fluent-plugin-windows-eventlog 0.5.2 → 0.7.1.rc1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 359baf1a9205ef362e4504df9408456929e11476b8b7ca8f31b930fa75f67996
4
- data.tar.gz: 3022117b4b9650f09e7856cfbb82a39267818bb71b46fb016ca0f71deb26c4d9
3
+ metadata.gz: c5bfbe6035f27762fffa9e75863aee873ac0873ebd24694ae19733c230cb9170
4
+ data.tar.gz: 663554158b2d149821ca54701b655392afff19132c453c0be3f534aa1a684898
5
5
  SHA512:
6
- metadata.gz: c37d3b7a0a0c8b39e889efdda75fd7d22e6227b7a60eb1c47e9f2b459458c3144725a9d68f7e4ad6215315f62ce0829dde6730f7fccc4d37d93b2a47e7e8951f
7
- data.tar.gz: b1cad59577bcec5188c0009545d0a89087210abf8b5bc1f946453607ab0b3f8b87aff1dfacbbf066d0d3b61c0505b9ffdde9da3ab788ca9dd2bc53be1ee65f1e
6
+ metadata.gz: 067ec531a1b265133b924709203d54a45c9641ac982ce0a1b876dc16d4968362c691ac4950bbdb5c38516a3a9bebd0389d46a66c1d1cc1e95715d3c76a783ee6
7
+ data.tar.gz: '097951b41de440a39b7ca983b93320778e38d15c28bbaa1495aff593637d4b805f4413dedd7e2855ec8b3d89b72c90fd23c354d4e7e34d075af5d0a5ebaeb326'
@@ -1,3 +1,19 @@
1
+ # Release v.0.7.1.rc1 - 2020/06/23
2
+ * in_windows_eventlog2: Depends on nokogiri 1.11 series
3
+
4
+ # Release v0.7.0 - 2020/05/22
5
+ * in_windows_eventlog2: Support multilingual description
6
+
7
+ # Release v0.6.0 - 2020/04/15
8
+ * Make fluent-plugin-parser-winevt_xml plugin as optional dependency
9
+ * in_windows_eventlog2: Render Ruby hash object directly by default
10
+
11
+ # Release v0.5.4 - 2020/04/10
12
+ * Permit using nokogiri 1.11.0
13
+
14
+ # Release v0.5.3 - 2020/03/17
15
+ * in_windows_eventlog2: Add Qualifiers key handling options
16
+
1
17
  # Release v0.5.2 - 2020/02/28
2
18
  * in_windows_eventlog2: Add parameter to read from all channels shortcut
3
19
 
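Review bot: the new heading `# Release v.0.7.1.rc1` has a stray dot after `v` that the other entries (`v0.7.0`, `v0.6.0`) do not, and its single entry "Depends on nokogiri 1.11 series" does not describe what the gemspec in this change actually does: nokogiri becomes a development-only dependency (`[">= 1.11.pre", "< 1.12"]`) and the runtime requirement that really moved is `winevt_c >= 0.8.1`. Suggest an entry along the lines of "Require winevt_c >= 0.8.1; nokogiri and fluent-plugin-parser-winevt_xml are now development-only dependencies" so users reading the changelog know what will and will not be installed with the gem.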
data/README.md CHANGED
@@ -139,8 +139,11 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
139
139
  read_existing_events false
140
140
  read_interval 2
141
141
  tag winevt.raw
142
- render_as_xml false # default is true.
142
+ render_as_xml false # default is false.
143
143
  rate_limit 200 # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
144
+ # preserve_qualifiers_on_hash true # default is false.
145
+ # read_all_channels false # default is false.
146
+ # description_locale en_US # default is nil. It means that system locale is used for obtaining description.
144
147
  <storage>
145
148
  @type local # @type local is the default.
146
149
  persistent true # default is true. Set to false to use in-memory storage.
@@ -149,6 +152,11 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
149
152
  </storage>
150
153
  <parse>
151
154
  @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
155
+ # When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys.
156
+ # When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers".
157
+ # With the following equation:
158
+ # (EventID & 0xffff) | (Qualifiers & 0xffff) << 16
159
+ preserve_qualifiers true
152
160
  </parse>
153
161
  # <subscribe>
154
162
  # channles application, system
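Review bot: the comment block above `preserve_qualifiers true` reads awkwardly ("When set up it as true", "calculates actual "EventID" from "Qualifiers" and removing "Qualifiers"") and attributes the behaviour to "this plugin", but the option sits inside `<parse>`, so it belongs to the `winevt_xml` parser from fluent-plugin-parser-winevt_xml, which this same change stops installing as a runtime dependency. Suggest rewording to something like "When true, the winevt_xml parser keeps the "Qualifiers" and "EventID" keys as rendered; when false it folds them into a single EventID as `(EventID & 0xffff) | (Qualifiers & 0xffff) << 16` and drops "Qualifiers"", and adding that the parser gem must be installed separately when `render_as_xml` is true. The unchanged context line `# channles application, system` also has a typo (`channels`) that could be fixed while this block is being edited.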
@@ -160,7 +168,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
160
168
 
161
169
  **NOTE:** When `Description` contains error message such as `The message resource is present but the message was not found in the message table.`, eventlog's resource file (.mui) related to error generating event is something wrong. This issue is also occurred in built-in Windows Event Viewer which is the part of Windows management tool.
162
170
 
163
- **NOTE:** When `render_as_xml` as `false`, the dependent winevt_c gem renders Windows EventLog as Ruby Hash object directly. This reduces bottleneck to consume EventLog. Specifying `render_as_xml` as `false` should be faster consuming than `render_as_xml` as `true` case.
171
+ **NOTE:** When `render_as_xml` as `true`, `fluent-plugin-parser-winevt_xml` plugin should be needed to parse XML rendered Windows EventLog string.
164
172
 
165
173
  **NOTE:** If you encountered CPU spike due to massively huge EventLog channel, `rate_limit` parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).
166
174
 
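Review bot: this hunk drops the note explaining that `render_as_xml false` avoids the XML rendering bottleneck and replaces it with one saying `render_as_xml true` "should be needed" fluent-plugin-parser-winevt_xml, so the performance rationale is lost and the new sentence does not say what happens when the parser gem is absent. Suggest keeping both points: "When `render_as_xml` is `false` (the default), winevt_c renders events as Ruby Hash objects directly, which is faster. When `render_as_xml` is `true`, install `fluent-plugin-parser-winevt_xml` yourself; it is no longer a runtime dependency of this gem." The `paramter` typo in the following unchanged NOTE could be fixed at the same time.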
@@ -177,8 +185,11 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
177
185
  |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
178
186
  |`read_from_head` | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
179
187
  |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
188
+ |`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `false`.|
180
189
  |`rate_limit` | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
190
+ |`preserve_qualifiers_on_hash` | (option) When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys. When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers". Default is `false`.|
181
191
  |`read_all_channels`| (option) Read from all channels. Default is `false`|
192
+ |`description_locale`| (option) Specify description locale. Default is `nil`. See also: [Supported locales](https://github.com/fluent-plugins-nursery/winevt_c#multilingual-description) |
182
193
  |`<subscribe>` | Setting for subscribe channels. |
183
194
 
184
195
  ##### subscribe section
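Review bot: the new `render_as_xml` row says "Render Windows EventLog as XML or Ruby Hash object directly" without saying which value selects which; suggest "`true` renders XML strings that go through `<parse>`, `false` renders Ruby Hash objects directly". The `preserve_qualifiers_on_hash` row repeats the "When set up it as true" wording from the example above and does not mention that it is only accepted together with `render_as_xml false` (the plugin change below raises `Fluent::ConfigError` for the other combination); stating that restriction in the table would save users a failed startup. The `description_locale` row could also say that an unsupported value is rejected at configure time with the list of supported codes.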
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-windows-eventlog"
7
- spec.version = "0.5.2"
7
+ spec.version = "0.7.1.rc1"
8
8
  spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
9
9
  spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
10
10
  spec.summary = %q{Fluentd Input plugin to read windows event log.}
@@ -20,9 +20,9 @@ Gem::Specification.new do |spec|
20
20
  spec.add_development_dependency "bundler"
21
21
  spec.add_development_dependency "rake"
22
22
  spec.add_development_dependency "test-unit", "~> 3.2.0"
23
+ spec.add_development_dependency "nokogiri", [">= 1.11.pre", "< 1.12"]
24
+ spec.add_development_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
23
25
  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
24
26
  spec.add_runtime_dependency "win32-eventlog"
25
- spec.add_runtime_dependency "winevt_c", ">= 0.7.1"
26
- spec.add_runtime_dependency "nokogiri", "~> 1.10"
27
- spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
27
+ spec.add_runtime_dependency "winevt_c", ">= 0.8.1"
28
28
  end
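Review bot: moving `nokogiri` and `fluent-plugin-parser-winevt_xml` from runtime to development dependencies means a configuration with `render_as_xml true` now fails at `parser_create` with a load error unless the operator has installed the parser gem by hand; that needs a README install step and, ideally, a rescue in `configure` that turns the missing parser into a `Fluent::ConfigError` naming the gem. Separately, `spec.add_runtime_dependency "winevt_c", ">= 0.8.1"` has no upper bound even though the plugin now relies on newer winevt_c APIs (`preserve_qualifiers=`, `locale=`, `Winevt::EventLog::Locale`); a ceiling like the `"< 2"` already used for `fluentd` would stop a future incompatible winevt_c release from being pulled in silently.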
@@ -49,6 +49,7 @@ module Fluent::Plugin
49
49
  end
50
50
 
51
51
  def configure(conf)
52
+ log.warn "in_windows_eventlog is deprecated. It will be removed in the future version."
52
53
  super
53
54
  @chs = @channels.map {|ch| ch.strip.downcase }.uniq
54
55
  if @chs.empty?
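Review bot: the deprecation warning does not name the replacement, so operators see only that the input is going away; suggest `log.warn "in_windows_eventlog is deprecated and will be removed in a future version. Use in_windows_eventlog2 instead."` Emitting it before `super` is fine, since `log` comes from the plugin base class and does not depend on configuration.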
@@ -38,9 +38,11 @@ module Fluent::Plugin
38
38
  config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
39
39
  config_param :read_existing_events, :bool, default: false
40
40
  config_param :parse_description, :bool, default: false
41
- config_param :render_as_xml, :bool, default: true
41
+ config_param :render_as_xml, :bool, default: false
42
42
  config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
43
+ config_param :preserve_qualifiers_on_hash, :bool, default: false
43
44
  config_param :read_all_channels, :bool, default: false
45
+ config_param :description_locale, :string, default: nil
44
46
 
45
47
  config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
46
48
  config_param :channels, :array
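Review bot: flipping the `render_as_xml` default to `false` changes the record shape for every existing configuration that never set it explicitly (Hash rendering instead of XML parsed through `<parse>`), and together with the gemspec change the old behaviour now also needs a separately installed gem. That is acceptable for a minor bump only if the CHANGELOG says so plainly; the v0.6.0 entry "Render Ruby hash object directly by default" should be marked as a breaking change. The new `description_locale` string is validated later in `configure`, which is good; `preserve_qualifiers_on_hash` could carry a `desc:` pointing out that it requires `render_as_xml false`, since that restriction is otherwise only discoverable from the error message.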
@@ -95,12 +97,11 @@ module Fluent::Plugin
95
97
  if @keynames.empty?
96
98
  @keynames = KEY_MAP.keys
97
99
  end
98
- @keynames.delete('Qualifiers') unless @render_as_xml
99
- @keynames.delete('EventData') if @parse_description
100
100
 
101
101
  @tag = tag
102
102
  @bookmarks_storage = storage_create(usage: "bookmarks")
103
103
  @winevt_xml = false
104
+ @parser = nil
104
105
  if @render_as_xml
105
106
  @parser = parser_create
106
107
  @winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
@@ -112,6 +113,25 @@ module Fluent::Plugin
112
113
  alias_method :on_notify, :on_notify_hash
113
114
  end
114
115
  end
116
+
117
+ if @render_as_xml && @preserve_qualifiers_on_hash
118
+ raise Fluent::ConfigError, "preserve_qualifiers_on_hash must be used with Hash object rendering(render_as_xml as false)."
119
+ end
120
+ if !@render_as_xml && !@preserve_qualifiers_on_hash
121
+ @keynames.delete('Qualifiers')
122
+ elsif @parser.respond_to?(:preserve_qualifiers?) && !@parser.preserve_qualifiers?
123
+ @keynames.delete('Qualifiers')
124
+ end
125
+ @keynames.delete('EventData') if @parse_description
126
+
127
+ locale = Winevt::EventLog::Locale.new
128
+ if @description_locale && unsupported_locale?(locale, @description_locale)
129
+ raise Fluent::ConfigError, "'#{@description_locale}' is not supported. Supported locales are: #{locale.each.map{|code, _desc| code}.join(" ")}"
130
+ end
131
+ end
132
+
133
+ def unsupported_locale?(locale, description_locale)
134
+ locale.each.select {|c, _d| c.downcase == description_locale.downcase}.empty?
115
135
  end
116
136
 
117
137
  def start
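Review bot: `unsupported_locale?` compares case-insensitively (`c.downcase == description_locale.downcase`), but `start` later hands the raw `@description_locale` string to `subscribe.locale=`, so a value such as `en_us` passes validation here while winevt_c receives a code that is not in its table; either assign the matched code back to `@description_locale` in this branch or compare exactly so validation and use agree. Smaller points: the error path walks `locale.each` twice (once in `unsupported_locale?`, once to build the message), and the raise message joins codes with `" "`, where `", "` would read better in a log. The `elsif @parser.respond_to?(:preserve_qualifiers?)` branch is safe when `@parser` is `nil` (the `render_as_xml false` case), since `nil.respond_to?` simply returns false, which is why the `@parser = nil` initialisation in the previous hunk matters.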
@@ -132,11 +152,15 @@ module Fluent::Plugin
132
152
  subscribe.read_existing_events = read_existing_events
133
153
  begin
134
154
  subscribe.subscribe(ch, "*", bookmark)
155
+ if !@render_as_xml && @preserve_qualifiers_on_hash
156
+ subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
157
+ end
135
158
  rescue Winevt::EventLog::Query::Error => e
136
159
  raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
137
160
  end
138
161
  subscribe.render_as_xml = @render_as_xml
139
162
  subscribe.rate_limit = @rate_limit
163
+ subscribe.locale = @description_locale if @description_locale
140
164
  timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
141
165
  on_notify(ch, subscribe)
142
166
  end
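Review bot: `subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash` is set inside the `begin` block whose `rescue Winevt::EventLog::Query::Error` reports "Invalid Bookmark XML is loaded", so any error raised there would be blamed on the bookmark; move it next to `subscribe.render_as_xml = @render_as_xml` and the new `subscribe.locale = @description_locale if @description_locale`, where the other subscription options are applied. Since both `render_as_xml` and `locale` are assigned only after `subscribe.subscribe(ch, "*", bookmark)` has already run, it is worth confirming (and covering with a test that asserts a non-default `Description` language) that winevt_c reads these settings at render time rather than at subscription time.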
@@ -15,6 +15,14 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
15
15
  })
16
16
  ])
17
17
 
18
+ XML_RENDERING_CONFIG = config_element("ROOT", "", {"tag" => "fluent.eventlog",
19
+ "render_as_xml" => true}, [
20
+ config_element("storage", "", {
21
+ '@type' => 'local',
22
+ 'persistent' => false
23
+ })
24
+ ])
25
+
18
26
  def create_driver(conf = CONFIG)
19
27
  Fluent::Test::Driver::Input.new(Fluent::Plugin::WindowsEventLog2Input).configure(conf)
20
28
  end
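Review bot: `XML_RENDERING_CONFIG` is defined here but no hunk in this change uses it; `test_write_with_none_parser` below builds the identical `"render_as_xml" => true` element inline instead. Either switch that test to the constant or drop the constant so the file does not carry an unused fixture.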
@@ -25,7 +33,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
25
33
  assert_equal 2, d.instance.read_interval
26
34
  assert_equal [], d.instance.channels
27
35
  assert_false d.instance.read_existing_events
28
- assert_true d.instance.render_as_xml
36
+ assert_false d.instance.render_as_xml
29
37
  end
30
38
 
31
39
  sub_test_case "configure" do
@@ -89,6 +97,51 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
89
97
  assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
90
98
  assert_equal expected, d.instance.instance_variable_get(:@chs)
91
99
  end
100
+
101
+ test "invalid combination for preserving qualifiers" do
102
+ assert_raise(Fluent::ConfigError) do
103
+ create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
104
+ "render_as_xml" => true,
105
+ "preserve_qualifiers_on_hash" => true,
106
+ }, [
107
+ config_element("storage", "", {
108
+ '@type' => 'local',
109
+ 'persistent' => false
110
+ }),
111
+ ])
112
+ end
113
+ end
114
+
115
+ test "invalid description locale" do
116
+ assert_raise(Fluent::ConfigError) do
117
+ create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
118
+ "description_locale" => "ex_EX"
119
+ }, [
120
+ config_element("storage", "", {
121
+ '@type' => 'local',
122
+ 'persistent' => false
123
+ })
124
+ ])
125
+ end
126
+ end
127
+ end
128
+
129
+ data("Japanese" => ["ja_JP", false],
130
+ "English (United States)" => ["en_US", false],
131
+ "English (UK)" => ["en_GB", false],
132
+ "Dutch" => ["nl_NL", false],
133
+ "French" => ["fr_FR", false],
134
+ "German" => ["de_DE", false],
135
+ "Russian" => ["ru_RU", false],
136
+ "Spanish" => ["es_ES", false],
137
+ "Invalid" => ["ex_EX", true],
138
+ )
139
+ def test_unsupported_locale_p(data)
140
+ description_locale, expected = data
141
+ d = create_driver CONFIG
142
+ locale = Winevt::EventLog::Locale.new
143
+ result = d.instance.unsupported_locale?(locale, description_locale)
144
+ assert_equal expected, result
92
145
  end
93
146
 
94
147
  data("application" => ["Application", "Application"],
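Review bot: `test_unsupported_locale_p` only covers exact-case codes plus one invalid code (`ex_EX`), but the method under test compares with `downcase`; add a mixed-case row such as `"English (lowercase)" => ["en_us", false]` so that behaviour is pinned, and, if the case-insensitivity is later tightened to match what `subscribe.locale=` accepts, the test will flag it. The "invalid description locale" test only checks that `Fluent::ConfigError` is raised; asserting on the message (it should list the supported codes) would catch a regression where the list is empty or built from the wrong table.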
@@ -253,6 +306,37 @@ DESC
253
306
  assert_equal("4", record["Level"])
254
307
  assert_equal("fluent-plugins", record["ProviderName"])
255
308
  end
309
+
310
+ def test_write_with_preserving_qualifiers
311
+ require 'winevt'
312
+
313
+ d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
314
+ "render_as_xml" => false,
315
+ 'preserve_qualifiers_on_hash' => true
316
+ }, [
317
+ config_element("storage", "", {
318
+ '@type' => 'local',
319
+ 'persistent' => false
320
+ }),
321
+ ]))
322
+
323
+ service = Fluent::Plugin::EventService.new
324
+ subscribe = Winevt::EventLog::Subscribe.new
325
+
326
+ omit "@parser.preserve_qualifiers does not respond" unless subscribe.respond_to?(:preserve_qualifiers?)
327
+
328
+ d.run(expect_emits: 1) do
329
+ service.run
330
+ end
331
+
332
+ assert(d.events.length >= 1)
333
+ event = d.events.last
334
+ record = event.last
335
+
336
+ assert_true(record.has_key?("Description"))
337
+ assert_true(record.has_key?("EventData"))
338
+ assert_true(record.has_key?("Qualifiers"))
339
+ end
256
340
  end
257
341
 
258
342
  class PersistBookMark < self
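Review bot: the `omit` message in `test_write_with_preserving_qualifiers` says "@parser.preserve_qualifiers does not respond", but the check is `subscribe.respond_to?(:preserve_qualifiers?)` on a fresh `Winevt::EventLog::Subscribe`, not on a parser (with `render_as_xml false` the plugin creates no parser at all); the text looks copied from the winevt_xml test and should say that the Subscribe object lacks `preserve_qualifiers?`. The test also only asserts that the `Qualifiers` key exists; asserting that `EventID` is still the raw, unfolded value would show that preservation actually happened rather than that a key was emitted.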
@@ -344,7 +428,8 @@ EOS
344
428
  end
345
429
 
346
430
  def test_write_with_none_parser
347
- d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
431
+ d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
432
+ "render_as_xml" => true}, [
348
433
  config_element("storage", "", {
349
434
  '@type' => 'local',
350
435
  'persistent' => false
@@ -372,4 +457,34 @@ EOS
372
457
  assert_true(record.has_key?("Description"))
373
458
  assert_true(record.has_key?("EventData"))
374
459
  end
460
+
461
+ def test_write_with_winevt_xml_parser_without_qualifiers
462
+ d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
463
+ "render_as_xml" => true}, [
464
+ config_element("storage", "", {
465
+ '@type' => 'local',
466
+ 'persistent' => false
467
+ }),
468
+ config_element("parse", "", {
469
+ '@type' => 'winevt_xml',
470
+ 'preserve_qualifiers' => false
471
+ }),
472
+ ]))
473
+
474
+ service = Fluent::Plugin::EventService.new
475
+
476
+ omit "@parser.preserve_qualifiers does not respond" unless d.instance.instance_variable_get(:@parser).respond_to?(:preserve_qualifiers?)
477
+
478
+ d.run(expect_emits: 1) do
479
+ service.run
480
+ end
481
+
482
+ assert(d.events.length >= 1)
483
+ event = d.events.last
484
+ record = event.last
485
+
486
+ assert_true(record.has_key?("Description"))
487
+ assert_true(record.has_key?("EventData"))
488
+ assert_false(record.has_key?("Qualifiers"))
489
+ end
375
490
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-windows-eventlog
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.2
4
+ version: 0.7.1.rc1
5
5
  platform: ruby
6
6
  authors:
7
7
  - okahashi117
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2020-02-28 00:00:00.000000000 Z
13
+ date: 2020-06-23 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: bundler
@@ -55,81 +55,87 @@ dependencies:
55
55
  - !ruby/object:Gem::Version
56
56
  version: 3.2.0
57
57
  - !ruby/object:Gem::Dependency
58
- name: fluentd
58
+ name: nokogiri
59
59
  requirement: !ruby/object:Gem::Requirement
60
60
  requirements:
61
61
  - - ">="
62
62
  - !ruby/object:Gem::Version
63
- version: 0.14.12
63
+ version: 1.11.pre
64
64
  - - "<"
65
65
  - !ruby/object:Gem::Version
66
- version: '2'
67
- type: :runtime
66
+ version: '1.12'
67
+ type: :development
68
68
  prerelease: false
69
69
  version_requirements: !ruby/object:Gem::Requirement
70
70
  requirements:
71
71
  - - ">="
72
72
  - !ruby/object:Gem::Version
73
- version: 0.14.12
73
+ version: 1.11.pre
74
74
  - - "<"
75
75
  - !ruby/object:Gem::Version
76
- version: '2'
76
+ version: '1.12'
77
77
  - !ruby/object:Gem::Dependency
78
- name: win32-eventlog
78
+ name: fluent-plugin-parser-winevt_xml
79
79
  requirement: !ruby/object:Gem::Requirement
80
80
  requirements:
81
81
  - - ">="
82
82
  - !ruby/object:Gem::Version
83
- version: '0'
84
- type: :runtime
83
+ version: 0.1.2
84
+ type: :development
85
85
  prerelease: false
86
86
  version_requirements: !ruby/object:Gem::Requirement
87
87
  requirements:
88
88
  - - ">="
89
89
  - !ruby/object:Gem::Version
90
- version: '0'
90
+ version: 0.1.2
91
91
  - !ruby/object:Gem::Dependency
92
- name: winevt_c
92
+ name: fluentd
93
93
  requirement: !ruby/object:Gem::Requirement
94
94
  requirements:
95
95
  - - ">="
96
96
  - !ruby/object:Gem::Version
97
- version: 0.7.1
97
+ version: 0.14.12
98
+ - - "<"
99
+ - !ruby/object:Gem::Version
100
+ version: '2'
98
101
  type: :runtime
99
102
  prerelease: false
100
103
  version_requirements: !ruby/object:Gem::Requirement
101
104
  requirements:
102
105
  - - ">="
103
106
  - !ruby/object:Gem::Version
104
- version: 0.7.1
107
+ version: 0.14.12
108
+ - - "<"
109
+ - !ruby/object:Gem::Version
110
+ version: '2'
105
111
  - !ruby/object:Gem::Dependency
106
- name: nokogiri
112
+ name: win32-eventlog
107
113
  requirement: !ruby/object:Gem::Requirement
108
114
  requirements:
109
- - - "~>"
115
+ - - ">="
110
116
  - !ruby/object:Gem::Version
111
- version: '1.10'
117
+ version: '0'
112
118
  type: :runtime
113
119
  prerelease: false
114
120
  version_requirements: !ruby/object:Gem::Requirement
115
121
  requirements:
116
- - - "~>"
122
+ - - ">="
117
123
  - !ruby/object:Gem::Version
118
- version: '1.10'
124
+ version: '0'
119
125
  - !ruby/object:Gem::Dependency
120
- name: fluent-plugin-parser-winevt_xml
126
+ name: winevt_c
121
127
  requirement: !ruby/object:Gem::Requirement
122
128
  requirements:
123
129
  - - ">="
124
130
  - !ruby/object:Gem::Version
125
- version: 0.1.2
131
+ version: 0.8.1
126
132
  type: :runtime
127
133
  prerelease: false
128
134
  version_requirements: !ruby/object:Gem::Requirement
129
135
  requirements:
130
136
  - - ">="
131
137
  - !ruby/object:Gem::Version
132
- version: 0.1.2
138
+ version: 0.8.1
133
139
  description: Fluentd Input plugin to read windows event log.
134
140
  email:
135
141
  - naruki_okahashi@jbat.co.jp
@@ -171,9 +177,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
171
177
  version: '0'
172
178
  required_rubygems_version: !ruby/object:Gem::Requirement
173
179
  requirements:
174
- - - ">="
180
+ - - ">"
175
181
  - !ruby/object:Gem::Version
176
- version: '0'
182
+ version: 1.3.1
177
183
  requirements: []
178
184
  rubyforge_project:
179
185
  rubygems_version: 2.7.6.2
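Review bot: the `required_rubygems_version` change from `>= 0` to `> 1.3.1` is not a hand edit; RubyGems writes it automatically for prerelease versions such as `0.7.1.rc1`, so it needs no review attention and will revert on the final 0.7.1 build. The dependency reordering in the earlier metadata hunk is likewise just the generated file tracking the gemspec (two dependencies moved to `:development`, `winevt_c` bumped to `0.8.1`).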