fluent-plugin-windows-eventlog 0.4.4 → 0.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6634a0ee22c7988e40ebe92ebd457996eb25cfdd926a09c557e497065f6dbeac
-  data.tar.gz: 8f3a1543db5dd4a2299c5675ccd81ee19e10b476b06e3f6b7685213e14247814
+  metadata.gz: 359baf1a9205ef362e4504df9408456929e11476b8b7ca8f31b930fa75f67996
+  data.tar.gz: 3022117b4b9650f09e7856cfbb82a39267818bb71b46fb016ca0f71deb26c4d9
 SHA512:
-  metadata.gz: 8c9450771f970e88ec85ec5a44f3156a93475aeef12a729ffafe87c863516939fa66c739791b20c6e5bff30ba72e5958f14701b0713d5dca747c1b7919dee72c
-  data.tar.gz: 4d44d036e961e7cd502932863eedeb3781f25507384737850f9a81eb70f4099b0d24d27f8cc0f7753d310f9c3702273fd914271efa398e102610a2084b90c06a
+  metadata.gz: c37d3b7a0a0c8b39e889efdda75fd7d22e6227b7a60eb1c47e9f2b459458c3144725a9d68f7e4ad6215315f62ce0829dde6730f7fccc4d37d93b2a47e7e8951f
+  data.tar.gz: b1cad59577bcec5188c0009545d0a89087210abf8b5bc1f946453607ab0b3f8b87aff1dfacbbf066d0d3b61c0505b9ffdde9da3ab788ca9dd2bc53be1ee65f1e

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+# Release v0.5.2 - 2020/02/28
+* in_windows_eventlog2: Add parameter to read from all channels shortcut
+
+# Release v0.5.1 - 2020/02/26
+* in_windows_eventlog2: Add empty bookmark checking mechanism
+
+# Release v0.5.0 - 2020/02/17
+* in_windows_eventlog2: Support subscribe directive to handle read_existing_events paratemer each of channels.
+* in_windows_eventlog2: Depends on winevt_c v0.7.0 or later.
+
+# Release v0.4.6 - 2020/02/15
+* Fix winevt_c dependency to prevent fetching winevt_c v0.7.0 or later.
+
+# Release v0.4.5 - 2020/01/28
+* in_windows_eventlog2: Handle empty key case in parsing description method.
+
 # Release v0.4.4 - 2019/11/07
 * in_windows_eventlog: Improve error handling and logging when failed to open Windows Event Log.
 

data/README.md

@@ -135,7 +135,8 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
     <source>
       @type windows_eventlog2
       @id windows_eventlog2
-      channels application,system
+      channels application,system # Also be able to use `<subscribe>` directive.
+      read_existing_events false
       read_interval 2
       tag winevt.raw
       render_as_xml false       # default is true.
@@ -149,6 +150,10 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
       <parse>
         @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
       </parse>
+      # <subscribe>
+      #   channles application, system
+      #   read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
+      # </subscribe>
     </source>
 
 **NOTE:** in_windows_eventlog2 always handles EventLog records as UTF-8 characters. Users don't have to specify encoding related parameters and they are not provided.
@@ -163,13 +168,60 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 
 |name      | description |
 |:-----    |:-----       |
-|`channels`         | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
+|`channels`         | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
 |`keys`             | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
 |`read_interval`    | (option) Read interval in seconds. 2 seconds as default.|
 |`from_encoding`    | (option) Input character encoding. `nil` as default.|
 |`<storage>`        | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
 |`<parse>`          | Setting for `parser` plugin for parsing raw XML EventLog records. |
 |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
+|`read_from_head`   | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
+|`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
+|`rate_limit`      | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
+|`read_all_channels`| (option) Read from all channels. Default is `false`|
+|`<subscribe>`          | Setting for subscribe channels. |
+
+##### subscribe section
+
+|name      | description |
+|:-----    |:-----       |
+|`channels`             | One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
+|`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`. |
+
+
+**Motivation:** subscribe directive is designed for applying `read_existing_events` each of channels which is specified in subscribe section(s).
+
+e.g) The previous configuration can handle `read_existing_events` but this parameter only specifies `read_existing_events` or not for channels which are specified in `channels`.
+
+```aconf
+channels ["Application", "Security", "HardwareEvents"]
+read_existing_events true
+```
+
+is interpreted as "Application", "Security", and "HardwareEvents" should be read existing events.
+
+But some users want to configure to:
+
+* "Application" and "Security" channels just tailing
+* "HardwareEvent" channel read existing events before launching Fluentd
+
+With `<subscribe>` directive, this requirements can be represendted as:
+
+```aconf
+<subscribe>
+  channles ["Application", "Security"]
+  # read_existing_events false
+</subscribe>
+<subscribe>
+  channles ["HardwareEvent"]
+  read_existing_events true
+</subscribe>
+```
+
+This configuration can be handled as:
+
+* "Application" and "Security" channels just tailing
+* "HardwareEvent" channel read existing events before launching Fluentd
 
 ##### Available keys
 

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.4.4"
+  spec.version       = "0.5.2"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "test-unit", "~> 3.2.0"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c", ">= 0.6.1"
+  spec.add_runtime_dependency "winevt_c", ">= 0.7.1"
   spec.add_runtime_dependency "nokogiri", "~> 1.10"
   spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
 end

data/lib/fluent/plugin/bookmark_sax_parser.rb

@@ -0,0 +1,30 @@
+require 'nokogiri'
+
+class WinevtBookmarkDocument < Nokogiri::XML::SAX::Document
+  attr_reader :result
+
+  def initialize
+    @result = {}
+    super
+  end
+
+  def start_document
+  end
+
+  def start_element(name, attributes = [])
+    if name == "Bookmark"
+      @result[:channel] = attributes[0][1] rescue nil
+      @result[:record_id] = attributes[1][1].to_i rescue nil
+      @result[:is_current] = attributes[2][1].downcase == "true" rescue nil
+    end
+  end
+
+  def characters(string)
+  end
+
+  def end_element(name, attributes = [])
+  end
+
+  def end_document
+  end
+end

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -1,6 +1,7 @@
 require 'winevt'
 require 'fluent/plugin/input'
 require 'fluent/plugin'
+require_relative 'bookmark_sax_parser'
 
 module Fluent::Plugin
   class WindowsEventLog2Input < Input
@@ -32,12 +33,19 @@ module Fluent::Plugin
 
     config_param :tag, :string
     config_param :read_interval, :time, default: 2
-    config_param :channels, :array, default: ['application']
+    config_param :channels, :array, default: []
     config_param :keys, :array, default: []
-    config_param :read_from_head, :bool, default: false
+    config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
+    config_param :read_existing_events, :bool, default: false
     config_param :parse_description, :bool, default: false
     config_param :render_as_xml, :bool, default: true
     config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
+    config_param :read_all_channels, :bool, default: false
+
+    config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
+      config_param :channels, :array
+      config_param :read_existing_events, :bool, default: false
+    end
 
     config_section :storage do
       config_set_default :usage, "bookmarks"
@@ -58,7 +66,31 @@ module Fluent::Plugin
 
     def configure(conf)
       super
-      @chs = @channels.map {|ch| ch.strip.downcase }.uniq
+      @chs = []
+      @all_chs = Winevt::EventLog::Channel.new
+      @all_chs.force_enumerate = false
+
+      if @read_all_channels
+        @all_chs.each do |ch|
+          uch = ch.strip.downcase
+          @chs.push([uch, @read_existing_events])
+        end
+      end
+
+      @read_existing_events = @read_from_head || @read_existing_events
+      if @channels.empty? && @subscribe_configs.empty? && !@read_all_channels
+        @chs.push(['application', @read_existing_events])
+      else
+        @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
+          @chs.push([uch, @read_existing_events])
+        end
+        @subscribe_configs.each do |subscribe|
+          subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
+            @chs.push([uch, subscribe.read_existing_events])
+          end
+        end
+      end
+      @chs.uniq!
       @keynames = @keys.map {|k| k.strip }.uniq
       if @keynames.empty?
         @keynames = KEY_MAP.keys
@@ -67,7 +99,6 @@ module Fluent::Plugin
       @keynames.delete('EventData') if @parse_description
 
       @tag = tag
-      @tailing = @read_from_head ? false : true
       @bookmarks_storage = storage_create(usage: "bookmarks")
       @winevt_xml = false
       if @render_as_xml
@@ -86,30 +117,48 @@ module Fluent::Plugin
     def start
       super
 
-      @chs.each do |ch|
-        bookmarkXml = @bookmarks_storage.get(ch) || ""
-        subscribe = Winevt::EventLog::Subscribe.new
-        bookmark = unless bookmarkXml.empty?
-                     Winevt::EventLog::Bookmark.new(bookmarkXml)
-                   else
-                     nil
-                   end
-        subscribe.tail = @tailing
-        begin
-          subscribe.subscribe(ch, "*", bookmark)
-        rescue Winevt::EventLog::Query::Error => e
-          raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
-        end
-        subscribe.render_as_xml = @render_as_xml
-        subscribe.rate_limit = @rate_limit
-        timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
-          on_notify(ch, subscribe)
-        end
+      @chs.each do |ch, read_existing_events|
+        subscribe_channel(ch, read_existing_events)
+      end
+    end
+
+    def subscribe_channel(ch, read_existing_events)
+      bookmarkXml = @bookmarks_storage.get(ch) || ""
+      bookmark = nil
+      if bookmark_validator(bookmarkXml, ch)
+        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+      end
+      subscribe = Winevt::EventLog::Subscribe.new
+      subscribe.read_existing_events = read_existing_events
+      begin
+        subscribe.subscribe(ch, "*", bookmark)
+      rescue Winevt::EventLog::Query::Error => e
+        raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
+      end
+      subscribe.render_as_xml = @render_as_xml
+      subscribe.rate_limit = @rate_limit
+      timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
+        on_notify(ch, subscribe)
+      end
+    end
+
+    def bookmark_validator(bookmarkXml, channel)
+      return false if bookmarkXml.empty?
+
+      evtxml = WinevtBookmarkDocument.new
+      parser = Nokogiri::XML::SAX::Parser.new(evtxml)
+      parser.parse(bookmarkXml)
+      result = evtxml.result
+      if !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
+        true
+      else
+        log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{channel}"
+        false
       end
     end
 
     def escape_channel(ch)
-      ch.gsub(/[^a-zA-Z0-9]/, '_')
+      ch.gsub(/[^a-zA-Z0-9\s]/, '_')
     end
 
     def on_notify(ch, subscribe)
@@ -209,6 +258,7 @@ module Fluent::Plugin
                        else
                          r.split(NONE_FIELD_DELIMITER)
                        end
+          key = "" if key.nil?
           key.chop!  # remove ':' from key
           if value.nil?
             parent_key = to_key(key)
@@ -217,7 +267,7 @@ module Fluent::Plugin
             value.strip!
             # merge empty key values into the previous non-empty key record.
             if key.empty?
-              record[previous_key] = [record[previous_key], value].flatten
+              record[previous_key] = [record[previous_key], value].flatten.reject {|e| e.nil?}
             elsif parent_key.nil?
               record[to_key(key)] = value
             else

data/test/data/eventid_6416

@@ -0,0 +1,27 @@
+A new external device was recognized by the system.
+
+Subject:
+	Security ID:		SYSTEM
+	Account Name:		IIZHU2016$
+	Account Domain:		ITSS
+	Logon ID:		0x3E7
+
+Device ID:	SWD\PRINTENUM\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}
+
+Device Name:	Microsoft Print to PDF
+
+Class ID:		{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
+
+Class Name:	PrintQueue
+
+Vendor IDs:
+		PRINTENUM\{084f01fa-e634-4d77-83ee-074817c03581}
+		PRINTENUM\LocalPrintQueue
+		{084f01fa-e634-4d77-83ee-074817c03581}
+
+
+
+Compatible IDs:
+		GenPrintQueue
+		SWD\GenericRaw
+		SWD\Generic

data/test/helper.rb

@@ -25,6 +25,7 @@ end
 require 'fluent/test/driver/input'
 require 'fluent/plugin/in_windows_eventlog'
 require 'fluent/plugin/in_windows_eventlog2'
+require 'fluent/plugin/bookmark_sax_parser'
 
 class Test::Unit::TestCase
 end

data/test/plugin/test_bookmark_sax_parser.rb

@@ -0,0 +1,41 @@
+require_relative '../helper'
+
+class BookmarkSAXParserTest < Test::Unit::TestCase
+
+  def setup
+    @evtxml = WinevtBookmarkDocument.new
+    @parser = Nokogiri::XML::SAX::Parser.new(@evtxml)
+  end
+
+  def test_parse
+    bookmark_str = <<EOS
+<BookmarkList>
+  <Bookmark Channel='Application' RecordId='161332' IsCurrent='true'/>
+</BookmarkList>
+EOS
+    @parser.parse(bookmark_str)
+    expected = {channel: "Application", record_id: 161332, is_current: true}
+    assert_equal expected, @evtxml.result
+  end
+
+  def test_parse_2
+    bookmark_str = <<EOS
+<BookmarkList>
+  <Bookmark Channel='Security' RecordId='25464' IsCurrent='true'/>
+</BookmarkList>
+EOS
+    @parser.parse(bookmark_str)
+    expected = {channel: "Security", record_id: 25464, is_current: true}
+    assert_equal expected, @evtxml.result
+  end
+
+  def test_parse_empty_bookmark_list
+    bookmark_str = <<EOS
+<BookmarkList>
+</BookmarkList>
+EOS
+    @parser.parse(bookmark_str)
+    expected = {}
+    assert_equal expected, @evtxml.result
+  end
+end

data/test/plugin/test_in_windows_eventlog2.rb

@@ -23,11 +23,84 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
     d = create_driver CONFIG
     assert_equal 'fluent.eventlog', d.instance.tag
     assert_equal 2, d.instance.read_interval
-    assert_equal ['application'], d.instance.channels
-    assert_false d.instance.read_from_head
+    assert_equal [], d.instance.channels
+    assert_false d.instance.read_existing_events
     assert_true d.instance.render_as_xml
   end
 
+  sub_test_case "configure" do
+    test "subscribe directive" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['System', 'Windows PowerShell'],
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['Security'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                       ])
+      expected = [["system", false], ["windows powershell", false], ["security", true]]
+      assert_equal expected, d.instance.instance_variable_get(:@chs)
+    end
+
+    test "duplicated subscribe" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "channels" => ["System", "Windows PowerShell"]
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['System', 'Windows PowerShell'],
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['Security'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                       ])
+      expected = [["system", false], ["windows powershell", false], ["security", true]]
+      assert_equal 1, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
+      assert_equal expected, d.instance.instance_variable_get(:@chs)
+    end
+
+    test "non duplicated subscribe" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "channels" => ["System", "Windows PowerShell"]
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['System', 'Windows PowerShell'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['Security'],
+                                                          'read_existing_events' => true
+                                                        }),
+                                       ])
+      expected = [["system", false], ["windows powershell", false], ["system", true], ["windows powershell", true], ["security", true]]
+      assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
+      assert_equal expected, d.instance.instance_variable_get(:@chs)
+    end
+  end
+
+  data("application"        => ["Application", "Application"],
+       "windows powershell" => ["Windows PowerShell", "Windows PowerShell"],
+       "escaped"            => ["Should_Be_Escaped_", "Should+Be;Escaped/"]
+      )
+  def test_escape_channel(data)
+    expected, actual = data
+    d = create_driver CONFIG
+    assert_equal expected, d.instance.escape_channel(actual)
+  end
+
   def test_parse_desc
     d = create_driver
     desc =<<-DESC
@@ -80,6 +153,31 @@ DESC
     assert_equal(expected, h)
   end
 
+  test "A new external device was recognized by the system." do
+    # using the event log example: eventopedia.cloudapp.net/EventDetails.aspx?id=17ef124e-eb89-4c01-9ba2-d761e06b2b68
+    d = create_driver
+    desc = nil
+    File.open('./test/data/eventid_6416', 'r') do |f|
+      desc = f.read.gsub(/\R/, "\r\n")
+    end
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "A new external device was recognized by the system.",
+                "class_id"               => "{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}",
+                "class_name"             => "PrintQueue",
+                "compatible_ids"         => ["GenPrintQueue", "SWD\\GenericRaw", "SWD\\Generic"],
+                "device_id"              => "SWD\\PRINTENUM\\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}",
+                "device_name"            => "Microsoft Print to PDF",
+                "subject.account_domain" => "ITSS",
+                "subject.account_name"   => "IIZHU2016$",
+                "subject.logon_id"       => "0x3E7",
+                "subject.security_id"    => "SYSTEM",
+                "vendor_ids"             => ["PRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}",
+                                             "PRINTENUM\\LocalPrintQueue",
+                                             "{084f01fa-e634-4d77-83ee-074817c03581}"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
   def test_write
     d = create_driver
 
@@ -163,6 +261,7 @@ DESC
                                config_element("storage", "", {
                                                 '@type' => 'local',
                                                 '@id' => 'test-02',
+                                                '@log_level' => "info",
                                                 'path' => File.join(TEST_PLUGIN_STORAGE_PATH,
                                                                     'json', 'test-02.json'),
                                                 'persistent' => true,
@@ -226,6 +325,21 @@ EOS
       assert_raise(Fluent::ConfigError) do
         d2.instance.start
       end
+      assert_equal 0, d2.logs.grep(/This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe:/).length
+    end
+
+    def test_start_with_empty_bookmark
+      invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n</BookmarkList>
+EOS
+      d = create_driver(CONFIG2)
+      storage = d.instance.instance_variable_get(:@bookmarks_storage)
+      storage.put('application', invalid_storage_contents)
+      assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+
+      d2 = create_driver(CONFIG2)
+      d2.instance.start
+      assert_equal 1, d2.logs.grep(/This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe:/).length
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.4.4
+  version: 0.5.2
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-07 00:00:00.000000000 Z
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,14 +94,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.1
+        version: 0.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.1
+        version: 0.7.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -147,10 +147,13 @@ files:
 - Rakefile
 - appveyor.yml
 - fluent-plugin-winevtlog.gemspec
+- lib/fluent/plugin/bookmark_sax_parser.rb
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
+- test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
+- test/plugin/test_bookmark_sax_parser.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb
 homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
@@ -173,12 +176,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Fluentd Input plugin to read windows event log.
 test_files:
+- test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
+- test/plugin/test_bookmark_sax_parser.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb