map {|ch| ch.strip.downcase }.uniq
+      if @chs.empty?
+        raise Fluent::ConfigError, "windows_eventlog: 'channels' parameter is required on windows_eventlog input"
+      end
+      @keynames = @keys.map {|k| k.strip }.uniq
+      if @keynames.empty?
+        @keynames = KEY_MAP.keys
+      end
+      @keynames.delete('string_inserts') if @parse_description
+      @tag = tag
+      @stop = false
+      configure_encoding
+      @receive_handlers = if @encoding
+                            method(:encode_record)
+                          else
+                            method(:no_encode_record)
+                          end
+      @pos_storage = storage_create(usage: "positions")
+    end
+    def configure_encoding
+      unless @encoding
+        if @from_encoding
+          raise Fluent::ConfigError, "windows_eventlog: 'from_encoding' parameter must be specied with 'encoding' parameter."
+        end
+      end
+      @encoding = parse_encoding_param(@encoding) if @encoding
+      @from_encoding = parse_encoding_param(@from_encoding) if @from_encoding
+    end
+    def parse_encoding_param(encoding_name)
+      begin
+        Encoding.find(encoding_name) if encoding_name
+      rescue ArgumentError => e
+        raise Fluent::ConfigError, e.message
+      end
+    end
+    def encode_record(record)
+      if @encoding
+        if @from_encoding
+          record.encode!(@encoding, @from_encoding)
+        else
+          record.force_encoding(@encoding)
+        end
+      end
+    end
+    def no_encode_record(record)
+      record
+    end
+    def start
+      super
+      @chs.each do |ch|
+        start, num = @pos_storage.get(ch)
+        if @read_from_head || (!num || num.zero?)
+          el = Win32::EventLog.open(ch)
+          @pos_storage.put(ch, [el.oldest_record_number - 1, 1])
+          el.close
+        end
+        timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
+          on_notify(ch)
+        end
+      end
+    end
+    def escape_channel(ch)
+      ch.gsub(/[^a-zA-Z0-9]/, '_')
+    end
+    def receive_lines(ch, lines)
+      return if lines.empty?
+      begin
+        for r in lines
+          h = {"channel" => ch}
+          @keynames.each do |k|
+            type = KEY_MAP[k][1]
+            value = r.send(KEY_MAP[k][0])
+            h[k]=case type
+                 when :string
+                   @receive_handlers.call(value.to_s)
+                 when :array
+                   value.map {|v| @receive_handlers.call(v.to_s)}
+                 else
+                   raise "Unknown value type: #{type}"
+                 end
+          end
+          parse_desc(h) if @parse_description
+          #h = Hash[@keynames.map {|k| [k, r.send(KEY_MAP[k][0]).to_s]}]
+          router.emit(@tag, Fluent::Engine.now, h)
+        end
+      rescue => e
+        log.error "unexpected error", error: e
+        log.error_backtrace
+      end
+    end
+    def on_notify(ch)
+      el = Win32::EventLog.open(ch)
+      current_oldest_record_number = el.oldest_record_number
+      current_total_records = el.total_records
+      read_start, read_num = @pos_storage.get(ch)
+      # if total_records is zero, oldest_record_number has no meaning.
+      if current_total_records == 0
+        return
+      end
+      if read_start == 0 && read_num == 0
+        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
+        return
+      end
+      current_end = current_oldest_record_number + current_total_records - 1
+      old_end = read_start + read_num - 1
+      if current_oldest_record_number < read_start
+        # may be a record number rotated.
+        current_end += 0xFFFFFFFF
+      end
+      if current_end < old_end
+        # something occured.
+        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
+        return
+      end
+      winlogs = el.read(Win32::EventLog::SEEK_READ | Win32::EventLog::FORWARDS_READ, old_end + 1)
+      receive_lines(ch, winlogs)
+      @pos_storage.put(ch, [read_start, read_num + winlogs.size])
+    ensure
+      el.close
+    end
+    GROUP_DELIMITER = "\r\n\r\n".freeze
+    RECORD_DELIMITER = "\r\n\t".freeze
+    FIELD_DELIMITER = "\t\t".freeze
+    NONE_FIELD_DELIMITER = "\t".freeze
+    def parse_desc(record)
+      desc = record.delete('description'.freeze)
+      return if desc.nil?
+      elems = desc.split(GROUP_DELIMITER)
+      record['description_title'] = elems.shift
+      elems.each { |elem|
+        parent_key = nil
+        elem.split(RECORD_DELIMITER).each { |r|
+          key, value = if r.index(FIELD_DELIMITER)
+                         r.split(FIELD_DELIMITER)
+                       else
+                         r.split(NONE_FIELD_DELIMITER)
+                       end
+          key.chop!  # remove ':' from key
+          if value.nil?
+            parent_key = to_key(key)
+          else
+            # parsed value sometimes contain unexpected "\t". So remove it.
+            value.strip!
+            if parent_key.nil?
+              record[to_key(key)] = value
+            else
+              k = "#{parent_key}.#{to_key(key)}"
+              record[k] = value
+            end
+          end
+        }
+      }
+    end
+    def to_key(key)
+      key.downcase!
+      key.gsub!(' '.freeze, '_'.freeze)
+      key
+    end
+  end
+end