fluent-plugin-windows-eventlog 0.5.0 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 35b9fd46107e694c466990707eb437a8d065a6bad1553973f5e982bda134be2f
-  data.tar.gz: 72805c709bdfe6cd9a3ff6c3c83bf6611168191ff173c1fe2d1e4b5a5de64c83
+  metadata.gz: 2946ba1ffbe8219ffc2a06da14574510f677bc9de02fbb47744b7a38cae77671
+  data.tar.gz: 9655f498e66267796daf2f0fc0cc3c4262b426e5b86a1a52546223ce7d1446fc
 SHA512:
-  metadata.gz: ae27988d8b97fbfd2674b39c91c47b58fc45688f2e988a61e2cf6bd359989da06e51220266a67309ef8a78af80fdeb6448c7ff1a552467c9bd53d1029dde0d47
-  data.tar.gz: bd5beec850fddb5427dfb5564de325380f88cdc8d96303e613d6b2b6f2d8f5a644857665323c20008252c549ffbf1d422d78ee0423375acee07b5bde73151a91
+  metadata.gz: b3ae256e9f3bacc2c25b98224bf73872a0edea8de4ede5b56c3d0a966827fba7d10dc5ff99640ee1e8271a31560f82fa4f95f18a1eb63ffd63a2c98b5795d95c
+  data.tar.gz: 300b90957142a1bb66cf19b12cbdcc63c61eb1ef7f32a6408d9661d4d86fd6851ebb32ea3d35075bf6e5c0862ef00620fba7329d7cfc99e49d4aeb9afa98a72b

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+# Release v0.5.1 - 2020/02/26
+* in_windows_eventlog2: Add empty bookmark checking mechanism
+
 # Release v0.5.0 - 2020/02/17
 * in_windows_eventlog2: Support subscribe directive to handle read_existing_events paratemer each of channels.
 * in_windows_eventlog2: Depends on winevt_c v0.7.0 or later.

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.5.0"
+  spec.version       = "0.5.1"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}

data/lib/fluent/plugin/bookmark_sax_parser.rb

@@ -0,0 +1,30 @@
+require 'nokogiri'
+
+class WinevtBookmarkDocument < Nokogiri::XML::SAX::Document
+  attr_reader :result
+
+  def initialize
+    @result = {}
+    super
+  end
+
+  def start_document
+  end
+
+  def start_element(name, attributes = [])
+    if name == "Bookmark"
+      @result[:channel] = attributes[0][1] rescue nil
+      @result[:record_id] = attributes[1][1].to_i rescue nil
+      @result[:is_current] = attributes[2][1].downcase == "true" rescue nil
+    end
+  end
+
+  def characters(string)
+  end
+
+  def end_element(name, attributes = [])
+  end
+
+  def end_document
+  end
+end

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -1,6 +1,7 @@
 require 'winevt'
 require 'fluent/plugin/input'
 require 'fluent/plugin'
+require_relative 'bookmark_sax_parser'
 
 module Fluent::Plugin
   class WindowsEventLog2Input < Input
@@ -113,12 +114,11 @@ module Fluent::Plugin
 
     def subscribe_channel(ch, read_existing_events)
       bookmarkXml = @bookmarks_storage.get(ch) || ""
+      bookmark = nil
+      if bookmark_validator(bookmarkXml, ch)
+        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+      end
       subscribe = Winevt::EventLog::Subscribe.new
-      bookmark = unless bookmarkXml.empty?
-                   Winevt::EventLog::Bookmark.new(bookmarkXml)
-                 else
-                   nil
-                 end
       subscribe.read_existing_events = read_existing_events
       begin
         subscribe.subscribe(ch, "*", bookmark)
@@ -132,6 +132,21 @@ module Fluent::Plugin
       end
     end
 
+    def bookmark_validator(bookmarkXml, channel)
+      return false if bookmarkXml.empty?
+
+      evtxml = WinevtBookmarkDocument.new
+      parser = Nokogiri::XML::SAX::Parser.new(evtxml)
+      parser.parse(bookmarkXml)
+      result = evtxml.result
+      if !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
+        true
+      else
+        log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{channel}"
+        false
+      end
+    end
+
     def escape_channel(ch)
       ch.gsub(/[^a-zA-Z0-9\s]/, '_')
     end

data/test/helper.rb

@@ -25,6 +25,7 @@ end
 require 'fluent/test/driver/input'
 require 'fluent/plugin/in_windows_eventlog'
 require 'fluent/plugin/in_windows_eventlog2'
+require 'fluent/plugin/bookmark_sax_parser'
 
 class Test::Unit::TestCase
 end

data/test/plugin/test_bookmark_sax_parser.rb

@@ -0,0 +1,41 @@
+require_relative '../helper'
+
+class BookmarkSAXParserTest < Test::Unit::TestCase
+
+  def setup
+    @evtxml = WinevtBookmarkDocument.new
+    @parser = Nokogiri::XML::SAX::Parser.new(@evtxml)
+  end
+
+  def test_parse
+    bookmark_str = <<EOS
+<BookmarkList>
+  <Bookmark Channel='Application' RecordId='161332' IsCurrent='true'/>
+</BookmarkList>
+EOS
+    @parser.parse(bookmark_str)
+    expected = {channel: "Application", record_id: 161332, is_current: true}
+    assert_equal expected, @evtxml.result
+  end
+
+  def test_parse_2
+    bookmark_str = <<EOS
+<BookmarkList>
+  <Bookmark Channel='Security' RecordId='25464' IsCurrent='true'/>
+</BookmarkList>
+EOS
+    @parser.parse(bookmark_str)
+    expected = {channel: "Security", record_id: 25464, is_current: true}
+    assert_equal expected, @evtxml.result
+  end
+
+  def test_parse_empty_bookmark_list
+    bookmark_str = <<EOS
+<BookmarkList>
+</BookmarkList>
+EOS
+    @parser.parse(bookmark_str)
+    expected = {}
+    assert_equal expected, @evtxml.result
+  end
+end

data/test/plugin/test_in_windows_eventlog2.rb

@@ -261,6 +261,7 @@ DESC
                                config_element("storage", "", {
                                                 '@type' => 'local',
                                                 '@id' => 'test-02',
+                                                '@log_level' => "info",
                                                 'path' => File.join(TEST_PLUGIN_STORAGE_PATH,
                                                                     'json', 'test-02.json'),
                                                 'persistent' => true,
@@ -324,6 +325,21 @@ EOS
       assert_raise(Fluent::ConfigError) do
         d2.instance.start
       end
+      assert_equal 0, d2.logs.grep(/This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe:/).length
+    end
+
+    def test_start_with_empty_bookmark
+      invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n</BookmarkList>
+EOS
+      d = create_driver(CONFIG2)
+      storage = d.instance.instance_variable_get(:@bookmarks_storage)
+      storage.put('application', invalid_storage_contents)
+      assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+
+      d2 = create_driver(CONFIG2)
+      d2.instance.start
+      assert_equal 1, d2.logs.grep(/This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe:/).length
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-17 00:00:00.000000000 Z
+date: 2020-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -147,11 +147,13 @@ files:
 - Rakefile
 - appveyor.yml
 - fluent-plugin-winevtlog.gemspec
+- lib/fluent/plugin/bookmark_sax_parser.rb
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
 - test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
+- test/plugin/test_bookmark_sax_parser.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb
 homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
@@ -182,5 +184,6 @@ test_files:
 - test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
+- test/plugin/test_bookmark_sax_parser.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb