fluent-plugin-windows-eventlog 0.5.0 → 0.5.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/fluent-plugin-winevtlog.gemspec +1 -1
- data/lib/fluent/plugin/bookmark_sax_parser.rb +30 -0
- data/lib/fluent/plugin/in_windows_eventlog2.rb +20 -5
- data/test/helper.rb +1 -0
- data/test/plugin/test_bookmark_sax_parser.rb +41 -0
- data/test/plugin/test_in_windows_eventlog2.rb +16 -0
- metadata +5 -2
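--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2946ba1ffbe8219ffc2a06da14574510f677bc9de02fbb47744b7a38cae77671
+data.tar.gz: 9655f498e66267796daf2f0fc0cc3c4262b426e5b86a1a52546223ce7d1446fc
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b3ae256e9f3bacc2c25b98224bf73872a0edea8de4ede5b56c3d0a966827fba7d10dc5ff99640ee1e8271a31560f82fa4f95f18a1eb63ffd63a2c98b5795d95c
+data.tar.gz: 300b90957142a1bb66cf19b12cbdcc63c61eb1ef7f32a6408d9661d4d86fd6851ebb32ea3d35075bf6e5c0862ef00620fba7329d7cfc99e49d4aeb9afa98a72b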
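--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,6 @@
+# Release v0.5.1 - 2020/02/26
+* in_windows_eventlog2: Add empty bookmark checking mechanism
+
 # Release v0.5.0 - 2020/02/17
 * in_windows_eventlog2: Support subscribe directive to handle read_existing_events paratemer each of channels.
 * in_windows_eventlog2: Depends on winevt_c v0.7.0 or later.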
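--- a/data/fluent-plugin-winevtlog.gemspec
+++ b/data/fluent-plugin-winevtlog.gemspec
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
 spec.name = "fluent-plugin-windows-eventlog"
-spec.version = "0.5.
+spec.version = "0.5.1"
 spec.authors = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
 spec.email = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
 spec.summary = %q{Fluentd Input plugin to read windows event log.}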
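--- /dev/null
+++ b/data/lib/fluent/plugin/bookmark_sax_parser.rb
@@ -0,0 +1,30 @@
+require 'nokogiri'
+
+class WinevtBookmarkDocument < Nokogiri::XML::SAX::Document
+attr_reader :result
+
+def initialize
+@result = {}
+super
+end
+
+def start_document
+end
+
+def start_element(name, attributes = [])
+if name == "Bookmark"
+@result[:channel] = attributes[0][1] rescue nil
+@result[:record_id] = attributes[1][1].to_i rescue nil
+@result[:is_current] = attributes[2][1].downcase == "true" rescue nil
+end
+end
+
+def characters(string)
+end
+
+def end_element(name, attributes = [])
+end
+
+def end_document
+end
+end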
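--- a/data/lib/fluent/plugin/in_windows_eventlog2.rb
+++ b/data/lib/fluent/plugin/in_windows_eventlog2.rb
@@ -1,6 +1,7 @@
 require 'winevt'
 require 'fluent/plugin/input'
 require 'fluent/plugin'
+require_relative 'bookmark_sax_parser'
 
 module Fluent::Plugin
 class WindowsEventLog2Input < Input
@@ -113,12 +114,11 @@ module Fluent::Plugin
 
 def subscribe_channel(ch, read_existing_events)
 bookmarkXml = @bookmarks_storage.get(ch) || ""
+bookmark = nil
+if bookmark_validator(bookmarkXml, ch)
+bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+end
 subscribe = Winevt::EventLog::Subscribe.new
-bookmark = unless bookmarkXml.empty?
-Winevt::EventLog::Bookmark.new(bookmarkXml)
-else
-nil
-end
 subscribe.read_existing_events = read_existing_events
 begin
 subscribe.subscribe(ch, "*", bookmark)
@@ -132,6 +132,21 @@ module Fluent::Plugin
 end
 end
 
+def bookmark_validator(bookmarkXml, channel)
+return false if bookmarkXml.empty?
+
+evtxml = WinevtBookmarkDocument.new
+parser = Nokogiri::XML::SAX::Parser.new(evtxml)
+parser.parse(bookmarkXml)
+result = evtxml.result
+if !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
+true
+else
+log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{channel}"
+false
+end
+end
+
 def escape_channel(ch)
 ch.gsub(/[^a-zA-Z0-9\s]/, '_')
 end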
data/test/helper.rb
CHANGED
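--- /dev/null
+++ b/data/test/plugin/test_bookmark_sax_parser.rb
@@ -0,0 +1,41 @@
+require_relative '../helper'
+
+class BookmarkSAXParserTest < Test::Unit::TestCase
+
+def setup
+@evtxml = WinevtBookmarkDocument.new
+@parser = Nokogiri::XML::SAX::Parser.new(@evtxml)
+end
+
+def test_parse
+bookmark_str = <<EOS
+<BookmarkList>
+<Bookmark Channel='Application' RecordId='161332' IsCurrent='true'/>
+</BookmarkList>
+EOS
+@parser.parse(bookmark_str)
+expected = {channel: "Application", record_id: 161332, is_current: true}
+assert_equal expected, @evtxml.result
+end
+
+def test_parse_2
+bookmark_str = <<EOS
+<BookmarkList>
+<Bookmark Channel='Security' RecordId='25464' IsCurrent='true'/>
+</BookmarkList>
+EOS
+@parser.parse(bookmark_str)
+expected = {channel: "Security", record_id: 25464, is_current: true}
+assert_equal expected, @evtxml.result
+end
+
+def test_parse_empty_bookmark_list
+bookmark_str = <<EOS
+<BookmarkList>
+</BookmarkList>
+EOS
+@parser.parse(bookmark_str)
+expected = {}
+assert_equal expected, @evtxml.result
+end
+end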
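--- a/data/test/plugin/test_in_windows_eventlog2.rb
+++ b/data/test/plugin/test_in_windows_eventlog2.rb
@@ -261,6 +261,7 @@ DESC
 config_element("storage", "", {
 '@type' => 'local',
 '@id' => 'test-02',
+'@log_level' => "info",
 'path' => File.join(TEST_PLUGIN_STORAGE_PATH,
 'json', 'test-02.json'),
 'persistent' => true,
@@ -324,6 +325,21 @@ EOS
 assert_raise(Fluent::ConfigError) do
 d2.instance.start
 end
+assert_equal 0, d2.logs.grep(/This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe:/).length
+end
+
+def test_start_with_empty_bookmark
+invalid_storage_contents = <<-EOS
+<BookmarkList>\r\n</BookmarkList>
+EOS
+d = create_driver(CONFIG2)
+storage = d.instance.instance_variable_get(:@bookmarks_storage)
+storage.put('application', invalid_storage_contents)
+assert File.exist?(File.join(TEST_PLUGIN_STORAGE_PATH, 'json', 'test-02.json'))
+
+d2 = create_driver(CONFIG2)
+d2.instance.start
+assert_equal 1, d2.logs.grep(/This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe:/).length
 end
 end
 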
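Review bot: `test_start_with_empty_bookmark` covers only the empty `<BookmarkList>` path of `bookmark_validator`; its channel-mismatch and `IsCurrent='false'` branches, which produce the same grepped warning, have no test, so a second case storing a bookmark for a different channel under the `'application'` key would exercise the comparison logic. `d2.instance.start` is not paired with a shutdown in the new test; if `create_driver` does not stop the input itself, the subscription started here may outlive the test and affect the next one. The `assert_equal 0, d2.logs.grep(...)` line at the top of the second hunk belongs to a test method that begins outside the hunk.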
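--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.1
 platform: ruby
 authors:
 - okahashi117
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-
+date: 2020-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -147,11 +147,13 @@ files:
 - Rakefile
 - appveyor.yml
 - fluent-plugin-winevtlog.gemspec
+- lib/fluent/plugin/bookmark_sax_parser.rb
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
 - test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
+- test/plugin/test_bookmark_sax_parser.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb
 homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
@@ -182,5 +184,6 @@ test_files:
 - test/data/eventid_6416
 - test/generate-windows-event.rb
 - test/helper.rb
+- test/plugin/test_bookmark_sax_parser.rb
 - test/plugin/test_in_windows_eventlog2.rb
 - test/plugin/test_in_winevtlog.rb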