fluent-plugin-windows-eventlog 0.6.0 → 0.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7e3441c382ee3af99cf0a4b67e1d059903933ec07f837fbec8ae93b11a2b252c
-  data.tar.gz: 2d8555cc1d825218f03deb00b4d83ac2690df8e138395cdef197319b299b2135
+  metadata.gz: bdf1842ac573845b2a01c853ab4dd7afb349c0e014d5538c24aff33f0c674499
+  data.tar.gz: 92003b55f2e2380b3d9d8ebbc3ea794c018cd75b51100562f932ef7fcd751728
 SHA512:
-  metadata.gz: 26071af5dda0107d6269dd2a4ff641cbf914a4ff7071d725e4297001e9b1606470cb019e578900a57c7738d49d4f8093cdd8ba164db826dd246a88cef4f1b333
-  data.tar.gz: 318b12aa2ef3d12547001ae1dc17a27fe28bf0622c6249f2ec396a5cf77a12ff4b8f54bb994a746eb517a99e4d1cd8b77325ad43e9704f4b01b205fb1019fd13
+  metadata.gz: d4f8f6b2198d8a8861b1c25a85a7a553b4757db942c03a8246e36f7d1e9a5d085328668a6b55ac32de6cad0491285d2e3009e49606eee0da03c1d7c2fab0dab8
+  data.tar.gz: 474b65132114f707e358d62984becd02f750f7913b2f248ff21db8ac27c668835a6541fa7f8fd3df5a944e241c255e8bdbd607cc0d143d687222bd0e6412e2f7

data/.github/workflows/unit-test.yml

@@ -0,0 +1,34 @@
+name: Unit Test
+on:
+  - push
+  - pull_request
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    continue-on-error: ${{ matrix.experimental }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [ '2.5', '2.6', '2.7', '3.0' ]
+        os:
+          - windows-latest
+        experimental: [false]
+        include:
+          - ruby: 'head'
+            os: windows-latest
+            experimental: true
+    name: Unit testing with Ruby ${{ matrix.ruby }} on ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Install
+      run: |
+        ruby --version
+        gem --version
+        gem install bundler rake
+        ridk exec bundle install --jobs 4 --retry 3
+    - name: Unit Test
+      run: |
+        bundle exec rake test

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+# Release v0.8.1 - 2021/09/16
+* in_windows_eventlog2: Add trace logs for debugging
+* in_windows_eventlog2: Support event query parameter on Windows EventLog channel subscriptions
+
+# Release v0.8.0 - 2020/09/16
+* in_windows_eventlog2: Support remoting access
+
+# Release v.0.7.1.rc1 - 2020/06/23
+* in_windows_eventlog2: Depends on nokogiri 1.11 series
+
+# Release v0.7.0 - 2020/05/22
+* in_windows_eventlog2: Support multilingual description
+
 # Release v0.6.0 - 2020/04/15
 * Make fluent-plugin-parser-winevt_xml plugin as optional dependency
 * in_windows_eventlog2: Render Ruby hash object directly by default

data/README.md

@@ -142,23 +142,31 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
       render_as_xml false       # default is false.
       rate_limit 200            # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
       # preserve_qualifiers_on_hash true # default is false.
+      # read_all_channels false # default is false.
+      # description_locale en_US # default is nil. It means that system locale is used for obtaining description.
+      # refresh_subscription_interval 10m # default is nil. It specifies refresh interval for channel subscriptions.
+      # event_query "Event/System[EventID!=1001]" # default is "*".
       <storage>
         @type local             # @type local is the default.
         persistent true         # default is true. Set to false to use in-memory storage.
-        path ./tmp/storage.json # This is required when persistent is true.
+        path ./tmp/storage.json # This is required when persistent is true. If migrating from eventlog v1 please ensure that you remove the old .pos folder
                                 # Or, please consider using <system> section's `root_dir` parameter.
       </storage>
-      <parse>
-        @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
+      # <parse> # Note: parsing is only available when render_as_xml true
+      #  @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
         # When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys.
         # When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers".
         # With the following equation:
         # (EventID & 0xffff) | (Qualifiers & 0xffff) << 16
-        preserve_qualifiers true
-      </parse>
+        # preserve_qualifiers true # preserve_qualifiers_on_hash can be used as a setting outside <parse> if render_as_xml is false
+      # </parse>
       # <subscribe>
       #   channles application, system
       #   read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
+      #   remote_server 127.0.0.1 # Remote server ip/fqdn
+      #   remote_domain WORKGROUP # Domain name
+      #   remote_username fluentd # Remoting access account name
+      #   remote_password changeme! # Remoting access account password
       # </subscribe>
     </source>
 
@@ -174,7 +182,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 
 |name      | description |
 |:-----    |:-----       |
-|`channels`         | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
+|`channels`         | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'} and other evtx, which is the brand new Windows XML Event Log (EVTX) format since Windows Vista, formatted channels. Theoritically, `in_windows_ventlog2` may read all of channels except for debug and analytical typed channels. If you want to read 'setup' or 'security' logs or some privileged channels, you must launch fluentd with administrator privileges.|
 |`keys`             | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
 |`read_interval`    | (option) Read interval in seconds. 2 seconds as default.|
 |`from_encoding`    | (option) Input character encoding. `nil` as default.|
@@ -187,6 +195,9 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 |`rate_limit`      | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
 |`preserve_qualifiers_on_hash`      | (option) When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys. When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers". Default is `false`.|
 |`read_all_channels`| (option) Read from all channels. Default is `false`|
+|`description_locale`| (option) Specify description locale. Default is `nil`. See also: [Supported locales](https://github.com/fluent-plugins-nursery/winevt_c#multilingual-description) |
+|`refresh_subscription_interval`|(option) It specifies refresh interval for channel subscriptions. Default is `nil`.|
+|`event_query`|(option) It specifies query for deny/allow/filter events with XPath 1.0 or structured XML query. Default is `"*"` (retrieving all events).|
 |`<subscribe>`          | Setting for subscribe channels. |
 
 ##### subscribe section
@@ -195,6 +206,10 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 |:-----    |:-----       |
 |`channels`             | One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges. |
 |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`. |
+|`remote_server` | (option) Remoting access server ip address/fqdn. Defaults to `nil`. |
+|`remote_domain` | (option) Remoting access server joining domain name. Defaults to `nil`. |
+|`remote_username` | (option) Remoting access access account's username. Defaults to `nil`. |
+|`remote_password` | (option) Remoting access access account's password. Defaults to `nil`. |
 
 
 **Motivation:** subscribe directive is designed for applying `read_existing_events` each of channels which is specified in subscribe section(s).
@@ -231,6 +246,33 @@ This configuration can be handled as:
 * "Application" and "Security" channels just tailing
 * "HardwareEvent" channel read existing events before launching Fluentd
 
+###### Remoting access
+
+`<subscribe>` section supports remoting access parameters:
+
+* `remote_server`
+* `remote_domain`
+* `remote_username`
+* `remote_password`
+
+These parameters are only in `<subscribe>` directive.
+
+Note that before using this feature, remoting access users should belong to "Event Log Readers" group:
+
+```console
+> net localgroup "Event Log Readers" <domain\username> /add
+```
+
+And then, users also should set up their remote box's Firewall configuration:
+
+```console
+> netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
+```
+
+As a security best practices, remoting access account _should not be administrator account_.
+
+For graphical instructions, please refer to [Preconfigure a Machine to Collect Remote Windows Events | Sumo Logic](https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Remote-Windows-Event-Log-Source/Preconfigure-a-Machine-to-Collect-Remote-Windows-Events) document for example.
+
 ##### Available keys
 
 This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.6.0"
+  spec.version       = "0.8.1"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -19,10 +19,10 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "rake"
-  spec.add_development_dependency "test-unit", "~> 3.2.0"
+  spec.add_development_dependency "test-unit", "~> 3.4.0"
   spec.add_development_dependency "nokogiri", [">= 1.10", "< 1.12"]
   spec.add_development_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c", ">= 0.7.1"
+  spec.add_runtime_dependency "winevt_c", ">= 0.9.1"
 end

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -7,6 +7,8 @@ module Fluent::Plugin
   class WindowsEventLog2Input < Input
     Fluent::Plugin.register_input('windows_eventlog2', self)
 
+    class ReconnectError < Fluent::UnrecoverableError; end
+
     helpers :timer, :storage, :parser
 
     DEFAULT_STORAGE_TYPE = 'local'
@@ -42,10 +44,17 @@ module Fluent::Plugin
     config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
     config_param :preserve_qualifiers_on_hash, :bool, default: false
     config_param :read_all_channels, :bool, default: false
+    config_param :description_locale, :string, default: nil
+    config_param :refresh_subscription_interval, :time, default: nil
+    config_param :event_query, :string, default: "*"
 
     config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
       config_param :channels, :array
       config_param :read_existing_events, :bool, default: false
+      config_param :remote_server, :string, default: nil
+      config_param :remote_domain, :string, default: nil
+      config_param :remote_username, :string, default: nil
+      config_param :remote_password, :string, default: nil, secret: true
     end
 
     config_section :storage do
@@ -67,9 +76,12 @@ module Fluent::Plugin
 
     def configure(conf)
       super
+      @session = nil
       @chs = []
+      @subscriptions = {}
       @all_chs = Winevt::EventLog::Channel.new
       @all_chs.force_enumerate = false
+      @timers = {}
 
       if @read_all_channels
         @all_chs.each do |ch|
@@ -80,14 +92,22 @@ module Fluent::Plugin
 
       @read_existing_events = @read_from_head || @read_existing_events
       if @channels.empty? && @subscribe_configs.empty? && !@read_all_channels
-        @chs.push(['application', @read_existing_events])
+        @chs.push(['application', @read_existing_events, nil])
       else
         @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
-          @chs.push([uch, @read_existing_events])
+          @chs.push([uch, @read_existing_events, nil])
         end
         @subscribe_configs.each do |subscribe|
+          if subscribe.remote_server
+            @session = Winevt::EventLog::Session.new(subscribe.remote_server,
+                                                     subscribe.remote_domain,
+                                                     subscribe.remote_username,
+                                                     subscribe.remote_password)
+
+            log.debug("connect to remote box (server: #{subscribe.remote_server}) domain: #{subscribe.remote_domain} username: #{subscribe.remote_username})")
+          end
           subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
-            @chs.push([uch, subscribe.read_existing_events])
+            @chs.push([uch, subscribe.read_existing_events, @session])
           end
         end
       end
@@ -122,17 +142,87 @@ module Fluent::Plugin
         @keynames.delete('Qualifiers')
       end
       @keynames.delete('EventData') if @parse_description
+
+      locale = Winevt::EventLog::Locale.new
+      if @description_locale && unsupported_locale?(locale, @description_locale)
+        raise Fluent::ConfigError, "'#{@description_locale}' is not supported. Supported locales are: #{locale.each.map{|code, _desc| code}.join(" ")}"
+      end
+    end
+
+    def unsupported_locale?(locale, description_locale)
+      locale.each.select {|c, _d| c.downcase == description_locale.downcase}.empty?
     end
 
     def start
       super
 
-      @chs.each do |ch, read_existing_events|
-        subscribe_channel(ch, read_existing_events)
+      refresh_subscriptions
+      if @refresh_subscription_interval
+        timer_execute(:in_windows_eventlog_refresh_subscription_timer, @refresh_subscription_interval, &method(:refresh_subscriptions))
       end
     end
 
-    def subscribe_channel(ch, read_existing_events)
+    def shutdown
+      super
+
+      @subscriptions.keys.each do |ch|
+        subscription = @subscriptions.delete(ch)
+        if subscription
+          subscription.cancel
+          log.debug "channel (#{ch}) subscription is canceled."
+        end
+      end
+    end
+
+    def retry_on_error(channel, times: 15)
+      try = 0
+      begin
+        log.debug "Retry to subscribe for #{channel}...." if try > 1
+        try += 1
+        yield
+        log.info "Retry to subscribe for #{channel} succeeded." if try > 1
+        try = 0
+      rescue Winevt::EventLog::Subscribe::RemoteHandlerError => e
+        raise ReconnectError, "Retrying limit is exceeded." if try > times
+        log.warn "#{e.message}. Remaining retry count(s): #{times - try}"
+        sleep 2**try
+        retry
+      end
+    end
+
+    def refresh_subscriptions
+      clear_subscritpions
+
+      @chs.each do |ch, read_existing_events, session|
+        retry_on_error(ch) do
+          ch, subscribe = subscription(ch, read_existing_events, session)
+          @subscriptions[ch] = subscribe
+        end
+      end
+      subscribe_channels(@subscriptions)
+    end
+
+    def clear_subscritpions
+      @subscriptions.keys.each do |ch|
+        subscription = @subscriptions.delete(ch)
+        if subscription
+          if subscription.cancel
+            log.debug "channel (#{ch}) subscription is cancelled."
+            subscription.close
+            log.debug "channel (#{ch}) subscription handles are closed forcibly."
+          end
+        end
+      end
+      @timers.keys.each do |ch|
+        timer = @timers.delete(ch)
+        if timer
+          event_loop_detach(timer)
+          log.debug "channel (#{ch}) subscription watcher is detached."
+        end
+      end
+    end
+
+    def subscription(ch, read_existing_events, remote_session)
       bookmarkXml = @bookmarks_storage.get(ch) || ""
       bookmark = nil
       if bookmark_validator(bookmarkXml, ch)
@@ -141,8 +231,8 @@ module Fluent::Plugin
       subscribe = Winevt::EventLog::Subscribe.new
       subscribe.read_existing_events = read_existing_events
       begin
-        subscribe.subscribe(ch, "*", bookmark)
-        if !@render_as_xml && @preserve_qualifiers_on_hash && subscribe.respond_to?(:preserve_qualifiers=)
+        subscribe.subscribe(ch, event_query, bookmark, remote_session)
+        if !@render_as_xml && @preserve_qualifiers_on_hash
           subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
         end
       rescue Winevt::EventLog::Query::Error => e
@@ -150,8 +240,17 @@ module Fluent::Plugin
       end
       subscribe.render_as_xml = @render_as_xml
       subscribe.rate_limit = @rate_limit
-      timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
-        on_notify(ch, subscribe)
+      subscribe.locale = @description_locale if @description_locale
+      [ch, subscribe]
+    end
+
+    def subscribe_channels(subscriptions)
+      subscriptions.each do |ch, subscribe|
+        log.trace "Subscribing Windows EventLog at #{ch} channel"
+        @timers[ch] = timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
+          on_notify(ch, subscribe)
+        end
+        log.debug "channel (#{ch}) subscription is subscribed."
       end
     end
 
@@ -211,12 +310,13 @@ module Fluent::Plugin
             end
           end
         end
+        router.emit_stream(@tag, es)
+        @bookmarks_storage.put(ch, subscribe.bookmark)
+        log.trace "Collecting Windows EventLog from #{ch} channel. Collected size: #{es.size}"
       rescue Winevt::EventLog::Query::Error => e
-        log.warn "Invalid XML data", error: e
+        log.warn "Invalid XML data on #{ch}.", error: e
         log.warn_backtrace
       end
-      router.emit_stream(@tag, es)
-      @bookmarks_storage.put(ch, subscribe.bookmark)
     end
 
     def on_notify_hash(ch, subscribe)
@@ -241,12 +341,13 @@ module Fluent::Plugin
           parse_desc(h) if @parse_description
           es.add(Fluent::Engine.now, h)
         end
+        router.emit_stream(@tag, es)
+        @bookmarks_storage.put(ch, subscribe.bookmark)
+        log.trace "Collecting Windows EventLog from #{ch} channel. Collected size: #{es.size}"
       rescue Winevt::EventLog::Query::Error => e
-        log.warn "Invalid Hash data", error: e
+        log.warn "Invalid Hash data on #{ch}.", error: e
         log.warn_backtrace
       end
-      router.emit_stream(@tag, es)
-      @bookmarks_storage.put(ch, subscribe.bookmark)
     end
 
     #### These lines copied from in_windows_eventlog plugin:

data/test/plugin/test_in_windows_eventlog2.rb

@@ -2,6 +2,17 @@ require 'helper'
 require 'fileutils'
 require 'generate-windows-event'
 
+# Monkey patch for testing
+class Winevt::EventLog::Session
+  def ==(obj)
+    self.server == obj.server &&
+      self.domain == obj.domain &&
+      self.username == obj.username &&
+      self.password == obj.password &&
+      self.flags == obj.flags
+  end
+end
+
 class WindowsEventLog2InputTest < Test::Unit::TestCase
 
   def setup
@@ -34,9 +45,21 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
     assert_equal [], d.instance.channels
     assert_false d.instance.read_existing_events
     assert_false d.instance.render_as_xml
+    assert_nil d.instance.refresh_subscription_interval
   end
 
   sub_test_case "configure" do
+    test "refresh subscription interval" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "refresh_subscription_interval" => "2m"}, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        })
+                                       ])
+      assert_equal 120, d.instance.refresh_subscription_interval
+    end
+
     test "subscribe directive" do
       d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
                                          config_element("storage", "", {
@@ -51,7 +74,36 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
                                                           'read_existing_events' => true
                                                         }),
                                        ])
-      expected = [["system", false], ["windows powershell", false], ["security", true]]
+      expected = [["system", false, nil], ["windows powershell", false, nil], ["security", true, nil]]
+      assert_equal expected, d.instance.instance_variable_get(:@chs)
+    end
+
+    test "subscribe directive with remote server session" do
+      d = create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['System', 'Windows PowerShell'],
+                                                          'remote_server' => '127.0.0.1',
+                                                        }),
+                                         config_element("subscribe", "", {
+                                                          'channels' => ['Security'],
+                                                          'read_existing_events' => true,
+                                                          'remote_server' => '192.168.0.1',
+                                                          'remote_username' => 'fluentd',
+                                                          'remote_password' => 'changeme!'
+                                                        }),
+                                       ])
+      localhost_session = Winevt::EventLog::Session.new("127.0.0.1")
+      remote_session = Winevt::EventLog::Session.new("192.168.0.1",
+                                                     nil,
+                                                     "fluentd",
+                                                     "changeme!")
+      expected = [["system", false, localhost_session],
+                  ["windows powershell", false, localhost_session],
+                  ["security", true, remote_session]]
       assert_equal expected, d.instance.instance_variable_get(:@chs)
     end
 
@@ -71,7 +123,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
                                                           'read_existing_events' => true
                                                         }),
                                        ])
-      expected = [["system", false], ["windows powershell", false], ["security", true]]
+      expected = [["system", false, nil], ["windows powershell", false, nil], ["security", true, nil]]
       assert_equal 1, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
       assert_equal expected, d.instance.instance_variable_get(:@chs)
     end
@@ -93,7 +145,7 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
                                                           'read_existing_events' => true
                                                         }),
                                        ])
-      expected = [["system", false], ["windows powershell", false], ["system", true], ["windows powershell", true], ["security", true]]
+      expected = [["system", false, nil], ["windows powershell", false, nil], ["system", true, nil], ["windows powershell", true, nil], ["security", true, nil]]
       assert_equal 2, d.instance.instance_variable_get(:@chs).select {|ch, flag| ch == "system"}.size
       assert_equal expected, d.instance.instance_variable_get(:@chs)
     end
@@ -111,6 +163,37 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
                                      ])
       end
     end
+
+    test "invalid description locale" do
+      assert_raise(Fluent::ConfigError) do
+        create_driver config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                  "description_locale" => "ex_EX"
+                                                 }, [
+                                       config_element("storage", "", {
+                                                        '@type' => 'local',
+                                                        'persistent' => false
+                                                      })
+                                     ])
+      end
+    end
+  end
+
+  data("Japanese"                => ["ja_JP", false],
+       "English (United States)" => ["en_US", false],
+       "English (UK)"            => ["en_GB", false],
+       "Dutch"                   => ["nl_NL", false],
+       "French"                  => ["fr_FR", false],
+       "German"                  => ["de_DE", false],
+       "Russian"                 => ["ru_RU", false],
+       "Spanish"                 => ["es_ES", false],
+       "Invalid"                 => ["ex_EX", true],
+      )
+  def test_unsupported_locale_p(data)
+    description_locale, expected = data
+    d = create_driver CONFIG
+    locale = Winevt::EventLog::Locale.new
+    result = d.instance.unsupported_locale?(locale, description_locale)
+    assert_equal expected, result
   end
 
   data("application"        => ["Application", "Application"],
@@ -219,6 +302,33 @@ DESC
     assert_equal("fluent-plugins", record["ProviderName"])
   end
 
+  CONFIG_WITH_QUERY = config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                  "event_query" => "Event/System[EventID=65500]"}, [
+                                       config_element("storage", "", {
+                                                        '@type' => 'local',
+                                                        'persistent' => false
+                                                      })
+                          ])
+  def test_write_with_event_query
+    d = create_driver(CONFIG_WITH_QUERY)
+
+    service = Fluent::Plugin::EventService.new
+
+    d.run(expect_emits: 1) do
+      service.run
+    end
+
+    assert(d.events.length >= 1)
+    event = d.events.last
+    record = event.last
+
+    assert_equal("Application", record["Channel"])
+    assert_equal("65500", record["EventID"])
+    assert_equal("4", record["Level"])
+    assert_equal("fluent-plugins", record["ProviderName"])
+  end
+
+
   CONFIG_KEYS = config_element("ROOT", "", {
                                  "tag" => "fluent.eventlog",
                                  "keys" => ["EventID", "Level", "Channel", "ProviderName"]
@@ -238,7 +348,7 @@ DESC
     end
 
     assert(d.events.length >= 1)
-    event = d.events.last
+    event = d.events.select {|e| e.last["EventID"] == "65500" }.last
     record = event.last
 
     expected = {"EventID"      => "65500",
@@ -249,6 +359,36 @@ DESC
     assert_equal(expected, record)
   end
 
+  REMOTING_ACCESS_CONFIG = config_element("ROOT", "", {"tag" => "fluent.eventlog"}, [
+                                            config_element("storage", "", {
+                                                             '@type' => 'local',
+                                                             'persistent' => false
+                                                           }),
+                                            config_element("subscribe", "", {
+                                                             'channels' => ['Application'],
+                                                             'remote_server' => '127.0.0.1',
+                                                           }),
+                                          ])
+
+  def test_write_with_remoting_access
+    d = create_driver(REMOTING_ACCESS_CONFIG)
+
+    service = Fluent::Plugin::EventService.new
+
+    d.run(expect_emits: 1) do
+      service.run
+    end
+
+    assert(d.events.length >= 1)
+    event = d.events.select {|e| e.last["EventID"] == "65500" }.last
+    record = event.last
+
+    assert_equal("Application", record["Channel"])
+    assert_equal("65500", record["EventID"])
+    assert_equal("4", record["Level"])
+    assert_equal("fluent-plugins", record["ProviderName"])
+  end
+
   class HashRendered < self
     def test_write
       d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
@@ -355,8 +495,9 @@ DESC
         service.run
       end
 
-      assert(d2.events.length == 1) # should be tailing after previous context.
-      event2 = d2.events.last
+      events = d2.events.select {|e| e.last["EventID"] == "65500" }
+      assert(events.length == 1) # should be tailing after previous context.
+      event2 = events.last
       record2 = event2.last
 
       curr_id = record2["EventRecordID"].to_i

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.8.1
 platform: ruby
 authors:
 - okahashi117
 - Hiroshi Hatake
 - Masahiro Nakagawa
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-15 00:00:00.000000000 Z
+date: 2021-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -46,14 +46,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 3.4.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 3.4.0
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: 0.9.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: 0.9.1
 description: Fluentd Input plugin to read windows event log.
 email:
 - naruki_okahashi@jbat.co.jp
@@ -145,6 +145,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/unit-test.yml"
 - ".gitignore"
 - CHANGELOG.md
 - Gemfile
@@ -166,7 +167,7 @@ homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -181,9 +182,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Fluentd Input plugin to read windows event log.
 test_files: