fluent-plugin-windows-eventlog 0.8.0 → 0.8.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (19) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/unit-test.yml +36 -0
  3. data/.gitignore +14 -14
  4. data/CHANGELOG.md +77 -70
  5. data/Gemfile +4 -4
  6. data/LICENSE.txt +203 -203
  7. data/README.md +387 -385
  8. data/Rakefile +10 -10
  9. data/appveyor.yml +24 -24
  10. data/fluent-plugin-winevtlog.gemspec +28 -28
  11. data/lib/fluent/plugin/bookmark_sax_parser.rb +30 -30
  12. data/lib/fluent/plugin/in_windows_eventlog.rb +241 -241
  13. data/lib/fluent/plugin/in_windows_eventlog2.rb +410 -402
  14. data/test/generate-windows-event.rb +47 -47
  15. data/test/helper.rb +34 -34
  16. data/test/plugin/test_bookmark_sax_parser.rb +41 -41
  17. data/test/plugin/test_in_windows_eventlog2.rb +619 -572
  18. data/test/plugin/test_in_winevtlog.rb +48 -48
  19. metadata +8 -8
data/lib/fluent/plugin/in_windows_eventlog2.rb CHANGED
@@ -1,402 +1,410 @@
1
- require 'winevt'
2
- require 'fluent/plugin/input'
3
- require 'fluent/plugin'
4
- require_relative 'bookmark_sax_parser'
5
-
6
- module Fluent::Plugin
7
- class WindowsEventLog2Input < Input
8
- Fluent::Plugin.register_input('windows_eventlog2', self)
9
-
10
- class ReconnectError < Fluent::UnrecoverableError; end
11
-
12
- helpers :timer, :storage, :parser
13
-
14
- DEFAULT_STORAGE_TYPE = 'local'
15
- KEY_MAP = {"ProviderName" => ["ProviderName", :string],
16
- "ProviderGUID" => ["ProviderGUID", :string],
17
- "EventID" => ["EventID", :string],
18
- "Qualifiers" => ["Qualifiers", :string],
19
- "Level" => ["Level", :string],
20
- "Task" => ["Task", :string],
21
- "Opcode" => ["Opcode", :string],
22
- "Keywords" => ["Keywords", :string],
23
- "TimeCreated" => ["TimeCreated", :string],
24
- "EventRecordID" => ["EventRecordID", :string],
25
- "ActivityID" => ["ActivityID", :string],
26
- "RelatedActivityID" => ["RelatedActivityID", :string],
27
- "ProcessID" => ["ProcessID", :string],
28
- "ThreadID" => ["ThreadID", :string],
29
- "Channel" => ["Channel", :string],
30
- "Computer" => ["Computer", :string],
31
- "UserID" => ["UserID", :string],
32
- "Version" => ["Version", :string],
33
- "Description" => ["Description", :string],
34
- "EventData" => ["EventData", :array]}
35
-
36
- config_param :tag, :string
37
- config_param :read_interval, :time, default: 2
38
- config_param :channels, :array, default: []
39
- config_param :keys, :array, default: []
40
- config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
41
- config_param :read_existing_events, :bool, default: false
42
- config_param :parse_description, :bool, default: false
43
- config_param :render_as_xml, :bool, default: false
44
- config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
45
- config_param :preserve_qualifiers_on_hash, :bool, default: false
46
- config_param :read_all_channels, :bool, default: false
47
- config_param :description_locale, :string, default: nil
48
- config_param :refresh_subscription_interval, :time, default: nil
49
-
50
- config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
51
- config_param :channels, :array
52
- config_param :read_existing_events, :bool, default: false
53
- config_param :remote_server, :string, default: nil
54
- config_param :remote_domain, :string, default: nil
55
- config_param :remote_username, :string, default: nil
56
- config_param :remote_password, :string, default: nil, secret: true
57
- end
58
-
59
- config_section :storage do
60
- config_set_default :usage, "bookmarks"
61
- config_set_default :@type, DEFAULT_STORAGE_TYPE
62
- config_set_default :persistent, true
63
- end
64
-
65
- config_section :parse do
66
- config_set_default :@type, 'winevt_xml'
67
- config_set_default :estimate_current_event, false
68
- end
69
-
70
- def initalize
71
- super
72
- @chs = []
73
- @keynames = []
74
- end
75
-
76
- def configure(conf)
77
- super
78
- @session = nil
79
- @chs = []
80
- @subscriptions = {}
81
- @all_chs = Winevt::EventLog::Channel.new
82
- @all_chs.force_enumerate = false
83
- @timers = {}
84
-
85
- if @read_all_channels
86
- @all_chs.each do |ch|
87
- uch = ch.strip.downcase
88
- @chs.push([uch, @read_existing_events])
89
- end
90
- end
91
-
92
- @read_existing_events = @read_from_head || @read_existing_events
93
- if @channels.empty? && @subscribe_configs.empty? && !@read_all_channels
94
- @chs.push(['application', @read_existing_events, nil])
95
- else
96
- @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
97
- @chs.push([uch, @read_existing_events, nil])
98
- end
99
- @subscribe_configs.each do |subscribe|
100
- if subscribe.remote_server
101
- @session = Winevt::EventLog::Session.new(subscribe.remote_server,
102
- subscribe.remote_domain,
103
- subscribe.remote_username,
104
- subscribe.remote_password)
105
-
106
- log.debug("connect to remote box (server: #{subscribe.remote_server}) domain: #{subscribe.remote_domain} username: #{subscribe.remote_username})")
107
- end
108
- subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
109
- @chs.push([uch, subscribe.read_existing_events, @session])
110
- end
111
- end
112
- end
113
- @chs.uniq!
114
- @keynames = @keys.map {|k| k.strip }.uniq
115
- if @keynames.empty?
116
- @keynames = KEY_MAP.keys
117
- end
118
-
119
- @tag = tag
120
- @bookmarks_storage = storage_create(usage: "bookmarks")
121
- @winevt_xml = false
122
- @parser = nil
123
- if @render_as_xml
124
- @parser = parser_create
125
- @winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
126
- class << self
127
- alias_method :on_notify, :on_notify_xml
128
- end
129
- else
130
- class << self
131
- alias_method :on_notify, :on_notify_hash
132
- end
133
- end
134
-
135
- if @render_as_xml && @preserve_qualifiers_on_hash
136
- raise Fluent::ConfigError, "preserve_qualifiers_on_hash must be used with Hash object rendering(render_as_xml as false)."
137
- end
138
- if !@render_as_xml && !@preserve_qualifiers_on_hash
139
- @keynames.delete('Qualifiers')
140
- elsif @parser.respond_to?(:preserve_qualifiers?) && !@parser.preserve_qualifiers?
141
- @keynames.delete('Qualifiers')
142
- end
143
- @keynames.delete('EventData') if @parse_description
144
-
145
- locale = Winevt::EventLog::Locale.new
146
- if @description_locale && unsupported_locale?(locale, @description_locale)
147
- raise Fluent::ConfigError, "'#{@description_locale}' is not supported. Supported locales are: #{locale.each.map{|code, _desc| code}.join(" ")}"
148
- end
149
- end
150
-
151
- def unsupported_locale?(locale, description_locale)
152
- locale.each.select {|c, _d| c.downcase == description_locale.downcase}.empty?
153
- end
154
-
155
- def start
156
- super
157
-
158
- refresh_subscriptions
159
- if @refresh_subscription_interval
160
- timer_execute(:in_windows_eventlog_refresh_subscription_timer, @refresh_subscription_interval, &method(:refresh_subscriptions))
161
- end
162
- end
163
-
164
- def shutdown
165
- super
166
-
167
- @subscriptions.keys.each do |ch|
168
- subscription = @subscriptions.delete(ch)
169
- if subscription
170
- subscription.cancel
171
- log.debug "channel (#{ch}) subscription is canceled."
172
- end
173
- end
174
- end
175
-
176
- def retry_on_error(channel, times: 15)
177
- try = 0
178
- begin
179
- log.debug "Retry to subscribe for #{channel}...." if try > 1
180
- try += 1
181
- yield
182
- log.info "Retry to subscribe for #{channel} succeeded." if try > 1
183
- try = 0
184
- rescue Winevt::EventLog::Subscribe::RemoteHandlerError => e
185
- raise ReconnectError, "Retrying limit is exceeded." if try > times
186
- log.warn "#{e.message}. Remaining retry count(s): #{times - try}"
187
- sleep 2**try
188
- retry
189
- end
190
- end
191
-
192
- def refresh_subscriptions
193
- clear_subscritpions
194
-
195
- @chs.each do |ch, read_existing_events, session|
196
- retry_on_error(ch) do
197
- ch, subscribe = subscription(ch, read_existing_events, session)
198
- @subscriptions[ch] = subscribe
199
- end
200
- end
201
- subscribe_channels(@subscriptions)
202
- end
203
-
204
- def clear_subscritpions
205
- @subscriptions.keys.each do |ch|
206
- subscription = @subscriptions.delete(ch)
207
- if subscription
208
- if subscription.cancel
209
- log.debug "channel (#{ch}) subscription is cancelled."
210
- subscription.close
211
- log.debug "channel (#{ch}) subscription handles are closed forcibly."
212
- end
213
- end
214
- end
215
- @timers.keys.each do |ch|
216
- timer = @timers.delete(ch)
217
- if timer
218
- event_loop_detach(timer)
219
- log.debug "channel (#{ch}) subscription watcher is detached."
220
- end
221
- end
222
- end
223
-
224
- def subscription(ch, read_existing_events, remote_session)
225
- bookmarkXml = @bookmarks_storage.get(ch) || ""
226
- bookmark = nil
227
- if bookmark_validator(bookmarkXml, ch)
228
- bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
229
- end
230
- subscribe = Winevt::EventLog::Subscribe.new
231
- subscribe.read_existing_events = read_existing_events
232
- begin
233
- subscribe.subscribe(ch, "*", bookmark, remote_session)
234
- if !@render_as_xml && @preserve_qualifiers_on_hash
235
- subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
236
- end
237
- rescue Winevt::EventLog::Query::Error => e
238
- raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
239
- end
240
- subscribe.render_as_xml = @render_as_xml
241
- subscribe.rate_limit = @rate_limit
242
- subscribe.locale = @description_locale if @description_locale
243
- [ch, subscribe]
244
- end
245
-
246
- def subscribe_channels(subscriptions)
247
- subscriptions.each do |ch, subscribe|
248
- @timers[ch] = timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
249
- on_notify(ch, subscribe)
250
- end
251
- log.debug "channel (#{ch}) subscription is subscribed."
252
- end
253
- end
254
-
255
- def bookmark_validator(bookmarkXml, channel)
256
- return false if bookmarkXml.empty?
257
-
258
- evtxml = WinevtBookmarkDocument.new
259
- parser = Nokogiri::XML::SAX::Parser.new(evtxml)
260
- parser.parse(bookmarkXml)
261
- result = evtxml.result
262
- if !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
263
- true
264
- else
265
- log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{channel}"
266
- false
267
- end
268
- end
269
-
270
- def escape_channel(ch)
271
- ch.gsub(/[^a-zA-Z0-9\s]/, '_')
272
- end
273
-
274
- def on_notify(ch, subscribe)
275
- # for safety.
276
- end
277
-
278
- def on_notify_xml(ch, subscribe)
279
- es = Fluent::MultiEventStream.new
280
- begin
281
- subscribe.each do |xml, message, string_inserts|
282
- @parser.parse(xml) do |time, record|
283
- # record.has_key?("EventData") for none parser checking.
284
- if @winevt_xml
285
- record["Description"] = message
286
- record["EventData"] = string_inserts
287
-
288
- h = {}
289
- @keynames.each do |k|
290
- type = KEY_MAP[k][1]
291
- value = record[KEY_MAP[k][0]]
292
- h[k]=case type
293
- when :string
294
- value.to_s
295
- when :array
296
- value.map {|v| v.to_s}
297
- else
298
- raise "Unknown value type: #{type}"
299
- end
300
- end
301
- parse_desc(h) if @parse_description
302
- es.add(Fluent::Engine.now, h)
303
- else
304
- record["Description"] = message
305
- record["EventData"] = string_inserts
306
- # for none parser
307
- es.add(Fluent::Engine.now, record)
308
- end
309
- end
310
- end
311
- router.emit_stream(@tag, es)
312
- @bookmarks_storage.put(ch, subscribe.bookmark)
313
- rescue Winevt::EventLog::Query::Error => e
314
- log.warn "Invalid XML data on #{ch}.", error: e
315
- log.warn_backtrace
316
- end
317
- end
318
-
319
- def on_notify_hash(ch, subscribe)
320
- es = Fluent::MultiEventStream.new
321
- begin
322
- subscribe.each do |record, message, string_inserts|
323
- record["Description"] = message
324
- record["EventData"] = string_inserts
325
- h = {}
326
- @keynames.each do |k|
327
- type = KEY_MAP[k][1]
328
- value = record[KEY_MAP[k][0]]
329
- h[k]=case type
330
- when :string
331
- value.to_s
332
- when :array
333
- value.map {|v| v.to_s}
334
- else
335
- raise "Unknown value type: #{type}"
336
- end
337
- end
338
- parse_desc(h) if @parse_description
339
- es.add(Fluent::Engine.now, h)
340
- end
341
- router.emit_stream(@tag, es)
342
- @bookmarks_storage.put(ch, subscribe.bookmark)
343
- rescue Winevt::EventLog::Query::Error => e
344
- log.warn "Invalid Hash data on #{ch}.", error: e
345
- log.warn_backtrace
346
- end
347
- end
348
-
349
- #### These lines copied from in_windows_eventlog plugin:
350
- #### https://github.com/fluent/fluent-plugin-windows-eventlog/blob/528290d896a885c7721f850943daa3a43a015f3d/lib/fluent/plugin/in_windows_eventlog.rb#L192-L232
351
- GROUP_DELIMITER = "\r\n\r\n".freeze
352
- RECORD_DELIMITER = "\r\n\t".freeze
353
- FIELD_DELIMITER = "\t\t".freeze
354
- NONE_FIELD_DELIMITER = "\t".freeze
355
-
356
- def parse_desc(record)
357
- desc = record.delete("Description".freeze)
358
- return if desc.nil?
359
-
360
- elems = desc.split(GROUP_DELIMITER)
361
- record['DescriptionTitle'] = elems.shift
362
- previous_key = nil
363
- elems.each { |elem|
364
- parent_key = nil
365
- elem.split(RECORD_DELIMITER).each { |r|
366
- key, value = if r.index(FIELD_DELIMITER)
367
- r.split(FIELD_DELIMITER)
368
- else
369
- r.split(NONE_FIELD_DELIMITER)
370
- end
371
- key = "" if key.nil?
372
- key.chop! # remove ':' from key
373
- if value.nil?
374
- parent_key = to_key(key)
375
- else
376
- # parsed value sometimes contain unexpected "\t". So remove it.
377
- value.strip!
378
- # merge empty key values into the previous non-empty key record.
379
- if key.empty?
380
- record[previous_key] = [record[previous_key], value].flatten.reject {|e| e.nil?}
381
- elsif parent_key.nil?
382
- record[to_key(key)] = value
383
- else
384
- k = "#{parent_key}.#{to_key(key)}"
385
- record[k] = value
386
- end
387
- end
388
- # XXX: This is for empty privileges record key.
389
- # We should investigate whether an another case exists or not.
390
- previous_key = to_key(key) unless key.empty?
391
- }
392
- }
393
- end
394
-
395
- def to_key(key)
396
- key.downcase!
397
- key.gsub!(' '.freeze, '_'.freeze)
398
- key
399
- end
400
- ####
401
- end
402
- end
1
+ require 'winevt'
2
+ require 'fluent/plugin/input'
3
+ require 'fluent/plugin'
4
+ require_relative 'bookmark_sax_parser'
5
+
6
+ module Fluent::Plugin
7
+ class WindowsEventLog2Input < Input
8
+ Fluent::Plugin.register_input('windows_eventlog2', self)
9
+
10
+ class ReconnectError < Fluent::UnrecoverableError; end
11
+
12
+ helpers :timer, :storage, :parser
13
+
14
+ DEFAULT_STORAGE_TYPE = 'local'
15
+ KEY_MAP = {"ProviderName" => ["ProviderName", :string],
16
+ "ProviderGUID" => ["ProviderGUID", :string],
17
+ "EventID" => ["EventID", :string],
18
+ "Qualifiers" => ["Qualifiers", :string],
19
+ "Level" => ["Level", :string],
20
+ "Task" => ["Task", :string],
21
+ "Opcode" => ["Opcode", :string],
22
+ "Keywords" => ["Keywords", :string],
23
+ "TimeCreated" => ["TimeCreated", :string],
24
+ "EventRecordID" => ["EventRecordID", :string],
25
+ "ActivityID" => ["ActivityID", :string],
26
+ "RelatedActivityID" => ["RelatedActivityID", :string],
27
+ "ProcessID" => ["ProcessID", :string],
28
+ "ThreadID" => ["ThreadID", :string],
29
+ "Channel" => ["Channel", :string],
30
+ "Computer" => ["Computer", :string],
31
+ "UserID" => ["UserID", :string],
32
+ "Version" => ["Version", :string],
33
+ "Description" => ["Description", :string],
34
+ "EventData" => ["EventData", :array]}
35
+
36
+ config_param :tag, :string
37
+ config_param :read_interval, :time, default: 2
38
+ config_param :channels, :array, default: []
39
+ config_param :keys, :array, default: []
40
+ config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
41
+ config_param :read_existing_events, :bool, default: false
42
+ config_param :parse_description, :bool, default: false
43
+ config_param :render_as_xml, :bool, default: false
44
+ config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
45
+ config_param :preserve_qualifiers_on_hash, :bool, default: false
46
+ config_param :read_all_channels, :bool, default: false
47
+ config_param :description_locale, :string, default: nil
48
+ config_param :refresh_subscription_interval, :time, default: nil
49
+ config_param :event_query, :string, default: "*"
50
+
51
+ config_section :subscribe, param_name: :subscribe_configs, required: false, multi: true do
52
+ config_param :channels, :array
53
+ config_param :read_existing_events, :bool, default: false
54
+ config_param :remote_server, :string, default: nil
55
+ config_param :remote_domain, :string, default: nil
56
+ config_param :remote_username, :string, default: nil
57
+ config_param :remote_password, :string, default: nil, secret: true
58
+ end
59
+
60
+ config_section :storage do
61
+ config_set_default :usage, "bookmarks"
62
+ config_set_default :@type, DEFAULT_STORAGE_TYPE
63
+ config_set_default :persistent, true
64
+ end
65
+
66
+ config_section :parse do
67
+ config_set_default :@type, 'winevt_xml'
68
+ config_set_default :estimate_current_event, false
69
+ end
70
+
71
+ def initalize
72
+ super
73
+ @chs = []
74
+ @keynames = []
75
+ end
76
+
77
+ def configure(conf)
78
+ super
79
+ @session = nil
80
+ @chs = []
81
+ @subscriptions = {}
82
+ @all_chs = Winevt::EventLog::Channel.new
83
+ @all_chs.force_enumerate = false
84
+ @timers = {}
85
+
86
+ if @read_all_channels
87
+ @all_chs.each do |ch|
88
+ uch = ch.strip.downcase
89
+ @chs.push([uch, @read_existing_events])
90
+ end
91
+ end
92
+
93
+ @read_existing_events = @read_from_head || @read_existing_events
94
+ if @channels.empty? && @subscribe_configs.empty? && !@read_all_channels
95
+ @chs.push(['application', @read_existing_events, nil])
96
+ else
97
+ @channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
98
+ @chs.push([uch, @read_existing_events, nil])
99
+ end
100
+ @subscribe_configs.each do |subscribe|
101
+ if subscribe.remote_server
102
+ @session = Winevt::EventLog::Session.new(subscribe.remote_server,
103
+ subscribe.remote_domain,
104
+ subscribe.remote_username,
105
+ subscribe.remote_password)
106
+
107
+ log.debug("connect to remote box (server: #{subscribe.remote_server}) domain: #{subscribe.remote_domain} username: #{subscribe.remote_username})")
108
+ end
109
+ subscribe.channels.map {|ch| ch.strip.downcase }.uniq.each do |uch|
110
+ @chs.push([uch, subscribe.read_existing_events, @session])
111
+ end
112
+ end
113
+ end
114
+ @chs.uniq!
115
+ @keynames = @keys.map {|k| k.strip }.uniq
116
+ if @keynames.empty?
117
+ @keynames = KEY_MAP.keys
118
+ end
119
+
120
+ @tag = tag
121
+ @bookmarks_storage = storage_create(usage: "bookmarks")
122
+ @winevt_xml = false
123
+ @parser = nil
124
+ if @render_as_xml
125
+ @parser = parser_create
126
+ @winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
127
+ class << self
128
+ alias_method :on_notify, :on_notify_xml
129
+ end
130
+ else
131
+ class << self
132
+ alias_method :on_notify, :on_notify_hash
133
+ end
134
+ end
135
+
136
+ if @render_as_xml && @preserve_qualifiers_on_hash
137
+ raise Fluent::ConfigError, "preserve_qualifiers_on_hash must be used with Hash object rendering(render_as_xml as false)."
138
+ end
139
+ if !@render_as_xml && !@preserve_qualifiers_on_hash
140
+ @keynames.delete('Qualifiers')
141
+ elsif @parser.respond_to?(:preserve_qualifiers?) && !@parser.preserve_qualifiers?
142
+ @keynames.delete('Qualifiers')
143
+ end
144
+ @keynames.delete('EventData') if @parse_description
145
+
146
+ locale = Winevt::EventLog::Locale.new
147
+ if @description_locale && unsupported_locale?(locale, @description_locale)
148
+ raise Fluent::ConfigError, "'#{@description_locale}' is not supported. Supported locales are: #{locale.each.map{|code, _desc| code}.join(" ")}"
149
+ end
150
+ end
151
+
152
+ def unsupported_locale?(locale, description_locale)
153
+ locale.each.select {|c, _d| c.downcase == description_locale.downcase}.empty?
154
+ end
155
+
156
+ def start
157
+ super
158
+
159
+ refresh_subscriptions
160
+ if @refresh_subscription_interval
161
+ timer_execute(:in_windows_eventlog_refresh_subscription_timer, @refresh_subscription_interval, &method(:refresh_subscriptions))
162
+ end
163
+ end
164
+
165
+ def shutdown
166
+ super
167
+
168
+ @subscriptions.keys.each do |ch|
169
+ subscription = @subscriptions.delete(ch)
170
+ if subscription
171
+ subscription.cancel
172
+ log.debug "channel (#{ch}) subscription is canceled."
173
+ end
174
+ end
175
+ end
176
+
177
+ def retry_on_error(channel, times: 15)
178
+ try = 0
179
+ begin
180
+ log.debug "Retry to subscribe for #{channel}...." if try > 1
181
+ try += 1
182
+ yield
183
+ log.info "Retry to subscribe for #{channel} succeeded." if try > 1
184
+ try = 0
185
+ rescue Winevt::EventLog::Subscribe::RemoteHandlerError => e
186
+ raise ReconnectError, "Retrying limit is exceeded." if try > times
187
+ log.warn "#{e.message}. Remaining retry count(s): #{times - try}"
188
+ sleep 2**try
189
+ retry
190
+ end
191
+ end
192
+
193
+ def refresh_subscriptions
194
+ clear_subscritpions
195
+
196
+ @chs.each do |ch, read_existing_events, session|
197
+ retry_on_error(ch) do
198
+ begin
199
+ ch, subscribe = subscription(ch, read_existing_events, session)
200
+ @subscriptions[ch] = subscribe
201
+ rescue Winevt::EventLog::ChannelNotFoundError => e
202
+ log.warn "#{e.message}"
203
+ end
204
+ end
205
+ end
206
+ subscribe_channels(@subscriptions)
207
+ end
208
+
209
+ def clear_subscritpions
210
+ @subscriptions.keys.each do |ch|
211
+ subscription = @subscriptions.delete(ch)
212
+ if subscription
213
+ if subscription.cancel
214
+ log.debug "channel (#{ch}) subscription is cancelled."
215
+ subscription.close
216
+ log.debug "channel (#{ch}) subscription handles are closed forcibly."
217
+ end
218
+ end
219
+ end
220
+ @timers.keys.each do |ch|
221
+ timer = @timers.delete(ch)
222
+ if timer
223
+ event_loop_detach(timer)
224
+ log.debug "channel (#{ch}) subscription watcher is detached."
225
+ end
226
+ end
227
+ end
228
+
229
+ def subscription(ch, read_existing_events, remote_session)
230
+ bookmarkXml = @bookmarks_storage.get(ch) || ""
231
+ bookmark = nil
232
+ if bookmark_validator(bookmarkXml, ch)
233
+ bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
234
+ end
235
+ subscribe = Winevt::EventLog::Subscribe.new
236
+ subscribe.read_existing_events = read_existing_events
237
+ begin
238
+ subscribe.subscribe(ch, event_query, bookmark, remote_session)
239
+ if !@render_as_xml && @preserve_qualifiers_on_hash
240
+ subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
241
+ end
242
+ rescue Winevt::EventLog::Query::Error => e
243
+ raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
244
+ end
245
+ subscribe.render_as_xml = @render_as_xml
246
+ subscribe.rate_limit = @rate_limit
247
+ subscribe.locale = @description_locale if @description_locale
248
+ [ch, subscribe]
249
+ end
250
+
251
+ def subscribe_channels(subscriptions)
252
+ subscriptions.each do |ch, subscribe|
253
+ log.trace "Subscribing Windows EventLog at #{ch} channel"
254
+ @timers[ch] = timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
255
+ on_notify(ch, subscribe)
256
+ end
257
+ log.debug "channel (#{ch}) subscription is subscribed."
258
+ end
259
+ end
260
+
261
+ def bookmark_validator(bookmarkXml, channel)
262
+ return false if bookmarkXml.empty?
263
+
264
+ evtxml = WinevtBookmarkDocument.new
265
+ parser = Nokogiri::XML::SAX::Parser.new(evtxml)
266
+ parser.parse(bookmarkXml)
267
+ result = evtxml.result
268
+ if !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
269
+ true
270
+ else
271
+ log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{channel}"
272
+ false
273
+ end
274
+ end
275
+
276
+ def escape_channel(ch)
277
+ ch.gsub(/[^a-zA-Z0-9\s]/, '_')
278
+ end
279
+
280
+ def on_notify(ch, subscribe)
281
+ # for safety.
282
+ end
283
+
284
+ def on_notify_xml(ch, subscribe)
285
+ es = Fluent::MultiEventStream.new
286
+ begin
287
+ subscribe.each do |xml, message, string_inserts|
288
+ @parser.parse(xml) do |time, record|
289
+ # record.has_key?("EventData") for none parser checking.
290
+ if @winevt_xml
291
+ record["Description"] = message
292
+ record["EventData"] = string_inserts
293
+
294
+ h = {}
295
+ @keynames.each do |k|
296
+ type = KEY_MAP[k][1]
297
+ value = record[KEY_MAP[k][0]]
298
+ h[k]=case type
299
+ when :string
300
+ value.to_s
301
+ when :array
302
+ value.map {|v| v.to_s}
303
+ else
304
+ raise "Unknown value type: #{type}"
305
+ end
306
+ end
307
+ parse_desc(h) if @parse_description
308
+ es.add(Fluent::Engine.now, h)
309
+ else
310
+ record["Description"] = message
311
+ record["EventData"] = string_inserts
312
+ # for none parser
313
+ es.add(Fluent::Engine.now, record)
314
+ end
315
+ end
316
+ end
317
+ router.emit_stream(@tag, es)
318
+ @bookmarks_storage.put(ch, subscribe.bookmark)
319
+ log.trace "Collecting Windows EventLog from #{ch} channel. Collected size: #{es.size}"
320
+ rescue Winevt::EventLog::Query::Error => e
321
+ log.warn "Invalid XML data on #{ch}.", error: e
322
+ log.warn_backtrace
323
+ end
324
+ end
325
+
326
+ def on_notify_hash(ch, subscribe)
327
+ es = Fluent::MultiEventStream.new
328
+ begin
329
+ subscribe.each do |record, message, string_inserts|
330
+ record["Description"] = message
331
+ record["EventData"] = string_inserts
332
+ h = {}
333
+ @keynames.each do |k|
334
+ type = KEY_MAP[k][1]
335
+ value = record[KEY_MAP[k][0]]
336
+ h[k]=case type
337
+ when :string
338
+ value.to_s
339
+ when :array
340
+ value.map {|v| v.to_s}
341
+ else
342
+ raise "Unknown value type: #{type}"
343
+ end
344
+ end
345
+ parse_desc(h) if @parse_description
346
+ es.add(Fluent::Engine.now, h)
347
+ end
348
+ router.emit_stream(@tag, es)
349
+ @bookmarks_storage.put(ch, subscribe.bookmark)
350
+ log.trace "Collecting Windows EventLog from #{ch} channel. Collected size: #{es.size}"
351
+ rescue Winevt::EventLog::Query::Error => e
352
+ log.warn "Invalid Hash data on #{ch}.", error: e
353
+ log.warn_backtrace
354
+ end
355
+ end
356
+
357
+ #### These lines copied from in_windows_eventlog plugin:
358
+ #### https://github.com/fluent/fluent-plugin-windows-eventlog/blob/528290d896a885c7721f850943daa3a43a015f3d/lib/fluent/plugin/in_windows_eventlog.rb#L192-L232
359
+ GROUP_DELIMITER = "\r\n\r\n".freeze
360
+ RECORD_DELIMITER = "\r\n\t".freeze
361
+ FIELD_DELIMITER = "\t\t".freeze
362
+ NONE_FIELD_DELIMITER = "\t".freeze
363
+
364
+ def parse_desc(record)
365
+ desc = record.delete("Description".freeze)
366
+ return if desc.nil?
367
+
368
+ elems = desc.split(GROUP_DELIMITER)
369
+ record['DescriptionTitle'] = elems.shift
370
+ previous_key = nil
371
+ elems.each { |elem|
372
+ parent_key = nil
373
+ elem.split(RECORD_DELIMITER).each { |r|
374
+ key, value = if r.index(FIELD_DELIMITER)
375
+ r.split(FIELD_DELIMITER)
376
+ else
377
+ r.split(NONE_FIELD_DELIMITER)
378
+ end
379
+ key = "" if key.nil?
380
+ key.chop! # remove ':' from key
381
+ if value.nil?
382
+ parent_key = to_key(key)
383
+ else
384
+ # parsed value sometimes contain unexpected "\t". So remove it.
385
+ value.strip!
386
+ # merge empty key values into the previous non-empty key record.
387
+ if key.empty?
388
+ record[previous_key] = [record[previous_key], value].flatten.reject {|e| e.nil?}
389
+ elsif parent_key.nil?
390
+ record[to_key(key)] = value
391
+ else
392
+ k = "#{parent_key}.#{to_key(key)}"
393
+ record[k] = value
394
+ end
395
+ end
396
+ # XXX: This is for empty privileges record key.
397
+ # We should investigate whether an another case exists or not.
398
+ previous_key = to_key(key) unless key.empty?
399
+ }
400
+ }
401
+ end
402
+
403
+ def to_key(key)
404
+ key.downcase!
405
+ key.gsub!(' '.freeze, '_'.freeze)
406
+ key
407
+ end
408
+ ####
409
+ end
410
+ end