fluent-plugin-windows-eventlog 0.4.2 → 0.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06511272a8c96f22e69b50f60d2a6c5b7ac377c0c446d48fc842cc4e2b272b7b
-  data.tar.gz: 78635a96981173d47b640f887b62e4ba7d0d773b1eaf39bfb0c59be488073364
+  metadata.gz: 300dbf6a1600969a0b6a5401dad54494bea12c9a32435b995f26b391926b460a
+  data.tar.gz: 69a35513989955c04f7aea4f3a44b6ca203783f968b6469c264b44487204e34c
 SHA512:
-  metadata.gz: ccabe68cf1bd5188e12f3eaa46670488b6eb458aca556d15d09022489722bf5be9ca6cace64b93abbb2d4aeecb5a4a8210a2e9787de96a201d6a24bdca201f1a
-  data.tar.gz: 290a21af0606ef47c61e3f9c63f45b25b0f1d90dcf2268a950c3f460e02faa59e72b4a0e6bdc3452bae10121c550b53d4b410610c587042498837075e081977e
+  metadata.gz: 89bdf9b1e43f88a8784968f88ab29956eec7036381078d95453e91fee2c754f2796de7a06c0a229c77f632ec6a95f6bd49409f1974f69f2a10cb6b5975125648
+  data.tar.gz: 8454063733dc798315f054819c444d9bf6e739ccb0150e07284f9e8c1c3c962b218d471fee85e924b9d92f3442d2c70d14bba5acdbbc3eb86667b4f609ebf6bf

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# Release v0.4.3 - 2019/10/31
+* in_windows_eventlog2: Handle privileges record on #parse_desc
+* in_windows_eventlog2: Raise error when handling invalid bookmark xml
+
 # Release v0.4.2 - 2019/10/16
 * in_windows_eventlog2: Handle invalid data error from `Winevt::EventLog::Query::Error`
 

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.4.2"
+  spec.version       = "0.4.3"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "test-unit", "~> 3.2.0"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c", ">= 0.6.0"
+  spec.add_runtime_dependency "winevt_c", ">= 0.6.1"
   spec.add_runtime_dependency "nokogiri", "~> 1.10"
   spec.add_runtime_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
 end

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -89,9 +89,17 @@ module Fluent::Plugin
       @chs.each do |ch|
         bookmarkXml = @bookmarks_storage.get(ch) || ""
         subscribe = Winevt::EventLog::Subscribe.new
-        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+        bookmark = unless bookmarkXml.empty?
+                     Winevt::EventLog::Bookmark.new(bookmarkXml)
+                   else
+                     nil
+                   end
         subscribe.tail = @tailing
-        subscribe.subscribe(ch, "*", bookmark)
+        begin
+          subscribe.subscribe(ch, "*", bookmark)
+        rescue Winevt::EventLog::Query::Error => e
+          raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
+        end
         subscribe.render_as_xml = @render_as_xml
         subscribe.rate_limit = @rate_limit
         timer_execute("in_windows_eventlog_#{escape_channel(ch)}".to_sym, @read_interval) do
@@ -192,6 +200,7 @@ module Fluent::Plugin
 
       elems = desc.split(GROUP_DELIMITER)
       record['DescriptionTitle'] = elems.shift
+      previous_key = nil
       elems.each { |elem|
         parent_key = nil
         elem.split(RECORD_DELIMITER).each { |r|
@@ -206,13 +215,19 @@ module Fluent::Plugin
           else
             # parsed value sometimes contain unexpected "\t". So remove it.
             value.strip!
-            if parent_key.nil?
+            # merge empty key values into the previous non-empty key record.
+            if key.empty?
+              record[previous_key] = [record[previous_key], value].flatten
+            elsif parent_key.nil?
               record[to_key(key)] = value
             else
               k = "#{parent_key}.#{to_key(key)}"
               record[k] = value
             end
           end
+          # XXX: This is for empty privileges record key.
+          # We should investigate whether an another case exists or not.
+          previous_key = to_key(key) unless key.empty?
         }
       }
     end

data/test/plugin/test_in_windows_eventlog2.rb

@@ -48,6 +48,38 @@ DESC
     assert_equal(expected, h)
   end
 
+  def test_parse_privileges_description
+    d = create_driver
+    desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
+            "AccountName:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E7\r\n\r\n",
+            "Privileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\t",
+            "SeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\t",
+            "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\t",
+            "SeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\t",
+            "SeDelegateSessionUserImpersonatePrivilege"].join("")
+
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"       => "Special privileges assigned to new logon.",
+                "subject.security_id"    => "S-X-Y-ZZ",
+                "subject.accountname"    => "SYSTEM",
+                "subject.account_domain" => "NT AUTHORITY",
+                "subject.logon_id"       => "0x3E7",
+                "privileges"             => ["SeAssignPrimaryTokenPrivilege",
+                                             "SeTcbPrivilege",
+                                             "SeSecurityPrivilege",
+                                             "SeTakeOwnershipPrivilege",
+                                             "SeLoadDriverPrivilege",
+                                             "SeBackupPrivilege",
+                                             "SeRestorePrivilege",
+                                             "SeDebugPrivilege",
+                                             "SeAuditPrivilege",
+                                             "SeSystemEnvironmentPrivilege",
+                                             "SeImpersonatePrivilege",
+                                             "SeDelegateSessionUserImpersonatePrivilege"]}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
   def test_write
     d = create_driver
 
@@ -180,6 +212,21 @@ DESC
 
       assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
     end
+
+    def test_start_with_invalid_bookmark
+      invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n  <Bookmark Channel='Application' RecordId='20063' IsCurrent='true'/>\r\n
+EOS
+      d = create_driver(CONFIG2)
+      storage = d.instance.instance_variable_get(:@bookmarks_storage)
+      storage.put('application', invalid_storage_contents)
+      assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+
+      d2 = create_driver(CONFIG2)
+      assert_raise(Fluent::ConfigError) do
+        d2.instance.start
+      end
+    end
   end
 
   def test_write_with_none_parser

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.4.3
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-16 00:00:00.000000000 Z
+date: 2019-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,14 +94,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement