fluent-plugin-windows-eventlog 0.4.2 → 0.4.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/fluent-plugin-winevtlog.gemspec +2 -2
- data/lib/fluent/plugin/in_windows_eventlog2.rb +18 -3
- data/test/plugin/test_in_windows_eventlog2.rb +47 -0
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 300dbf6a1600969a0b6a5401dad54494bea12c9a32435b995f26b391926b460a
|
4
|
+
data.tar.gz: 69a35513989955c04f7aea4f3a44b6ca203783f968b6469c264b44487204e34c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 89bdf9b1e43f88a8784968f88ab29956eec7036381078d95453e91fee2c754f2796de7a06c0a229c77f632ec6a95f6bd49409f1974f69f2a10cb6b5975125648
|
7
|
+
data.tar.gz: 8454063733dc798315f054819c444d9bf6e739ccb0150e07284f9e8c1c3c962b218d471fee85e924b9d92f3442d2c70d14bba5acdbbc3eb86667b4f609ebf6bf
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,7 @@
|
|
1
|
+
# Release v0.4.3 - 2019/10/31
|
2
|
+
* in_windows_eventlog2: Handle privileges record on #parse_desc
|
3
|
+
* in_windows_eventlog2: Raise error when handling invalid bookmark xml
|
4
|
+
|
1
5
|
# Release v0.4.2 - 2019/10/16
|
2
6
|
* in_windows_eventlog2: Handle invalid data error from `Winevt::EventLog::Query::Error`
|
3
7
|
|
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
4
|
|
5
5
|
Gem::Specification.new do |spec|
|
6
6
|
spec.name = "fluent-plugin-windows-eventlog"
|
7
|
-
spec.version = "0.4.
|
7
|
+
spec.version = "0.4.3"
|
8
8
|
spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
|
9
9
|
spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
|
10
10
|
spec.summary = %q{Fluentd Input plugin to read windows event log.}
|
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
|
|
22
22
|
spec.add_development_dependency "test-unit", "~> 3.2.0"
|
23
23
|
spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
|
24
24
|
spec.add_runtime_dependency "win32-eventlog"
|
25
|
-
spec.add_runtime_dependency "winevt_c", ">= 0.6.
|
25
|
+
spec.add_runtime_dependency "winevt_c", ">= 0.6.1"
|
26
26
|
spec.add_runtime_dependency "nokogiri", "~> 1.10"
|
27
27
|
spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
|
28
28
|
end
|
@@ -89,9 +89,17 @@ module Fluent::Plugin
|
|
89
89
|
@chs.each do |ch|
|
90
90
|
bookmarkXml = @bookmarks_storage.get(ch) || ""
|
91
91
|
subscribe = Winevt::EventLog::Subscribe.new
|
92
|
-
bookmark =
|
92
|
+
bookmark = unless bookmarkXml.empty?
|
93
|
+
Winevt::EventLog::Bookmark.new(bookmarkXml)
|
94
|
+
else
|
95
|
+
nil
|
96
|
+
end
|
93
97
|
subscribe.tail = @tailing
|
94
|
-
|
98
|
+
begin
|
99
|
+
subscribe.subscribe(ch, "*", bookmark)
|
100
|
+
rescue Winevt::EventLog::Query::Error => e
|
101
|
+
raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
|
102
|
+
end
|
95
103
|
subscribe.render_as_xml = @render_as_xml
|
96
104
|
subscribe.rate_limit = @rate_limit
|
97
105
|
timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
|
@@ -192,6 +200,7 @@ module Fluent::Plugin
|
|
192
200
|
|
193
201
|
elems = desc.split(GROUP_DELIMITER)
|
194
202
|
record['DescriptionTitle'] = elems.shift
|
203
|
+
previous_key = nil
|
195
204
|
elems.each { |elem|
|
196
205
|
parent_key = nil
|
197
206
|
elem.split(RECORD_DELIMITER).each { |r|
|
@@ -206,13 +215,19 @@ module Fluent::Plugin
|
|
206
215
|
else
|
207
216
|
# parsed value sometimes contain unexpected "\t". So remove it.
|
208
217
|
value.strip!
|
209
|
-
|
218
|
+
# merge empty key values into the previous non-empty key record.
|
219
|
+
if key.empty?
|
220
|
+
record[previous_key] = [record[previous_key], value].flatten
|
221
|
+
elsif parent_key.nil?
|
210
222
|
record[to_key(key)] = value
|
211
223
|
else
|
212
224
|
k = "#{parent_key}.#{to_key(key)}"
|
213
225
|
record[k] = value
|
214
226
|
end
|
215
227
|
end
|
228
|
+
# XXX: This is for empty privileges record key.
|
229
|
+
# We should investigate whether an another case exists or not.
|
230
|
+
previous_key = to_key(key) unless key.empty?
|
216
231
|
}
|
217
232
|
}
|
218
233
|
end
|
@@ -48,6 +48,38 @@ DESC
|
|
48
48
|
assert_equal(expected, h)
|
49
49
|
end
|
50
50
|
|
51
|
+
def test_parse_privileges_description
|
52
|
+
d = create_driver
|
53
|
+
desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
|
54
|
+
"AccountName:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\r\n",
|
55
|
+
"Privileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\t",
|
56
|
+
"SeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\t",
|
57
|
+
"SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\t",
|
58
|
+
"SeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\t",
|
59
|
+
"SeDelegateSessionUserImpersonatePrivilege"].join("")
|
60
|
+
|
61
|
+
h = {"Description" => desc}
|
62
|
+
expected = {"DescriptionTitle" => "Special privileges assigned to new logon.",
|
63
|
+
"subject.security_id" => "S-X-Y-ZZ",
|
64
|
+
"subject.accountname" => "SYSTEM",
|
65
|
+
"subject.account_domain" => "NT AUTHORITY",
|
66
|
+
"subject.logon_id" => "0x3E7",
|
67
|
+
"privileges" => ["SeAssignPrimaryTokenPrivilege",
|
68
|
+
"SeTcbPrivilege",
|
69
|
+
"SeSecurityPrivilege",
|
70
|
+
"SeTakeOwnershipPrivilege",
|
71
|
+
"SeLoadDriverPrivilege",
|
72
|
+
"SeBackupPrivilege",
|
73
|
+
"SeRestorePrivilege",
|
74
|
+
"SeDebugPrivilege",
|
75
|
+
"SeAuditPrivilege",
|
76
|
+
"SeSystemEnvironmentPrivilege",
|
77
|
+
"SeImpersonatePrivilege",
|
78
|
+
"SeDelegateSessionUserImpersonatePrivilege"]}
|
79
|
+
d.instance.parse_desc(h)
|
80
|
+
assert_equal(expected, h)
|
81
|
+
end
|
82
|
+
|
51
83
|
def test_write
|
52
84
|
d = create_driver
|
53
85
|
|
@@ -180,6 +212,21 @@ DESC
|
|
180
212
|
|
181
213
|
assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
|
182
214
|
end
|
215
|
+
|
216
|
+
def test_start_with_invalid_bookmark
|
217
|
+
invalid_storage_contents = <<-EOS
|
218
|
+
<BookmarkList>\r\n <Bookmark Channel='Application' RecordId='20063' IsCurrent='true'/>\r\n
|
219
|
+
EOS
|
220
|
+
d = create_driver(CONFIG2)
|
221
|
+
storage = d.instance.instance_variable_get(:@bookmarks_storage)
|
222
|
+
storage.put('application', invalid_storage_contents)
|
223
|
+
assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
|
224
|
+
|
225
|
+
d2 = create_driver(CONFIG2)
|
226
|
+
assert_raise(Fluent::ConfigError) do
|
227
|
+
d2.instance.start
|
228
|
+
end
|
229
|
+
end
|
183
230
|
end
|
184
231
|
|
185
232
|
def test_write_with_none_parser
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-windows-eventlog
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.4.
|
4
|
+
version: 0.4.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- okahashi117
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2019-10-
|
13
|
+
date: 2019-10-31 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: bundler
|
@@ -94,14 +94,14 @@ dependencies:
|
|
94
94
|
requirements:
|
95
95
|
- - ">="
|
96
96
|
- !ruby/object:Gem::Version
|
97
|
-
version: 0.6.
|
97
|
+
version: 0.6.1
|
98
98
|
type: :runtime
|
99
99
|
prerelease: false
|
100
100
|
version_requirements: !ruby/object:Gem::Requirement
|
101
101
|
requirements:
|
102
102
|
- - ">="
|
103
103
|
- !ruby/object:Gem::Version
|
104
|
-
version: 0.6.
|
104
|
+
version: 0.6.1
|
105
105
|
- !ruby/object:Gem::Dependency
|
106
106
|
name: nokogiri
|
107
107
|
requirement: !ruby/object:Gem::Requirement
|