fluent-plugin-windows-eventlog 0.4.2 → 0.4.3

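--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06511272a8c96f22e69b50f60d2a6c5b7ac377c0c446d48fc842cc4e2b272b7b
-  data.tar.gz: 78635a96981173d47b640f887b62e4ba7d0d773b1eaf39bfb0c59be488073364
+  metadata.gz: 300dbf6a1600969a0b6a5401dad54494bea12c9a32435b995f26b391926b460a
+  data.tar.gz: 69a35513989955c04f7aea4f3a44b6ca203783f968b6469c264b44487204e34c
 SHA512:
-  metadata.gz: ccabe68cf1bd5188e12f3eaa46670488b6eb458aca556d15d09022489722bf5be9ca6cace64b93abbb2d4aeecb5a4a8210a2e9787de96a201d6a24bdca201f1a
-  data.tar.gz: 290a21af0606ef47c61e3f9c63f45b25b0f1d90dcf2268a950c3f460e02faa59e72b4a0e6bdc3452bae10121c550b53d4b410610c587042498837075e081977e
+  metadata.gz: 89bdf9b1e43f88a8784968f88ab29956eec7036381078d95453e91fee2c754f2796de7a06c0a229c77f632ec6a95f6bd49409f1974f69f2a10cb6b5975125648
+  data.tar.gz: 8454063733dc798315f054819c444d9bf6e739ccb0150e07284f9e8c1c3c962b218d471fee85e924b9d92f3442d2c70d14bba5acdbbc3eb86667b4f609ebf6bf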
@@ -1,3 +1,7 @@
1
+ # Release v0.4.3 - 2019/10/31
2
+ * in_windows_eventlog2: Handle privileges record on #parse_desc
3
+ * in_windows_eventlog2: Raise error when handling invalid bookmark xml
4
+
1
5
  # Release v0.4.2 - 2019/10/16
2
6
  * in_windows_eventlog2: Handle invalid data error from `Winevt::EventLog::Query::Error`
3
7
 
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-windows-eventlog"
7
- spec.version = "0.4.2"
7
+ spec.version = "0.4.3"
8
8
  spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
9
9
  spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
10
10
  spec.summary = %q{Fluentd Input plugin to read windows event log.}
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
22
22
  spec.add_development_dependency "test-unit", "~> 3.2.0"
23
23
  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
24
24
  spec.add_runtime_dependency "win32-eventlog"
25
- spec.add_runtime_dependency "winevt_c", ">= 0.6.0"
25
+ spec.add_runtime_dependency "winevt_c", ">= 0.6.1"
26
26
  spec.add_runtime_dependency "nokogiri", "~> 1.10"
27
27
  spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
28
28
  end
@@ -89,9 +89,17 @@ module Fluent::Plugin
89
89
  @chs.each do |ch|
90
90
  bookmarkXml = @bookmarks_storage.get(ch) || ""
91
91
  subscribe = Winevt::EventLog::Subscribe.new
92
- bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
92
+ bookmark = unless bookmarkXml.empty?
93
+ Winevt::EventLog::Bookmark.new(bookmarkXml)
94
+ else
95
+ nil
96
+ end
93
97
  subscribe.tail = @tailing
94
- subscribe.subscribe(ch, "*", bookmark)
98
+ begin
99
+ subscribe.subscribe(ch, "*", bookmark)
100
+ rescue Winevt::EventLog::Query::Error => e
101
+ raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
102
+ end
95
103
  subscribe.render_as_xml = @render_as_xml
96
104
  subscribe.rate_limit = @rate_limit
97
105
  timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
@@ -192,6 +200,7 @@ module Fluent::Plugin
192
200
 
193
201
  elems = desc.split(GROUP_DELIMITER)
194
202
  record['DescriptionTitle'] = elems.shift
203
+ previous_key = nil
195
204
  elems.each { |elem|
196
205
  parent_key = nil
197
206
  elem.split(RECORD_DELIMITER).each { |r|
@@ -206,13 +215,19 @@ module Fluent::Plugin
206
215
  else
207
216
  # parsed value sometimes contain unexpected "\t". So remove it.
208
217
  value.strip!
209
- if parent_key.nil?
218
+ # merge empty key values into the previous non-empty key record.
219
+ if key.empty?
220
+ record[previous_key] = [record[previous_key], value].flatten
221
+ elsif parent_key.nil?
210
222
  record[to_key(key)] = value
211
223
  else
212
224
  k = "#{parent_key}.#{to_key(key)}"
213
225
  record[k] = value
214
226
  end
215
227
  end
228
+ # XXX: This is for empty privileges record key.
229
+ # We should investigate whether an another case exists or not.
230
+ previous_key = to_key(key) unless key.empty?
216
231
  }
217
232
  }
218
233
  end
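Review bot: `previous_key` is set to `to_key(key)` after the if/else, but when `parent_key` is present the value was written under `"#{parent_key}.#{to_key(key)}"`, so a continuation line (empty key) that follows a nested entry such as `subject.security_id` would read `record["security_id"]`, get nil, and emit `[nil, value]` under the bare key instead of extending the nested one; the same `[nil, value]` shape, keyed by nil, is produced if the first record after the title has an empty key, because `previous_key` is still nil at that point. The merge is correct for the 4672 fixture because `privileges` sits at top level, and the XXX comment itself says other layouts were not checked, so this is worth closing before these records feed detection rules that key on field names. I would remember the key actually written and skip the merge when there is nothing to merge into, as below; the trailing `previous_key = to_key(key) unless key.empty?` would then go, and the header-line branch above this hunk (not visible here) should set `previous_key` to whatever key it writes, if any. `parse_desc` starts before this hunk.
```ruby
          else
            # parsed value sometimes contain unexpected "\t". So remove it.
            value.strip!
            # merge empty key values into the previous non-empty key record.
            if key.empty?
              # nil previous_key means a leading continuation line; skip it
              # rather than create a nil-keyed entry in the emitted record.
              record[previous_key] = [record[previous_key], value].flatten unless previous_key.nil?
            else
              # remember the key actually written, parent prefix included, so a
              # later continuation line extends the right entry.
              previous_key = parent_key.nil? ? to_key(key) : "#{parent_key}.#{to_key(key)}"
              record[previous_key] = value
            end
          end
          # … unchanged: closing of the record loop; the trailing
          # `previous_key = to_key(key) unless key.empty?` is removed …
```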
@@ -48,6 +48,38 @@ DESC
48
48
  assert_equal(expected, h)
49
49
  end
50
50
 
51
+ def test_parse_privileges_description
52
+ d = create_driver
53
+ desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
54
+ "AccountName:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\r\n",
55
+ "Privileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\t",
56
+ "SeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\t",
57
+ "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\t",
58
+ "SeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\t",
59
+ "SeDelegateSessionUserImpersonatePrivilege"].join("")
60
+
61
+ h = {"Description" => desc}
62
+ expected = {"DescriptionTitle" => "Special privileges assigned to new logon.",
63
+ "subject.security_id" => "S-X-Y-ZZ",
64
+ "subject.accountname" => "SYSTEM",
65
+ "subject.account_domain" => "NT AUTHORITY",
66
+ "subject.logon_id" => "0x3E7",
67
+ "privileges" => ["SeAssignPrimaryTokenPrivilege",
68
+ "SeTcbPrivilege",
69
+ "SeSecurityPrivilege",
70
+ "SeTakeOwnershipPrivilege",
71
+ "SeLoadDriverPrivilege",
72
+ "SeBackupPrivilege",
73
+ "SeRestorePrivilege",
74
+ "SeDebugPrivilege",
75
+ "SeAuditPrivilege",
76
+ "SeSystemEnvironmentPrivilege",
77
+ "SeImpersonatePrivilege",
78
+ "SeDelegateSessionUserImpersonatePrivilege"]}
79
+ d.instance.parse_desc(h)
80
+ assert_equal(expected, h)
81
+ end
82
+
51
83
  def test_write
52
84
  d = create_driver
53
85
 
@@ -180,6 +212,21 @@ DESC
180
212
 
181
213
  assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
182
214
  end
215
+
216
+ def test_start_with_invalid_bookmark
217
+ invalid_storage_contents = <<-EOS
218
+ <BookmarkList>\r\n <Bookmark Channel='Application' RecordId='20063' IsCurrent='true'/>\r\n
219
+ EOS
220
+ d = create_driver(CONFIG2)
221
+ storage = d.instance.instance_variable_get(:@bookmarks_storage)
222
+ storage.put('application', invalid_storage_contents)
223
+ assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
224
+
225
+ d2 = create_driver(CONFIG2)
226
+ assert_raise(Fluent::ConfigError) do
227
+ d2.instance.start
228
+ end
229
+ end
183
230
  end
184
231
 
185
232
  def test_write_with_none_parser
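Review bot: `test_parse_privileges_description` only exercises a multi-line value under a top-level key (`privileges`); nothing checks a continuation line that follows a nested key such as `subject.security_id`, or a description whose first record after the title has an empty key, and both paths go through the same `previous_key` merge in `parse_desc`. I would add a fixture for each of those layouts and assert that the continuation values land on the nested key and that no nil key reaches the record, e.g. `assert_equal(["a", "b"], h["subject.security_id"])` and `assert_false(h.key?(nil))`. `test_start_with_invalid_bookmark` asserts only the exception class; `assert_raise_message(/Invalid Bookmark XML/)` would pin that the failure comes from the bookmark path and not from some other ConfigError raised during start. The `test_write` and `test_write_with_none_parser` definitions at the section's edges continue outside it.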
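--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.4.3
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-16 00:00:00.000000000 Z
+date: 2019-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,14 +94,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement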