RubyGems - fluent-plugin-windows-eventlog - Versions diffs - 0.3.0 → 0.4.4 - Mend

fluent-plugin-windows-eventlog 0.3.0 → 0.4.4

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -0
data/README.md +10 -4
data/fluent-plugin-winevtlog.gemspec +3 -2
data/lib/fluent/plugin/in_windows_eventlog.rb +8 -2
data/lib/fluent/plugin/in_windows_eventlog2.rb +101 -28
data/test/helper.rb +0 -2
data/test/plugin/test_in_windows_eventlog2.rb +81 -2
data/test/plugin/test_in_winevtlog.rb +1 -1
metadata +18 -9
data/lib/fluent/plugin/parser_winevt_xml.rb +0 -34
data/test/data/eventlog.xml +0 -1
data/test/plugin/test_parser_winevt_xml.rb +0 -42

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c05a4b1a785316299232e1cd4c3a5f60e7458b93b5b4d717720a6de5f079cbb
-  data.tar.gz: aad0c8d51e5b88d96f86704bb72394d6a16253edecd8b975ed6c3334f433ebf4
+  metadata.gz: 6634a0ee22c7988e40ebe92ebd457996eb25cfdd926a09c557e497065f6dbeac
+  data.tar.gz: 8f3a1543db5dd4a2299c5675ccd81ee19e10b476b06e3f6b7685213e14247814
 SHA512:
-  metadata.gz: 185857a8f3114029de23b8a0b9b262de929e20b6ad98f783a937bb4eb48e8d594a84df33405ff7a5b348c43f0f81d601bdfea72288f4e30637e98035f92ed834
-  data.tar.gz: 1bb7650803e3852a2a14c701f9e3aeeeab932438b36702719f246c8e6b2be4b6c3ffa67a567e2c2dae1fc0cff7dd82144fcc874acb7045ea9beb5c819f6f28eb
+  metadata.gz: 8c9450771f970e88ec85ec5a44f3156a93475aeef12a729ffafe87c863516939fa66c739791b20c6e5bff30ba72e5958f14701b0713d5dca747c1b7919dee72c
+  data.tar.gz: 4d44d036e961e7cd502932863eedeb3781f25507384737850f9a81eb70f4099b0d24d27f8cc0f7753d310f9c3702273fd914271efa398e102610a2084b90c06a

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,22 @@
+# Release v0.4.4 - 2019/11/07
+* in_windows_eventlog: Improve error handling and logging when failed to open Windows Event Log.
+# Release v0.4.3 - 2019/10/31
+* in_windows_eventlog2: Handle privileges record on #parse_desc
+* in_windows_eventlog2: Raise error when handling invalid bookmark xml
+# Release v0.4.2 - 2019/10/16
+* in_windows_eventlog2: Handle invalid data error from `Winevt::EventLog::Query::Error`
+# Release v0.4.1 - 2019/10/11
+* in_windows_eventlog2: Add a missing ProcessID record
+# Release v0.4.0 - 2019/10/10
+* in_windows_eventlog2: Add new `render_as_xml` parameter to switch rendering as XML or Ruby Hash object
+* in_windows_eventlog2: Support rate limit with `rate_limit` option
+* parser_winevt_xml: Separate `parser_winevt_xml` plugin to other repository and published as Fluentd parser plugin
 # Release v0.3.0 - 2019/07/08
 * Add new `in_windows_eventlog2` plugin. This plugin uses newer windows event logging API.

data/README.md CHANGED Viewed

@@ -4,10 +4,10 @@
 ### fluentd Input plugin for the Windows Event Log
-[Fluentd](http://fluentd.org) plugin to read the Windows Event Log.
+[Fluentd](https://www.fluentd.org/) plugin to read the Windows Event Log.
 ## Installation
-    gem install fluent-plugin-windows-eventlog
+    ridk exec gem install fluent-plugin-windows-eventlog
 ## Configuration
@@ -15,7 +15,7 @@
 Check [in_windows_eventlog2](https://github.com/fluent/fluent-plugin-windows-eventlog#in_windows_eventlog2) first. `in_windows_eventlog` will be replaced with `in_windows_eventlog2`.
-#### fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
+fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
     <source>
       @type windows_eventlog
@@ -130,7 +130,7 @@ If your `description` doesn't follow this format, the parsed result is only `des
 ### in_windows_eventlog2
-#### fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API
+fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to `in_windows_eventlog`. See also [this slide](https://www.slideshare.net/cosmo0920/fluentd-meetup-2019) for the details of `in_windows_eventlog2` plugin.
     <source>
       @type windows_eventlog2
@@ -138,6 +138,8 @@ If your `description` doesn't follow this format, the parsed result is only `des
       channels application,system
       read_interval 2
       tag winevt.raw
+      render_as_xml false       # default is true.
+      rate_limit 200            # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
       <storage>
         @type local             # @type local is the default.
         persistent true         # default is true. Set to false to use in-memory storage.
@@ -153,6 +155,10 @@ If your `description` doesn't follow this format, the parsed result is only `des
 **NOTE:** When `Description` contains error message such as `The message resource is present but the message was not found in the message table.`, eventlog's resource file (.mui) related to error generating event is something wrong. This issue is also occurred in built-in Windows Event Viewer which is the part of Windows management tool.
+**NOTE:** When `render_as_xml` as `false`, the dependent winevt_c gem renders Windows EventLog as Ruby Hash object directly. This reduces bottleneck to consume EventLog. Specifying `render_as_xml` as `false` should be faster consuming than `render_as_xml` as `true` case.
+**NOTE:** If you encountered CPU spike due to massively huge EventLog channel, `rate_limit` parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).
 #### parameters
 |name      | description |

data/fluent-plugin-winevtlog.gemspec CHANGED Viewed

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.3.0"
+  spec.version       = "0.4.4"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "test-unit", "~> 3.2.0"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c"
+  spec.add_runtime_dependency "winevt_c", ">= 0.6.1"
   spec.add_runtime_dependency "nokogiri", "~> 1.10"
+  spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
 end

data/lib/fluent/plugin/in_windows_eventlog.rb CHANGED Viewed

@@ -151,7 +151,11 @@ module Fluent::Plugin
     end
     def on_notify(ch)
-      el = Win32::EventLog.open(ch)
+      begin
+        el = Win32::EventLog.open(ch)
+      rescue => e
+        log.error "Failed to open Windows Event log.", error: e
+      end
       current_oldest_record_number = el.oldest_record_number
       current_total_records = el.total_records
@@ -186,7 +190,9 @@ module Fluent::Plugin
       receive_lines(ch, winlogs)
       @pos_storage.put(ch, [read_start, read_num + winlogs.size])
     ensure
-      el.close
+      if el
+        el.close
+      end
     end
     GROUP_DELIMITER = "\r\n\r\n".freeze

data/lib/fluent/plugin/in_windows_eventlog2.rb CHANGED Viewed

@@ -21,6 +21,7 @@ module Fluent::Plugin
                "EventRecordID"     => ["EventRecordID",         :string],
                "ActivityID"        => ["ActivityID",            :string],
                "RelatedActivityID" => ["RelatedActivityID",     :string],
+               "ProcessID"         => ["ProcessID",             :string],
                "ThreadID"          => ["ThreadID",              :string],
                "Channel"           => ["Channel",               :string],
                "Computer"          => ["Computer",              :string],
@@ -35,6 +36,8 @@ module Fluent::Plugin
     config_param :keys, :array, default: []
     config_param :read_from_head, :bool, default: false
     config_param :parse_description, :bool, default: false
+    config_param :render_as_xml, :bool, default: true
+    config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
     config_section :storage do
       config_set_default :usage, "bookmarks"
@@ -60,12 +63,24 @@ module Fluent::Plugin
       if @keynames.empty?
         @keynames = KEY_MAP.keys
       end
+      @keynames.delete('Qualifiers') unless @render_as_xml
       @keynames.delete('EventData') if @parse_description
       @tag = tag
       @tailing = @read_from_head ? false : true
       @bookmarks_storage = storage_create(usage: "bookmarks")
-      @parser = parser_create
+      @winevt_xml = false
+      if @render_as_xml
+        @parser = parser_create
+        @winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
+        class << self
+          alias_method :on_notify, :on_notify_xml
+        end
+      else
+        class << self
+          alias_method :on_notify, :on_notify_hash
+        end
+      end
     end
     def start
@@ -74,9 +89,19 @@ module Fluent::Plugin
       @chs.each do |ch|
         bookmarkXml = @bookmarks_storage.get(ch) || ""
         subscribe = Winevt::EventLog::Subscribe.new
-        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+        bookmark = unless bookmarkXml.empty?
+                     Winevt::EventLog::Bookmark.new(bookmarkXml)
+                   else
+                     nil
+                   end
         subscribe.tail = @tailing
-        subscribe.subscribe(ch, "*", bookmark)
+        begin
+          subscribe.subscribe(ch, "*", bookmark)
+        rescue Winevt::EventLog::Query::Error => e
+          raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
+        end
+        subscribe.render_as_xml = @render_as_xml
+        subscribe.rate_limit = @rate_limit
         timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
           on_notify(ch, subscribe)
         end
@@ -88,34 +113,75 @@ module Fluent::Plugin
     end
     def on_notify(ch, subscribe)
+      # for safety.
+    end
+    def on_notify_xml(ch, subscribe)
       es = Fluent::MultiEventStream.new
-      subscribe.each do |xml, message, string_inserts|
-        @parser.parse(xml) do |time, record|
-          # record.has_key?("EventData") for none parser checking.
-          if record.has_key?("EventData")
-            record["Description"] = message
-            record["EventData"] = string_inserts
-            h = {}
-            @keynames.each do |k|
-              type = KEY_MAP[k][1]
-              value = record[KEY_MAP[k][0]]
-              h[k]=case type
-                   when :string
-                     value.to_s
-                   when :array
-                     value.map {|v| v.to_s}
-                   else
-                     raise "Unknown value type: #{type}"
-                   end
+      begin
+        subscribe.each do |xml, message, string_inserts|
+          @parser.parse(xml) do |time, record|
+            # record.has_key?("EventData") for none parser checking.
+            if @winevt_xml
+              record["Description"] = message
+              record["EventData"] = string_inserts
+              h = {}
+              @keynames.each do |k|
+                type = KEY_MAP[k][1]
+                value = record[KEY_MAP[k][0]]
+                h[k]=case type
+                     when :string
+                       value.to_s
+                     when :array
+                       value.map {|v| v.to_s}
+                     else
+                       raise "Unknown value type: #{type}"
+                     end
+              end
+              parse_desc(h) if @parse_description
+              es.add(Fluent::Engine.now, h)
+            else
+              record["Description"] = message
+              record["EventData"] = string_inserts
+              # for none parser
+              es.add(Fluent::Engine.now, record)
             end
-            parse_desc(h) if @parse_description
-            es.add(Fluent::Engine.now, h)
-          else
-            # for none parser
-            es.add(Fluent::Engine.now, record)
           end
         end
+      rescue Winevt::EventLog::Query::Error => e
+        log.warn "Invalid XML data", error: e
+        log.warn_backtrace
+      end
+      router.emit_stream(@tag, es)
+      @bookmarks_storage.put(ch, subscribe.bookmark)
+    end
+    def on_notify_hash(ch, subscribe)
+      es = Fluent::MultiEventStream.new
+      begin
+        subscribe.each do |record, message, string_inserts|
+          record["Description"] = message
+          record["EventData"] = string_inserts
+          h = {}
+          @keynames.each do |k|
+            type = KEY_MAP[k][1]
+            value = record[KEY_MAP[k][0]]
+            h[k]=case type
+                 when :string
+                   value.to_s
+                 when :array
+                   value.map {|v| v.to_s}
+                 else
+                   raise "Unknown value type: #{type}"
+                 end
+          end
+          parse_desc(h) if @parse_description
+          es.add(Fluent::Engine.now, h)
+        end
+      rescue Winevt::EventLog::Query::Error => e
+        log.warn "Invalid Hash data", error: e
+        log.warn_backtrace
       end
       router.emit_stream(@tag, es)
       @bookmarks_storage.put(ch, subscribe.bookmark)
@@ -134,6 +200,7 @@ module Fluent::Plugin
       elems = desc.split(GROUP_DELIMITER)
       record['DescriptionTitle'] = elems.shift
+      previous_key = nil
       elems.each { |elem|
         parent_key = nil
         elem.split(RECORD_DELIMITER).each { |r|
@@ -148,13 +215,19 @@ module Fluent::Plugin
           else
             # parsed value sometimes contain unexpected "\t". So remove it.
             value.strip!
-            if parent_key.nil?
+            # merge empty key values into the previous non-empty key record.
+            if key.empty?
+              record[previous_key] = [record[previous_key], value].flatten
+            elsif parent_key.nil?
               record[to_key(key)] = value
             else
               k = "#{parent_key}.#{to_key(key)}"
               record[k] = value
             end
           end
+          # XXX: This is for empty privileges record key.
+          # We should investigate whether an another case exists or not.
+          previous_key = to_key(key) unless key.empty?
         }
       }
     end

data/test/helper.rb CHANGED Viewed

@@ -23,10 +23,8 @@ unless ENV.has_key?('VERBOSE')
 end
 require 'fluent/test/driver/input'
-require 'fluent/test/driver/parser'
 require 'fluent/plugin/in_windows_eventlog'
 require 'fluent/plugin/in_windows_eventlog2'
-require 'fluent/plugin/parser_winevt_xml'
 class Test::Unit::TestCase
 end

data/test/plugin/test_in_windows_eventlog2.rb CHANGED Viewed

@@ -25,6 +25,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
     assert_equal 2, d.instance.read_interval
     assert_equal ['application'], d.instance.channels
     assert_false d.instance.read_from_head
+    assert_true d.instance.render_as_xml
   end
   def test_parse_desc
@@ -47,6 +48,38 @@ DESC
     assert_equal(expected, h)
   end
+  def test_parse_privileges_description
+    d = create_driver
+    desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
+            "AccountName:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\r\n",
+            "Privileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\t",
+            "SeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\t",
+            "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\t",
+            "SeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\t",
+            "SeDelegateSessionUserImpersonatePrivilege"].join("")
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "Special privileges assigned to new logon.",
+                "subject.security_id"    => "S-X-Y-ZZ",
+                "subject.accountname"    => "SYSTEM",
+                "subject.account_domain" => "NT AUTHORITY",
+                "subject.logon_id"       => "0x3E7",
+                "privileges"             => ["SeAssignPrimaryTokenPrivilege",
+                                             "SeTcbPrivilege",
+                                             "SeSecurityPrivilege",
+                                             "SeTakeOwnershipPrivilege",
+                                             "SeLoadDriverPrivilege",
+                                             "SeBackupPrivilege",
+                                             "SeRestorePrivilege",
+                                             "SeDebugPrivilege",
+                                             "SeAuditPrivilege",
+                                             "SeSystemEnvironmentPrivilege",
+                                             "SeImpersonatePrivilege",
+                                             "SeDelegateSessionUserImpersonatePrivilege"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
   def test_write
     d = create_driver
@@ -57,7 +90,7 @@ DESC
     end
     assert(d.events.length >= 1)
-    event = d.events.last
+    event = d.events.select {|e| e.last["EventID"] == "65500" }.last
     record = event.last
     assert_equal("Application", record["Channel"])
@@ -96,6 +129,34 @@ DESC
     assert_equal(expected, record)
   end
+  class HashRendered < self
+    def test_write
+      d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "render_as_xml" => false}, [
+                           config_element("storage", "", {
+                                            '@type' => 'local',
+                                            'persistent' => false
+                                          })
+                           ]))
+      service = Fluent::Plugin::EventService.new
+      d.run(expect_emits: 1) do
+        service.run
+      end
+      assert(d.events.length >= 1)
+      event = d.events.select {|e| e.last["EventID"] == "65500" }.last
+      record = event.last
+      assert_false(d.instance.render_as_xml)
+      assert_equal("Application", record["Channel"])
+      assert_equal("65500", record["EventID"])
+      assert_equal("4", record["Level"])
+      assert_equal("fluent-plugins", record["ProviderName"])
+    end
+  end
   class PersistBookMark < self
     TEST_PLUGIN_STORAGE_PATH = File.join( File.dirname(File.dirname(__FILE__)), 'tmp', 'in_windows_eventlog2', 'store' )
     CONFIG2 = config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
@@ -126,7 +187,7 @@ DESC
       end
       assert(d.events.length >= 1)
-      event = d.events.last
+      event = d.events.select {|e| e.last["EventID"] == "65500" }.last
       record = event.last
       prev_id = record["EventRecordID"].to_i
@@ -151,6 +212,21 @@ DESC
       assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
     end
+    def test_start_with_invalid_bookmark
+      invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n  <Bookmark Channel='Application' RecordId='20063' IsCurrent='true'/>\r\n
+EOS
+      d = create_driver(CONFIG2)
+      storage = d.instance.instance_variable_get(:@bookmarks_storage)
+      storage.put('application', invalid_storage_contents)
+      assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+      d2 = create_driver(CONFIG2)
+      assert_raise(Fluent::ConfigError) do
+        d2.instance.start
+      end
+    end
   end
   def test_write_with_none_parser
@@ -178,5 +254,8 @@ DESC
       # record should be {message: <RAW XML EventLog>}.
       record["message"]
     end
+    assert_true(record.has_key?("Description"))
+    assert_true(record.has_key?("EventData"))
   end
 end

data/test/plugin/test_in_winevtlog.rb CHANGED Viewed

@@ -38,7 +38,7 @@ class WindowsEventLogInputTest < Test::Unit::TestCase
     end
     assert(d.events.length >= 1)
-    event = d.events.last
+    event = d.events.select {|e| e.last["event_id"] == "65500" }.last
     record = event.last
     assert_equal("application", record["channel"])
     assert_equal("65500", record["event_id"])

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.4
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-07-09 00:00:00.000000000 Z
+date: 2019-11-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,14 +94,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -116,6 +116,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: fluent-plugin-parser-winevt_xml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
 description: Fluentd Input plugin to read windows event log.
 email:
 - naruki_okahashi@jbat.co.jp
@@ -135,13 +149,10 @@ files:
 - fluent-plugin-winevtlog.gemspec
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
-- lib/fluent/plugin/parser_winevt_xml.rb
-- test/data/eventlog.xml
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb
-- test/plugin/test_parser_winevt_xml.rb
 homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
 licenses:
 - Apache-2.0
@@ -167,9 +178,7 @@ signing_key:
 specification_version: 4
 summary: Fluentd Input plugin to read windows event log.
 test_files:
-- test/data/eventlog.xml
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb
-- test/plugin/test_parser_winevt_xml.rb

data/lib/fluent/plugin/parser_winevt_xml.rb DELETED Viewed

@@ -1,34 +0,0 @@
-require 'fluent/plugin/parser'
-require 'nokogiri'
-module Fluent::Plugin
-  class WinevtXMLparser < Parser
-    Fluent::Plugin.register_parser('winevt_xml', self)
-    def parse(text)
-      record = {}
-      doc = Nokogiri::XML(text)
-      system_elem                     = doc/'Event'/'System'
-      record["ProviderName"]          = (system_elem/"Provider").attribute("Name").text rescue nil
-      record["ProviderGUID"]          = (system_elem/"Provider").attribute("Guid").text rescue nil
-      record["EventID"]               = (system_elem/'EventID').text rescue nil
-      record["Qualifiers"]            = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
-      record["Level"]                 = (system_elem/'Level').text rescue nil
-      record["Task"]                  = (system_elem/'Task').text rescue nil
-      record["Opcode"]                = (system_elem/'Opcode').text rescue nil
-      record["Keywords"]              = (system_elem/'Keywords').text rescue nil
-      record["TimeCreated"]           = (system_elem/'TimeCreated').attribute("SystemTime").text rescue nil
-      record["EventRecordID"]         = (system_elem/'EventRecordID').text rescue nil
-      record["ActivityID"]            = (system_elem/'ActivityID').text rescue nil
-      record["RelatedActivityID"]     = (system_elem/'Correlation').attribute("ActivityID").text rescue nil
-      record["ThreadID"]              = (system_elem/'Execution').attribute("ThreadID").text rescue nil
-      record["Channel"]               = (system_elem/'Channel').text rescue nil
-      record["Computer"]              = (system_elem/"Computer").text rescue nil
-      record["UserID"]                = (system_elem/'Security').attribute("UserID").text rescue nil
-      record["Version"]               = (system_elem/'Version').text rescue nil
-      record["EventData"]             = [] # These parameters are processed in winevt_c.
-      time = @estimate_current_event ? Fluent::EventTime.now : nil
-      yield time, record
-    end
-  end
-end

data/test/data/eventlog.xml DELETED Viewed

@@ -1 +0,0 @@

- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

data/test/plugin/test_parser_winevt_xml.rb DELETED Viewed

@@ -1,42 +0,0 @@
-require 'helper'
-require 'generate-windows-event'
-class WinevtXMLparserTest < Test::Unit::TestCase
-  def setup
-    Fluent::Test.setup
-  end
-  CONFIG = %[]
-  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
-  def create_driver(conf = CONFIG)
-    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
-  end
-  def test_parse
-    d = create_driver
-    xml = XMLLOG
-    expected = {"ProviderName"      => "Microsoft-Windows-Security-Auditing",
-                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
-                "EventID"           => "4624",
-                "Qualifiers"        => nil,
-                "Level"             => "0",
-                "Task"              => "12544",
-                "Opcode"            => "0",
-                "Keywords"          => "0x8020000000000000",
-                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
-                "EventRecordID"     => "80688",
-                "ActivityID"        => "",
-                "RelatedActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
-                "ThreadID"          => "24708",
-                "Channel"           => "Security",
-                "Computer"          => "Fluentd-Developing-Windows",
-                "UserID"            => nil,
-                "Version"           => "2",
-                "EventData"         => []}
-    d.instance.parse(xml) do |time, record|
-      assert_equal(expected, record)
-    end
-  end
-end