RubyGems - fluent-plugin-windows-eventlog - Versions diffs - 0.3.0 → 0.4.4 - Mend

fluent-plugin-windows-eventlog 0.3.0 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -0
data/README.md +10 -4
data/fluent-plugin-winevtlog.gemspec +3 -2
data/lib/fluent/plugin/in_windows_eventlog.rb +8 -2
data/lib/fluent/plugin/in_windows_eventlog2.rb +101 -28
data/test/helper.rb +0 -2
data/test/plugin/test_in_windows_eventlog2.rb +81 -2
data/test/plugin/test_in_winevtlog.rb +1 -1
metadata +18 -9
data/lib/fluent/plugin/parser_winevt_xml.rb +0 -34
data/test/data/eventlog.xml +0 -1
data/test/plugin/test_parser_winevt_xml.rb +0 -42

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c05a4b1a785316299232e1cd4c3a5f60e7458b93b5b4d717720a6de5f079cbb
-  data.tar.gz: aad0c8d51e5b88d96f86704bb72394d6a16253edecd8b975ed6c3334f433ebf4
+  metadata.gz: 6634a0ee22c7988e40ebe92ebd457996eb25cfdd926a09c557e497065f6dbeac
+  data.tar.gz: 8f3a1543db5dd4a2299c5675ccd81ee19e10b476b06e3f6b7685213e14247814
 SHA512:
-  metadata.gz: 185857a8f3114029de23b8a0b9b262de929e20b6ad98f783a937bb4eb48e8d594a84df33405ff7a5b348c43f0f81d601bdfea72288f4e30637e98035f92ed834
-  data.tar.gz: 1bb7650803e3852a2a14c701f9e3aeeeab932438b36702719f246c8e6b2be4b6c3ffa67a567e2c2dae1fc0cff7dd82144fcc874acb7045ea9beb5c819f6f28eb
+  metadata.gz: 8c9450771f970e88ec85ec5a44f3156a93475aeef12a729ffafe87c863516939fa66c739791b20c6e5bff30ba72e5958f14701b0713d5dca747c1b7919dee72c
+  data.tar.gz: 4d44d036e961e7cd502932863eedeb3781f25507384737850f9a81eb70f4099b0d24d27f8cc0f7753d310f9c3702273fd914271efa398e102610a2084b90c06a

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,22 @@
+# Release v0.4.4 - 2019/11/07
+* in_windows_eventlog: Improve error handling and logging when failed to open Windows Event Log.
+# Release v0.4.3 - 2019/10/31
+* in_windows_eventlog2: Handle privileges record on #parse_desc
+* in_windows_eventlog2: Raise error when handling invalid bookmark xml
+# Release v0.4.2 - 2019/10/16
+* in_windows_eventlog2: Handle invalid data error from `Winevt::EventLog::Query::Error`
+# Release v0.4.1 - 2019/10/11
+* in_windows_eventlog2: Add a missing ProcessID record
+# Release v0.4.0 - 2019/10/10
+* in_windows_eventlog2: Add new `render_as_xml` parameter to switch rendering as XML or Ruby Hash object
+* in_windows_eventlog2: Support rate limit with `rate_limit` option
+* parser_winevt_xml: Separate `parser_winevt_xml` plugin to other repository and published as Fluentd parser plugin
 # Release v0.3.0 - 2019/07/08
 * Add new `in_windows_eventlog2` plugin. This plugin uses newer windows event logging API.

data/README.md CHANGED Viewed

@@ -4,10 +4,10 @@
 ### fluentd Input plugin for the Windows Event Log
-[Fluentd](http://fluentd.org) plugin to read the Windows Event Log.
+[Fluentd](https://www.fluentd.org/) plugin to read the Windows Event Log.
 ## Installation
-    gem install fluent-plugin-windows-eventlog
+    ridk exec gem install fluent-plugin-windows-eventlog
 ## Configuration
@@ -15,7 +15,7 @@
 Check [in_windows_eventlog2](https://github.com/fluent/fluent-plugin-windows-eventlog#in_windows_eventlog2) first. `in_windows_eventlog` will be replaced with `in_windows_eventlog2`.
-#### fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
+fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
     <source>
       @type windows_eventlog
@@ -130,7 +130,7 @@ If your `description` doesn't follow this format, the parsed result is only `des
 ### in_windows_eventlog2
-#### fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API
+fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to `in_windows_eventlog`. See also [this slide](https://www.slideshare.net/cosmo0920/fluentd-meetup-2019) for the details of `in_windows_eventlog2` plugin.
     <source>
       @type windows_eventlog2
@@ -138,6 +138,8 @@ If your `description` doesn't follow this format, the parsed result is only `des
       channels application,system
       read_interval 2
       tag winevt.raw
+      render_as_xml false       # default is true.
+      rate_limit 200            # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
       <storage>
         @type local             # @type local is the default.
         persistent true         # default is true. Set to false to use in-memory storage.
@@ -153,6 +155,10 @@ If your `description` doesn't follow this format, the parsed result is only `des
 **NOTE:** When `Description` contains error message such as `The message resource is present but the message was not found in the message table.`, eventlog's resource file (.mui) related to error generating event is something wrong. This issue is also occurred in built-in Windows Event Viewer which is the part of Windows management tool.
+**NOTE:** When `render_as_xml` as `false`, the dependent winevt_c gem renders Windows EventLog as Ruby Hash object directly. This reduces bottleneck to consume EventLog. Specifying `render_as_xml` as `false` should be faster consuming than `render_as_xml` as `true` case.
+**NOTE:** If you encountered CPU spike due to massively huge EventLog channel, `rate_limit` parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).
 #### parameters
 |name      | description |

data/fluent-plugin-winevtlog.gemspec CHANGED Viewed

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.3.0"
+  spec.version       = "0.4.4"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "test-unit", "~> 3.2.0"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c"
+  spec.add_runtime_dependency "winevt_c", ">= 0.6.1"
   spec.add_runtime_dependency "nokogiri", "~> 1.10"
+  spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
 end

data/lib/fluent/plugin/in_windows_eventlog.rb CHANGED Viewed

@@ -151,7 +151,11 @@ module Fluent::Plugin
     end
     def on_notify(ch)
-      el = Win32::EventLog.open(ch)
+      begin
+        el = Win32::EventLog.open(ch)
+      rescue => e
+        log.error "Failed to open Windows Event log.", error: e
+      end
       current_oldest_record_number = el.oldest_record_number
       current_total_records = el.total_records
@@ -186,7 +190,9 @@ module Fluent::Plugin
       receive_lines(ch, winlogs)
       @pos_storage.put(ch, [read_start, read_num + winlogs.size])
     ensure
-      el.close
+      if el
+        el.close
+      end
     end
     GROUP_DELIMITER = "\r\n\r\n".freeze

data/lib/fluent/plugin/in_windows_eventlog2.rb CHANGED Viewed

@@ -21,6 +21,7 @@ module Fluent::Plugin
                "EventRecordID"     => ["EventRecordID",         :string],
                "ActivityID"        => ["ActivityID",            :string],
                "RelatedActivityID" => ["RelatedActivityID",     :string],
+               "ProcessID"         => ["ProcessID",             :string],
                "ThreadID"          => ["ThreadID",              :string],
                "Channel"           => ["Channel",               :string],
                "Computer"          => ["Computer",              :string],
@@ -35,6 +36,8 @@ module Fluent::Plugin
     config_param :keys, :array, default: []
     config_param :read_from_head, :bool, default: false
     config_param :parse_description, :bool, default: false
+    config_param :render_as_xml, :bool, default: true
+    config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
     config_section :storage do
       config_set_default :usage, "bookmarks"
@@ -60,12 +63,24 @@ module Fluent::Plugin
       if @keynames.empty?
         @keynames = KEY_MAP.keys
       end
+      @keynames.delete('Qualifiers') unless @render_as_xml
       @keynames.delete('EventData') if @parse_description
       @tag = tag
       @tailing = @read_from_head ? false : true
       @bookmarks_storage = storage_create(usage: "bookmarks")
-      @parser = parser_create
+      @winevt_xml = false
+      if @render_as_xml
+        @parser = parser_create
+        @winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
+        class << self
+          alias_method :on_notify, :on_notify_xml
+        end
+      else
+        class << self
+          alias_method :on_notify, :on_notify_hash
+        end
+      end
     end
     def start
@@ -74,9 +89,19 @@ module Fluent::Plugin
       @chs.each do |ch|
         bookmarkXml = @bookmarks_storage.get(ch) || ""
         subscribe = Winevt::EventLog::Subscribe.new
-        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+        bookmark = unless bookmarkXml.empty?
+                     Winevt::EventLog::Bookmark.new(bookmarkXml)
+                   else
+                     nil
+                   end
         subscribe.tail = @tailing
-        subscribe.subscribe(ch, "*", bookmark)
+        begin
+          subscribe.subscribe(ch, "*", bookmark)
+        rescue Winevt::EventLog::Query::Error => e
+          raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
+        end
+        subscribe.render_as_xml = @render_as_xml
+        subscribe.rate_limit = @rate_limit
         timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
           on_notify(ch, subscribe)
         end
@@ -88,34 +113,75 @@ module Fluent::Plugin
     end
     def on_notify(ch, subscribe)
+      # for safety.
+    end
+    def on_notify_xml(ch, subscribe)
       es = Fluent::MultiEventStream.new
-      subscribe.each do |xml, message, string_inserts|
-        @parser.parse(xml) do |time, record|
-          # record.has_key?("EventData") for none parser checking.
-          if record.has_key?("EventData")
-            record["Description"] = message
-            record["EventData"] = string_inserts
-            h = {}
-            @keynames.each do |k|
-              type = KEY_MAP[k][1]
-              value = record[KEY_MAP[k][0]]
-              h[k]=case type
-                   when :string
-                     value.to_s
-                   when :array
-                     value.map {|v| v.to_s}
-                   else
-                     raise "Unknown value type: #{type}"
-                   end
+      begin
+        subscribe.each do |xml, message, string_inserts|
+          @parser.parse(xml) do |time, record|
+            # record.has_key?("EventData") for none parser checking.
+            if @winevt_xml
+              record["Description"] = message
+              record["EventData"] = string_inserts
+              h = {}
+              @keynames.each do |k|
+                type = KEY_MAP[k][1]
+                value = record[KEY_MAP[k][0]]
+                h[k]=case type
+                     when :string
+                       value.to_s
+                     when :array
+                       value.map {|v| v.to_s}
+                     else
+                       raise "Unknown value type: #{type}"
+                     end
+              end
+              parse_desc(h) if @parse_description
+              es.add(Fluent::Engine.now, h)
+            else
+              record["Description"] = message
+              record["EventData"] = string_inserts
+              # for none parser
+              es.add(Fluent::Engine.now, record)
             end
-            parse_desc(h) if @parse_description
-            es.add(Fluent::Engine.now, h)
-          else
-            # for none parser
-            es.add(Fluent::Engine.now, record)
           end
         end
+      rescue Winevt::EventLog::Query::Error => e
+        log.warn "Invalid XML data", error: e
+        log.warn_backtrace
+      end
+      router.emit_stream(@tag, es)
+      @bookmarks_storage.put(ch, subscribe.bookmark)
+    end
+    def on_notify_hash(ch, subscribe)
+      es = Fluent::MultiEventStream.new
+      begin
+        subscribe.each do |record, message, string_inserts|
+          record["Description"] = message
+          record["EventData"] = string_inserts
+          h = {}
+          @keynames.each do |k|
+            type = KEY_MAP[k][1]
+            value = record[KEY_MAP[k][0]]
+            h[k]=case type
+                 when :string
+                   value.to_s
+                 when :array
+                   value.map {|v| v.to_s}
+                 else
+                   raise "Unknown value type: #{type}"
+                 end
+          end
+          parse_desc(h) if @parse_description
+          es.add(Fluent::Engine.now, h)
+        end
+      rescue Winevt::EventLog::Query::Error => e
+        log.warn "Invalid Hash data", error: e
+        log.warn_backtrace
       end
       router.emit_stream(@tag, es)
       @bookmarks_storage.put(ch, subscribe.bookmark)
@@ -134,6 +200,7 @@ module Fluent::Plugin
       elems = desc.split(GROUP_DELIMITER)
       record['DescriptionTitle'] = elems.shift
+      previous_key = nil
       elems.each { |elem|
         parent_key = nil
         elem.split(RECORD_DELIMITER).each { |r|
@@ -148,13 +215,19 @@ module Fluent::Plugin
           else
             # parsed value sometimes contain unexpected "\t". So remove it.
             value.strip!
-            if parent_key.nil?
+            # merge empty key values into the previous non-empty key record.
+            if key.empty?
+              record[previous_key] = [record[previous_key], value].flatten
+            elsif parent_key.nil?
               record[to_key(key)] = value
             else
               k = "#{parent_key}.#{to_key(key)}"
               record[k] = value
             end
           end
+          # XXX: This is for empty privileges record key.
+          # We should investigate whether an another case exists or not.
+          previous_key = to_key(key) unless key.empty?
         }
       }
     end

data/test/helper.rb CHANGED Viewed

@@ -23,10 +23,8 @@ unless ENV.has_key?('VERBOSE')
 end
 require 'fluent/test/driver/input'
-require 'fluent/test/driver/parser'
 require 'fluent/plugin/in_windows_eventlog'
 require 'fluent/plugin/in_windows_eventlog2'
-require 'fluent/plugin/parser_winevt_xml'
 class Test::Unit::TestCase
 end

data/test/plugin/test_in_windows_eventlog2.rb CHANGED Viewed

@@ -25,6 +25,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
     assert_equal 2, d.instance.read_interval
     assert_equal ['application'], d.instance.channels
     assert_false d.instance.read_from_head
+    assert_true d.instance.render_as_xml
   end
   def test_parse_desc
@@ -47,6 +48,38 @@ DESC
     assert_equal(expected, h)
   end
+  def test_parse_privileges_description
+    d = create_driver
+    desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
+            "AccountName:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\r\n",
+            "Privileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\t",
+            "SeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\t",
+            "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\t",
+            "SeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\t",
+            "SeDelegateSessionUserImpersonatePrivilege"].join("")
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "Special privileges assigned to new logon.",
+                "subject.security_id"    => "S-X-Y-ZZ",
+                "subject.accountname"    => "SYSTEM",
+                "subject.account_domain" => "NT AUTHORITY",
+                "subject.logon_id"       => "0x3E7",
+                "privileges"             => ["SeAssignPrimaryTokenPrivilege",
+                                             "SeTcbPrivilege",
+                                             "SeSecurityPrivilege",
+                                             "SeTakeOwnershipPrivilege",
+                                             "SeLoadDriverPrivilege",
+                                             "SeBackupPrivilege",
+                                             "SeRestorePrivilege",
+                                             "SeDebugPrivilege",
+                                             "SeAuditPrivilege",
+                                             "SeSystemEnvironmentPrivilege",
+                                             "SeImpersonatePrivilege",
+                                             "SeDelegateSessionUserImpersonatePrivilege"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
   def test_write
     d = create_driver
@@ -57,7 +90,7 @@ DESC
     end
     assert(d.events.length >= 1)
-    event = d.events.last
+    event = d.events.select {|e| e.last["EventID"] == "65500" }.last
     record = event.last
     assert_equal("Application", record["Channel"])
@@ -96,6 +129,34 @@ DESC
     assert_equal(expected, record)
   end
+  class HashRendered < self
+    def test_write
+      d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "render_as_xml" => false}, [
+                           config_element("storage", "", {
+                                            '@type' => 'local',
+                                            'persistent' => false
+                                          })
+                           ]))
+      service = Fluent::Plugin::EventService.new
+      d.run(expect_emits: 1) do
+        service.run
+      end
+      assert(d.events.length >= 1)
+      event = d.events.select {|e| e.last["EventID"] == "65500" }.last
+      record = event.last
+      assert_false(d.instance.render_as_xml)
+      assert_equal("Application", record["Channel"])
+      assert_equal("65500", record["EventID"])
+      assert_equal("4", record["Level"])
+      assert_equal("fluent-plugins", record["ProviderName"])
+    end
+  end
   class PersistBookMark < self
     TEST_PLUGIN_STORAGE_PATH = File.join( File.dirname(File.dirname(__FILE__)), 'tmp', 'in_windows_eventlog2', 'store' )
     CONFIG2 = config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
@@ -126,7 +187,7 @@ DESC
       end
       assert(d.events.length >= 1)
-      event = d.events.last
+      event = d.events.select {|e| e.last["EventID"] == "65500" }.last
       record = event.last
       prev_id = record["EventRecordID"].to_i
@@ -151,6 +212,21 @@ DESC
       assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
     end
+    def test_start_with_invalid_bookmark
+      invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n  <Bookmark Channel='Application' RecordId='20063' IsCurrent='true'/>\r\n
+EOS
+      d = create_driver(CONFIG2)
+      storage = d.instance.instance_variable_get(:@bookmarks_storage)
+      storage.put('application', invalid_storage_contents)
+      assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+      d2 = create_driver(CONFIG2)
+      assert_raise(Fluent::ConfigError) do
+        d2.instance.start
+      end
+    end
   end
   def test_write_with_none_parser
@@ -178,5 +254,8 @@ DESC
       # record should be {message: <RAW XML EventLog>}.
       record["message"]
     end
+    assert_true(record.has_key?("Description"))
+    assert_true(record.has_key?("EventData"))
   end
 end

data/test/plugin/test_in_winevtlog.rb CHANGED Viewed

@@ -38,7 +38,7 @@ class WindowsEventLogInputTest < Test::Unit::TestCase
     end
     assert(d.events.length >= 1)
-    event = d.events.last
+    event = d.events.select {|e| e.last["event_id"] == "65500" }.last
     record = event.last
     assert_equal("application", record["channel"])
     assert_equal("65500", record["event_id"])

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.4
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-07-09 00:00:00.000000000 Z
+date: 2019-11-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,14 +94,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -116,6 +116,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: fluent-plugin-parser-winevt_xml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
 description: Fluentd Input plugin to read windows event log.
 email:
 - naruki_okahashi@jbat.co.jp
@@ -135,13 +149,10 @@ files:
 - fluent-plugin-winevtlog.gemspec
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
-- lib/fluent/plugin/parser_winevt_xml.rb
-- test/data/eventlog.xml
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb
-- test/plugin/test_parser_winevt_xml.rb
 homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
 licenses:
 - Apache-2.0
@@ -167,9 +178,7 @@ signing_key:
 specification_version: 4
 summary: Fluentd Input plugin to read windows event log.
 test_files:
-- test/data/eventlog.xml
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb
-- test/plugin/test_parser_winevt_xml.rb

data/lib/fluent/plugin/parser_winevt_xml.rb DELETED Viewed

@@ -1,34 +0,0 @@
-require 'fluent/plugin/parser'
-require 'nokogiri'
-module Fluent::Plugin
-  class WinevtXMLparser < Parser
-    Fluent::Plugin.register_parser('winevt_xml', self)
-    def parse(text)
-      record = {}
-      doc = Nokogiri::XML(text)
-      system_elem                     = doc/'Event'/'System'
-      record["ProviderName"]          = (system_elem/"Provider").attribute("Name").text rescue nil
-      record["ProviderGUID"]          = (system_elem/"Provider").attribute("Guid").text rescue nil
-      record["EventID"]               = (system_elem/'EventID').text rescue nil
-      record["Qualifiers"]            = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
-      record["Level"]                 = (system_elem/'Level').text rescue nil
-      record["Task"]                  = (system_elem/'Task').text rescue nil
-      record["Opcode"]                = (system_elem/'Opcode').text rescue nil
-      record["Keywords"]              = (system_elem/'Keywords').text rescue nil
-      record["TimeCreated"]           = (system_elem/'TimeCreated').attribute("SystemTime").text rescue nil
-      record["EventRecordID"]         = (system_elem/'EventRecordID').text rescue nil
-      record["ActivityID"]            = (system_elem/'ActivityID').text rescue nil
-      record["RelatedActivityID"]     = (system_elem/'Correlation').attribute("ActivityID").text rescue nil
-      record["ThreadID"]              = (system_elem/'Execution').attribute("ThreadID").text rescue nil
-      record["Channel"]               = (system_elem/'Channel').text rescue nil
-      record["Computer"]              = (system_elem/"Computer").text rescue nil
-      record["UserID"]                = (system_elem/'Security').attribute("UserID").text rescue nil
-      record["Version"]               = (system_elem/'Version').text rescue nil
-      record["EventData"]             = [] # These parameters are processed in winevt_c.
-      time = @estimate_current_event ? Fluent::EventTime.now : nil
-      yield time, record
-    end
-  end
-end

data/test/data/eventlog.xml DELETED Viewed

@@ -1 +0,0 @@

- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-13T09:21:23.345889600Z'/><EventRecordID>80688</EventRecordID><Correlation ActivityID='{587F0743-1F71-0006-5007-7F58711FD501}'/><Execution ProcessID='912' ThreadID='24708'/><Channel>Security</Channel><Computer>Fluentd-Developing-Windows</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>Fluentd-Developing-Windows$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x344</Data><Data Name='ProcessName'>C:\Windows\System32\services.exe</Data><Data Name='IpAddress'>-</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

data/test/plugin/test_parser_winevt_xml.rb DELETED Viewed

@@ -1,42 +0,0 @@
-require 'helper'
-require 'generate-windows-event'
-class WinevtXMLparserTest < Test::Unit::TestCase
-  def setup
-    Fluent::Test.setup
-  end
-  CONFIG = %[]
-  XMLLOG = File.open(File.join(__dir__, "..", "data", "eventlog.xml") )
-  def create_driver(conf = CONFIG)
-    Fluent::Test::Driver::Parser.new(Fluent::Plugin::WinevtXMLparser).configure(conf)
-  end
-  def test_parse
-    d = create_driver
-    xml = XMLLOG
-    expected = {"ProviderName"      => "Microsoft-Windows-Security-Auditing",
-                "ProviderGUID"      => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
-                "EventID"           => "4624",
-                "Qualifiers"        => nil,
-                "Level"             => "0",
-                "Task"              => "12544",
-                "Opcode"            => "0",
-                "Keywords"          => "0x8020000000000000",
-                "TimeCreated"       => "2019-06-13T09:21:23.345889600Z",
-                "EventRecordID"     => "80688",
-                "ActivityID"        => "",
-                "RelatedActivityID" => "{587F0743-1F71-0006-5007-7F58711FD501}",
-                "ThreadID"          => "24708",
-                "Channel"           => "Security",
-                "Computer"          => "Fluentd-Developing-Windows",
-                "UserID"            => nil,
-                "Version"           => "2",
-                "EventData"         => []}
-    d.instance.parse(xml) do |time, record|
-      assert_equal(expected, record)
-    end
-  end
-end