fluent-plugin-windows-eventlog 0.4.6 → 0.5.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f4516e76fe8713d76f90513a1312ad213eee4e779acecaef91244b799de7aa99
4
- data.tar.gz: 84db0703a52631a1e982b3d90f382803e00f22909c749d12aca5c2bbc2ebe8ac
3
+ metadata.gz: 35b9fd46107e694c466990707eb437a8d065a6bad1553973f5e982bda134be2f
4
+ data.tar.gz: 72805c709bdfe6cd9a3ff6c3c83bf6611168191ff173c1fe2d1e4b5a5de64c83
5
5
  SHA512:
6
- metadata.gz: 3cfb0b205425eba34652d5c2dc4f22666ff9eb711b4d1a3f381d082ec7f0e162e03aa9f4cde83073d5b16b1c0ea8f7b432d36e7c2a129f55d32524261201d316
7
- data.tar.gz: 9bc301c76c403093286c22d8be097e3f67a18322d73a434b73655856c5edb82e77ab036d9756d6e697729a2667e3662b16617cef3e585969c417943e61d7a1de
6
+ metadata.gz: ae27988d8b97fbfd2674b39c91c47b58fc45688f2e988a61e2cf6bd359989da06e51220266a67309ef8a78af80fdeb6448c7ff1a552467c9bd53d1029dde0d47
7
+ data.tar.gz: bd5beec850fddb5427dfb5564de325380f88cdc8d96303e613d6b2b6f2d8f5a644857665323c20008252c549ffbf1d422d78ee0423375acee07b5bde73151a91
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ # Release v0.5.0 - 2020/02/17
2
+ * in_windows_eventlog2: Support subscribe directive to handle read_existing_events paratemer each of channels.
3
+ * in_windows_eventlog2: Depends on winevt_c v0.7.0 or later.
4
+
1
5
  # Release v0.4.6 - 2020/02/15
2
6
  * Fix winevt_c dependency to prevent fetching winevt_c v0.7.0 or later.
3
7
 
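Review bot: the v0.5.0 changelog entry for in_windows_eventlog2 misspells "parameter" as "paratemer" and the phrase "to handle read_existing_events paratemer each of channels" is hard to parse; suggest "Support the `<subscribe>` directive so that `read_existing_events` can be set per channel." The release notes should also mention that `read_from_head` is deprecated in favour of `read_existing_events`, since that deprecation lands in this same release.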
data/README.md CHANGED
@@ -135,7 +135,8 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
135
135
  <source>
136
136
  @type windows_eventlog2
137
137
  @id windows_eventlog2
138
- channels application,system
138
+ channels application,system # Also be able to use `<subscribe>` directive.
139
+ read_existing_events false
139
140
  read_interval 2
140
141
  tag winevt.raw
141
142
  render_as_xml false # default is true.
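Review bot: the trailing comment added on the `channels` line, "# Also be able to use `<subscribe>` directive.", is ungrammatical and does not say what the alternative buys the user; suggest "# Alternatively, list channels in one or more `<subscribe>` sections to set read_existing_events per channel." The new `read_existing_events false` line shows the default, so the comment should make clear that this top-level value applies to every channel in `channels`.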
@@ -149,6 +150,10 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
149
150
  <parse>
150
151
  @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
151
152
  </parse>
153
+ # <subscribe>
154
+ # channles application, system
155
+ # read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
156
+ # </subscribe>
152
157
  </source>
153
158
 
154
159
  **NOTE:** in_windows_eventlog2 always handles EventLog records as UTF-8 characters. Users don't have to specify encoding related parameters and they are not provided.
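Review bot: the commented-out `<subscribe>` block added after `</parse>` spells the parameter `channles`; `channels` is the required parameter of that section, so anyone who uncomments the sample as written gets a configuration error at startup. Fix the spelling, and use the same `application,system` form as the earlier example rather than `application, system`, so the README does not depend on the plugin stripping the leading space from the second channel name.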
@@ -163,13 +168,60 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
163
168
 
164
169
  |name | description |
165
170
  |:----- |:----- |
166
- |`channels` | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
171
+ |`channels` | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
167
172
  |`keys` | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
168
173
  |`read_interval` | (option) Read interval in seconds. 2 seconds as default.|
169
174
  |`from_encoding` | (option) Input character encoding. `nil` as default.|
170
175
  |`<storage>` | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
171
176
  |`<parse>` | Setting for `parser` plugin for parsing raw XML EventLog records. |
172
177
  |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
178
+ |`read_from_head` | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
179
+ |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
180
+ |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
181
+ |`rate_limit` | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
182
+ |`<subscribe>` | Setting for subscribe channels. |
183
+
184
+ ##### subscribe section
185
+
186
+ |name | description |
187
+ |:----- |:----- |
188
+ |`channels` | One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
189
+ |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`. |
190
+
191
+
192
+ **Motivation:** subscribe directive is designed for applying `read_existing_events` each of channels which is specified in subscribe section(s).
193
+
194
+ e.g) The previous configuration can handle `read_existing_events` but this parameter only specifies `read_existing_events` or not for channels which are specified in `channels`.
195
+
196
+ ```aconf
197
+ channels ["Application", "Security", "HardwareEvents"]
198
+ read_existing_events true
199
+ ```
200
+
201
+ is interpreted as "Application", "Security", and "HardwareEvents" should be read existing events.
202
+
203
+ But some users want to configure to:
204
+
205
+ * "Application" and "Security" channels just tailing
206
+ * "HardwareEvent" channel read existing events before launching Fluentd
207
+
208
+ With `<subscribe>` directive, this requirements can be represendted as:
209
+
210
+ ```aconf
211
+ <subscribe>
212
+ channles ["Application", "Security"]
213
+ # read_existing_events false
214
+ </subscribe>
215
+ <subscribe>
216
+ channles ["HardwareEvent"]
217
+ read_existing_events true
218
+ </subscribe>
219
+ ```
220
+
221
+ This configuration can be handled as:
222
+
223
+ * "Application" and "Security" channels just tailing
224
+ * "HardwareEvent" channel read existing events before launching Fluentd
173
225
 
174
226
  ##### Available keys
175
227
 
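Review bot: the parameter table now lists `read_existing_events` twice with identical text; drop one row. In the worked `<subscribe>` example both sections misspell the parameter as `channles` (the config will not load until it is `channels`), the channel name is `HardwareEvents` in the first snippet but `HardwareEvent` in the second snippet and in both bullet lists, and "represendted" / "this requirements" should read "represented" / "these requirements". The text also leaves one important case undocumented: a channel that appears both in the top-level `channels` and in a `<subscribe>` section; `configure` keeps both entries when their `read_existing_events` values differ, and the README should say whether that is an error, an override, or two subscriptions.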
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-windows-eventlog"
7
- spec.version = "0.4.6"
7
+ spec.version = "0.5.0"
8
8
  spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
9
9
  spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
10
10
  spec.summary = %q{Fluentd Input plugin to read windows event log.}
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
22
22
  spec.add_development_dependency "test-unit", "~> 3.2.0"
23
23
  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
24
24
  spec.add_runtime_dependency "win32-eventlog"
25
- spec.add_runtime_dependency "winevt_c", [">= 0.6.1", "< 0.7.0"]
25
+ spec.add_runtime_dependency "winevt_c", ">= 0.7.0"
26
26
  spec.add_runtime_dependency "nokogiri", "~> 1.10"
27
27
  spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
28
28
  end
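Review bot: `spec.add_runtime_dependency "winevt_c", ">= 0.7.0"` has no upper bound, while the line it replaces deliberately pinned `< 0.7.0` because 0.7.0 evidently changed the API (this same change swaps `subscribe.tail =` for `subscribe.read_existing_events =`). For a pre-1.0 dependency the next minor release can break the plugin in the same way, and an open-ended constraint also lets any future winevt_c release be pulled into every fresh install without review; suggest `[">= 0.7.0", "< 0.8.0"]` in the file's existing style, or `"~> 0.7"` if you want to accept patch and minor updates below 1.0.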
@@ -32,13 +32,19 @@ module Fluent::Plugin
32
32
 
33
33
  config_param :tag, :string
34
34
  config_param :read_interval, :time, default: 2
35
- config_param :channels, :array, default: ['application']
35
+ config_param :channels, :array, default: []
36
36
  config_param :keys, :array, default: []
37
- config_param :read_from_head, :bool, default: false
37
+ config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
38
+ config_param :read_existing_events, :bool, default: false
38
39
  config_param :parse_description, :bool, default: false
39
40
  config_param :render_as_xml, :bool, default: true
40
41
  config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
41
42
 
43
+ config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
44
+ config_param :channels, :array
45
+ config_param :read_existing_events, :bool, default: false
46
+ end
47
+
42
48
  config_section :storage do
43
49
  config_set_default :usage, "bookmarks"
44
50
  config_set_default :@type, DEFAULT_STORAGE_TYPE
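Review bot: the deprecation message on `read_from_head` mixes an opening backtick with a closing apostrophe ("`read_existing_events'"); use matching backticks. Note also that inside the new `config_section :subscribe` the `channels` parameter has no default and is therefore required, while the top-level `channels` default changes from `['application']` to `[]`; the old default is restored only when neither `channels` nor a `<subscribe>` section is given, and the README's "'application' is used as default due to backward compatibility" wording should state that condition.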
@@ -58,7 +64,22 @@ module Fluent::Plugin
58
64
 
59
65
  def configure(conf)
60
66
  super
61
- @chs = @channels.map {|ch| ch.strip.downcase }.uniq
67
+ @chs = []
68
+
69
+ @read_existing_events = @read_from_head || @read_existing_events
70
+ if @channels.empty? && @subscribe_configs.empty?
71
+ @chs.push(['application', @read_existing_events])
72
+ else
73
+ @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
74
+ @chs.push([uch, @read_existing_events])
75
+ end
76
+ @subscribe_configs.each do |subscribe|
77
+ subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
78
+ @chs.push([uch, subscribe.read_existing_events])
79
+ end
80
+ end
81
+ end
82
+ @chs.uniq!
62
83
  @keynames = @keys.map {|k| k.strip }.uniq
63
84
  if @keynames.empty?
64
85
  @keynames = KEY_MAP.keys
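Review bot: `@chs.uniq!` only collapses identical `[channel, flag]` pairs, so a channel listed in the top-level `channels` (flag false) and again in a `<subscribe>` section with `read_existing_events true` is kept twice and subscribed twice in `start`; both subscriptions use the same bookmark storage key `ch`, so they overwrite each other's read position and every event from that channel is emitted twice. Suggest resolving this here: group `@chs` by channel and raise `Fluent::ConfigError` when a channel carries more than one flag, or document that a `<subscribe>` entry overrides the top-level setting and merge last-wins so each channel appears once.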
@@ -67,7 +88,6 @@ module Fluent::Plugin
67
88
  @keynames.delete('EventData') if @parse_description
68
89
 
69
90
  @tag = tag
70
- @tailing = @read_from_head ? false : true
71
91
  @bookmarks_storage = storage_create(usage: "bookmarks")
72
92
  @winevt_xml = false
73
93
  if @render_as_xml
@@ -86,25 +106,29 @@ module Fluent::Plugin
86
106
  def start
87
107
  super
88
108
 
89
- @chs.each do |ch|
90
- bookmarkXml = @bookmarks_storage.get(ch) || ""
91
- subscribe = Winevt::EventLog::Subscribe.new
92
- bookmark = unless bookmarkXml.empty?
93
- Winevt::EventLog::Bookmark.new(bookmarkXml)
94
- else
95
- nil
96
- end
97
- subscribe.tail = @tailing
98
- begin
99
- subscribe.subscribe(ch, "*", bookmark)
100
- rescue Winevt::EventLog::Query::Error => e
101
- raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
102
- end
103
- subscribe.render_as_xml = @render_as_xml
104
- subscribe.rate_limit = @rate_limit
105
- timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
106
- on_notify(ch, subscribe)
107
- end
109
+ @chs.each do |ch, read_existing_events|
110
+ subscribe_channel(ch, read_existing_events)
111
+ end
112
+ end
113
+
114
+ def subscribe_channel(ch, read_existing_events)
115
+ bookmarkXml = @bookmarks_storage.get(ch) || ""
116
+ subscribe = Winevt::EventLog::Subscribe.new
117
+ bookmark = unless bookmarkXml.empty?
118
+ Winevt::EventLog::Bookmark.new(bookmarkXml)
119
+ else
120
+ nil
121
+ end
122
+ subscribe.read_existing_events = read_existing_events
123
+ begin
124
+ subscribe.subscribe(ch, "*", bookmark)
125
+ rescue Winevt::EventLog::Query::Error => e
126
+ raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
127
+ end
128
+ subscribe.render_as_xml = @render_as_xml
129
+ subscribe.rate_limit = @rate_limit
130
+ timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
131
+ on_notify(ch, subscribe)
108
132
  end
109
133
  end
110
134
 
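Review bot: `subscribe_channel` is added as a public instance method; mark it `private`, since it is only called from `start` and relies on plugin state (`@bookmarks_storage`, `@render_as_xml`, `@rate_limit`). In its rescue, every `Winevt::EventLog::Query::Error` raised by `subscribe.subscribe(ch, "*", bookmark)` is reported as "Invalid Bookmark XML is loaded", although the call also takes the channel name and query, so failures unrelated to the bookmark are misreported and the operator cannot see which channel failed; suggest `raise Fluent::ConfigError, "Failed to subscribe to channel #{ch}: #{e}"`. The timer title `in_windows_eventlog_#{escape_channel(ch)}` is likewise derived from the channel alone, so the duplicate-channel configuration that `configure` currently accepts registers two timers under one title.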
@@ -23,11 +23,74 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
23
23
  d = create_driver CONFIG
24
24
  assert_equal 'fluent.eventlog', d.instance.tag
25
25
  assert_equal 2, d.instance.read_interval
26
- assert_equal ['application'], d.instance.channels
27
- assert_false d.instance.read_from_head
26
+ assert_equal [], d.instance.channels
27
+ assert_false d.instance.read_existing_events
28
28
  assert_true d.instance.render_as_xml
29
29
  end
30
30
 
31
+ sub_test_case "configure" do
32
+ test "subscribe directive" do
33
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
34
+ config_element("storage", "", {
35
+ '@type' => 'local',
36
+ 'persistent' => false
37
+ }),
38
+ config_element("subscribe", "", {
39
+ 'channels' => ['System', 'Windows PowerShell'],
40
+ }),
41
+ config_element("subscribe", "", {
42
+ 'channels' => ['Security'],
43
+ 'read_existing_events' => true
44
+ }),
45
+ ])
46
+ expected = [["system", false], ["windows powershell", false], ["security", true]]
47
+ assert_equal expected, d.instance.instance_variable_get(:@chs)
48
+ end
49
+
50
+ test "duplicated subscribe" do
51
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
52
+ "channels" => ["System", "Windows PowerShell"]
53
+ }, [
54
+ config_element("storage", "", {
55
+ '@type' => 'local',
56
+ 'persistent' => false
57
+ }),
58
+ config_element("subscribe", "", {
59
+ 'channels' => ['System', 'Windows PowerShell'],
60
+ }),
61
+ config_element("subscribe", "", {
62
+ 'channels' => ['Security'],
63
+ 'read_existing_events' => true
64
+ }),
65
+ ])
66
+ expected = [["system", false], ["windows powershell", false], ["security", true]]
67
+ assert_equal 1, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
68
+ assert_equal expected, d.instance.instance_variable_get(:@chs)
69
+ end
70
+
71
+ test "non duplicated subscribe" do
72
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
73
+ "channels" => ["System", "Windows PowerShell"]
74
+ }, [
75
+ config_element("storage", "", {
76
+ '@type' => 'local',
77
+ 'persistent' => false
78
+ }),
79
+ config_element("subscribe", "", {
80
+ 'channels' => ['System', 'Windows PowerShell'],
81
+ 'read_existing_events' => true
82
+ }),
83
+ config_element("subscribe", "", {
84
+ 'channels' => ['Security'],
85
+ 'read_existing_events' => true
86
+ }),
87
+ ])
88
+ expected = [["system", false], ["windows powershell", false], ["system", true], ["windows powershell", true], ["security", true]]
89
+ assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
90
+ assert_equal expected, d.instance.instance_variable_get(:@chs)
91
+ end
92
+ end
93
+
31
94
  data("application" => ["Application", "Application"],
32
95
  "windows powershell" => ["Windows PowerShell", "Windows PowerShell"],
33
96
  "escaped" => ["Should_Be_Escaped_", "Should+Be;Escaped/"]
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-windows-eventlog
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.6
4
+ version: 0.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - okahashi117
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2020-02-15 00:00:00.000000000 Z
13
+ date: 2020-02-17 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: bundler
@@ -93,9 +93,6 @@ dependencies:
93
93
  requirement: !ruby/object:Gem::Requirement
94
94
  requirements:
95
95
  - - ">="
96
- - !ruby/object:Gem::Version
97
- version: 0.6.1
98
- - - "<"
99
96
  - !ruby/object:Gem::Version
100
97
  version: 0.7.0
101
98
  type: :runtime
@@ -103,9 +100,6 @@ dependencies:
103
100
  version_requirements: !ruby/object:Gem::Requirement
104
101
  requirements:
105
102
  - - ">="
106
- - !ruby/object:Gem::Version
107
- version: 0.6.1
108
- - - "<"
109
103
  - !ruby/object:Gem::Version
110
104
  version: 0.7.0
111
105
  - !ruby/object:Gem::Dependency