fluent-plugin-windows-eventlog 0.4.6 → 0.5.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f4516e76fe8713d76f90513a1312ad213eee4e779acecaef91244b799de7aa99
4
- data.tar.gz: 84db0703a52631a1e982b3d90f382803e00f22909c749d12aca5c2bbc2ebe8ac
3
+ metadata.gz: 35b9fd46107e694c466990707eb437a8d065a6bad1553973f5e982bda134be2f
4
+ data.tar.gz: 72805c709bdfe6cd9a3ff6c3c83bf6611168191ff173c1fe2d1e4b5a5de64c83
5
5
  SHA512:
6
- metadata.gz: 3cfb0b205425eba34652d5c2dc4f22666ff9eb711b4d1a3f381d082ec7f0e162e03aa9f4cde83073d5b16b1c0ea8f7b432d36e7c2a129f55d32524261201d316
7
- data.tar.gz: 9bc301c76c403093286c22d8be097e3f67a18322d73a434b73655856c5edb82e77ab036d9756d6e697729a2667e3662b16617cef3e585969c417943e61d7a1de
6
+ metadata.gz: ae27988d8b97fbfd2674b39c91c47b58fc45688f2e988a61e2cf6bd359989da06e51220266a67309ef8a78af80fdeb6448c7ff1a552467c9bd53d1029dde0d47
7
+ data.tar.gz: bd5beec850fddb5427dfb5564de325380f88cdc8d96303e613d6b2b6f2d8f5a644857665323c20008252c549ffbf1d422d78ee0423375acee07b5bde73151a91
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ # Release v0.5.0 - 2020/02/17
2
+ * in_windows_eventlog2: Support subscribe directive to handle read_existing_events paratemer each of channels.
3
+ * in_windows_eventlog2: Depends on winevt_c v0.7.0 or later.
4
+
1
5
  # Release v0.4.6 - 2020/02/15
2
6
  * Fix winevt_c dependency to prevent fetching winevt_c v0.7.0 or later.
3
7
 
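Review bot: the v0.5.0 entry has a typo and an unclear phrase: `paratemer` should be `parameter`, and `to handle read_existing_events paratemer each of channels` should read `to set read_existing_events per channel`. It should also say outright that this release requires winevt_c 0.7.0 or later and therefore drops the `< 0.7.0` pin that 0.4.6 added two days earlier; users who pinned the older winevt_c will hit a dependency resolution failure on upgrade, and that is worth one sentence here.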
data/README.md CHANGED
@@ -135,7 +135,8 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
135
135
  <source>
136
136
  @type windows_eventlog2
137
137
  @id windows_eventlog2
138
- channels application,system
138
+ channels application,system # Also be able to use `<subscribe>` directive.
139
+ read_existing_events false
139
140
  read_interval 2
140
141
  tag winevt.raw
141
142
  render_as_xml false # default is true.
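Review bot: the inline comment `# Also be able to use `<subscribe>` directive.` on the `channels` line is ungrammatical and does not say what the alternative buys; suggest `# <subscribe> sections can be used instead of, or alongside, channels to set read_existing_events per channel.` The new `read_existing_events false` line is fine, but since it replaces `read_from_head`, a short `# replaces the deprecated read_from_head` comment would help users migrating an existing config.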
@@ -149,6 +150,10 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
149
150
  <parse>
150
151
  @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
151
152
  </parse>
153
+ # <subscribe>
154
+ # channles application, system
155
+ # read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
156
+ # </subscribe>
152
157
  </source>
153
158
 
154
159
  **NOTE:** in_windows_eventlog2 always handles EventLog records as UTF-8 characters. Users don't have to specify encoding related parameters and they are not provided.
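Review bot: the commented `<subscribe>` example misspells the parameter as `channles`; `channels` is required in the section (no default in `config_section :subscribe`), so a user who uncomments this block as written gets a ConfigError. The trailing comment `read_existing_events should be applied each of subscribe directive(s)` should read `read_existing_events applies per <subscribe> section`.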
@@ -163,13 +168,60 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
163
168
 
164
169
  |name | description |
165
170
  |:----- |:----- |
166
- |`channels` | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
171
+ |`channels` | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
167
172
  |`keys` | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
168
173
  |`read_interval` | (option) Read interval in seconds. 2 seconds as default.|
169
174
  |`from_encoding` | (option) Input character encoding. `nil` as default.|
170
175
  |`<storage>` | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
171
176
  |`<parse>` | Setting for `parser` plugin for parsing raw XML EventLog records. |
172
177
  |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
178
+ |`read_from_head` | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
179
+ |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
180
+ |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
181
+ |`rate_limit` | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
182
+ |`<subscribe>` | Setting for subscribe channels. |
183
+
184
+ ##### subscribe section
185
+
186
+ |name | description |
187
+ |:----- |:----- |
188
+ |`channels` | One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
189
+ |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`. |
190
+
191
+
192
+ **Motivation:** subscribe directive is designed for applying `read_existing_events` each of channels which is specified in subscribe section(s).
193
+
194
+ e.g) The previous configuration can handle `read_existing_events` but this parameter only specifies `read_existing_events` or not for channels which are specified in `channels`.
195
+
196
+ ```aconf
197
+ channels ["Application", "Security", "HardwareEvents"]
198
+ read_existing_events true
199
+ ```
200
+
201
+ is interpreted as "Application", "Security", and "HardwareEvents" should be read existing events.
202
+
203
+ But some users want to configure to:
204
+
205
+ * "Application" and "Security" channels just tailing
206
+ * "HardwareEvent" channel read existing events before launching Fluentd
207
+
208
+ With `<subscribe>` directive, this requirements can be represendted as:
209
+
210
+ ```aconf
211
+ <subscribe>
212
+ channles ["Application", "Security"]
213
+ # read_existing_events false
214
+ </subscribe>
215
+ <subscribe>
216
+ channles ["HardwareEvent"]
217
+ read_existing_events true
218
+ </subscribe>
219
+ ```
220
+
221
+ This configuration can be handled as:
222
+
223
+ * "Application" and "Security" channels just tailing
224
+ * "HardwareEvent" channel read existing events before launching Fluentd
173
225
 
174
226
  ##### Available keys
175
227
 
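Review bot: the `read_existing_events` row appears twice in the parameter table; drop one. In the worked example both `<subscribe>` blocks misspell `channels` as `channles` (a copy-paste of the example will fail to configure), the channel is `HardwareEvents` in the first snippet and `HardwareEvent` in the second, and `represendted` should be `represented`. In the `Motivation:` paragraph, `applying read_existing_events each of channels which is specified in subscribe section(s)` should read `applying read_existing_events per channel within each subscribe section`. The `rate_limit` row gives a Ruby constant name as the default; state the user-facing meaning (no rate limit) instead of `Winevt::EventLog::Subscribe::RATE_INFINITE`.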
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-windows-eventlog"
7
- spec.version = "0.4.6"
7
+ spec.version = "0.5.0"
8
8
  spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
9
9
  spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
10
10
  spec.summary = %q{Fluentd Input plugin to read windows event log.}
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
22
22
  spec.add_development_dependency "test-unit", "~> 3.2.0"
23
23
  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
24
24
  spec.add_runtime_dependency "win32-eventlog"
25
- spec.add_runtime_dependency "winevt_c", [">= 0.6.1", "< 0.7.0"]
25
+ spec.add_runtime_dependency "winevt_c", ">= 0.7.0"
26
26
  spec.add_runtime_dependency "nokogiri", "~> 1.10"
27
27
  spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
28
28
  end
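Review bot: `spec.add_runtime_dependency "winevt_c", ">= 0.7.0"` has no upper bound, whereas the line it replaces deliberately capped at `< 0.7.0` because 0.7.0 changed the subscribe API (`tail=` is replaced by `read_existing_events=` in the plugin hunk below). The next incompatible winevt_c release will be picked up silently at install time in exactly the way 0.4.6 had to guard against. Suggest `spec.add_runtime_dependency "winevt_c", [">= 0.7.0", "< 0.8.0"]` and bumping the bound deliberately with each verified release.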
@@ -32,13 +32,19 @@ module Fluent::Plugin
32
32
 
33
33
  config_param :tag, :string
34
34
  config_param :read_interval, :time, default: 2
35
- config_param :channels, :array, default: ['application']
35
+ config_param :channels, :array, default: []
36
36
  config_param :keys, :array, default: []
37
- config_param :read_from_head, :bool, default: false
37
+ config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
38
+ config_param :read_existing_events, :bool, default: false
38
39
  config_param :parse_description, :bool, default: false
39
40
  config_param :render_as_xml, :bool, default: true
40
41
  config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
41
42
 
43
+ config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
44
+ config_param :channels, :array
45
+ config_param :read_existing_events, :bool, default: false
46
+ end
47
+
42
48
  config_section :storage do
43
49
  config_set_default :usage, "bookmarks"
44
50
  config_set_default :@type, DEFAULT_STORAGE_TYPE
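Review bot: the `read_existing_events` inside `config_section :subscribe` defaults to `false` independently of the top-level `read_existing_events`, so a user who sets `read_existing_events true` at the top level and also adds `<subscribe>` blocks gets tail-only behaviour for the channels in those blocks; that is a reasonable design but it is not stated in the README parameter table and should be. Also, with `read_from_head` deprecated and `channels` now defaulting to `[]`, the deprecation message `Use `read_existing_events' instead.` could mention that `channels` is still honoured when no `<subscribe>` section is given, since both changes land in the same release.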
@@ -58,7 +64,22 @@ module Fluent::Plugin
58
64
 
59
65
  def configure(conf)
60
66
  super
61
- @chs = @channels.map {|ch| ch.strip.downcase }.uniq
67
+ @chs = []
68
+
69
+ @read_existing_events = @read_from_head || @read_existing_events
70
+ if @channels.empty? && @subscribe_configs.empty?
71
+ @chs.push(['application', @read_existing_events])
72
+ else
73
+ @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
74
+ @chs.push([uch, @read_existing_events])
75
+ end
76
+ @subscribe_configs.each do |subscribe|
77
+ subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
78
+ @chs.push([uch, subscribe.read_existing_events])
79
+ end
80
+ end
81
+ end
82
+ @chs.uniq!
62
83
  @keynames = @keys.map {|k| k.strip }.uniq
63
84
  if @keynames.empty?
64
85
  @keynames = KEY_MAP.keys
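Review bot: `@chs.uniq!` deduplicates `[channel, flag]` pairs, not channel names, so a channel listed at the top level and in a `<subscribe>` block with a different `read_existing_events` value (or in two `<subscribe>` blocks with different values) produces two entries and, in `start`, two subscriptions to the same channel. Both share the bookmark key `ch` in `@bookmarks_storage` and the timer title built from `escape_channel(ch)`, so records are ingested twice and the bookmark is overwritten by whichever subscription writes last. Suggest detecting the conflict here, e.g. `raise Fluent::ConfigError, "channel '#{uch}' is configured more than once with different read_existing_events values"`, or merging on channel name with a documented precedence. The `map {|ch| ch.strip.downcase }.uniq` normalisation is also duplicated between the top-level and subscribe loops; a small helper would keep the two in step.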
@@ -67,7 +88,6 @@ module Fluent::Plugin
67
88
  @keynames.delete('EventData') if @parse_description
68
89
 
69
90
  @tag = tag
70
- @tailing = @read_from_head ? false : true
71
91
  @bookmarks_storage = storage_create(usage: "bookmarks")
72
92
  @winevt_xml = false
73
93
  if @render_as_xml
@@ -86,25 +106,29 @@ module Fluent::Plugin
86
106
  def start
87
107
  super
88
108
 
89
- @chs.each do |ch|
90
- bookmarkXml = @bookmarks_storage.get(ch) || ""
91
- subscribe = Winevt::EventLog::Subscribe.new
92
- bookmark = unless bookmarkXml.empty?
93
- Winevt::EventLog::Bookmark.new(bookmarkXml)
94
- else
95
- nil
96
- end
97
- subscribe.tail = @tailing
98
- begin
99
- subscribe.subscribe(ch, "*", bookmark)
100
- rescue Winevt::EventLog::Query::Error => e
101
- raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
102
- end
103
- subscribe.render_as_xml = @render_as_xml
104
- subscribe.rate_limit = @rate_limit
105
- timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
106
- on_notify(ch, subscribe)
107
- end
109
+ @chs.each do |ch, read_existing_events|
110
+ subscribe_channel(ch, read_existing_events)
111
+ end
112
+ end
113
+
114
+ def subscribe_channel(ch, read_existing_events)
115
+ bookmarkXml = @bookmarks_storage.get(ch) || ""
116
+ subscribe = Winevt::EventLog::Subscribe.new
117
+ bookmark = unless bookmarkXml.empty?
118
+ Winevt::EventLog::Bookmark.new(bookmarkXml)
119
+ else
120
+ nil
121
+ end
122
+ subscribe.read_existing_events = read_existing_events
123
+ begin
124
+ subscribe.subscribe(ch, "*", bookmark)
125
+ rescue Winevt::EventLog::Query::Error => e
126
+ raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
127
+ end
128
+ subscribe.render_as_xml = @render_as_xml
129
+ subscribe.rate_limit = @rate_limit
130
+ timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
131
+ on_notify(ch, subscribe)
108
132
  end
109
133
  end
110
134
 
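Review bot: the `rescue Winevt::EventLog::Query::Error` around `subscribe.subscribe(ch, "*", bookmark)` reports every failure as `Invalid Bookmark XML is loaded`, yet the `bookmark` argument is `nil` on a first run and the same call is now reached for every channel named in a `<subscribe>` block; if `subscribe` raises `Query::Error` for any other reason (an unknown channel name, or insufficient privilege for the `security`/`setup` channels the README says need administrator rights) the message sends the operator to the wrong place. Include the channel and whether a bookmark was supplied, e.g. `raise Fluent::ConfigError, "subscribe to '#{ch}' failed (bookmark loaded: #{!bookmark.nil?}): #{e}"`. Separately, the precedence between a stored bookmark and `read_existing_events = true` (whether the bookmark position wins over reading from the start) is not documented anywhere in this patch and users restarting fluentd will want to know.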
@@ -23,11 +23,74 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
23
23
  d = create_driver CONFIG
24
24
  assert_equal 'fluent.eventlog', d.instance.tag
25
25
  assert_equal 2, d.instance.read_interval
26
- assert_equal ['application'], d.instance.channels
27
- assert_false d.instance.read_from_head
26
+ assert_equal [], d.instance.channels
27
+ assert_false d.instance.read_existing_events
28
28
  assert_true d.instance.render_as_xml
29
29
  end
30
30
 
31
+ sub_test_case "configure" do
32
+ test "subscribe directive" do
33
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
34
+ config_element("storage", "", {
35
+ '@type' => 'local',
36
+ 'persistent' => false
37
+ }),
38
+ config_element("subscribe", "", {
39
+ 'channels' => ['System', 'Windows PowerShell'],
40
+ }),
41
+ config_element("subscribe", "", {
42
+ 'channels' => ['Security'],
43
+ 'read_existing_events' => true
44
+ }),
45
+ ])
46
+ expected = [["system", false], ["windows powershell", false], ["security", true]]
47
+ assert_equal expected, d.instance.instance_variable_get(:@chs)
48
+ end
49
+
50
+ test "duplicated subscribe" do
51
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
52
+ "channels" => ["System", "Windows PowerShell"]
53
+ }, [
54
+ config_element("storage", "", {
55
+ '@type' => 'local',
56
+ 'persistent' => false
57
+ }),
58
+ config_element("subscribe", "", {
59
+ 'channels' => ['System', 'Windows PowerShell'],
60
+ }),
61
+ config_element("subscribe", "", {
62
+ 'channels' => ['Security'],
63
+ 'read_existing_events' => true
64
+ }),
65
+ ])
66
+ expected = [["system", false], ["windows powershell", false], ["security", true]]
67
+ assert_equal 1, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
68
+ assert_equal expected, d.instance.instance_variable_get(:@chs)
69
+ end
70
+
71
+ test "non duplicated subscribe" do
72
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
73
+ "channels" => ["System", "Windows PowerShell"]
74
+ }, [
75
+ config_element("storage", "", {
76
+ '@type' => 'local',
77
+ 'persistent' => false
78
+ }),
79
+ config_element("subscribe", "", {
80
+ 'channels' => ['System', 'Windows PowerShell'],
81
+ 'read_existing_events' => true
82
+ }),
83
+ config_element("subscribe", "", {
84
+ 'channels' => ['Security'],
85
+ 'read_existing_events' => true
86
+ }),
87
+ ])
88
+ expected = [["system", false], ["windows powershell", false], ["system", true], ["windows powershell", true], ["security", true]]
89
+ assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
90
+ assert_equal expected, d.instance.instance_variable_get(:@chs)
91
+ end
92
+ end
93
+
31
94
  data("application" => ["Application", "Application"],
32
95
  "windows powershell" => ["Windows PowerShell", "Windows PowerShell"],
33
96
  "escaped" => ["Should_Be_Escaped_", "Should+Be;Escaped/"]
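Review bot: the `non duplicated subscribe` case asserts that `system` and `windows powershell` each appear twice in `@chs` (once with `false` from top-level `channels`, once with `true` from `<subscribe>`), which locks in a double subscription to the same channel as intended behaviour rather than flagging it as a misconfiguration. If that is unintended, the expectation should be a `Fluent::ConfigError`; if it is intended, the consequences (two timers per channel, one shared bookmark key) need a README note. The names `duplicated subscribe` and `non duplicated subscribe` also read inverted relative to what they check; consider `same channel with same flag is merged` and `same channel with different flag is kept`.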
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-windows-eventlog
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.6
4
+ version: 0.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - okahashi117
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2020-02-15 00:00:00.000000000 Z
13
+ date: 2020-02-17 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: bundler
@@ -93,9 +93,6 @@ dependencies:
93
93
  requirement: !ruby/object:Gem::Requirement
94
94
  requirements:
95
95
  - - ">="
96
- - !ruby/object:Gem::Version
97
- version: 0.6.1
98
- - - "<"
99
96
  - !ruby/object:Gem::Version
100
97
  version: 0.7.0
101
98
  type: :runtime
@@ -103,9 +100,6 @@ dependencies:
103
100
  version_requirements: !ruby/object:Gem::Requirement
104
101
  requirements:
105
102
  - - ">="
106
- - !ruby/object:Gem::Version
107
- version: 0.6.1
108
- - - "<"
109
103
  - !ruby/object:Gem::Version
110
104
  version: 0.7.0
111
105
  - !ruby/object:Gem::Dependency