fluent-plugin-windows-eventlog 0.4.1 → 0.4.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59131dc675a5af717f4f3d693af1f902d76aa7b557e82c14431cd310f28cf999
-  data.tar.gz: f130a09fbb2c8a35a287869447e1486b3d21d371bc1acf4744ebd1a471e76edf
+  metadata.gz: f4516e76fe8713d76f90513a1312ad213eee4e779acecaef91244b799de7aa99
+  data.tar.gz: 84db0703a52631a1e982b3d90f382803e00f22909c749d12aca5c2bbc2ebe8ac
 SHA512:
-  metadata.gz: 6b9e107c6dd037cc4c2ef391cacf6636884a210a3c7058770972c0968603c8600267babaeee7cebb3dc75259c13d3aa0697e3a1980c06cba3d0daf26912b063e
-  data.tar.gz: 8e41835e28cf0ad5ba6a73d50c985518c001988a721a5fdee2dd4820d48e656835b4e26d19eeefdd0c3db62ee701f29d957efcff7d87f0ade7449f720c8f6849
+  metadata.gz: 3cfb0b205425eba34652d5c2dc4f22666ff9eb711b4d1a3f381d082ec7f0e162e03aa9f4cde83073d5b16b1c0ea8f7b432d36e7c2a129f55d32524261201d316
+  data.tar.gz: 9bc301c76c403093286c22d8be097e3f67a18322d73a434b73655856c5edb82e77ab036d9756d6e697729a2667e3662b16617cef3e585969c417943e61d7a1de

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+# Release v0.4.6 - 2020/02/15
+* Fix winevt_c dependency to prevent fetching winevt_c v0.7.0 or later.
+
+# Release v0.4.5 - 2020/01/28
+* in_windows_eventlog2: Handle empty key case in parsing description method.
+
+# Release v0.4.4 - 2019/11/07
+* in_windows_eventlog: Improve error handling and logging when failed to open Windows Event Log.
+
+# Release v0.4.3 - 2019/10/31
+* in_windows_eventlog2: Handle privileges record on #parse_desc
+* in_windows_eventlog2: Raise error when handling invalid bookmark xml
+
+# Release v0.4.2 - 2019/10/16
+* in_windows_eventlog2: Handle invalid data error from `Winevt::EventLog::Query::Error`
+
 # Release v0.4.1 - 2019/10/11
 * in_windows_eventlog2: Add a missing ProcessID record
 

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.4.1"
+  spec.version       = "0.4.6"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "test-unit", "~> 3.2.0"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c", ">= 0.6.0"
+  spec.add_runtime_dependency "winevt_c", [">= 0.6.1", "< 0.7.0"]
   spec.add_runtime_dependency "nokogiri", "~> 1.10"
   spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
 end

data/lib/fluent/plugin/in_windows_eventlog.rb

@@ -151,7 +151,11 @@ module Fluent::Plugin
     end
 
     def on_notify(ch)
-      el = Win32::EventLog.open(ch)
+      begin
+        el = Win32::EventLog.open(ch)
+      rescue => e
+        log.error "Failed to open Windows Event log.", error: e
+      end
 
       current_oldest_record_number = el.oldest_record_number
       current_total_records = el.total_records
@@ -186,7 +190,9 @@ module Fluent::Plugin
       receive_lines(ch, winlogs)
       @pos_storage.put(ch, [read_start, read_num + winlogs.size])
     ensure
-      el.close
+      if el
+        el.close
+      end
     end
 
     GROUP_DELIMITER = "\r\n\r\n".freeze

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -89,9 +89,17 @@ module Fluent::Plugin
       @chs.each do |ch|
         bookmarkXml = @bookmarks_storage.get(ch) || ""
         subscribe = Winevt::EventLog::Subscribe.new
-        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+        bookmark = unless bookmarkXml.empty?
+                     Winevt::EventLog::Bookmark.new(bookmarkXml)
+                   else
+                     nil
+                   end
         subscribe.tail = @tailing
-        subscribe.subscribe(ch, "*", bookmark)
+        begin
+          subscribe.subscribe(ch, "*", bookmark)
+        rescue Winevt::EventLog::Query::Error => e
+          raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
+        end
         subscribe.render_as_xml = @render_as_xml
         subscribe.rate_limit = @rate_limit
         timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
@@ -101,7 +109,7 @@ module Fluent::Plugin
     end
 
     def escape_channel(ch)
-      ch.gsub(/[^a-zA-Z0-9]/, '_')
+      ch.gsub(/[^a-zA-Z0-9\s]/, '_')
     end
 
     def on_notify(ch, subscribe)
@@ -110,35 +118,40 @@ module Fluent::Plugin
 
     def on_notify_xml(ch, subscribe)
       es = Fluent::MultiEventStream.new
-      subscribe.each do |xml, message, string_inserts|
-        @parser.parse(xml) do |time, record|
-          # record.has_key?("EventData") for none parser checking.
-          if @winevt_xml
-            record["Description"] = message
-            record["EventData"] = string_inserts
-
-            h = {}
-            @keynames.each do |k|
-              type = KEY_MAP[k][1]
-              value = record[KEY_MAP[k][0]]
-              h[k]=case type
-                   when :string
-                     value.to_s
-                   when :array
-                     value.map {|v| v.to_s}
-                   else
-                     raise "Unknown value type: #{type}"
-                   end
+      begin
+        subscribe.each do |xml, message, string_inserts|
+          @parser.parse(xml) do |time, record|
+            # record.has_key?("EventData") for none parser checking.
+            if @winevt_xml
+              record["Description"] = message
+              record["EventData"] = string_inserts
+
+              h = {}
+              @keynames.each do |k|
+                type = KEY_MAP[k][1]
+                value = record[KEY_MAP[k][0]]
+                h[k]=case type
+                     when :string
+                       value.to_s
+                     when :array
+                       value.map {|v| v.to_s}
+                     else
+                       raise "Unknown value type: #{type}"
+                     end
+              end
+              parse_desc(h) if @parse_description
+              es.add(Fluent::Engine.now, h)
+            else
+              record["Description"] = message
+              record["EventData"] = string_inserts
+              # for none parser
+              es.add(Fluent::Engine.now, record)
             end
-            parse_desc(h) if @parse_description
-            es.add(Fluent::Engine.now, h)
-          else
-            record["Description"] = message
-            record["EventData"] = string_inserts
-            # for none parser
-            es.add(Fluent::Engine.now, record)
           end
         end
+      rescue Winevt::EventLog::Query::Error => e
+        log.warn "Invalid XML data", error: e
+        log.warn_backtrace
       end
       router.emit_stream(@tag, es)
       @bookmarks_storage.put(ch, subscribe.bookmark)
@@ -146,24 +159,29 @@ module Fluent::Plugin
 
     def on_notify_hash(ch, subscribe)
       es = Fluent::MultiEventStream.new
-      subscribe.each do |record, message, string_inserts|
-        record["Description"] = message
-        record["EventData"] = string_inserts
-        h = {}
-        @keynames.each do |k|
-          type = KEY_MAP[k][1]
-          value = record[KEY_MAP[k][0]]
-          h[k]=case type
-               when :string
-                 value.to_s
-               when :array
-                 value.map {|v| v.to_s}
-               else
-                 raise "Unknown value type: #{type}"
-               end
+      begin
+        subscribe.each do |record, message, string_inserts|
+          record["Description"] = message
+          record["EventData"] = string_inserts
+          h = {}
+          @keynames.each do |k|
+            type = KEY_MAP[k][1]
+            value = record[KEY_MAP[k][0]]
+            h[k]=case type
+                 when :string
+                   value.to_s
+                 when :array
+                   value.map {|v| v.to_s}
+                 else
+                   raise "Unknown value type: #{type}"
+                 end
+          end
+          parse_desc(h) if @parse_description
+          es.add(Fluent::Engine.now, h)
         end
-        parse_desc(h) if @parse_description
-        es.add(Fluent::Engine.now, h)
+      rescue Winevt::EventLog::Query::Error => e
+        log.warn "Invalid Hash data", error: e
+        log.warn_backtrace
       end
       router.emit_stream(@tag, es)
       @bookmarks_storage.put(ch, subscribe.bookmark)
@@ -182,6 +200,7 @@ module Fluent::Plugin
 
       elems = desc.split(GROUP_DELIMITER)
       record['DescriptionTitle'] = elems.shift
+      previous_key = nil
       elems.each { |elem|
         parent_key = nil
         elem.split(RECORD_DELIMITER).each { |r|
@@ -190,19 +209,26 @@ module Fluent::Plugin
                        else
                          r.split(NONE_FIELD_DELIMITER)
                        end
+          key = "" if key.nil?
           key.chop!  # remove ':' from key
           if value.nil?
             parent_key = to_key(key)
           else
             # parsed value sometimes contain unexpected "\t". So remove it.
             value.strip!
-            if parent_key.nil?
+            # merge empty key values into the previous non-empty key record.
+            if key.empty?
+              record[previous_key] = [record[previous_key], value].flatten.reject {|e| e.nil?}
+            elsif parent_key.nil?
               record[to_key(key)] = value
             else
               k = "#{parent_key}.#{to_key(key)}"
               record[k] = value
             end
           end
+          # XXX: This is for empty privileges record key.
+          # We should investigate whether an another case exists or not.
+          previous_key = to_key(key) unless key.empty?
         }
       }
     end

data/test/data/eventid_6416

@@ -0,0 +1,27 @@
+A new external device was recognized by the system.
+
+Subject:
+	Security ID:		SYSTEM
+	Account Name:		IIZHU2016$
+	Account Domain:		ITSS
+	Logon ID:		0x3E7
+
+Device ID:	SWD\PRINTENUM\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}
+
+Device Name:	Microsoft Print to PDF
+
+Class ID:		{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
+
+Class Name:	PrintQueue
+
+Vendor IDs:
+		PRINTENUM\{084f01fa-e634-4d77-83ee-074817c03581}
+		PRINTENUM\LocalPrintQueue
+		{084f01fa-e634-4d77-83ee-074817c03581}
+
+
+
+Compatible IDs:
+		GenPrintQueue
+		SWD\GenericRaw
+		SWD\Generic

data/test/plugin/test_in_windows_eventlog2.rb

@@ -28,6 +28,16 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
     assert_true d.instance.render_as_xml
   end
 
+  data("application"        => ["Application", "Application"],
+       "windows powershell" => ["Windows PowerShell", "Windows PowerShell"],
+       "escaped"            => ["Should_Be_Escaped_", "Should+Be;Escaped/"]
+      )
+  def test_escape_channel(data)
+    expected, actual = data
+    d = create_driver CONFIG
+    assert_equal expected, d.instance.escape_channel(actual)
+  end
+
   def test_parse_desc
     d = create_driver
     desc =<<-DESC
@@ -48,6 +58,63 @@ DESC
     assert_equal(expected, h)
   end
 
+  def test_parse_privileges_description
+    d = create_driver
+    desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
+            "AccountName:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\r\n",
+            "Privileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\t",
+            "SeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\t",
+            "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\t",
+            "SeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\t",
+            "SeDelegateSessionUserImpersonatePrivilege"].join("")
+
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "Special privileges assigned to new logon.",
+                "subject.security_id"    => "S-X-Y-ZZ",
+                "subject.accountname"    => "SYSTEM",
+                "subject.account_domain" => "NT AUTHORITY",
+                "subject.logon_id"       => "0x3E7",
+                "privileges"             => ["SeAssignPrimaryTokenPrivilege",
+                                             "SeTcbPrivilege",
+                                             "SeSecurityPrivilege",
+                                             "SeTakeOwnershipPrivilege",
+                                             "SeLoadDriverPrivilege",
+                                             "SeBackupPrivilege",
+                                             "SeRestorePrivilege",
+                                             "SeDebugPrivilege",
+                                             "SeAuditPrivilege",
+                                             "SeSystemEnvironmentPrivilege",
+                                             "SeImpersonatePrivilege",
+                                             "SeDelegateSessionUserImpersonatePrivilege"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
+  test "A new external device was recognized by the system." do
+    # using the event log example: eventopedia.cloudapp.net/EventDetails.aspx?id=17ef124e-eb89-4c01-9ba2-d761e06b2b68
+    d = create_driver
+    desc = nil
+    File.open('./test/data/eventid_6416', 'r') do |f|
+      desc = f.read.gsub(/\R/, "\r\n")
+    end
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "A new external device was recognized by the system.",
+                "class_id"               => "{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}",
+                "class_name"             => "PrintQueue",
+                "compatible_ids"         => ["GenPrintQueue", "SWD\\GenericRaw", "SWD\\Generic"],
+                "device_id"              => "SWD\\PRINTENUM\\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}",
+                "device_name"            => "Microsoft Print to PDF",
+                "subject.account_domain" => "ITSS",
+                "subject.account_name"   => "IIZHU2016$",
+                "subject.logon_id"       => "0x3E7",
+                "subject.security_id"    => "SYSTEM",
+                "vendor_ids"             => ["PRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}",
+                                             "PRINTENUM\\LocalPrintQueue",
+                                             "{084f01fa-e634-4d77-83ee-074817c03581}"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
   def test_write
     d = create_driver
 
@@ -58,7 +125,7 @@ DESC
     end
 
     assert(d.events.length >= 1)
-    event = d.events.last
+    event = d.events.select {|e| e.last["EventID"] == "65500" }.last
     record = event.last
 
     assert_equal("Application", record["Channel"])
@@ -114,7 +181,7 @@ DESC
       end
 
       assert(d.events.length >= 1)
-      event = d.events.last
+      event = d.events.select {|e| e.last["EventID"] == "65500" }.last
       record = event.last
 
       assert_false(d.instance.render_as_xml)
@@ -155,7 +222,7 @@ DESC
       end
 
       assert(d.events.length >= 1)
-      event = d.events.last
+      event = d.events.select {|e| e.last["EventID"] == "65500" }.last
       record = event.last
 
       prev_id = record["EventRecordID"].to_i
@@ -180,6 +247,21 @@ DESC
 
       assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
     end
+
+    def test_start_with_invalid_bookmark
+      invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n  <Bookmark Channel='Application' RecordId='20063' IsCurrent='true'/>\r\n
+EOS
+      d = create_driver(CONFIG2)
+      storage = d.instance.instance_variable_get(:@bookmarks_storage)
+      storage.put('application', invalid_storage_contents)
+      assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+
+      d2 = create_driver(CONFIG2)
+      assert_raise(Fluent::ConfigError) do
+        d2.instance.start
+      end
+    end
   end
 
   def test_write_with_none_parser

data/test/plugin/test_in_winevtlog.rb

@@ -38,7 +38,7 @@ class WindowsEventLogInputTest < Test::Unit::TestCase
     end
 
     assert(d.events.length >= 1)
-    event = d.events.last
+    event = d.events.select {|e| e.last["event_id"] == "65500" }.last
     record = event.last
     assert_equal("application", record["channel"])
     assert_equal("65500", record["event_id"])

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.6
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-11 00:00:00.000000000 Z
+date: 2020-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,14 +94,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -149,6 +155,7 @@ files:
 - fluent-plugin-winevtlog.gemspec
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
+- test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb
@@ -173,11 +180,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Fluentd Input plugin to read windows event log.
 test_files:
+- test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb