fluent-plugin-windows-eventlog 0.3.0 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/README.md +10 -4
- data/fluent-plugin-winevtlog.gemspec +3 -2
- data/lib/fluent/plugin/in_windows_eventlog2.rb +49 -2
- data/test/helper.rb +0 -2
- data/test/plugin/test_in_windows_eventlog2.rb +32 -0
- metadata +18 -9
- data/lib/fluent/plugin/parser_winevt_xml.rb +0 -34
- data/test/data/eventlog.xml +0 -1
- data/test/plugin/test_parser_winevt_xml.rb +0 -42
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5ea9a134414a5572bf7d3c9dca355ea53d47d6a8701b6a631f0426bafa0de5c9
|
4
|
+
data.tar.gz: 26d9fa562585f26fdbef294aa6f64a13e7749ed11915390d1822c5367656ccb7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e292b037dc58e418aa8b74b1fa8b19db22124c927876e4fbf2e59b457042e08944e912e37104891fdd93f841b306ea8d09d2b1bbf939dad2015f18e26c021a11
|
7
|
+
data.tar.gz: 6d82ed5588b14f92bca8bdf42a8c9a085306ed23717e9b0f0fc6cdc994b376a00195469c51dcb9ddeb5a6a786fc7c5b96e24279037bc20bfa96f42477407851d
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,9 @@
|
|
1
|
+
# Release v0.4.0 - 2019/10/10
|
2
|
+
|
3
|
+
* in_windows_eventlog2: Add new `render_as_xml` parameter to switch rendering as XML or Ruby Hash object
|
4
|
+
* in_windows_eventlog2: Support rate limit with `rate_limit` option
|
5
|
+
* parser_winevt_xml: Separate `parser_winevt_xml` plugin to other repository and published as Fluentd parser plugin
|
6
|
+
|
1
7
|
# Release v0.3.0 - 2019/07/08
|
2
8
|
|
3
9
|
* Add new `in_windows_eventlog2` plugin. This plugin uses newer windows event logging API.
|
data/README.md
CHANGED
@@ -4,10 +4,10 @@
|
|
4
4
|
|
5
5
|
### fluentd Input plugin for the Windows Event Log
|
6
6
|
|
7
|
-
[Fluentd](
|
7
|
+
[Fluentd](https://www.fluentd.org/) plugin to read the Windows Event Log.
|
8
8
|
|
9
9
|
## Installation
|
10
|
-
gem install fluent-plugin-windows-eventlog
|
10
|
+
ridk exec gem install fluent-plugin-windows-eventlog
|
11
11
|
|
12
12
|
## Configuration
|
13
13
|
|
@@ -15,7 +15,7 @@
|
|
15
15
|
|
16
16
|
Check [in_windows_eventlog2](https://github.com/fluent/fluent-plugin-windows-eventlog#in_windows_eventlog2) first. `in_windows_eventlog` will be replaced with `in_windows_eventlog2`.
|
17
17
|
|
18
|
-
|
18
|
+
fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
|
19
19
|
|
20
20
|
<source>
|
21
21
|
@type windows_eventlog
|
@@ -130,7 +130,7 @@ If your `description` doesn't follow this format, the parsed result is only `des
|
|
130
130
|
|
131
131
|
### in_windows_eventlog2
|
132
132
|
|
133
|
-
|
133
|
+
fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to `in_windows_eventlog`. See also [this slide](https://www.slideshare.net/cosmo0920/fluentd-meetup-2019) for the details of `in_windows_eventlog2` plugin.
|
134
134
|
|
135
135
|
<source>
|
136
136
|
@type windows_eventlog2
|
@@ -138,6 +138,8 @@ If your `description` doesn't follow this format, the parsed result is only `des
|
|
138
138
|
channels application,system
|
139
139
|
read_interval 2
|
140
140
|
tag winevt.raw
|
141
|
+
render_as_xml false # default is true.
|
142
|
+
rate_limit 200 # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
|
141
143
|
<storage>
|
142
144
|
@type local # @type local is the default.
|
143
145
|
persistent true # default is true. Set to false to use in-memory storage.
|
@@ -153,6 +155,10 @@ If your `description` doesn't follow this format, the parsed result is only `des
|
|
153
155
|
|
154
156
|
**NOTE:** When `Description` contains error message such as `The message resource is present but the message was not found in the message table.`, eventlog's resource file (.mui) related to error generating event is something wrong. This issue is also occurred in built-in Windows Event Viewer which is the part of Windows management tool.
|
155
157
|
|
158
|
+
**NOTE:** When `render_as_xml` as `false`, the dependent winevt_c gem renders Windows EventLog as Ruby Hash object directly. This reduces bottleneck to consume EventLog. Specifying `render_as_xml` as `false` should be faster consuming than `render_as_xml` as `true` case.
|
159
|
+
|
160
|
+
**NOTE:** If you encountered CPU spike due to massively huge EventLog channel, `rate_limit` parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).
|
161
|
+
|
156
162
|
#### parameters
|
157
163
|
|
158
164
|
|name | description |
|
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
4
|
|
5
5
|
Gem::Specification.new do |spec|
|
6
6
|
spec.name = "fluent-plugin-windows-eventlog"
|
7
|
-
spec.version = "0.
|
7
|
+
spec.version = "0.4.0"
|
8
8
|
spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
|
9
9
|
spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
|
10
10
|
spec.summary = %q{Fluentd Input plugin to read windows event log.}
|
@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
|
|
22
22
|
spec.add_development_dependency "test-unit", "~> 3.2.0"
|
23
23
|
spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
|
24
24
|
spec.add_runtime_dependency "win32-eventlog"
|
25
|
-
spec.add_runtime_dependency "winevt_c"
|
25
|
+
spec.add_runtime_dependency "winevt_c", ">= 0.6.0"
|
26
26
|
spec.add_runtime_dependency "nokogiri", "~> 1.10"
|
27
|
+
spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
|
27
28
|
end
|
@@ -35,6 +35,8 @@ module Fluent::Plugin
|
|
35
35
|
config_param :keys, :array, default: []
|
36
36
|
config_param :read_from_head, :bool, default: false
|
37
37
|
config_param :parse_description, :bool, default: false
|
38
|
+
config_param :render_as_xml, :bool, default: true
|
39
|
+
config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
|
38
40
|
|
39
41
|
config_section :storage do
|
40
42
|
config_set_default :usage, "bookmarks"
|
@@ -60,12 +62,24 @@ module Fluent::Plugin
|
|
60
62
|
if @keynames.empty?
|
61
63
|
@keynames = KEY_MAP.keys
|
62
64
|
end
|
65
|
+
@keynames.delete('Qualifiers') unless @render_as_xml
|
63
66
|
@keynames.delete('EventData') if @parse_description
|
64
67
|
|
65
68
|
@tag = tag
|
66
69
|
@tailing = @read_from_head ? false : true
|
67
70
|
@bookmarks_storage = storage_create(usage: "bookmarks")
|
68
|
-
@
|
71
|
+
@winevt_xml = false
|
72
|
+
if @render_as_xml
|
73
|
+
@parser = parser_create
|
74
|
+
@winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
|
75
|
+
class << self
|
76
|
+
alias_method :on_notify, :on_notify_xml
|
77
|
+
end
|
78
|
+
else
|
79
|
+
class << self
|
80
|
+
alias_method :on_notify, :on_notify_hash
|
81
|
+
end
|
82
|
+
end
|
69
83
|
end
|
70
84
|
|
71
85
|
def start
|
@@ -77,6 +91,8 @@ module Fluent::Plugin
|
|
77
91
|
bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
|
78
92
|
subscribe.tail = @tailing
|
79
93
|
subscribe.subscribe(ch, "*", bookmark)
|
94
|
+
subscribe.render_as_xml = @render_as_xml
|
95
|
+
subscribe.rate_limit = @rate_limit
|
80
96
|
timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
|
81
97
|
on_notify(ch, subscribe)
|
82
98
|
end
|
@@ -88,11 +104,15 @@ module Fluent::Plugin
|
|
88
104
|
end
|
89
105
|
|
90
106
|
def on_notify(ch, subscribe)
|
107
|
+
# for safety.
|
108
|
+
end
|
109
|
+
|
110
|
+
def on_notify_xml(ch, subscribe)
|
91
111
|
es = Fluent::MultiEventStream.new
|
92
112
|
subscribe.each do |xml, message, string_inserts|
|
93
113
|
@parser.parse(xml) do |time, record|
|
94
114
|
# record.has_key?("EventData") for none parser checking.
|
95
|
-
if
|
115
|
+
if @winevt_xml
|
96
116
|
record["Description"] = message
|
97
117
|
record["EventData"] = string_inserts
|
98
118
|
|
@@ -112,6 +132,8 @@ module Fluent::Plugin
|
|
112
132
|
parse_desc(h) if @parse_description
|
113
133
|
es.add(Fluent::Engine.now, h)
|
114
134
|
else
|
135
|
+
record["Description"] = message
|
136
|
+
record["EventData"] = string_inserts
|
115
137
|
# for none parser
|
116
138
|
es.add(Fluent::Engine.now, record)
|
117
139
|
end
|
@@ -121,6 +143,31 @@ module Fluent::Plugin
|
|
121
143
|
@bookmarks_storage.put(ch, subscribe.bookmark)
|
122
144
|
end
|
123
145
|
|
146
|
+
def on_notify_hash(ch, subscribe)
|
147
|
+
es = Fluent::MultiEventStream.new
|
148
|
+
subscribe.each do |record, message, string_inserts|
|
149
|
+
record["Description"] = message
|
150
|
+
record["EventData"] = string_inserts
|
151
|
+
h = {}
|
152
|
+
@keynames.each do |k|
|
153
|
+
type = KEY_MAP[k][1]
|
154
|
+
value = record[KEY_MAP[k][0]]
|
155
|
+
h[k]=case type
|
156
|
+
when :string
|
157
|
+
value.to_s
|
158
|
+
when :array
|
159
|
+
value.map {|v| v.to_s}
|
160
|
+
else
|
161
|
+
raise "Unknown value type: #{type}"
|
162
|
+
end
|
163
|
+
end
|
164
|
+
parse_desc(h) if @parse_description
|
165
|
+
es.add(Fluent::Engine.now, h)
|
166
|
+
end
|
167
|
+
router.emit_stream(@tag, es)
|
168
|
+
@bookmarks_storage.put(ch, subscribe.bookmark)
|
169
|
+
end
|
170
|
+
|
124
171
|
#### These lines copied from in_windows_eventlog plugin:
|
125
172
|
#### https://github.com/fluent/fluent-plugin-windows-eventlog/blob/528290d896a885c7721f850943daa3a43a015f3d/lib/fluent/plugin/in_windows_eventlog.rb#L192-L232
|
126
173
|
GROUP_DELIMITER = "\r\n\r\n".freeze
|
data/test/helper.rb
CHANGED
@@ -23,10 +23,8 @@ unless ENV.has_key?('VERBOSE')
|
|
23
23
|
end
|
24
24
|
|
25
25
|
require 'fluent/test/driver/input'
|
26
|
-
require 'fluent/test/driver/parser'
|
27
26
|
require 'fluent/plugin/in_windows_eventlog'
|
28
27
|
require 'fluent/plugin/in_windows_eventlog2'
|
29
|
-
require 'fluent/plugin/parser_winevt_xml'
|
30
28
|
|
31
29
|
class Test::Unit::TestCase
|
32
30
|
end
|
@@ -25,6 +25,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
|
|
25
25
|
assert_equal 2, d.instance.read_interval
|
26
26
|
assert_equal ['application'], d.instance.channels
|
27
27
|
assert_false d.instance.read_from_head
|
28
|
+
assert_true d.instance.render_as_xml
|
28
29
|
end
|
29
30
|
|
30
31
|
def test_parse_desc
|
@@ -96,6 +97,34 @@ DESC
|
|
96
97
|
assert_equal(expected, record)
|
97
98
|
end
|
98
99
|
|
100
|
+
class HashRendered < self
|
101
|
+
def test_write
|
102
|
+
d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
|
103
|
+
"render_as_xml" => false}, [
|
104
|
+
config_element("storage", "", {
|
105
|
+
'@type' => 'local',
|
106
|
+
'persistent' => false
|
107
|
+
})
|
108
|
+
]))
|
109
|
+
|
110
|
+
service = Fluent::Plugin::EventService.new
|
111
|
+
|
112
|
+
d.run(expect_emits: 1) do
|
113
|
+
service.run
|
114
|
+
end
|
115
|
+
|
116
|
+
assert(d.events.length >= 1)
|
117
|
+
event = d.events.last
|
118
|
+
record = event.last
|
119
|
+
|
120
|
+
assert_false(d.instance.render_as_xml)
|
121
|
+
assert_equal("Application", record["Channel"])
|
122
|
+
assert_equal("65500", record["EventID"])
|
123
|
+
assert_equal("4", record["Level"])
|
124
|
+
assert_equal("fluent-plugins", record["ProviderName"])
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
99
128
|
class PersistBookMark < self
|
100
129
|
TEST_PLUGIN_STORAGE_PATH = File.join( File.dirname(File.dirname(__FILE__)), 'tmp', 'in_windows_eventlog2', 'store' )
|
101
130
|
CONFIG2 = config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
|
@@ -178,5 +207,8 @@ DESC
|
|
178
207
|
# record should be {message: <RAW XML EventLog>}.
|
179
208
|
record["message"]
|
180
209
|
end
|
210
|
+
|
211
|
+
assert_true(record.has_key?("Description"))
|
212
|
+
assert_true(record.has_key?("EventData"))
|
181
213
|
end
|
182
214
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-windows-eventlog
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- okahashi117
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2019-
|
13
|
+
date: 2019-10-10 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: bundler
|
@@ -94,14 +94,14 @@ dependencies:
|
|
94
94
|
requirements:
|
95
95
|
- - ">="
|
96
96
|
- !ruby/object:Gem::Version
|
97
|
-
version:
|
97
|
+
version: 0.6.0
|
98
98
|
type: :runtime
|
99
99
|
prerelease: false
|
100
100
|
version_requirements: !ruby/object:Gem::Requirement
|
101
101
|
requirements:
|
102
102
|
- - ">="
|
103
103
|
- !ruby/object:Gem::Version
|
104
|
-
version:
|
104
|
+
version: 0.6.0
|
105
105
|
- !ruby/object:Gem::Dependency
|
106
106
|
name: nokogiri
|
107
107
|
requirement: !ruby/object:Gem::Requirement
|
@@ -116,6 +116,20 @@ dependencies:
|
|
116
116
|
- - "~>"
|
117
117
|
- !ruby/object:Gem::Version
|
118
118
|
version: '1.10'
|
119
|
+
- !ruby/object:Gem::Dependency
|
120
|
+
name: fluent-plugin-parser-winevt_xml
|
121
|
+
requirement: !ruby/object:Gem::Requirement
|
122
|
+
requirements:
|
123
|
+
- - ">="
|
124
|
+
- !ruby/object:Gem::Version
|
125
|
+
version: 0.1.2
|
126
|
+
type: :runtime
|
127
|
+
prerelease: false
|
128
|
+
version_requirements: !ruby/object:Gem::Requirement
|
129
|
+
requirements:
|
130
|
+
- - ">="
|
131
|
+
- !ruby/object:Gem::Version
|
132
|
+
version: 0.1.2
|
119
133
|
description: Fluentd Input plugin to read windows event log.
|
120
134
|
email:
|
121
135
|
- naruki_okahashi@jbat.co.jp
|
@@ -135,13 +149,10 @@ files:
|
|
135
149
|
- fluent-plugin-winevtlog.gemspec
|
136
150
|
- lib/fluent/plugin/in_windows_eventlog.rb
|
137
151
|
- lib/fluent/plugin/in_windows_eventlog2.rb
|
138
|
-
- lib/fluent/plugin/parser_winevt_xml.rb
|
139
|
-
- test/data/eventlog.xml
|
140
152
|
- test/generate-windows-event.rb
|
141
153
|
- test/helper.rb
|
142
154
|
- test/plugin/test_in_windows_eventlog2.rb
|
143
155
|
- test/plugin/test_in_winevtlog.rb
|
144
|
-
- test/plugin/test_parser_winevt_xml.rb
|
145
156
|
homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
|
146
157
|
licenses:
|
147
158
|
- Apache-2.0
|
@@ -167,9 +178,7 @@ signing_key:
|
|
167
178
|
specification_version: 4
|
168
179
|
summary: Fluentd Input plugin to read windows event log.
|
169
180
|
test_files:
|
170
|
-
- test/data/eventlog.xml
|
171
181
|
- test/generate-windows-event.rb
|
172
182
|
- test/helper.rb
|
173
183
|
- test/plugin/test_in_windows_eventlog2.rb
|
174
184
|
- test/plugin/test_in_winevtlog.rb
|
175
|
-
- test/plugin/test_parser_winevt_xml.rb
|
@@ -1,34 +0,0 @@
|
|
1
|
-
require 'fluent/plugin/parser'
|
2
|
-
require 'nokogiri'
|
3
|
-
|
4
|
-
module Fluent::Plugin
|
5
|
-
class WinevtXMLparser < Parser
|
6
|
-
Fluent::Plugin.register_parser('winevt_xml', self)
|
7
|
-
|
8
|
-
def parse(text)
|
9
|
-
record = {}
|
10
|
-
doc = Nokogiri::XML(text)
|
11
|
-
system_elem = doc/'Event'/'System'
|
12
|
-
record["ProviderName"] = (system_elem/"Provider").attribute("Name").text rescue nil
|
13
|
-
record["ProviderGUID"] = (system_elem/"Provider").attribute("Guid").text rescue nil
|
14
|
-
record["EventID"] = (system_elem/'EventID').text rescue nil
|
15
|
-
record["Qualifiers"] = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
|
16
|
-
record["Level"] = (system_elem/'Level').text rescue nil
|
17
|
-
record["Task"] = (system_elem/'Task').text rescue nil
|
18
|
-
record["Opcode"] = (system_elem/'Opcode').text rescue nil
|
19
|
-
record["Keywords"] = (system_elem/'Keywords').text rescue nil
|
20
|
-
record["TimeCreated"] = (system_elem/'TimeCreated').attribute("SystemTime").text rescue nil
|
21
|
-
record["EventRecordID"] = (system_elem/'EventRecordID').text rescue nil
|
22
|
-
record["ActivityID"] = (system_elem/'ActivityID').text rescue nil
|
23
|
-
record["RelatedActivityID"] = (system_elem/'Correlation').attribute("ActivityID").text rescue nil
|
24
|
-
record["ThreadID"] = (system_elem/'Execution').attribute("ThreadID").text rescue nil
|
25
|
-
record["Channel"] = (system_elem/'Channel').text rescue nil
|
26
|
-
record["Computer"] = (system_elem/"Computer").text rescue nil
|
27
|
-
record["UserID"] = (system_elem/'Security').attribute("UserID").text rescue nil
|
28
|
-
record["Version"] = (system_elem/'Version').text rescue nil
|
29
|
-
record["EventData"] = [] # These parameters are processed in winevt_c.
|
30
|
-
time = @estimate_current_event ? Fluent::EventTime.now : nil
|
31
|
-
yield time, record
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
data/test/data/eventlog.xml
DELETED
@@ -1 +0,0 @@
|
|
1
|
-
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
|
@@ -1,42 +0,0 @@
|
|
1
|
-
require 'helper'
|
2
|
-
require 'generate-windows-event'
|
3
|
-
|
4
|
-
class WinevtXMLparserTest < Test::Unit::TestCase
|
5
|
-
|
6
|
-
def setup
|
7
|
-
Fluent::Test.setup
|
8
|
-
end
|
9
|
-
|
10
|
-
CONFIG = %[]
|
11
|
-
XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
|
12
|
-
|
13
|
-
def create_driver(conf = CONFIG)
|
14
|
-
Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
|
15
|
-
end
|
16
|
-
|
17
|
-
def test_parse
|
18
|
-
d = create_driver
|
19
|
-
xml = XMLLOG
|
20
|
-
expected = {"ProviderName" => "Microsoft-Windows-Security-Auditing",
|
21
|
-
"ProviderGUID" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
|
22
|
-
"EventID" => "4624",
|
23
|
-
"Qualifiers" => nil,
|
24
|
-
"Level" => "0",
|
25
|
-
"Task" => "12544",
|
26
|
-
"Opcode" => "0",
|
27
|
-
"Keywords" => "0x8020000000000000",
|
28
|
-
"TimeCreated" => "2019-06-13T09:21:23.345889600Z",
|
29
|
-
"EventRecordID" => "80688",
|
30
|
-
"ActivityID" => "",
|
31
|
-
"RelatedActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
|
32
|
-
"ThreadID" => "24708",
|
33
|
-
"Channel" => "Security",
|
34
|
-
"Computer" => "Fluentd-Developing-Windows",
|
35
|
-
"UserID" => nil,
|
36
|
-
"Version" => "2",
|
37
|
-
"EventData" => []}
|
38
|
-
d.instance.parse(xml) do |time, record|
|
39
|
-
assert_equal(expected, record)
|
40
|
-
end
|
41
|
-
end
|
42
|
-
end
|