fluent-plugin-windows-eventlog 0.5.2 → 0.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 359baf1a9205ef362e4504df9408456929e11476b8b7ca8f31b930fa75f67996
-  data.tar.gz: 3022117b4b9650f09e7856cfbb82a39267818bb71b46fb016ca0f71deb26c4d9
+  metadata.gz: f42851f147127453f0392e3e14ab31ed86983508c75453d9b41d2674441d8abc
+  data.tar.gz: fbfe63f1ee0034df3fd4346376b728b6728105b76130c82902768e67b4b5c1fe
 SHA512:
-  metadata.gz: c37d3b7a0a0c8b39e889efdda75fd7d22e6227b7a60eb1c47e9f2b459458c3144725a9d68f7e4ad6215315f62ce0829dde6730f7fccc4d37d93b2a47e7e8951f
-  data.tar.gz: b1cad59577bcec5188c0009545d0a89087210abf8b5bc1f946453607ab0b3f8b87aff1dfacbbf066d0d3b61c0505b9ffdde9da3ab788ca9dd2bc53be1ee65f1e
+  metadata.gz: a8326aa48c8661fcc9165e708db19ea3a4dd5ff0ec1407c35b7a6ef4db29fda70816eaba2c0a7b2e4e8c1255d47626b1330d8e1725c869e1ed7c5601e1681070
+  data.tar.gz: 22d9526b59591eca30044c625107a8aecc51c5e9b85448607450fec333e7630c44dccf4cc737539b5131d78bff1c2225f6ab0eb0f618832ffb06bc0b70c9ecd0

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+# Release v0.5.3 - 2020/03/17
+* in_windows_eventlog2: Add Qualifiers key handling options
+
 # Release v0.5.2 - 2020/02/28
 * in_windows_eventlog2: Add parameter to read from all channels shortcut
 

data/README.md

@@ -141,6 +141,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
       tag winevt.raw
       render_as_xml false       # default is true.
       rate_limit 200            # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
+      # preserve_qualifiers_on_hash true # default is false.
       <storage>
         @type local             # @type local is the default.
         persistent true         # default is true. Set to false to use in-memory storage.
@@ -149,6 +150,11 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
       </storage>
       <parse>
         @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
+        # When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys.
+        # When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers".
+        # With the following equation:
+        # (EventID & 0xffff) | (Qualifiers & 0xffff) << 16
+        preserve_qualifiers true
       </parse>
       # <subscribe>
       #   channles application, system
@@ -177,7 +183,9 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
 |`read_from_head`   | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
 |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
+|`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `true`.|
 |`rate_limit`      | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
+|`preserve_qualifiers_on_hash`      | (option) When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys. When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers". Default is `false`.|
 |`read_all_channels`| (option) Read from all channels. Default is `false`|
 |`<subscribe>`          | Setting for subscribe channels. |
 

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.5.2"
+  spec.version       = "0.5.3"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}

data/lib/fluent/plugin/in_windows_eventlog.rb

@@ -49,6 +49,7 @@ module Fluent::Plugin
     end
 
     def configure(conf)
+      log.warn "in_windows_eventlog is deprecated. It will be removed in the future version."
       super
       @chs = @channels.map {|ch| ch.strip.downcase }.uniq
       if @chs.empty?

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -40,6 +40,7 @@ module Fluent::Plugin
     config_param :parse_description, :bool, default: false
     config_param :render_as_xml, :bool, default: true
     config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
+    config_param :preserve_qualifiers_on_hash, :bool, default: false
     config_param :read_all_channels, :bool, default: false
 
     config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
@@ -95,12 +96,11 @@ module Fluent::Plugin
       if @keynames.empty?
         @keynames = KEY_MAP.keys
       end
-      @keynames.delete('Qualifiers') unless @render_as_xml
-      @keynames.delete('EventData') if @parse_description
 
       @tag = tag
       @bookmarks_storage = storage_create(usage: "bookmarks")
       @winevt_xml = false
+      @parser = nil
       if @render_as_xml
         @parser = parser_create
         @winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
@@ -112,6 +112,16 @@ module Fluent::Plugin
           alias_method :on_notify, :on_notify_hash
         end
       end
+
+      if @render_as_xml && @preserve_qualifiers_on_hash
+        raise Fluent::ConfigError, "preserve_qualifiers_on_hash must be used with Hash object rendering(render_as_xml as false)."
+      end
+      if !@render_as_xml && !@preserve_qualifiers_on_hash
+        @keynames.delete('Qualifiers')
+      elsif @parser.respond_to?(:preserve_qualifiers?) && !@parser.preserve_qualifiers?
+        @keynames.delete('Qualifiers')
+      end
+      @keynames.delete('EventData') if @parse_description
     end
 
     def start
@@ -132,6 +142,9 @@ module Fluent::Plugin
       subscribe.read_existing_events = read_existing_events
       begin
         subscribe.subscribe(ch, "*", bookmark)
+        if !@render_as_xml && @preserve_qualifiers_on_hash && subscribe.respond_to?(:preserve_qualifiers=)
+          subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
+        end
       rescue Winevt::EventLog::Query::Error => e
         raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
       end

data/test/plugin/test_in_windows_eventlog2.rb

@@ -89,6 +89,20 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
       assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
       assert_equal expected, d.instance.instance_variable_get(:@chs)
     end
+
+    test "invalid combination for preserving qualifiers" do
+      assert_raise(Fluent::ConfigError) do
+        create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                  "render_as_xml" => true,
+                                                  "preserve_qualifiers_on_hash" => true,
+                                                 }, [
+                                       config_element("storage", "", {
+                                                        '@type' => 'local',
+                                                        'persistent' => false
+                                                      }),
+                                     ])
+      end
+    end
   end
 
   data("application"        => ["Application", "Application"],
@@ -253,6 +267,37 @@ DESC
       assert_equal("4", record["Level"])
       assert_equal("fluent-plugins", record["ProviderName"])
     end
+
+    def test_write_with_preserving_qualifiers
+      require 'winevt'
+
+      d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "render_as_xml" => false,
+                                                    'preserve_qualifiers_on_hash' => true
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                       ]))
+
+      service = Fluent::Plugin::EventService.new
+      subscribe = Winevt::EventLog::Subscribe.new
+
+      omit "@parser.preserve_qualifiers does not respond" unless subscribe.respond_to?(:preserve_qualifiers?)
+
+      d.run(expect_emits: 1) do
+        service.run
+      end
+
+      assert(d.events.length >= 1)
+      event = d.events.last
+      record = event.last
+
+      assert_true(record.has_key?("Description"))
+      assert_true(record.has_key?("EventData"))
+      assert_true(record.has_key?("Qualifiers"))
+    end
   end
 
   class PersistBookMark < self
@@ -372,4 +417,33 @@ EOS
     assert_true(record.has_key?("Description"))
     assert_true(record.has_key?("EventData"))
   end
+
+  def test_write_with_winevt_xml_parser_without_qualifiers
+    d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
+                                       config_element("storage", "", {
+                                                        '@type' => 'local',
+                                                        'persistent' => false
+                                                      }),
+                                       config_element("parse", "", {
+                                                        '@type' => 'winevt_xml',
+                                                        'preserve_qualifiers' => false
+                                                      }),
+                                     ]))
+
+    service = Fluent::Plugin::EventService.new
+
+    omit "@parser.preserve_qualifiers does not respond" unless d.instance.instance_variable_get(:@parser).respond_to?(:preserve_qualifiers?)
+
+    d.run(expect_emits: 1) do
+      service.run
+    end
+
+    assert(d.events.length >= 1)
+    event = d.events.last
+    record = event.last
+
+    assert_true(record.has_key?("Description"))
+    assert_true(record.has_key?("EventData"))
+    assert_false(record.has_key?("Qualifiers"))
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.5.2
+  version: 0.5.3
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-28 00:00:00.000000000 Z
+date: 2020-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler