RubyGems - fluent-plugin-windows-eventlog - Versions diffs - 0.2.2 → 0.3.0 - Mend

fluent-plugin-windows-eventlog 0.2.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml +5 -5
data/.gitignore +14 -14
data/CHANGELOG.md +16 -0
data/Gemfile +4 -4
data/LICENSE.txt +203 -203
data/README.md +279 -132
data/Rakefile +10 -10
data/appveyor.yml +24 -34
data/fluent-plugin-winevtlog.gemspec +27 -25
data/lib/fluent/plugin/in_windows_eventlog.rb +234 -234
data/lib/fluent/plugin/in_windows_eventlog2.rb +169 -0
data/lib/fluent/plugin/parser_winevt_xml.rb +34 -0
data/test/data/eventlog.xml +1 -0
data/test/generate-windows-event.rb +47 -47
data/test/helper.rb +35 -32
data/test/plugin/test_in_windows_eventlog2.rb +182 -0
data/test/plugin/test_in_winevtlog.rb +48 -48
data/test/plugin/test_parser_winevt_xml.rb +42 -0
metadata +41 -4

data/fluent-plugin-winevtlog.gemspec CHANGED

@@ -1,25 +1,27 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-Gem::Specification.new do |spec|
-  spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.2.2"
-  spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
-  spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
-  spec.summary       = %q{Fluentd Input plugin to read windows event log.}
-  spec.description   = %q{Fluentd Input plugin to read windwos event log.}
-  spec.homepage      = "https://github.com/fluent/fluent-plugin-windows-eventlog"
-  spec.license       = "Apache-2.0"
-  spec.files         = `git ls-files -z`.split("\x0")
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "test-unit", "~> 3.2.0"
-  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
-  spec.add_runtime_dependency "win32-eventlog"
-end
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+Gem::Specification.new do |spec|
+  spec.name          = "fluent-plugin-windows-eventlog"
+  spec.version       = "0.3.0"
+  spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
+  spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
+  spec.summary       = %q{Fluentd Input plugin to read windows event log.}
+  spec.description   = %q{Fluentd Input plugin to read windows event log.}
+  spec.homepage      = "https://github.com/fluent/fluent-plugin-windows-eventlog"
+  spec.license       = "Apache-2.0"
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "test-unit", "~> 3.2.0"
+  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
+  spec.add_runtime_dependency "win32-eventlog"
+  spec.add_runtime_dependency "winevt_c"
+  spec.add_runtime_dependency "nokogiri", "~> 1.10"
+end

data/lib/fluent/plugin/in_windows_eventlog.rb CHANGED

@@ -1,234 +1,234 @@
-require 'win32/eventlog'
-require 'fluent/plugin/input'
-require 'fluent/plugin'
-module Fluent::Plugin
-  class WindowsEventLogInput < Input
-    Fluent::Plugin.register_input('windows_eventlog', self)
-    helpers :timer, :storage
-    DEFAULT_STORAGE_TYPE = 'local'
-    KEY_MAP = {"record_number" => [:record_number, :string],
-                 "time_generated" => [:time_generated, :string],
-                 "time_written" => [:time_written, :string],
-                 "event_id" => [:event_id, :string],
-                 "event_type" => [:event_type, :string],
-                 "event_category" => [:category, :string],
-                 "source_name" => [:source, :string],
-                 "computer_name" => [:computer, :string],
-                 "user" => [:user, :string],
-                 "description" => [:description, :string],
-                 "string_inserts" => [:string_inserts, :array]}
-    config_param :tag, :string
-    config_param :read_interval, :time, default: 2
-    config_param :pos_file, :string, default: nil,
-                 obsoleted: "This section is not used anymore. Use 'store_pos' instead."
-    config_param :channels, :array, default: ['application']
-    config_param :keys, :array, default: []
-    config_param :read_from_head, :bool, default: false
-    config_param :from_encoding, :string, default: nil
-    config_param :encoding, :string, default: nil
-    desc "Parse 'description' field and set parsed result into event record. 'description' and 'string_inserts' fields are removed from the record"
-    config_param :parse_description, :bool, default: false
-    config_section :storage do
-      config_set_default :usage, "positions"
-      config_set_default :@type, DEFAULT_STORAGE_TYPE
-      config_set_default :persistent, true
-    end
-    attr_reader :chs
-    def initialize
-      super
-      @chs = []
-      @keynames = []
-      @tails = {}
-    end
-    def configure(conf)
-      super
-      @chs = @channels.map {|ch| ch.strip.downcase }.uniq
-      if @chs.empty?
-        raise Fluent::ConfigError, "windows_eventlog: 'channels' parameter is required on windows_eventlog input"
-      end
-      @keynames = @keys.map {|k| k.strip }.uniq
-      if @keynames.empty?
-        @keynames = KEY_MAP.keys
-      end
-      @keynames.delete('string_inserts') if @parse_description
-      @tag = tag
-      @stop = false
-      configure_encoding
-      @receive_handlers = if @encoding
-                            method(:encode_record)
-                          else
-                            method(:no_encode_record)
-                          end
-      @pos_storage = storage_create(usage: "positions")
-    end
-    def configure_encoding
-      unless @encoding
-        if @from_encoding
-          raise Fluent::ConfigError, "windows_eventlog: 'from_encoding' parameter must be specied with 'encoding' parameter."
-        end
-      end
-      @encoding = parse_encoding_param(@encoding) if @encoding
-      @from_encoding = parse_encoding_param(@from_encoding) if @from_encoding
-    end
-    def parse_encoding_param(encoding_name)
-      begin
-        Encoding.find(encoding_name) if encoding_name
-      rescue ArgumentError => e
-        raise Fluent::ConfigError, e.message
-      end
-    end
-    def encode_record(record)
-      if @encoding
-        if @from_encoding
-          record.encode!(@encoding, @from_encoding)
-        else
-          record.force_encoding(@encoding)
-        end
-      end
-    end
-    def no_encode_record(record)
-      record
-    end
-    def start
-      super
-      @chs.each do |ch|
-        start, num = @pos_storage.get(ch)
-        if @read_from_head || (!num || num.zero?)
-          el = Win32::EventLog.open(ch)
-          @pos_storage.put(ch, [el.oldest_record_number - 1, 1])
-          el.close
-        end
-        timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
-          on_notify(ch)
-        end
-      end
-    end
-    def escape_channel(ch)
-      ch.gsub(/[^a-zA-Z0-9]/, '_')
-    end
-    def receive_lines(ch, lines)
-      return if lines.empty?
-      begin
-        for r in lines
-          h = {"channel" => ch}
-          @keynames.each do |k|
-            type = KEY_MAP[k][1]
-            value = r.send(KEY_MAP[k][0])
-            h[k]=case type
-                 when :string
-                   @receive_handlers.call(value.to_s)
-                 when :array
-                   value.map {|v| @receive_handlers.call(v.to_s)}
-                 else
-                   raise "Unknown value type: #{type}"
-                 end
-          end
-          parse_desc(h) if @parse_description
-          #h = Hash[@keynames.map {|k| [k, r.send(KEY_MAP[k][0]).to_s]}]
-          router.emit(@tag, Fluent::Engine.now, h)
-        end
-      rescue => e
-        log.error "unexpected error", error: e
-        log.error_backtrace
-      end
-    end
-    def on_notify(ch)
-      el = Win32::EventLog.open(ch)
-      current_oldest_record_number = el.oldest_record_number
-      current_total_records = el.total_records
-      read_start, read_num = @pos_storage.get(ch)
-      # if total_records is zero, oldest_record_number has no meaning.
-      if current_total_records == 0
-        return
-      end
-      if read_start == 0 && read_num == 0
-        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
-        return
-      end
-      current_end = current_oldest_record_number + current_total_records - 1
-      old_end = read_start + read_num - 1
-      if current_oldest_record_number < read_start
-        # may be a record number rotated.
-        current_end += 0xFFFFFFFF
-      end
-      if current_end < old_end
-        # something occured.
-        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
-        return
-      end
-      winlogs = el.read(Win32::EventLog::SEEK_READ | Win32::EventLog::FORWARDS_READ, old_end + 1)
-      receive_lines(ch, winlogs)
-      @pos_storage.put(ch, [read_start, read_num + winlogs.size])
-    ensure
-      el.close
-    end
-    GROUP_DELIMITER = "\r\n\r\n".freeze
-    RECORD_DELIMITER = "\r\n\t".freeze
-    FIELD_DELIMITER = "\t\t".freeze
-    NONE_FIELD_DELIMITER = "\t".freeze
-    def parse_desc(record)
-      desc = record.delete('description'.freeze)
-      return if desc.nil?
-      elems = desc.split(GROUP_DELIMITER)
-      record['description_title'] = elems.shift
-      elems.each { |elem|
-        parent_key = nil
-        elem.split(RECORD_DELIMITER).each { |r|
-          key, value = if r.index(FIELD_DELIMITER)
-                         r.split(FIELD_DELIMITER)
-                       else
-                         r.split(NONE_FIELD_DELIMITER)
-                       end
-          key.chop!  # remove ':' from key
-          if value.nil?
-            parent_key = to_key(key)
-          else
-            # parsed value sometimes contain unexpected "\t". So remove it.
-            value.strip!
-            if parent_key.nil?
-              record[to_key(key)] = value
-            else
-              k = "#{parent_key}.#{to_key(key)}"
-              record[k] = value
-            end
-          end
-        }
-      }
-    end
-    def to_key(key)
-      key.downcase!
-      key.gsub!(' '.freeze, '_'.freeze)
-      key
-    end
-  end
-end
+require 'win32/eventlog'
+require 'fluent/plugin/input'
+require 'fluent/plugin'
+module Fluent::Plugin
+  class WindowsEventLogInput < Input
+    Fluent::Plugin.register_input('windows_eventlog', self)
+    helpers :timer, :storage
+    DEFAULT_STORAGE_TYPE = 'local'
+    KEY_MAP = {"record_number" => [:record_number, :string],
+                 "time_generated" => [:time_generated, :string],
+                 "time_written" => [:time_written, :string],
+                 "event_id" => [:event_id, :string],
+                 "event_type" => [:event_type, :string],
+                 "event_category" => [:category, :string],
+                 "source_name" => [:source, :string],
+                 "computer_name" => [:computer, :string],
+                 "user" => [:user, :string],
+                 "description" => [:description, :string],
+                 "string_inserts" => [:string_inserts, :array]}
+    config_param :tag, :string
+    config_param :read_interval, :time, default: 2
+    config_param :pos_file, :string, default: nil,
+                 obsoleted: "This section is not used anymore. Use 'store_pos' instead."
+    config_param :channels, :array, default: ['application']
+    config_param :keys, :array, default: []
+    config_param :read_from_head, :bool, default: false
+    config_param :from_encoding, :string, default: nil
+    config_param :encoding, :string, default: nil
+    desc "Parse 'description' field and set parsed result into event record. 'description' and 'string_inserts' fields are removed from the record"
+    config_param :parse_description, :bool, default: false
+    config_section :storage do
+      config_set_default :usage, "positions"
+      config_set_default :@type, DEFAULT_STORAGE_TYPE
+      config_set_default :persistent, true
+    end
+    attr_reader :chs
+    def initialize
+      super
+      @chs = []
+      @keynames = []
+      @tails = {}
+    end
+    def configure(conf)
+      super
+      @chs = @channels.map {|ch| ch.strip.downcase }.uniq
+      if @chs.empty?
+        raise Fluent::ConfigError, "windows_eventlog: 'channels' parameter is required on windows_eventlog input"
+      end
+      @keynames = @keys.map {|k| k.strip }.uniq
+      if @keynames.empty?
+        @keynames = KEY_MAP.keys
+      end
+      @keynames.delete('string_inserts') if @parse_description
+      @tag = tag
+      @stop = false
+      configure_encoding
+      @receive_handlers = if @encoding
+                            method(:encode_record)
+                          else
+                            method(:no_encode_record)
+                          end
+      @pos_storage = storage_create(usage: "positions")
+    end
+    def configure_encoding
+      unless @encoding
+        if @from_encoding
+          raise Fluent::ConfigError, "windows_eventlog: 'from_encoding' parameter must be specied with 'encoding' parameter."
+        end
+      end
+      @encoding = parse_encoding_param(@encoding) if @encoding
+      @from_encoding = parse_encoding_param(@from_encoding) if @from_encoding
+    end
+    def parse_encoding_param(encoding_name)
+      begin
+        Encoding.find(encoding_name) if encoding_name
+      rescue ArgumentError => e
+        raise Fluent::ConfigError, e.message
+      end
+    end
+    def encode_record(record)
+      if @encoding
+        if @from_encoding
+          record.encode!(@encoding, @from_encoding)
+        else
+          record.force_encoding(@encoding)
+        end
+      end
+    end
+    def no_encode_record(record)
+      record
+    end
+    def start
+      super
+      @chs.each do |ch|
+        start, num = @pos_storage.get(ch)
+        if @read_from_head || (!num || num.zero?)
+          el = Win32::EventLog.open(ch)
+          @pos_storage.put(ch, [el.oldest_record_number - 1, 1])
+          el.close
+        end
+        timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
+          on_notify(ch)
+        end
+      end
+    end
+    def escape_channel(ch)
+      ch.gsub(/[^a-zA-Z0-9]/, '_')
+    end
+    def receive_lines(ch, lines)
+      return if lines.empty?
+      begin
+        for r in lines
+          h = {"channel" => ch}
+          @keynames.each do |k|
+            type = KEY_MAP[k][1]
+            value = r.send(KEY_MAP[k][0])
+            h[k]=case type
+                 when :string
+                   @receive_handlers.call(value.to_s)
+                 when :array
+                   value.map {|v| @receive_handlers.call(v.to_s)}
+                 else
+                   raise "Unknown value type: #{type}"
+                 end
+          end
+          parse_desc(h) if @parse_description
+          #h = Hash[@keynames.map {|k| [k, r.send(KEY_MAP[k][0]).to_s]}]
+          router.emit(@tag, Fluent::Engine.now, h)
+        end
+      rescue => e
+        log.error "unexpected error", error: e
+        log.error_backtrace
+      end
+    end
+    def on_notify(ch)
+      el = Win32::EventLog.open(ch)
+      current_oldest_record_number = el.oldest_record_number
+      current_total_records = el.total_records
+      read_start, read_num = @pos_storage.get(ch)
+      # if total_records is zero, oldest_record_number has no meaning.
+      if current_total_records == 0
+        return
+      end
+      if read_start == 0 && read_num == 0
+        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
+        return
+      end
+      current_end = current_oldest_record_number + current_total_records - 1
+      old_end = read_start + read_num - 1
+      if current_oldest_record_number < read_start
+        # may be a record number rotated.
+        current_end += 0xFFFFFFFF
+      end
+      if current_end < old_end
+        # something occured.
+        @pos_storage.put(ch, [current_oldest_record_number, current_total_records])
+        return
+      end
+      winlogs = el.read(Win32::EventLog::SEEK_READ | Win32::EventLog::FORWARDS_READ, old_end + 1)
+      receive_lines(ch, winlogs)
+      @pos_storage.put(ch, [read_start, read_num + winlogs.size])
+    ensure
+      el.close
+    end
+    GROUP_DELIMITER = "\r\n\r\n".freeze
+    RECORD_DELIMITER = "\r\n\t".freeze
+    FIELD_DELIMITER = "\t\t".freeze
+    NONE_FIELD_DELIMITER = "\t".freeze
+    def parse_desc(record)
+      desc = record.delete('description'.freeze)
+      return if desc.nil?
+      elems = desc.split(GROUP_DELIMITER)
+      record['description_title'] = elems.shift
+      elems.each { |elem|
+        parent_key = nil
+        elem.split(RECORD_DELIMITER).each { |r|
+          key, value = if r.index(FIELD_DELIMITER)
+                         r.split(FIELD_DELIMITER)
+                       else
+                         r.split(NONE_FIELD_DELIMITER)
+                       end
+          key.chop!  # remove ':' from key
+          if value.nil?
+            parent_key = to_key(key)
+          else
+            # parsed value sometimes contain unexpected "\t". So remove it.
+            value.strip!
+            if parent_key.nil?
+              record[to_key(key)] = value
+            else
+              k = "#{parent_key}.#{to_key(key)}"
+              record[k] = value
+            end
+          end
+        }
+      }
+    end
+    def to_key(key)
+      key.downcase!
+      key.gsub!(' '.freeze, '_'.freeze)
+      key
+    end
+  end
+end