fluent-plugin-windows-eventlog 0.4.2 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06511272a8c96f22e69b50f60d2a6c5b7ac377c0c446d48fc842cc4e2b272b7b
-  data.tar.gz: 78635a96981173d47b640f887b62e4ba7d0d773b1eaf39bfb0c59be488073364
+  metadata.gz: 35b9fd46107e694c466990707eb437a8d065a6bad1553973f5e982bda134be2f
+  data.tar.gz: 72805c709bdfe6cd9a3ff6c3c83bf6611168191ff173c1fe2d1e4b5a5de64c83
 SHA512:
-  metadata.gz: ccabe68cf1bd5188e12f3eaa46670488b6eb458aca556d15d09022489722bf5be9ca6cace64b93abbb2d4aeecb5a4a8210a2e9787de96a201d6a24bdca201f1a
-  data.tar.gz: 290a21af0606ef47c61e3f9c63f45b25b0f1d90dcf2268a950c3f460e02faa59e72b4a0e6bdc3452bae10121c550b53d4b410610c587042498837075e081977e
+  metadata.gz: ae27988d8b97fbfd2674b39c91c47b58fc45688f2e988a61e2cf6bd359989da06e51220266a67309ef8a78af80fdeb6448c7ff1a552467c9bd53d1029dde0d47
+  data.tar.gz: bd5beec850fddb5427dfb5564de325380f88cdc8d96303e613d6b2b6f2d8f5a644857665323c20008252c549ffbf1d422d78ee0423375acee07b5bde73151a91

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+# Release v0.5.0 - 2020/02/17
+* in_windows_eventlog2: Support subscribe directive to handle read_existing_events paratemer each of channels.
+* in_windows_eventlog2: Depends on winevt_c v0.7.0 or later.
+
+# Release v0.4.6 - 2020/02/15
+* Fix winevt_c dependency to prevent fetching winevt_c v0.7.0 or later.
+
+# Release v0.4.5 - 2020/01/28
+* in_windows_eventlog2: Handle empty key case in parsing description method.
+
+# Release v0.4.4 - 2019/11/07
+* in_windows_eventlog: Improve error handling and logging when failed to open Windows Event Log.
+
+# Release v0.4.3 - 2019/10/31
+* in_windows_eventlog2: Handle privileges record on #parse_desc
+* in_windows_eventlog2: Raise error when handling invalid bookmark xml
+
 # Release v0.4.2 - 2019/10/16
 * in_windows_eventlog2: Handle invalid data error from `Winevt::EventLog::Query::Error`
 

data/README.md

@@ -135,7 +135,8 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
     <source>
       @type windows_eventlog2
       @id windows_eventlog2
-      channels application,system
+      channels application,system # Also be able to use `<subscribe>` directive.
+      read_existing_events false
       read_interval 2
       tag winevt.raw
       render_as_xml false       # default is true.
@@ -149,6 +150,10 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
       <parse>
         @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
       </parse>
+      # <subscribe>
+      #   channles application, system
+      #   read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
+      # </subscribe>
     </source>
 
 **NOTE:** in_windows_eventlog2 always handles EventLog records as UTF-8 characters. Users don't have to specify encoding related parameters and they are not provided.
@@ -163,13 +168,60 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 
 |name      | description |
 |:-----    |:-----       |
-|`channels`         | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
+|`channels`         | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
 |`keys`             | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
 |`read_interval`    | (option) Read interval in seconds. 2 seconds as default.|
 |`from_encoding`    | (option) Input character encoding. `nil` as default.|
 |`<storage>`        | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
 |`<parse>`          | Setting for `parser` plugin for parsing raw XML EventLog records. |
 |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
+|`read_from_head`   | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
+|`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
+|`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
+|`rate_limit`      | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
+|`<subscribe>`          | Setting for subscribe channels. |
+
+##### subscribe section
+
+|name      | description |
+|:-----    |:-----       |
+|`channels`             | One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
+|`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`. |
+
+
+**Motivation:** subscribe directive is designed for applying `read_existing_events` each of channels which is specified in subscribe section(s).
+
+e.g) The previous configuration can handle `read_existing_events` but this parameter only specifies `read_existing_events` or not for channels which are specified in `channels`.
+
+```aconf
+channels ["Application", "Security", "HardwareEvents"]
+read_existing_events true
+```
+
+is interpreted as "Application", "Security", and "HardwareEvents" should be read existing events.
+
+But some users want to configure to:
+
+* "Application" and "Security" channels just tailing
+* "HardwareEvent" channel read existing events before launching Fluentd
+
+With `<subscribe>` directive, this requirements can be represendted as:
+
+```aconf
+<subscribe>
+  channles ["Application", "Security"]
+  # read_existing_events false
+</subscribe>
+<subscribe>
+  channles ["HardwareEvent"]
+  read_existing_events true
+</subscribe>
+```
+
+This configuration can be handled as:
+
+* "Application" and "Security" channels just tailing
+* "HardwareEvent" channel read existing events before launching Fluentd
 
 ##### Available keys
 

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.4.2"
+  spec.version       = "0.5.0"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "test-unit", "~> 3.2.0"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c", ">= 0.6.0"
+  spec.add_runtime_dependency "winevt_c", ">= 0.7.0"
   spec.add_runtime_dependency "nokogiri", "~> 1.10"
   spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
 end

data/lib/fluent/plugin/in_windows_eventlog.rb

@@ -151,7 +151,11 @@ module Fluent::Plugin
     end
 
     def on_notify(ch)
-      el = Win32::EventLog.open(ch)
+      begin
+        el = Win32::EventLog.open(ch)
+      rescue => e
+        log.error "Failed to open Windows Event log.", error: e
+      end
 
       current_oldest_record_number = el.oldest_record_number
       current_total_records = el.total_records
@@ -186,7 +190,9 @@ module Fluent::Plugin
       receive_lines(ch, winlogs)
       @pos_storage.put(ch, [read_start, read_num + winlogs.size])
     ensure
-      el.close
+      if el
+        el.close
+      end
     end
 
     GROUP_DELIMITER = "\r\n\r\n".freeze

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -32,13 +32,19 @@ module Fluent::Plugin
 
     config_param :tag, :string
     config_param :read_interval, :time, default: 2
-    config_param :channels, :array, default: ['application']
+    config_param :channels, :array, default: []
     config_param :keys, :array, default: []
-    config_param :read_from_head, :bool, default: false
+    config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
+    config_param :read_existing_events, :bool, default: false
     config_param :parse_description, :bool, default: false
     config_param :render_as_xml, :bool, default: true
     config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
 
+    config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
+      config_param :channels, :array
+      config_param :read_existing_events, :bool, default: false
+    end
+
     config_section :storage do
       config_set_default :usage, "bookmarks"
       config_set_default :@type, DEFAULT_STORAGE_TYPE
@@ -58,7 +64,22 @@ module Fluent::Plugin
 
     def configure(conf)
       super
-      @chs = @channels.map {|ch| ch.strip.downcase }.uniq
+      @chs = []
+
+      @read_existing_events = @read_from_head || @read_existing_events
+      if @channels.empty? && @subscribe_configs.empty?
+        @chs.push(['application', @read_existing_events])
+      else
+        @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
+          @chs.push([uch, @read_existing_events])
+        end
+        @subscribe_configs.each do |subscribe|
+          subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
+            @chs.push([uch, subscribe.read_existing_events])
+          end
+        end
+      end
+      @chs.uniq!
       @keynames = @keys.map {|k| k.strip }.uniq
       if @keynames.empty?
         @keynames = KEY_MAP.keys
@@ -67,7 +88,6 @@ module Fluent::Plugin
       @keynames.delete('EventData') if @parse_description
 
       @tag = tag
-      @tailing = @read_from_head ? false : true
       @bookmarks_storage = storage_create(usage: "bookmarks")
       @winevt_xml = false
       if @render_as_xml
@@ -86,22 +106,34 @@ module Fluent::Plugin
     def start
       super
 
-      @chs.each do |ch|
-        bookmarkXml = @bookmarks_storage.get(ch) || ""
-        subscribe = Winevt::EventLog::Subscribe.new
-        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
-        subscribe.tail = @tailing
+      @chs.each do |ch, read_existing_events|
+        subscribe_channel(ch, read_existing_events)
+      end
+    end
+
+    def subscribe_channel(ch, read_existing_events)
+      bookmarkXml = @bookmarks_storage.get(ch) || ""
+      subscribe = Winevt::EventLog::Subscribe.new
+      bookmark = unless bookmarkXml.empty?
+                   Winevt::EventLog::Bookmark.new(bookmarkXml)
+                 else
+                   nil
+                 end
+      subscribe.read_existing_events = read_existing_events
+      begin
         subscribe.subscribe(ch, "*", bookmark)
-        subscribe.render_as_xml = @render_as_xml
-        subscribe.rate_limit = @rate_limit
-        timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
-          on_notify(ch, subscribe)
-        end
+      rescue Winevt::EventLog::Query::Error => e
+        raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
+      end
+      subscribe.render_as_xml = @render_as_xml
+      subscribe.rate_limit = @rate_limit
+      timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
+        on_notify(ch, subscribe)
       end
     end
 
     def escape_channel(ch)
-      ch.gsub(/[^a-zA-Z0-9]/, '_')
+      ch.gsub(/[^a-zA-Z0-9\s]/, '_')
     end
 
     def on_notify(ch, subscribe)
@@ -192,6 +224,7 @@ module Fluent::Plugin
 
       elems = desc.split(GROUP_DELIMITER)
       record['DescriptionTitle'] = elems.shift
+      previous_key = nil
       elems.each { |elem|
         parent_key = nil
         elem.split(RECORD_DELIMITER).each { |r|
@@ -200,19 +233,26 @@ module Fluent::Plugin
                        else
                          r.split(NONE_FIELD_DELIMITER)
                        end
+          key = "" if key.nil?
           key.chop!  # remove ':' from key
           if value.nil?
             parent_key = to_key(key)
           else
             # parsed value sometimes contain unexpected "\t". So remove it.
             value.strip!
-            if parent_key.nil?
+            # merge empty key values into the previous non-empty key record.
+            if key.empty?
+              record[previous_key] = [record[previous_key], value].flatten.reject {|e| e.nil?}
+            elsif parent_key.nil?
               record[to_key(key)] = value
             else
               k = "#{parent_key}.#{to_key(key)}"
               record[k] = value
             end
           end
+          # XXX: This is for empty privileges record key.
+          # We should investigate whether an another case exists or not.
+          previous_key = to_key(key) unless key.empty?
         }
       }
     end

data/test/data/eventid_6416

@@ -0,0 +1,27 @@
+A new external device was recognized by the system.
+
+Subject:
+	Security ID:		SYSTEM
+	Account Name:		IIZHU2016$
+	Account Domain:		ITSS
+	Logon ID:		0x3E7
+
+Device ID:	SWD\PRINTENUM\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}
+
+Device Name:	Microsoft Print to PDF
+
+Class ID:		{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
+
+Class Name:	PrintQueue
+
+Vendor IDs:
+		PRINTENUM\{084f01fa-e634-4d77-83ee-074817c03581}
+		PRINTENUM\LocalPrintQueue
+		{084f01fa-e634-4d77-83ee-074817c03581}
+
+
+
+Compatible IDs:
+		GenPrintQueue
+		SWD\GenericRaw
+		SWD\Generic

data/test/plugin/test_in_windows_eventlog2.rb

@@ -23,11 +23,84 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
     d = create_driver CONFIG
     assert_equal 'fluent.eventlog', d.instance.tag
     assert_equal 2, d.instance.read_interval
-    assert_equal ['application'], d.instance.channels
-    assert_false d.instance.read_from_head
+    assert_equal [], d.instance.channels
+    assert_false d.instance.read_existing_events
     assert_true d.instance.render_as_xml
   end
 
+  sub_test_case "configure" do
+    test "subscribe directive" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['System', 'Windows PowerShell'],
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['Security'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                       ])
+      expected = [["system", false], ["windows powershell", false], ["security", true]]
+      assert_equal expected, d.instance.instance_variable_get(:@chs)
+    end
+
+    test "duplicated subscribe" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "channels" => ["System", "Windows PowerShell"]
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['System', 'Windows PowerShell'],
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['Security'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                       ])
+      expected = [["system", false], ["windows powershell", false], ["security", true]]
+      assert_equal 1, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
+      assert_equal expected, d.instance.instance_variable_get(:@chs)
+    end
+
+    test "non duplicated subscribe" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "channels" => ["System", "Windows PowerShell"]
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['System', 'Windows PowerShell'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['Security'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                       ])
+      expected = [["system", false], ["windows powershell", false], ["system", true], ["windows powershell", true], ["security", true]]
+      assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
+      assert_equal expected, d.instance.instance_variable_get(:@chs)
+    end
+  end
+
+  data("application"        => ["Application", "Application"],
+       "windows powershell" => ["Windows PowerShell", "Windows PowerShell"],
+       "escaped"            => ["Should_Be_Escaped_", "Should+Be;Escaped/"]
+      )
+  def test_escape_channel(data)
+    expected, actual = data
+    d = create_driver CONFIG
+    assert_equal expected, d.instance.escape_channel(actual)
+  end
+
   def test_parse_desc
     d = create_driver
     desc =<<-DESC
@@ -48,6 +121,63 @@ DESC
     assert_equal(expected, h)
   end
 
+  def test_parse_privileges_description
+    d = create_driver
+    desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
+            "AccountName:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\r\n",
+            "Privileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\t",
+            "SeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\t",
+            "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\t",
+            "SeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\t",
+            "SeDelegateSessionUserImpersonatePrivilege"].join("")
+
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "Special privileges assigned to new logon.",
+                "subject.security_id"    => "S-X-Y-ZZ",
+                "subject.accountname"    => "SYSTEM",
+                "subject.account_domain" => "NT AUTHORITY",
+                "subject.logon_id"       => "0x3E7",
+                "privileges"             => ["SeAssignPrimaryTokenPrivilege",
+                                             "SeTcbPrivilege",
+                                             "SeSecurityPrivilege",
+                                             "SeTakeOwnershipPrivilege",
+                                             "SeLoadDriverPrivilege",
+                                             "SeBackupPrivilege",
+                                             "SeRestorePrivilege",
+                                             "SeDebugPrivilege",
+                                             "SeAuditPrivilege",
+                                             "SeSystemEnvironmentPrivilege",
+                                             "SeImpersonatePrivilege",
+                                             "SeDelegateSessionUserImpersonatePrivilege"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
+  test "A new external device was recognized by the system." do
+    # using the event log example: eventopedia.cloudapp.net/EventDetails.aspx?id=17ef124e-eb89-4c01-9ba2-d761e06b2b68
+    d = create_driver
+    desc = nil
+    File.open('./test/data/eventid_6416', 'r') do |f|
+      desc = f.read.gsub(/\R/, "\r\n")
+    end
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "A new external device was recognized by the system.",
+                "class_id"               => "{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}",
+                "class_name"             => "PrintQueue",
+                "compatible_ids"         => ["GenPrintQueue", "SWD\\GenericRaw", "SWD\\Generic"],
+                "device_id"              => "SWD\\PRINTENUM\\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}",
+                "device_name"            => "Microsoft Print to PDF",
+                "subject.account_domain" => "ITSS",
+                "subject.account_name"   => "IIZHU2016$",
+                "subject.logon_id"       => "0x3E7",
+                "subject.security_id"    => "SYSTEM",
+                "vendor_ids"             => ["PRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}",
+                                             "PRINTENUM\\LocalPrintQueue",
+                                             "{084f01fa-e634-4d77-83ee-074817c03581}"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
   def test_write
     d = create_driver
 
@@ -180,6 +310,21 @@ DESC
 
       assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
     end
+
+    def test_start_with_invalid_bookmark
+      invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n  <Bookmark Channel='Application' RecordId='20063' IsCurrent='true'/>\r\n
+EOS
+      d = create_driver(CONFIG2)
+      storage = d.instance.instance_variable_get(:@bookmarks_storage)
+      storage.put('application', invalid_storage_contents)
+      assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+
+      d2 = create_driver(CONFIG2)
+      assert_raise(Fluent::ConfigError) do
+        d2.instance.start
+      end
+    end
   end
 
   def test_write_with_none_parser

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-16 00:00:00.000000000 Z
+date: 2020-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,14 +94,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -149,6 +149,7 @@ files:
 - fluent-plugin-winevtlog.gemspec
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
+- test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb
@@ -173,11 +174,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Fluentd Input plugin to read windows event log.
 test_files:
+- test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
 - test/plugin/test_in_windows_eventlog2.rb