fluent-plugin-windows-eventlog 0.8.0 → 0.8.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 29f3b9ced1cd226756c2c6859e50cc974ec95e42a0efdc4b0e5544d69eac9c63
4
- data.tar.gz: 61875762c40f75317704cc62a476dc16d947363c7dca6bf167b8c7a23c86a095
3
+ metadata.gz: bdf1842ac573845b2a01c853ab4dd7afb349c0e014d5538c24aff33f0c674499
4
+ data.tar.gz: 92003b55f2e2380b3d9d8ebbc3ea794c018cd75b51100562f932ef7fcd751728
5
5
  SHA512:
6
- metadata.gz: 1c126f6937f433079ddf703d141ecf73d1c3e1bd82e9fb605726109c20c97ab89f3307438da9fd62c80ef80770a39a884c3800c66874ca9519e680d17c9c9ba9
7
- data.tar.gz: f5e9178ed7c1b477977d61d4fe306745f2efb3203bf430a612c96e9a27f1186d9980ef7ea236b679ab05c805bca3426b70d77a41288458747e684eb20009609f
6
+ metadata.gz: d4f8f6b2198d8a8861b1c25a85a7a553b4757db942c03a8246e36f7d1e9a5d085328668a6b55ac32de6cad0491285d2e3009e49606eee0da03c1d7c2fab0dab8
7
+ data.tar.gz: 474b65132114f707e358d62984becd02f750f7913b2f248ff21db8ac27c668835a6541fa7f8fd3df5a944e241c255e8bdbd607cc0d143d687222bd0e6412e2f7
@@ -0,0 +1,34 @@
1
+ name: Unit Test
2
+ on:
3
+ - push
4
+ - pull_request
5
+ jobs:
6
+ test:
7
+ runs-on: ${{ matrix.os }}
8
+ continue-on-error: ${{ matrix.experimental }}
9
+ strategy:
10
+ fail-fast: false
11
+ matrix:
12
+ ruby: [ '2.5', '2.6', '2.7', '3.0' ]
13
+ os:
14
+ - windows-latest
15
+ experimental: [false]
16
+ include:
17
+ - ruby: 'head'
18
+ os: windows-latest
19
+ experimental: true
20
+ name: Unit testing with Ruby ${{ matrix.ruby }} on ${{ matrix.os }}
21
+ steps:
22
+ - uses: actions/checkout@v2
23
+ - uses: ruby/setup-ruby@v1
24
+ with:
25
+ ruby-version: ${{ matrix.ruby }}
26
+ - name: Install
27
+ run: |
28
+ ruby --version
29
+ gem --version
30
+ gem install bundler rake
31
+ ridk exec bundle install --jobs 4 --retry 3
32
+ - name: Unit Test
33
+ run: |
34
+ bundle exec rake test
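Review bot: Both third-party actions in the new workflow are referenced by mutable major tags, `actions/checkout@v2` and `ruby/setup-ruby@v1`, so whatever commit the tag points to on the day of the run is what executes on `push` and `pull_request`; pin each to a full-length commit SHA with the version in a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v2`. The workflow also declares no `permissions:` block, so the job token gets the repository default instead of the least it needs; add `permissions: contents: read` at the top level since the steps only check out, install and run tests. The `gem install bundler rake` line is likewise unpinned, which is acceptable for a test job but worth a comment noting that the lockfile, not this line, is what fixes dependency versions.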
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ # Release v0.8.1 - 2021/09/16
2
+ * in_windows_eventlog2: Add trace logs for debugging
3
+ * in_windows_eventlog2: Support event query parameter on Windows EventLog channel subscriptions
4
+
1
5
  # Release v0.8.0 - 2020/09/16
2
6
  * in_windows_eventlog2: Support remoting access
3
7
 
data/README.md CHANGED
@@ -145,20 +145,21 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
145
145
  # read_all_channels false # default is false.
146
146
  # description_locale en_US # default is nil. It means that system locale is used for obtaining description.
147
147
  # refresh_subscription_interval 10m # default is nil. It specifies refresh interval for channel subscriptions.
148
+ # event_query "Event/System[EventID!=1001]" # default is "*".
148
149
  <storage>
149
150
  @type local # @type local is the default.
150
151
  persistent true # default is true. Set to false to use in-memory storage.
151
- path ./tmp/storage.json # This is required when persistent is true.
152
+ path ./tmp/storage.json # This is required when persistent is true. If migrating from eventlog v1 please ensure that you remove the old .pos folder
152
153
  # Or, please consider using <system> section's `root_dir` parameter.
153
154
  </storage>
154
- <parse>
155
- @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
155
+ # <parse> # Note: parsing is only available when render_as_xml true
156
+ # @type winevt_xml # @type winevt_xml is the default. winevt_xml and none parsers are supported for now.
156
157
  # When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys.
157
158
  # When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers".
158
159
  # With the following equation:
159
160
  # (EventID & 0xffff) | (Qualifiers & 0xffff) << 16
160
- preserve_qualifiers true
161
- </parse>
161
+ # preserve_qualifiers true # preserve_qualifiers_on_hash can be used as a setting outside <parse> if render_as_xml is false
162
+ # </parse>
162
163
  # <subscribe>
163
164
  # channles application, system
164
165
  # read_existing_events false # read_existing_events should be applied each of subscribe directive(s)
@@ -181,7 +182,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
181
182
 
182
183
  |name | description |
183
184
  |:----- |:----- |
184
- |`channels` | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
185
+ |`channels` | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'} and other evtx, which is the brand new Windows XML Event Log (EVTX) format since Windows Vista, formatted channels. Theoritically, `in_windows_ventlog2` may read all of channels except for debug and analytical typed channels. If you want to read 'setup' or 'security' logs or some privileged channels, you must launch fluentd with administrator privileges.|
185
186
  |`keys` | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
186
187
  |`read_interval` | (option) Read interval in seconds. 2 seconds as default.|
187
188
  |`from_encoding` | (option) Input character encoding. `nil` as default.|
@@ -196,6 +197,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
196
197
  |`read_all_channels`| (option) Read from all channels. Default is `false`|
197
198
  |`description_locale`| (option) Specify description locale. Default is `nil`. See also: [Supported locales](https://github.com/fluent-plugins-nursery/winevt_c#multilingual-description) |
198
199
  |`refresh_subscription_interval`|(option) It specifies refresh interval for channel subscriptions. Default is `nil`.|
200
+ |`event_query`|(option) It specifies query for deny/allow/filter events with XPath 1.0 or structured XML query. Default is `"*"` (retrieving all events).|
199
201
  |`<subscribe>` | Setting for subscribe channels. |
200
202
 
201
203
  ##### subscribe section
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-windows-eventlog"
7
- spec.version = "0.8.0"
7
+ spec.version = "0.8.1"
8
8
  spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
9
9
  spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
10
10
  spec.summary = %q{Fluentd Input plugin to read windows event log.}
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
19
19
 
20
20
  spec.add_development_dependency "bundler"
21
21
  spec.add_development_dependency "rake"
22
- spec.add_development_dependency "test-unit", "~> 3.2.0"
22
+ spec.add_development_dependency "test-unit", "~> 3.4.0"
23
23
  spec.add_development_dependency "nokogiri", [">= 1.10", "< 1.12"]
24
24
  spec.add_development_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
25
25
  spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
@@ -46,6 +46,7 @@ module Fluent::Plugin
46
46
  config_param :read_all_channels, :bool, default: false
47
47
  config_param :description_locale, :string, default: nil
48
48
  config_param :refresh_subscription_interval, :time, default: nil
49
+ config_param :event_query, :string, default: "*"
49
50
 
50
51
  config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
51
52
  config_param :channels, :array
@@ -230,7 +231,7 @@ module Fluent::Plugin
230
231
  subscribe = Winevt::EventLog::Subscribe.new
231
232
  subscribe.read_existing_events = read_existing_events
232
233
  begin
233
- subscribe.subscribe(ch, "*", bookmark, remote_session)
234
+ subscribe.subscribe(ch, event_query, bookmark, remote_session)
234
235
  if !@render_as_xml && @preserve_qualifiers_on_hash
235
236
  subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
236
237
  end
@@ -245,6 +246,7 @@ module Fluent::Plugin
245
246
 
246
247
  def subscribe_channels(subscriptions)
247
248
  subscriptions.each do |ch, subscribe|
249
+ log.trace "Subscribing Windows EventLog at #{ch} channel"
248
250
  @timers[ch] = timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
249
251
  on_notify(ch, subscribe)
250
252
  end
@@ -310,6 +312,7 @@ module Fluent::Plugin
310
312
  end
311
313
  router.emit_stream(@tag, es)
312
314
  @bookmarks_storage.put(ch, subscribe.bookmark)
315
+ log.trace "Collecting Windows EventLog from #{ch} channel. Collected size: #{es.size}"
313
316
  rescue Winevt::EventLog::Query::Error => e
314
317
  log.warn "Invalid XML data on #{ch}.", error: e
315
318
  log.warn_backtrace
@@ -340,6 +343,7 @@ module Fluent::Plugin
340
343
  end
341
344
  router.emit_stream(@tag, es)
342
345
  @bookmarks_storage.put(ch, subscribe.bookmark)
346
+ log.trace "Collecting Windows EventLog from #{ch} channel. Collected size: #{es.size}"
343
347
  rescue Winevt::EventLog::Query::Error => e
344
348
  log.warn "Invalid Hash data on #{ch}.", error: e
345
349
  log.warn_backtrace
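Review bot: The new `event_query` string declared at `config_param :event_query, :string, default: "*"` is passed unchecked into `subscribe.subscribe(ch, event_query, bookmark, remote_session)` for every channel, so an empty or malformed XPath/structured-XML query is only discovered when the first subscription is created, and the `begin` around that call runs past the hunk, so I cannot see whether that failure is rescued or aborts startup. I would reject it in `configure` with `raise Fluent::ConfigError, "event_query must not be empty" if @event_query.strip.empty?` and document the parameter with `# XPath 1.0 or structured XML query applied to every subscribed channel; "*" (the default) selects all events`. Because the one query is reused for each `ch`, including channels picked up by `read_all_channels`, a filter written against one channel's EventIDs can unintentionally drop events from the others, which is worth stating in that comment for anyone filtering the Security channel. The bodies of `subscribe_channels` and the two `on_notify` variants shown here start and end outside the hunks.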
@@ -302,6 +302,33 @@ DESC
302
302
  assert_equal("fluent-plugins", record["ProviderName"])
303
303
  end
304
304
 
305
+ CONFIG_WITH_QUERY = config_element("ROOT", "", {"tag" => "fluent.eventlog",
306
+ "event_query" => "Event/System[EventID=65500]"}, [
307
+ config_element("storage", "", {
308
+ '@type' => 'local',
309
+ 'persistent' => false
310
+ })
311
+ ])
312
+ def test_write_with_event_query
313
+ d = create_driver(CONFIG_WITH_QUERY)
314
+
315
+ service = Fluent::Plugin::EventService.new
316
+
317
+ d.run(expect_emits: 1) do
318
+ service.run
319
+ end
320
+
321
+ assert(d.events.length >= 1)
322
+ event = d.events.last
323
+ record = event.last
324
+
325
+ assert_equal("Application", record["Channel"])
326
+ assert_equal("65500", record["EventID"])
327
+ assert_equal("4", record["Level"])
328
+ assert_equal("fluent-plugins", record["ProviderName"])
329
+ end
330
+
331
+
305
332
  CONFIG_KEYS = config_element("ROOT", "", {
306
333
  "tag" => "fluent.eventlog",
307
334
  "keys" => ["EventID", "Level", "Channel", "ProviderName"]
@@ -468,8 +495,9 @@ DESC
468
495
  service.run
469
496
  end
470
497
 
471
- assert(d2.events.length == 1) # should be tailing after previous context.
472
- event2 = d2.events.last
498
+ events = d2.events.select {|e| e.last["EventID"] == "65500" }
499
+ assert(events.length == 1) # should be tailing after previous context.
500
+ event2 = events.last
473
501
  record2 = event2.last
474
502
 
475
503
  curr_id = record2["EventRecordID"].to_i
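Review bot: `test_write_with_event_query` never demonstrates that the query filters anything: it asserts only that `d.events.last` has EventID 65500, which would also pass with the default `"*"` when the service emits just that event. Assert over the whole stream instead, `assert(d.events.all? { |e| e.last["EventID"] == "65500" })`, and ideally have `EventService` also write an event with a different ID so the exclusion is observable. In the second hunk, selecting `events` by EventID before the length check relaxes the original `d2.events.length == 1` assertion; if that is deliberate because other events now reach the stream, a one-line comment saying so would help the next reader. The test method in that second hunk begins outside the hunk.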
metadata CHANGED
@@ -1,16 +1,16 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-windows-eventlog
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.8.0
4
+ version: 0.8.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - okahashi117
8
8
  - Hiroshi Hatake
9
9
  - Masahiro Nakagawa
10
- autorequire:
10
+ autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2020-09-16 00:00:00.000000000 Z
13
+ date: 2021-09-16 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: bundler
@@ -46,14 +46,14 @@ dependencies:
46
46
  requirements:
47
47
  - - "~>"
48
48
  - !ruby/object:Gem::Version
49
- version: 3.2.0
49
+ version: 3.4.0
50
50
  type: :development
51
51
  prerelease: false
52
52
  version_requirements: !ruby/object:Gem::Requirement
53
53
  requirements:
54
54
  - - "~>"
55
55
  - !ruby/object:Gem::Version
56
- version: 3.2.0
56
+ version: 3.4.0
57
57
  - !ruby/object:Gem::Dependency
58
58
  name: nokogiri
59
59
  requirement: !ruby/object:Gem::Requirement
@@ -145,6 +145,7 @@ executables: []
145
145
  extensions: []
146
146
  extra_rdoc_files: []
147
147
  files:
148
+ - ".github/workflows/unit-test.yml"
148
149
  - ".gitignore"
149
150
  - CHANGELOG.md
150
151
  - Gemfile
@@ -166,7 +167,7 @@ homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
166
167
  licenses:
167
168
  - Apache-2.0
168
169
  metadata: {}
169
- post_install_message:
170
+ post_install_message:
170
171
  rdoc_options: []
171
172
  require_paths:
172
173
  - lib
@@ -181,9 +182,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
181
182
  - !ruby/object:Gem::Version
182
183
  version: '0'
183
184
  requirements: []
184
- rubyforge_project:
185
- rubygems_version: 2.7.6.2
186
- signing_key:
185
+ rubygems_version: 3.1.4
186
+ signing_key:
187
187
  specification_version: 4
188
188
  summary: Fluentd Input plugin to read windows event log.
189
189
  test_files: