fluent-plugin-windows-eventlog 0.5.3 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f42851f147127453f0392e3e14ab31ed86983508c75453d9b41d2674441d8abc
4
- data.tar.gz: fbfe63f1ee0034df3fd4346376b728b6728105b76130c82902768e67b4b5c1fe
3
+ metadata.gz: 29f3b9ced1cd226756c2c6859e50cc974ec95e42a0efdc4b0e5544d69eac9c63
4
+ data.tar.gz: 61875762c40f75317704cc62a476dc16d947363c7dca6bf167b8c7a23c86a095
5
5
  SHA512:
6
- metadata.gz: a8326aa48c8661fcc9165e708db19ea3a4dd5ff0ec1407c35b7a6ef4db29fda70816eaba2c0a7b2e4e8c1255d47626b1330d8e1725c869e1ed7c5601e1681070
7
- data.tar.gz: 22d9526b59591eca30044c625107a8aecc51c5e9b85448607450fec333e7630c44dccf4cc737539b5131d78bff1c2225f6ab0eb0f618832ffb06bc0b70c9ecd0
6
+ metadata.gz: 1c126f6937f433079ddf703d141ecf73d1c3e1bd82e9fb605726109c20c97ab89f3307438da9fd62c80ef80770a39a884c3800c66874ca9519e680d17c9c9ba9
7
+ data.tar.gz: f5e9178ed7c1b477977d61d4fe306745f2efb3203bf430a612c96e9a27f1186d9980ef7ea236b679ab05c805bca3426b70d77a41288458747e684eb20009609f
@@ -1,3 +1,19 @@
1
+ # Release v0.8.0 - 2020/09/16
2
+ * in_windows_eventlog2: Support remoting access
3
+
4
+ # Release v.0.7.1.rc1 - 2020/06/23
5
+ * in_windows_eventlog2: Depends on nokogiri 1.11 series
6
+
7
+ # Release v0.7.0 - 2020/05/22
8
+ * in_windows_eventlog2: Support multilingual description
9
+
10
+ # Release v0.6.0 - 2020/04/15
11
+ * Make fluent-plugin-parser-winevt_xml plugin as optional dependency
12
+ * in_windows_eventlog2: Render Ruby hash object directly by default
13
+
14
+ # Release v0.5.4 - 2020/04/10
15
+ * Permit using nokogiri 1.11.0
16
+
1
17
  # Release v0.5.3 - 2020/03/17
2
18
  * in_windows_eventlog2: Add Qualifiers key handling options
3
19
 
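Review bot: the heading `# Release v.0.7.1.rc1 - 2020/06/23` has a stray dot after `v`; every other entry uses the `v0.x.y` form, so `# Release v0.7.1.rc1 - 2020/06/23` keeps the changelog consistent. The v0.8.0 line `in_windows_eventlog2: Support remoting access` could also mention that the feature introduces a credential parameter (`remote_password`) in the configuration, since that is the part operators scanning a changelog most need to notice.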
data/README.md CHANGED
@@ -139,9 +139,12 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
139
139
  read_existing_events false
140
140
  read_interval 2
141
141
  tag winevt.raw
142
- render_as_xml false # default is true.
142
+ render_as_xml false # default is false.
143
143
  rate_limit 200 # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
144
144
  # preserve_qualifiers_on_hash true # default is false.
145
+ # read_all_channels false # default is false.
146
+ # description_locale en_US # default is nil. It means that system locale is used for obtaining description.
147
+ # refresh_subscription_interval 10m # default is nil. It specifies refresh interval for channel subscriptions.
145
148
  <storage>
146
149
  @type local # @type local is the default.
147
150
  persistent true # default is true. Set to false to use in-memory storage.
@@ -159,6 +162,10 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
159
162
  # <subscribe>
160
163
  # channles application, system
161
164
  # read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
165
+ # remote_server 127.0.0.1 # Remote server ip/fqdn
166
+ # remote_domain WORKGROUP # Domain name
167
+ # remote_username fluentd # Remoting access account name
168
+ # remote_password changeme! # Remoting access account password
162
169
  # </subscribe>
163
170
  </source>
164
171
 
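Review bot: the unchanged context line `# channles application, system` directly above the new `remote_*` lines is a typo for `channels` and could be fixed while this block is being edited. The comment on `# remote_server 127.0.0.1 # Remote server ip/fqdn` would be more useful if it pointed out that the remote host needs the "Event Log Readers" membership and the "Remote Event Log Management" firewall rule described later in the README, so a reader copying this snippet knows why a connection fails.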
@@ -166,7 +173,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
166
173
 
167
174
  **NOTE:** When `Description` contains error message such as `The message resource is present but the message was not found in the message table.`, eventlog's resource file (.mui) related to error generating event is something wrong. This issue is also occurred in built-in Windows Event Viewer which is the part of Windows management tool.
168
175
 
169
- **NOTE:** When `render_as_xml` as `false`, the dependent winevt_c gem renders Windows EventLog as Ruby Hash object directly. This reduces bottleneck to consume EventLog. Specifying `render_as_xml` as `false` should be faster consuming than `render_as_xml` as `true` case.
176
+ **NOTE:** When `render_as_xml` as `true`, `fluent-plugin-parser-winevt_xml` plugin should be needed to parse XML rendered Windows EventLog string.
170
177
 
171
178
  **NOTE:** If you encountered CPU spike due to massively huge EventLog channel, `rate_limit` parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).
172
179
 
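Review bot: the new NOTE says the parser plugin `should be needed`, which undersells a real change: this release moves `fluent-plugin-parser-winevt_xml` and `nokogiri` from runtime to development dependencies, so a user who sets `render_as_xml true` must now install the parser gem themselves. Suggest: `**NOTE:** When `render_as_xml` is `true`, the `fluent-plugin-parser-winevt_xml` plugin is required to parse the XML-rendered event; it is no longer installed with this gem, so install it separately.` The removed sentence explaining that Hash rendering (now the default) avoids the XML parsing bottleneck is still true and worth keeping as the rationale for the new default.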
@@ -183,10 +190,12 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
183
190
  |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
184
191
  |`read_from_head` | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
185
192
  |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
186
- |`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `true`.|
193
+ |`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `false`.|
187
194
  |`rate_limit` | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
188
195
  |`preserve_qualifiers_on_hash` | (option) When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys. When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers". Default is `false`.|
189
196
  |`read_all_channels`| (option) Read from all channels. Default is `false`|
197
+ |`description_locale`| (option) Specify description locale. Default is `nil`. See also: [Supported locales](https://github.com/fluent-plugins-nursery/winevt_c#multilingual-description) |
198
+ |`refresh_subscription_interval`|(option) It specifies refresh interval for channel subscriptions. Default is `nil`.|
190
199
  |`<subscribe>` | Setting for subscribe channels. |
191
200
 
192
201
  ##### subscribe section
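Review bot: the `refresh_subscription_interval` row only says `It specifies refresh interval for channel subscriptions`; it should state that the value is a Fluentd time value (the example above uses `10m`) and that on every tick the plugin cancels, closes and re-creates all channel subscriptions, since that is the behaviour users opt into. The `description_locale` row could add that an unsupported value is rejected at configure time with a `Fluent::ConfigError` listing the supported codes, which saves a trip to the linked winevt_c page.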
@@ -195,6 +204,10 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
195
204
  |:----- |:----- |
196
205
  |`channels` | One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
197
206
  |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`. |
207
+ |`remote_server` | (option) Remoting access server ip address/fqdn. Defaults to `nil`. |
208
+ |`remote_domain` | (option) Remoting access server joining domain name. Defaults to `nil`. |
209
+ |`remote_username` | (option) Remoting access access account's username. Defaults to `nil`. |
210
+ |`remote_password` | (option) Remoting access access account's password. Defaults to `nil`. |
198
211
 
199
212
 
200
213
  **Motivation:** subscribe directive is designed for applying `read_existing_events` each of channels which is specified in subscribe section(s).
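Review bot: `Remoting access access account's username` and `Remoting access access account's password` repeat the word `access`; `Remoting access account's username` reads cleanly. The `remote_password` row should also say that the parameter is declared `secret: true`, so the value is masked when Fluentd dumps the configuration, and that the credential still lives in clear text in the config file itself.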
@@ -231,6 +244,33 @@ This configuration can be handled as:
231
244
  * "Application" and "Security" channels just tailing
232
245
  * "HardwareEvent" channel read existing events before launching Fluentd
233
246
 
247
+ ###### Remoting access
248
+
249
+ `<subscribe>` section supports remoting access parameters:
250
+
251
+ * `remote_server`
252
+ * `remote_domain`
253
+ * `remote_username`
254
+ * `remote_password`
255
+
256
+ These parameters are only in `<subscribe>` directive.
257
+
258
+ Note that before using this feature, remoting access users should belong to "Event Log Readers" group:
259
+
260
+ ```console
261
+ > net localgroup "Event Log Readers" <domain\username> /add
262
+ ```
263
+
264
+ And then, users also should set up their remote box's Firewall configuration:
265
+
266
+ ```console
267
+ > netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
268
+ ```
269
+
270
+ As a security best practices, remoting access account _should not be administrator account_.
271
+
272
+ For graphical instructions, please refer to [Preconfigure a Machine to Collect Remote Windows Events | Sumo Logic](https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Remote-Windows-Event-Log-Source/Preconfigure-a-Machine-to-Collect-Remote-Windows-Events) document for example.
273
+
234
274
  ##### Available keys
235
275
 
236
276
  This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.
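Review bot: `As a security best practices, remoting access account _should not be administrator account_.` has a number-agreement error; suggest `As a security best practice, the remoting access account should not be an administrator account.` Two practical points are missing from this section: the `net localgroup` and `netsh advfirewall` commands must be run on the remote (event source) machine, not on the Fluentd host, and the text should say so explicitly; and `remoting access users should belong to "Event Log Readers" group` would be clearer as `the remoting access account must be a member of the "Event Log Readers" group on the remote machine`. `These parameters are only in `<subscribe>` directive.` reads better as `These parameters are only available inside the `<subscribe>` directive.` Finally, because `remote_password` is stored in the Fluentd configuration file, a sentence recommending restrictive file permissions on that file would round out the security advice.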
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-windows-eventlog"
7
- spec.version = "0.5.3"
7
+ spec.version = "0.8.0"
8
8
  spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
9
9
  spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
10
10
  spec.summary = %q{Fluentd Input plugin to read windows event log.}
@@ -20,9 +20,9 @@ Gem::Specification.new do |spec|
20
20
  spec.add_development_dependency "bundler"
21
21
  spec.add_development_dependency "rake"
22
22
  spec.add_development_dependency "test-unit", "~> 3.2.0"
23
+ spec.add_development_dependency "nokogiri", [">= 1.10", "< 1.12"]
24
+ spec.add_development_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
23
25
  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
24
26
  spec.add_runtime_dependency "win32-eventlog"
25
- spec.add_runtime_dependency "winevt_c", ">= 0.7.1"
26
- spec.add_runtime_dependency "nokogiri", "~> 1.10"
27
- spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
27
+ spec.add_runtime_dependency "winevt_c", ">= 0.9.1"
28
28
  end
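Review bot: demoting `nokogiri` and `fluent-plugin-parser-winevt_xml` to `add_development_dependency` means a fresh install with `render_as_xml true` fails at runtime rather than at install time; make sure the plugin raises a clear configure-time error telling the user to install `fluent-plugin-parser-winevt_xml`, instead of surfacing a bare `LoadError` from the parser helper. The `nokogiri` constraint `[">= 1.10", "< 1.12"]` is also slightly at odds with the CHANGELOG wording `Depends on nokogiri 1.11 series`; either is fine, but the two should agree.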
@@ -7,6 +7,8 @@ module Fluent::Plugin
7
7
  class WindowsEventLog2Input < Input
8
8
  Fluent::Plugin.register_input('windows_eventlog2', self)
9
9
 
10
+ class ReconnectError < Fluent::UnrecoverableError; end
11
+
10
12
  helpers :timer, :storage, :parser
11
13
 
12
14
  DEFAULT_STORAGE_TYPE = 'local'
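Review bot: `class ReconnectError < Fluent::UnrecoverableError; end` deserves a comment on intent. `Fluent::UnrecoverableError` derives from `Exception`, so it is not caught by the timer helper's `rescue => e`; raising it from the refresh timer therefore terminates the worker rather than logging and detaching the timer. If that is the desired outcome when a remote host stays unreachable, say so here; if the plugin should instead keep serving the other channels, a `StandardError` subclass is the safer base.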
@@ -38,14 +40,20 @@ module Fluent::Plugin
38
40
  config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
39
41
  config_param :read_existing_events, :bool, default: false
40
42
  config_param :parse_description, :bool, default: false
41
- config_param :render_as_xml, :bool, default: true
43
+ config_param :render_as_xml, :bool, default: false
42
44
  config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
43
45
  config_param :preserve_qualifiers_on_hash, :bool, default: false
44
46
  config_param :read_all_channels, :bool, default: false
47
+ config_param :description_locale, :string, default: nil
48
+ config_param :refresh_subscription_interval, :time, default: nil
45
49
 
46
50
  config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
47
51
  config_param :channels, :array
48
52
  config_param :read_existing_events, :bool, default: false
53
+ config_param :remote_server, :string, default: nil
54
+ config_param :remote_domain, :string, default: nil
55
+ config_param :remote_username, :string, default: nil
56
+ config_param :remote_password, :string, default: nil, secret: true
49
57
  end
50
58
 
51
59
  config_section :storage do
@@ -67,9 +75,12 @@ module Fluent::Plugin
67
75
 
68
76
  def configure(conf)
69
77
  super
78
+ @session = nil
70
79
  @chs = []
80
+ @subscriptions = {}
71
81
  @all_chs = Winevt::EventLog::Channel.new
72
82
  @all_chs.force_enumerate = false
83
+ @timers = {}
73
84
 
74
85
  if @read_all_channels
75
86
  @all_chs.each do |ch|
@@ -80,14 +91,22 @@ module Fluent::Plugin
80
91
 
81
92
  @read_existing_events = @read_from_head || @read_existing_events
82
93
  if @channels.empty? && @subscribe_configs.empty? && !@read_all_channels
83
- @chs.push(['application', @read_existing_events])
94
+ @chs.push(['application', @read_existing_events, nil])
84
95
  else
85
96
  @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
86
- @chs.push([uch, @read_existing_events])
97
+ @chs.push([uch, @read_existing_events, nil])
87
98
  end
88
99
  @subscribe_configs.each do |subscribe|
100
+ if subscribe.remote_server
101
+ @session = Winevt::EventLog::Session.new(subscribe.remote_server,
102
+ subscribe.remote_domain,
103
+ subscribe.remote_username,
104
+ subscribe.remote_password)
105
+
106
+ log.debug("connect to remote box (server: #{subscribe.remote_server}) domain: #{subscribe.remote_domain} username: #{subscribe.remote_username})")
107
+ end
89
108
  subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
90
- @chs.push([uch, subscribe.read_existing_events])
109
+ @chs.push([uch, subscribe.read_existing_events, @session])
91
110
  end
92
111
  end
93
112
  end
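Review bot: `@session` is an instance variable assigned only inside `if subscribe.remote_server`, so a `<subscribe>` block without `remote_server` that follows one with it inherits the previous block's session and its channels are silently read from the remote host instead of locally. Use a per-iteration local (`session = nil` at the top of the `@subscribe_configs.each` body, assign it under the `if`, and push `session`) or reset `@session = nil` before the `if`. The `log.debug("connect to remote box ...")` line logs domain and username only, which is correct; keep it that way so the `secret: true` password never reaches the log.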
@@ -122,17 +141,87 @@ module Fluent::Plugin
122
141
  @keynames.delete('Qualifiers')
123
142
  end
124
143
  @keynames.delete('EventData') if @parse_description
144
+
145
+ locale = Winevt::EventLog::Locale.new
146
+ if @description_locale && unsupported_locale?(locale, @description_locale)
147
+ raise Fluent::ConfigError, "'#{@description_locale}' is not supported. Supported locales are: #{locale.each.map{|code, _desc| code}.join(" ")}"
148
+ end
149
+ end
150
+
151
+ def unsupported_locale?(locale, description_locale)
152
+ locale.each.select {|c, _d| c.downcase == description_locale.downcase}.empty?
125
153
  end
126
154
 
127
155
  def start
128
156
  super
129
157
 
130
- @chs.each do |ch, read_existing_events|
131
- subscribe_channel(ch, read_existing_events)
158
+ refresh_subscriptions
159
+ if @refresh_subscription_interval
160
+ timer_execute(:in_windows_eventlog_refresh_subscription_timer, @refresh_subscription_interval, &method(:refresh_subscriptions))
132
161
  end
133
162
  end
134
163
 
135
- def subscribe_channel(ch, read_existing_events)
164
+ def shutdown
165
+ super
166
+
167
+ @subscriptions.keys.each do |ch|
168
+ subscription = @subscriptions.delete(ch)
169
+ if subscription
170
+ subscription.cancel
171
+ log.debug "channel (#{ch}) subscription is canceled."
172
+ end
173
+ end
174
+ end
175
+
176
+ def retry_on_error(channel, times: 15)
177
+ try = 0
178
+ begin
179
+ log.debug "Retry to subscribe for #{channel}...." if try > 1
180
+ try += 1
181
+ yield
182
+ log.info "Retry to subscribe for #{channel} succeeded." if try > 1
183
+ try = 0
184
+ rescue Winevt::EventLog::Subscribe::RemoteHandlerError => e
185
+ raise ReconnectError, "Retrying limit is exceeded." if try > times
186
+ log.warn "#{e.message}. Remaining retry count(s): #{times - try}"
187
+ sleep 2**try
188
+ retry
189
+ end
190
+ end
191
+
192
+ def refresh_subscriptions
193
+ clear_subscritpions
194
+
195
+ @chs.each do |ch, read_existing_events, session|
196
+ retry_on_error(ch) do
197
+ ch, subscribe = subscription(ch, read_existing_events, session)
198
+ @subscriptions[ch] = subscribe
199
+ end
200
+ end
201
+ subscribe_channels(@subscriptions)
202
+ end
203
+
204
+ def clear_subscritpions
205
+ @subscriptions.keys.each do |ch|
206
+ subscription = @subscriptions.delete(ch)
207
+ if subscription
208
+ if subscription.cancel
209
+ log.debug "channel (#{ch}) subscription is cancelled."
210
+ subscription.close
211
+ log.debug "channel (#{ch}) subscription handles are closed forcibly."
212
+ end
213
+ end
214
+ end
215
+ @timers.keys.each do |ch|
216
+ timer = @timers.delete(ch)
217
+ if timer
218
+ event_loop_detach(timer)
219
+ log.debug "channel (#{ch}) subscription watcher is detached."
220
+ end
221
+ end
222
+ end
223
+
224
+ def subscription(ch, read_existing_events, remote_session)
136
225
  bookmarkXml = @bookmarks_storage.get(ch) || ""
137
226
  bookmark = nil
138
227
  if bookmark_validator(bookmarkXml, ch)
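Review bot: `retry_on_error` calls `sleep 2**try` inside `refresh_subscriptions`, which is also the body of the refresh timer, so every retry blocks the event-loop thread and stalls the `on_notify` timers of all other channels; with `times: 15` the back-off sums to 2^16 - 2 = 65534 seconds, about 18 hours, before `ReconnectError` is raised. Cap the sleep (for example `[2**try, 60].min`) and lower `times`, or move the reconnect into a thread. Smaller points in the same hunk: `log.debug "Retry to subscribe for #{channel}...." if try > 1` never fires for the first retry because `try` is still 1 at that point (use `try >= 1`); `try = 0` after the successful `yield` has no effect; `clear_subscritpions` is misspelled (`clear_subscriptions`); and `shutdown` re-implements half of it without detaching the `@timers`, so `shutdown` could simply call the clearing method.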
@@ -141,8 +230,8 @@ module Fluent::Plugin
141
230
  subscribe = Winevt::EventLog::Subscribe.new
142
231
  subscribe.read_existing_events = read_existing_events
143
232
  begin
144
- subscribe.subscribe(ch, "*", bookmark)
145
- if !@render_as_xml && @preserve_qualifiers_on_hash && subscribe.respond_to?(:preserve_qualifiers=)
233
+ subscribe.subscribe(ch, "*", bookmark, remote_session)
234
+ if !@render_as_xml && @preserve_qualifiers_on_hash
146
235
  subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
147
236
  end
148
237
  rescue Winevt::EventLog::Query::Error => e
@@ -150,8 +239,16 @@ module Fluent::Plugin
150
239
  end
151
240
  subscribe.render_as_xml = @render_as_xml
152
241
  subscribe.rate_limit = @rate_limit
153
- timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
154
- on_notify(ch, subscribe)
242
+ subscribe.locale = @description_locale if @description_locale
243
+ [ch, subscribe]
244
+ end
245
+
246
+ def subscribe_channels(subscriptions)
247
+ subscriptions.each do |ch, subscribe|
248
+ @timers[ch] = timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
249
+ on_notify(ch, subscribe)
250
+ end
251
+ log.debug "channel (#{ch}) subscription is subscribed."
155
252
  end
156
253
  end
157
254
 
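Review bot: `@timers[ch] = timer_execute(...)` keys the watcher by channel name, so when the same channel appears twice in `@chs` (the test expectation `["system", false, nil], ["windows powershell", false, nil], ["system", true, nil], ...` on this page shows that configuration is supported) the second assignment overwrites the first and the earlier timer can never be detached by the refresh logic; `@subscriptions[ch]` has the same problem, leaking the first subscription handle. Either de-duplicate channels per session when building `@chs` or key both hashes by a (channel, session) pair. A debug line recording the effective `subscribe.locale` next to `"channel (#{ch}) subscription is subscribed."` would also help diagnose description-language issues.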
@@ -211,12 +308,12 @@ module Fluent::Plugin
211
308
  end
212
309
  end
213
310
  end
311
+ router.emit_stream(@tag, es)
312
+ @bookmarks_storage.put(ch, subscribe.bookmark)
214
313
  rescue Winevt::EventLog::Query::Error => e
215
- log.warn "Invalid XML data", error: e
314
+ log.warn "Invalid XML data on #{ch}.", error: e
216
315
  log.warn_backtrace
217
316
  end
218
- router.emit_stream(@tag, es)
219
- @bookmarks_storage.put(ch, subscribe.bookmark)
220
317
  end
221
318
 
222
319
  def on_notify_hash(ch, subscribe)
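Review bot: moving `router.emit_stream(@tag, es)` and `@bookmarks_storage.put(ch, subscribe.bookmark)` inside the `begin` block changes failure semantics: on `Winevt::EventLog::Query::Error` the events already added to `es` before the bad one are now dropped without being emitted and the bookmark is not advanced, whereas previously they were emitted and checkpointed. If the intent is "never checkpoint past an event we failed to render", that is sound, but it should be stated in a comment, and emitting the partial `es` before returning would avoid losing already-rendered events silently. The same consideration applies to the identical change in `on_notify_hash` below. The `"Invalid XML data on #{ch}."` message is a welcome improvement.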
@@ -241,12 +338,12 @@ module Fluent::Plugin
241
338
  parse_desc(h) if @parse_description
242
339
  es.add(Fluent::Engine.now, h)
243
340
  end
341
+ router.emit_stream(@tag, es)
342
+ @bookmarks_storage.put(ch, subscribe.bookmark)
244
343
  rescue Winevt::EventLog::Query::Error => e
245
- log.warn "Invalid Hash data", error: e
344
+ log.warn "Invalid Hash data on #{ch}.", error: e
246
345
  log.warn_backtrace
247
346
  end
248
- router.emit_stream(@tag, es)
249
- @bookmarks_storage.put(ch, subscribe.bookmark)
250
347
  end
251
348
 
252
349
  #### These lines copied from in_windows_eventlog plugin:
@@ -2,6 +2,17 @@ require 'helper'
2
2
  require 'fileutils'
3
3
  require 'generate-windows-event'
4
4
 
5
+ # Monkey patch for testing
6
+ class Winevt::EventLog::Session
7
+ def ==(obj)
8
+ self.server == obj.server &&
9
+ self.domain == obj.domain &&
10
+ self.username == obj.username &&
11
+ self.password == obj.password &&
12
+ self.flags == obj.flags
13
+ end
14
+ end
15
+
5
16
  class WindowsEventLog2InputTest < Test::Unit::TestCase
6
17
 
7
18
  def setup
@@ -15,6 +26,14 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
15
26
  })
16
27
  ])
17
28
 
29
+ XML_RENDERING_CONFIG = config_element("ROOT", "", {"tag" => "fluent.eventlog",
30
+ "render_as_xml" => true}, [
31
+ config_element("storage", "", {
32
+ '@type' => 'local',
33
+ 'persistent' => false
34
+ })
35
+ ])
36
+
18
37
  def create_driver(conf = CONFIG)
19
38
  Fluent::Test::Driver::Input.new(Fluent::Plugin::WindowsEventLog2Input).configure(conf)
20
39
  end
@@ -25,10 +44,22 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
25
44
  assert_equal 2, d.instance.read_interval
26
45
  assert_equal [], d.instance.channels
27
46
  assert_false d.instance.read_existing_events
28
- assert_true d.instance.render_as_xml
47
+ assert_false d.instance.render_as_xml
48
+ assert_nil d.instance.refresh_subscription_interval
29
49
  end
30
50
 
31
51
  sub_test_case "configure" do
52
+ test "refresh subscription interval" do
53
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
54
+ "refresh_subscription_interval" => "2m"}, [
55
+ config_element("storage", "", {
56
+ '@type' => 'local',
57
+ 'persistent' => false
58
+ })
59
+ ])
60
+ assert_equal 120, d.instance.refresh_subscription_interval
61
+ end
62
+
32
63
  test "subscribe directive" do
33
64
  d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
34
65
  config_element("storage", "", {
@@ -43,7 +74,36 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
43
74
  'read_existing_events' => true
44
75
  }),
45
76
  ])
46
- expected = [["system", false], ["windows powershell", false], ["security", true]]
77
+ expected = [["system", false, nil], ["windows powershell", false, nil], ["security", true, nil]]
78
+ assert_equal expected, d.instance.instance_variable_get(:@chs)
79
+ end
80
+
81
+ test "subscribe directive with remote server session" do
82
+ d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
83
+ config_element("storage", "", {
84
+ '@type' => 'local',
85
+ 'persistent' => false
86
+ }),
87
+ config_element("subscribe", "", {
88
+ 'channels' => ['System', 'Windows PowerShell'],
89
+ 'remote_server' => '127.0.0.1',
90
+ }),
91
+ config_element("subscribe", "", {
92
+ 'channels' => ['Security'],
93
+ 'read_existing_events' => true,
94
+ 'remote_server' => '192.168.0.1',
95
+ 'remote_username' => 'fluentd',
96
+ 'remote_password' => 'changeme!'
97
+ }),
98
+ ])
99
+ localhost_session = Winevt::EventLog::Session.new("127.0.0.1")
100
+ remote_session = Winevt::EventLog::Session.new("192.168.0.1",
101
+ nil,
102
+ "fluentd",
103
+ "changeme!")
104
+ expected = [["system", false, localhost_session],
105
+ ["windows powershell", false, localhost_session],
106
+ ["security", true, remote_session]]
47
107
  assert_equal expected, d.instance.instance_variable_get(:@chs)
48
108
  end
49
109
 
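Review bot: both `<subscribe>` blocks in this test set `remote_server`, so it cannot detect the case where a later block without `remote_server` picks up the previous block's session from `@session`; add a third block with only `channels` and assert that its `@chs` entries carry `nil` as the session. Note also that the `127.0.0.1` block leaves domain, username and password `nil`, so only the four-argument `remote_session` entry exercises the credential fields, and then only through the `==` monkey patch defined at the top of the file.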
@@ -63,7 +123,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
63
123
  'read_existing_events' => true
64
124
  }),
65
125
  ])
66
- expected = [["system", false], ["windows powershell", false], ["security", true]]
126
+ expected = [["system", false, nil], ["windows powershell", false, nil], ["security", true, nil]]
67
127
  assert_equal 1, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
68
128
  assert_equal expected, d.instance.instance_variable_get(:@chs)
69
129
  end
@@ -85,7 +145,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
85
145
  'read_existing_events' => true
86
146
  }),
87
147
  ])
88
- expected = [["system", false], ["windows powershell", false], ["system", true], ["windows powershell", true], ["security", true]]
148
+ expected = [["system", false, nil], ["windows powershell", false, nil], ["system", true, nil], ["windows powershell", true, nil], ["security", true, nil]]
89
149
  assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
90
150
  assert_equal expected, d.instance.instance_variable_get(:@chs)
91
151
  end
@@ -103,6 +163,37 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
103
163
  ])
104
164
  end
105
165
  end
166
+
167
+ test "invalid description locale" do
168
+ assert_raise(Fluent::ConfigError) do
169
+ create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
170
+ "description_locale" => "ex_EX"
171
+ }, [
172
+ config_element("storage", "", {
173
+ '@type' => 'local',
174
+ 'persistent' => false
175
+ })
176
+ ])
177
+ end
178
+ end
179
+ end
180
+
181
+ data("Japanese" => ["ja_JP", false],
182
+ "English (United States)" => ["en_US", false],
183
+ "English (UK)" => ["en_GB", false],
184
+ "Dutch" => ["nl_NL", false],
185
+ "French" => ["fr_FR", false],
186
+ "German" => ["de_DE", false],
187
+ "Russian" => ["ru_RU", false],
188
+ "Spanish" => ["es_ES", false],
189
+ "Invalid" => ["ex_EX", true],
190
+ )
191
+ def test_unsupported_locale_p(data)
192
+ description_locale, expected = data
193
+ d = create_driver CONFIG
194
+ locale = Winevt::EventLog::Locale.new
195
+ result = d.instance.unsupported_locale?(locale, description_locale)
196
+ assert_equal expected, result
106
197
  end
107
198
 
108
199
  data("application" => ["Application", "Application"],
@@ -230,7 +321,7 @@ DESC
230
321
  end
231
322
 
232
323
  assert(d.events.length >= 1)
233
- event = d.events.last
324
+ event = d.events.select {|e| e.last["EventID"] == "65500" }.last
234
325
  record = event.last
235
326
 
236
327
  expected = {"EventID" => "65500",
@@ -241,6 +332,36 @@ DESC
241
332
  assert_equal(expected, record)
242
333
  end
243
334
 
335
+ REMOTING_ACCESS_CONFIG = config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
336
+ config_element("storage", "", {
337
+ '@type' => 'local',
338
+ 'persistent' => false
339
+ }),
340
+ config_element("subscribe", "", {
341
+ 'channels' => ['Application'],
342
+ 'remote_server' => '127.0.0.1',
343
+ }),
344
+ ])
345
+
346
+ def test_write_with_remoting_access
347
+ d = create_driver(REMOTING_ACCESS_CONFIG)
348
+
349
+ service = Fluent::Plugin::EventService.new
350
+
351
+ d.run(expect_emits: 1) do
352
+ service.run
353
+ end
354
+
355
+ assert(d.events.length >= 1)
356
+ event = d.events.select {|e| e.last["EventID"] == "65500" }.last
357
+ record = event.last
358
+
359
+ assert_equal("Application", record["Channel"])
360
+ assert_equal("65500", record["EventID"])
361
+ assert_equal("4", record["Level"])
362
+ assert_equal("fluent-plugins", record["ProviderName"])
363
+ end
364
+
244
365
  class HashRendered < self
245
366
  def test_write
246
367
  d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
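Review bot: `test_write_with_remoting_access` subscribes to `127.0.0.1` with no credentials, so it drives the remote-session code path against the local machine; it will fail on any CI host where the "Remote Event Log Management" firewall group is disabled or the running account is not in "Event Log Readers", and it never covers the domain/username/password branch. Either `omit` the test when the prerequisites are absent and document them next to the README's remoting section, or mark it as an opt-in integration test.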
@@ -389,7 +510,8 @@ EOS
389
510
  end
390
511
 
391
512
  def test_write_with_none_parser
392
- d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
513
+ d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
514
+ "render_as_xml" => true}, [
393
515
  config_element("storage", "", {
394
516
  '@type' => 'local',
395
517
  'persistent' => false
@@ -419,7 +541,8 @@ EOS
419
541
  end
420
542
 
421
543
  def test_write_with_winevt_xml_parser_without_qualifiers
422
- d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
544
+ d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
545
+ "render_as_xml" => true}, [
423
546
  config_element("storage", "", {
424
547
  '@type' => 'local',
425
548
  'persistent' => false
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-windows-eventlog
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.3
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - okahashi117
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2020-03-17 00:00:00.000000000 Z
13
+ date: 2020-09-16 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: bundler
@@ -55,81 +55,87 @@ dependencies:
55
55
  - !ruby/object:Gem::Version
56
56
  version: 3.2.0
57
57
  - !ruby/object:Gem::Dependency
58
- name: fluentd
58
+ name: nokogiri
59
59
  requirement: !ruby/object:Gem::Requirement
60
60
  requirements:
61
61
  - - ">="
62
62
  - !ruby/object:Gem::Version
63
- version: 0.14.12
63
+ version: '1.10'
64
64
  - - "<"
65
65
  - !ruby/object:Gem::Version
66
- version: '2'
67
- type: :runtime
66
+ version: '1.12'
67
+ type: :development
68
68
  prerelease: false
69
69
  version_requirements: !ruby/object:Gem::Requirement
70
70
  requirements:
71
71
  - - ">="
72
72
  - !ruby/object:Gem::Version
73
- version: 0.14.12
73
+ version: '1.10'
74
74
  - - "<"
75
75
  - !ruby/object:Gem::Version
76
- version: '2'
76
+ version: '1.12'
77
77
  - !ruby/object:Gem::Dependency
78
- name: win32-eventlog
78
+ name: fluent-plugin-parser-winevt_xml
79
79
  requirement: !ruby/object:Gem::Requirement
80
80
  requirements:
81
81
  - - ">="
82
82
  - !ruby/object:Gem::Version
83
- version: '0'
84
- type: :runtime
83
+ version: 0.1.2
84
+ type: :development
85
85
  prerelease: false
86
86
  version_requirements: !ruby/object:Gem::Requirement
87
87
  requirements:
88
88
  - - ">="
89
89
  - !ruby/object:Gem::Version
90
- version: '0'
90
+ version: 0.1.2
91
91
  - !ruby/object:Gem::Dependency
92
- name: winevt_c
92
+ name: fluentd
93
93
  requirement: !ruby/object:Gem::Requirement
94
94
  requirements:
95
95
  - - ">="
96
96
  - !ruby/object:Gem::Version
97
- version: 0.7.1
97
+ version: 0.14.12
98
+ - - "<"
99
+ - !ruby/object:Gem::Version
100
+ version: '2'
98
101
  type: :runtime
99
102
  prerelease: false
100
103
  version_requirements: !ruby/object:Gem::Requirement
101
104
  requirements:
102
105
  - - ">="
103
106
  - !ruby/object:Gem::Version
104
- version: 0.7.1
107
+ version: 0.14.12
108
+ - - "<"
109
+ - !ruby/object:Gem::Version
110
+ version: '2'
105
111
  - !ruby/object:Gem::Dependency
106
- name: nokogiri
112
+ name: win32-eventlog
107
113
  requirement: !ruby/object:Gem::Requirement
108
114
  requirements:
109
- - - "~>"
115
+ - - ">="
110
116
  - !ruby/object:Gem::Version
111
- version: '1.10'
117
+ version: '0'
112
118
  type: :runtime
113
119
  prerelease: false
114
120
  version_requirements: !ruby/object:Gem::Requirement
115
121
  requirements:
116
- - - "~>"
122
+ - - ">="
117
123
  - !ruby/object:Gem::Version
118
- version: '1.10'
124
+ version: '0'
119
125
  - !ruby/object:Gem::Dependency
120
- name: fluent-plugin-parser-winevt_xml
126
+ name: winevt_c
121
127
  requirement: !ruby/object:Gem::Requirement
122
128
  requirements:
123
129
  - - ">="
124
130
  - !ruby/object:Gem::Version
125
- version: 0.1.2
131
+ version: 0.9.1
126
132
  type: :runtime
127
133
  prerelease: false
128
134
  version_requirements: !ruby/object:Gem::Requirement
129
135
  requirements:
130
136
  - - ">="
131
137
  - !ruby/object:Gem::Version
132
- version: 0.1.2
138
+ version: 0.9.1
133
139
  description: Fluentd Input plugin to read windows event log.
134
140
  email:
135
141
  - naruki_okahashi@jbat.co.jp