fluent-plugin-windows-eventlog 0.8.3 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2d253822f3e13ee264e9ad58b1d25c0e1e91460a417aa3ab1c21a6e45acb795a
-  data.tar.gz: ae2c835ac4bb63b9544c5ddab3f732fa7d0fd2d33606cf0b1456c5a5875e90eb
+  metadata.gz: b003ba2ba48568f0aef6dbc9cb8181990d6c0c7aaf519c46716575f647bcc1f2
+  data.tar.gz: 6031954f7b32595d6c2ab9be37eb464c9bf5b0797ca5cd5eb4838b78adb29d36
 SHA512:
-  metadata.gz: 5e259db40fe86886390b797cbbf3580427da285126fccfde89aab5867900c9600a9e01544a42e994de695ec67c65f525e6113ecb8aa2900de7508e4185c6e1d5
-  data.tar.gz: b2753c7604157cfd598a63726bba34d1001dae4702bd895fc3d4afaaf1d57ee1dfad41d064a70b3514b2f6a3242cde4e4ef72bbb746ea5fb05f729672629215a
+  metadata.gz: fc3ae080dd4fb87945a4ec803204e3d2a2753e4daeaa3ef316df6788514799c07d47b80b561755371d657cd151b60404a298a7ed8fa6887e422f1dd083421cb9
+  data.tar.gz: 941626f0a4e9656682eaf44b570590080f8aa9437307dbfd02c22efcd1355dbf8523d15e8531745b1a9a52c962847e874dae49addf818ca2b775011c2316ab36

data/.github/workflows/unit-test.yml

@@ -21,7 +21,7 @@ jobs:
             experimental: true
     name: Ruby ${{ matrix.ruby }} on ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# Release v0.9.0 - 2024/08/02
+* in_windows_eventlog2: Enable expanding user names from SID and add `preserve_sid_on_hash` option
+* in_windows_eventlog2: Add Delimiter and Casing options for parsing
+* in_windows_eventlog2: Not to load WinevtXMLparser by default
+* in_windows_eventlog2: Make it possible to work without Nokogiri
+
 # Release v0.8.3 - 2023/01/19
 * Permit using nokogiri 1.14.0
 

data/README.md

@@ -6,131 +6,24 @@
 
 [Fluentd](https://www.fluentd.org/) plugin to read the Windows Event Log.
 
-## Installation
-    ridk exec gem install fluent-plugin-windows-eventlog
-
-## Configuration
-
-### in_windows_eventlog
-
-Check [in_windows_eventlog2](https://github.com/fluent/fluent-plugin-windows-eventlog#in_windows_eventlog2) first. `in_windows_eventlog` will be replaced with `in_windows_eventlog2`.
-
-fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
-
-    <source>
-      @type windows_eventlog
-      @id windows_eventlog
-      channels application,system
-      read_interval 2
-      tag winevt.raw
-      <storage>
-        @type local             # @type local is the default.
-        persistent true         # default is true. Set to false to use in-memory storage.
-        path ./tmp/storage.json # This is required when persistent is true.
-                                # Or, please consider using <system> section's `root_dir` parameter.
-      </storage>
-    </source>
-
-#### parameters
-
-|name      | description |
-|:-----    |:-----       |
-|`channels`         | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
-|`keys`             | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
-|`read_interval`    | (option) Read interval in seconds. 2 seconds as default.|
-|`from_encoding`    | (option) Input character encoding. `nil` as default.|
-|`encoding`         | (option) Output character encoding. `nil` as default.|
-|`read_from_head`   | (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
-|`<storage>`        | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
-|`parse_description`| (option) parse `description` field and set parsed result into the record. `parse` and `string_inserts` fields are removed|
-
-##### Available keys
-
-This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.
-
-|key|
-|:-----    |
-|`record_number` |
-|`time_generated`|
-|`time_written`  |
-|`event_id`      |
-|`event_type`    |
-|`event_category`|
-|`source_name`   |
-|`computer_name` |
-|`user`          |
-|`description`   |
-|`string_inserts`|
-
-##### `parse_description` details
+This repository contains 2 Fluentd plugins:
 
-Here is an example with `parse_description true`.
+* in_windows_eventlog
+* in_windows_eventlog2
 
-```
-{
-  "channel": "security",
-  "record_number": "91698",
-  "time_generated": "2017-08-29 20:12:29 +0000",
-  "time_written": "2017-08-29 20:12:29 +0000",
-  "event_id": "4798",
-  "event_type": "audit_success",
-  "event_category": "13824",
-  "source_name": "Microsoft-Windows-Security-Auditing",
-  "computer_name": "TEST",
-  "user": "",
-  "description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-XXX\r\n\tAccount Name:\t\tTEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x7dc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe\r\n",
-  "string_inserts": [
-    "Administrator",
-    "TEST",
-    "S-XXX-YYY-ZZZ",
-    "S-XXX",
-    "TEST$",
-    "WORKGROUP",
-    "0x3e7",
-    "0x7dc",
-    "C:\\Windows\\System32\\LogonUI.exe"
-  ]
-}
-```
+The former one is obsolete, please don't use in newly deployment.
 
-This record is transformed to
+This document describes about the later one.
+If you want to know about the obsolete one, please see [in_windows_eventlog(old).md](in_windows_eventlog(old).md)
 
-```
-{
-  "channel": "security",
-  "record_number": "91698",
-  "time_generated": "2017-08-29 20:12:29 +0000",
-  "time_written": "2017-08-29 20:12:29 +0000",
-  "event_id": "4798",
-  "event_type": "audit_success",
-  "event_category": "13824",
-  "source_name": "Microsoft-Windows-Security-Auditing",
-  "computer_name": "TEST",
-  "user": "",
-  "description_title": "A user's local group membership was enumerated.",
-  "subject.security_id": "S-XXX",
-  "subject.account_name": "TEST$",
-  "subject.account_domain": "WORKGROUP",
-  "subject.logon_id": "0x3e7",
-  "user.security_id": "S-XXX-YYY-ZZZ",
-  "user.account_name": "Administrator",
-  "user.account_domain": "TEST",
-  "process_information.process_id": "0x7dc",
-  "process_information.process_name": "C:\\Windows\\System32\\LogonUI.exe\r\n"
-}
-```
-
-NOTE: This feature assumes `description` field has following formats:
-
-- group delimiter: `\r\n\r\n`
-- record delimiter: `\r\n\t`
-- field delimiter: `\t\t`
+## Installation
+    ridk exec gem install fluent-plugin-windows-eventlog
 
-If your `description` doesn't follow this format, the parsed result is only `description_title` field with same `description` content.
+## in_windows_eventlog2
 
-### in_windows_eventlog2
+Fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to [in_windows_eventlog](in_windows_eventlog(old).md). See also [this slide](https://www.slideshare.net/cosmo0920/fluentd-meetup-2019) for the details of `in_windows_eventlog2` plugin.
 
-fluentd Input plugin for the Windows Event Log using newer Windows Event Logging API. This is successor to `in_windows_eventlog`. See also [this slide](https://www.slideshare.net/cosmo0920/fluentd-meetup-2019) for the details of `in_windows_eventlog2` plugin.
+## Configuration
 
     <source>
       @type windows_eventlog2
@@ -142,6 +35,7 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
       render_as_xml false       # default is false.
       rate_limit 200            # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
       # preserve_qualifiers_on_hash true # default is false.
+      # preserve_sid_on_hash false # default is true.
       # read_all_channels false # default is false.
       # description_locale en_US # default is nil. It means that system locale is used for obtaining description.
       # refresh_subscription_interval 10m # default is nil. It specifies refresh interval for channel subscriptions.
@@ -176,31 +70,34 @@ fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 
 **NOTE:** When `render_as_xml` as `true`, `fluent-plugin-parser-winevt_xml` plugin should be needed to parse XML rendered Windows EventLog string.
 
-**NOTE:** If you encountered CPU spike due to massively huge EventLog channel, `rate_limit` parameter may help you. Currently, this paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).
+**NOTE:** If you encountered CPU or memory spike due to massively huge EventLog channel, `rate_limit` parameter may help you. This paramter can handle the multiples of 10 or -1(`Winevt::EventLog::Subscribe::RATE_INFINITE`).
 
-#### parameters
+### parameters
 
 |name      | description |
 |:-----    |:-----       |
 |`channels`         | (option) No default value just empty array, but 'application' is used as default due to backward compatibility. One or more of {'application', 'system', 'setup', 'security'} and other evtx, which is the brand new Windows XML Event Log (EVTX) format since Windows Vista, formatted channels. Theoritically, `in_windows_ventlog2` may read all of channels except for debug and analytical typed channels. If you want to read 'setup' or 'security' logs or some privileged channels, you must launch fluentd with administrator privileges.|
 |`keys`             | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
 |`read_interval`    | (option) Read interval in seconds. 2 seconds as default.|
-|`from_encoding`    | (option) Input character encoding. `nil` as default.|
 |`<storage>`        | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
 |`<parse>`          | Setting for `parser` plugin for parsing raw XML EventLog records. |
 |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
+|`description_key_delimiter`| (option) (Only applicable if parse_description is true) Change the character placed between the parent_key and key. Set the value to "" for no delimiter. Defaults to `.` .|
+|`description_word_delimiter`| (option) (Only applicable if parse_description is true) Change the character placed between each word of the key. Set the value to "" for no delimiter. Defaults to `_` .|
+|`downcase_description_keys`| (option) (Only applicable if parse_description is true) Specify whether to downcase the keys that are parsed from the Description. Defaults to `true`.|
 |`read_from_head`   | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
 |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
 |`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `false`.|
-|`rate_limit`      | (option) Specify rate limit to consume EventLog. Default is `Winevt::EventLog::Subscribe::RATE_INFINITE`.|
+|`rate_limit`      | (option) Specify rate limit to consume EventLog. This is the approximate maximum number of records read per second. If more than this value is read in a second, this stops reading and waits until the next `read_interval`. This value must be a multiple of 10. Default is `-1`(`Winevt::EventLog::Subscribe::RATE_INFINITE`) and this means there is no upper limit. The log flow rate for setting this is approximately as follows: `rate_limit / read_interval [logs/second]` |
 |`preserve_qualifiers_on_hash`      | (option) When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys. When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers". Default is `false`.|
+|`preserve_sid_on_hash`      | (option) When set up it as true, this plugin preserves "UserID" key which includes SID of users. When set up it as false, this plugin just eliminates "UserID". This option is only effective for hash format (render_as_xml false) . Default is `true`.|
 |`read_all_channels`| (option) Read from all channels. Default is `false`|
 |`description_locale`| (option) Specify description locale. Default is `nil`. See also: [Supported locales](https://github.com/fluent-plugins-nursery/winevt_c#multilingual-description) |
 |`refresh_subscription_interval`|(option) It specifies refresh interval for channel subscriptions. Default is `nil`.|
 |`event_query`|(option) It specifies query for deny/allow/filter events with XPath 1.0 or structured XML query. Default is `"*"` (retrieving all events).|
 |`<subscribe>`          | Setting for subscribe channels. |
 
-##### subscribe section
+#### subscribe section
 
 |name      | description |
 |:-----    |:-----       |
@@ -246,7 +143,7 @@ This configuration can be handled as:
 * "Application" and "Security" channels just tailing
 * "HardwareEvent" channel read existing events before launching Fluentd
 
-###### Remoting access
+##### Remoting access
 
 `<subscribe>` section supports remoting access parameters:
 
@@ -273,7 +170,7 @@ As a security best practices, remoting access account _should not be administrat
 
 For graphical instructions, please refer to [Preconfigure a Machine to Collect Remote Windows Events | Sumo Logic](https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Remote-Windows-Event-Log-Source/Preconfigure-a-Machine-to-Collect-Remote-Windows-Events) document for example.
 
-##### Available keys
+#### Available keys
 
 This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.
 
@@ -300,7 +197,7 @@ This plugin reads the following fields from Windows Event Log entries. Use the `
 |`Description`      |
 |`EventData`        |
 
-##### `parse_description` details
+#### `parse_description` details
 
 Here is an example with `parse_description true`.
 

data/fluent-plugin-winevtlog.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-windows-eventlog"
-  spec.version       = "0.8.3"
+  spec.version       = "0.9.0"
   spec.authors       = ["okahashi117", "Hiroshi Hatake", "Masahiro Nakagawa"]
   spec.email         = ["naruki_okahashi@jbat.co.jp", "cosmo0920.oucc@gmail.com", "repeatedly@gmail.com"]
   spec.summary       = %q{Fluentd Input plugin to read windows event log.}
@@ -24,5 +24,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c", ">= 0.10.1"
+  spec.add_runtime_dependency "winevt_c", ">= 0.11.0"
 end

data/in_windows_eventlog(old).md

@@ -0,0 +1,120 @@
+# in_windows_eventlog (old)
+
+This is a document about `in_windows_eventlog`, which is the old version of `in_windows_eventlog2`.
+
+Please use `in_windows_eventlog2` since this will be replaced with it.
+
+## Configuration
+
+fluentd Input plugin for the Windows Event Log using old Windows Event Logging API
+
+    <source>
+      @type windows_eventlog
+      @id windows_eventlog
+      channels application,system
+      read_interval 2
+      tag winevt.raw
+      <storage>
+        @type local             # @type local is the default.
+        persistent true         # default is true. Set to false to use in-memory storage.
+        path ./tmp/storage.json # This is required when persistent is true.
+                                # Or, please consider using <system> section's `root_dir` parameter.
+      </storage>
+    </source>
+
+### parameters
+
+|name      | description |
+|:-----    |:-----       |
+|`channels`         | (option) 'application' as default. One or more of {'application', 'system', 'setup', 'security'}. If you want to read 'setup' or 'security' logs, you must launch fluentd with administrator privileges.|
+|`keys`             | (option) A subset of [keys](#read-keys) to read. Defaults to all keys.|
+|`read_interval`    | (option) Read interval in seconds. 2 seconds as default.|
+|`from_encoding`    | (option) Input character encoding. `nil` as default.|
+|`encoding`         | (option) Output character encoding. `nil` as default.|
+|`read_from_head`   | (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
+|`<storage>`        | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
+|`parse_description`| (option) parse `description` field and set parsed result into the record. `parse` and `string_inserts` fields are removed|
+
+### Available keys
+
+This plugin reads the following fields from Windows Event Log entries. Use the `keys` configuration option to select a subset. No other customization is allowed for now.
+
+|key|
+|:-----    |
+|`record_number` |
+|`time_generated`|
+|`time_written`  |
+|`event_id`      |
+|`event_type`    |
+|`event_category`|
+|`source_name`   |
+|`computer_name` |
+|`user`          |
+|`description`   |
+|`string_inserts`|
+
+### `parse_description` details
+
+Here is an example with `parse_description true`.
+
+```
+{
+  "channel": "security",
+  "record_number": "91698",
+  "time_generated": "2017-08-29 20:12:29 +0000",
+  "time_written": "2017-08-29 20:12:29 +0000",
+  "event_id": "4798",
+  "event_type": "audit_success",
+  "event_category": "13824",
+  "source_name": "Microsoft-Windows-Security-Auditing",
+  "computer_name": "TEST",
+  "user": "",
+  "description": "A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-XXX\r\n\tAccount Name:\t\tTEST$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-XXX-YYY-ZZZ\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x7dc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe\r\n",
+  "string_inserts": [
+    "Administrator",
+    "TEST",
+    "S-XXX-YYY-ZZZ",
+    "S-XXX",
+    "TEST$",
+    "WORKGROUP",
+    "0x3e7",
+    "0x7dc",
+    "C:\\Windows\\System32\\LogonUI.exe"
+  ]
+}
+```
+
+This record is transformed to
+
+```
+{
+  "channel": "security",
+  "record_number": "91698",
+  "time_generated": "2017-08-29 20:12:29 +0000",
+  "time_written": "2017-08-29 20:12:29 +0000",
+  "event_id": "4798",
+  "event_type": "audit_success",
+  "event_category": "13824",
+  "source_name": "Microsoft-Windows-Security-Auditing",
+  "computer_name": "TEST",
+  "user": "",
+  "description_title": "A user's local group membership was enumerated.",
+  "subject.security_id": "S-XXX",
+  "subject.account_name": "TEST$",
+  "subject.account_domain": "WORKGROUP",
+  "subject.logon_id": "0x3e7",
+  "user.security_id": "S-XXX-YYY-ZZZ",
+  "user.account_name": "Administrator",
+  "user.account_domain": "TEST",
+  "process_information.process_id": "0x7dc",
+  "process_information.process_name": "C:\\Windows\\System32\\LogonUI.exe\r\n"
+}
+```
+
+NOTE: This feature assumes `description` field has following formats:
+
+- group delimiter: `\r\n\r\n`
+- record delimiter: `\r\n\t`
+- field delimiter: `\t\t`
+
+If your `description` doesn't follow this format, the parsed result is only `description_title` field with same `description` content.

data/lib/fluent/plugin/in_windows_eventlog.rb

@@ -49,7 +49,7 @@ module Fluent::Plugin
     end
 
     def configure(conf)
-      log.warn "in_windows_eventlog is deprecated. It will be removed in the future version."
+      log.warn "in_windows_eventlog is deprecated. It will be removed in the future version. Please use in_windows_eventlog2 bundled with this plugin instead."
       super
       @chs = @channels.map {|ch| ch.strip.downcase }.uniq
       if @chs.empty?

data/lib/fluent/plugin/in_windows_eventlog2.rb

@@ -1,10 +1,16 @@
 require 'winevt'
 require 'fluent/plugin/input'
 require 'fluent/plugin'
-require_relative 'bookmark_sax_parser'
 
 module Fluent::Plugin
   class WindowsEventLog2Input < Input
+    begin
+      require_relative 'bookmark_sax_parser'
+      @@bookmark_parser_avaiable = true
+    rescue LoadError
+      @@bookmark_parser_avaiable = false
+    end
+
     Fluent::Plugin.register_input('windows_eventlog2', self)
 
     class ReconnectError < Fluent::UnrecoverableError; end
@@ -29,6 +35,7 @@ module Fluent::Plugin
                "Channel"           => ["Channel",               :string],
                "Computer"          => ["Computer",              :string],
                "UserID"            => ["UserID",                :string],
+               "User"              => ["User",                  :string],
                "Version"           => ["Version",               :string],
                "Description"       => ["Description",           :string],
                "EventData"         => ["EventData",             :array]}
@@ -40,9 +47,13 @@ module Fluent::Plugin
     config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
     config_param :read_existing_events, :bool, default: false
     config_param :parse_description, :bool, default: false
+    config_param :description_key_delimiter, :string, default: "."
+    config_param :description_word_delimiter, :string, default: "_"
+    config_param :downcase_description_keys, :bool, default: true
     config_param :render_as_xml, :bool, default: false
     config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
     config_param :preserve_qualifiers_on_hash, :bool, default: false
+    config_param :preserve_sid_on_hash, :bool, default: true
     config_param :read_all_channels, :bool, default: false
     config_param :description_locale, :string, default: nil
     config_param :refresh_subscription_interval, :time, default: nil
@@ -64,7 +75,7 @@ module Fluent::Plugin
     end
 
     config_section :parse do
-      config_set_default :@type, 'winevt_xml'
+      config_set_default :@type, 'windows_eventlog2_dummy'
       config_set_default :estimate_current_event, false
     end
 
@@ -122,7 +133,12 @@ module Fluent::Plugin
       @winevt_xml = false
       @parser = nil
       if @render_as_xml
-        @parser = parser_create
+        parser_config = @parser_configs.first
+        if parser_config["@type"] == "windows_eventlog2_dummy"
+          @parser = parser_create(usage: "parse_xml", type: "winevt_xml", conf: conf.elements("parse").first)
+        else
+          @parser = parser_create
+        end
         @winevt_xml = @parser.respond_to?(:winevt_xml?) && @parser.winevt_xml?
         class << self
           alias_method :on_notify, :on_notify_xml
@@ -142,6 +158,15 @@ module Fluent::Plugin
         @keynames.delete('Qualifiers')
       end
       @keynames.delete('EventData') if @parse_description
+      if @render_as_xml && !@preserve_sid_on_hash
+        raise Fluent::ConfigError, "preserve_sid_on_hash is effective with Hash object rendering(render_as_xml as false)."
+      end
+      if @render_as_xml
+        @keynames.delete('User')
+      end
+      if !@render_as_xml && !@preserve_sid_on_hash
+        @keynames.delete('UserID')
+      end
 
       locale = Winevt::EventLog::Locale.new
       if @description_locale && unsupported_locale?(locale, @description_locale)
@@ -227,11 +252,16 @@ module Fluent::Plugin
     end
 
     def subscription(ch, read_existing_events, remote_session)
-      bookmarkXml = @bookmarks_storage.get(ch) || ""
       bookmark = nil
-      if bookmark_validator(bookmarkXml, ch)
-        bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+      bookmarkXml = @bookmarks_storage.get(ch) || ""
+      unless bookmarkXml.empty?
+        if bookmark_valid?(bookmarkXml, ch)
+          bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
+        else
+          log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{ch}"
+        end
       end
+
       subscribe = Winevt::EventLog::Subscribe.new
       subscribe.read_existing_events = read_existing_events
       begin
@@ -239,6 +269,9 @@ module Fluent::Plugin
         if !@render_as_xml && @preserve_qualifiers_on_hash
           subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
         end
+        if !@render_as_xml && !@preserve_sid_on_hash
+          subscribe.preserve_sid = @preserve_sid_on_hash
+        end
       rescue Winevt::EventLog::Query::Error => e
         raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
       end
@@ -258,19 +291,26 @@ module Fluent::Plugin
       end
     end
 
-    def bookmark_validator(bookmarkXml, channel)
-      return false if bookmarkXml.empty?
+    def bookmark_valid?(bookmarkXml, channel)
+      if @@bookmark_parser_avaiable
+        bookmark_valid_strictly?(bookmarkXml, channel)
+      else
+        bookmarklist_is_not_empty?(bookmarkXml, channel)
+      end
+    end
 
+    def bookmark_valid_strictly?(bookmarkXml, channel)
       evtxml = WinevtBookmarkDocument.new
       parser = Nokogiri::XML::SAX::Parser.new(evtxml)
       parser.parse(bookmarkXml)
       result = evtxml.result
-      if !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
-        true
-      else
-        log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{channel}"
-        false
-      end
+      !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
+    end
+
+    def bookmarklist_is_not_empty?(bookmarkXml, channel)
+      # Empty example: "<BookmarkList>\r\n</BookmarkList>"
+      # Not empty example: "<BookmarkList>\r\n  <Bookmark Channel='Setup' RecordId='777' IsCurrent='true'/>\r\n</BookmarkList>"
+      bookmarkXml.include?("Channel")
     end
 
     def escape_channel(ch)
@@ -389,7 +429,7 @@ module Fluent::Plugin
             elsif parent_key.nil?
               record[to_key(key)] = value
             else
-              k = "#{parent_key}.#{to_key(key)}"
+              k = "#{parent_key}#{@description_key_delimiter}#{to_key(key)}"
               record[k] = value
             end
           end
@@ -401,10 +441,22 @@ module Fluent::Plugin
     end
 
     def to_key(key)
-      key.downcase!
-      key.gsub!(' '.freeze, '_'.freeze)
+      key.downcase! if @downcase_description_keys
+      key.gsub!(' '.freeze, @description_word_delimiter)
       key
     end
     ####
   end
+
+  class WindowsEventLog2DummyParser < Parser
+    Fluent::Plugin.register_parser('windows_eventlog2_dummy', self)
+
+    def configure(conf)
+      super
+    end
+
+    def parse(text)
+      raise NotImplementedError, "This is a dummy parser for the default setting and can not be used actually."
+    end
+  end
 end

data/test/plugin/test_in_windows_eventlog2.rb

@@ -176,6 +176,18 @@ class WindowsEventLog2InputTest < Test::Unit::TestCase
                                      ])
       end
     end
+
+    test "default parser should not be WinevtXMLparser" do
+      # Because it is not a mandatory dependency.
+      d = create_driver CONFIG
+      assert_equal 1, d.instance._parsers.size
+      assert_not_equal "Fluent::Plugin::WinevtXMLparser", d.instance._parsers.values.first.class.name
+    end
+
+    test "parser should be WinevtXMLparser if render_as_xml is enabled" do
+      d = create_driver XML_RENDERING_CONFIG
+      assert_equal Fluent::Plugin::WinevtXMLparser, d.instance.instance_variable_get(:@parser).class
+    end
   end
 
   data("Japanese"                => ["ja_JP", false],
@@ -226,6 +238,36 @@ DESC
     assert_equal(expected, h)
   end
 
+  def test_parse_desc_camelcase
+    d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                  "parse_description" => true,
+                                                  "description_key_delimiter" => "",
+                                                  "description_word_delimiter" => "",
+                                                  "downcase_description_keys" => false
+                                                  }, [
+                                       config_element("storage", "", {
+                                                        '@type' => 'local',
+                                                        'persistent' => false
+                                                      }),
+                                     ]))
+    desc =<<-DESC
+A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-XX-WWWWWW-VVVV\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tDESKTOP-FLUENTTEST\r\n\tLogon ID:\t\t0x3185B1\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-X-Y-XX-WWWWWW-VVVV\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tDESKTOP-FLUENTTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x50b8\r\n\tProcess Name:\t\tC:\\msys64\\usr\\bin\\make.exe
+DESC
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"                 => "A user's local group membership was enumerated.",
+                "SubjectSecurityID"                => "S-X-Y-XX-WWWWWW-VVVV",
+                "SubjectAccountName"               => "Administrator",
+                "SubjectAccountDomain"             => "DESKTOP-FLUENTTEST",
+                "SubjectLogonID"                   => "0x3185B1",
+                "UserSecurityID"                   => "S-X-Y-XX-WWWWWW-VVVV",
+                "UserAccountName"                  => "Administrator",
+                "UserAccountDomain"                => "DESKTOP-FLUENTTEST",
+                "ProcessInformationProcessID"      => "0x50b8",
+                "ProcessInformationProcessName"    => "C:\\msys64\\usr\\bin\\make.exe"}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
   def test_parse_privileges_description
     d = create_driver
     desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",
@@ -284,7 +326,7 @@ DESC
   end
 
   def test_write
-    d = create_driver
+    d = create_driver XML_RENDERING_CONFIG
 
     service = Fluent::Plugin::EventService.new
 
@@ -300,6 +342,7 @@ DESC
     assert_equal("65500", record["EventID"])
     assert_equal("4", record["Level"])
     assert_equal("fluent-plugins", record["ProviderName"])
+    assert_false(record.has_key?("User"))
   end
 
   CONFIG_WITH_NON_EXISTENT_CHANNEL = config_element("ROOT", "", {
@@ -345,6 +388,7 @@ DESC
     assert_equal("65500", record["EventID"])
     assert_equal("4", record["Level"])
     assert_equal("fluent-plugins", record["ProviderName"])
+    assert_true(record.has_key?("User"))
   end
 
 
@@ -406,6 +450,7 @@ DESC
     assert_equal("65500", record["EventID"])
     assert_equal("4", record["Level"])
     assert_equal("fluent-plugins", record["ProviderName"])
+    assert_true(record.has_key?("User"))
   end
 
   class HashRendered < self
@@ -451,7 +496,7 @@ DESC
       service = Fluent::Plugin::EventService.new
       subscribe = Winevt::EventLog::Subscribe.new
 
-      omit "@parser.preserve_qualifiers does not respond" unless subscribe.respond_to?(:preserve_qualifiers?)
+      omit "subscribe.preserve_qualifiers? does not respond" unless subscribe.respond_to?(:preserve_qualifiers?)
 
       d.run(expect_emits: 1) do
         service.run
@@ -465,6 +510,70 @@ DESC
       assert_true(record.has_key?("EventData"))
       assert_true(record.has_key?("Qualifiers"))
     end
+
+    def test_write_with_preserving_sid
+      require 'winevt'
+
+      d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "render_as_xml" => false,
+                                                    'preserve_sid_on_hash' => true
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                       ]))
+
+      service = Fluent::Plugin::EventService.new
+      subscribe = Winevt::EventLog::Subscribe.new
+
+      omit "subscribe.preserve_sid? does not respond" unless subscribe.respond_to?(:preserve_sid?)
+
+      d.run(expect_emits: 1) do
+        service.run
+      end
+
+      assert(d.events.length >= 1)
+      event = d.events.last
+      record = event.last
+
+      assert_true(record.has_key?("Description"))
+      assert_true(record.has_key?("EventData"))
+      assert_true(record.has_key?("UserID"))
+      assert_true(record.has_key?("User"))
+    end
+
+    def test_write_with_not_preserving_sid
+      require 'winevt'
+
+      d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "render_as_xml" => false,
+                                                    'preserve_sid_on_hash' => false
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                       ]))
+
+      service = Fluent::Plugin::EventService.new
+      subscribe = Winevt::EventLog::Subscribe.new
+
+      omit "subscribe.preserve_sid? does not respond" unless subscribe.respond_to?(:preserve_sid?)
+
+      d.run(expect_emits: 1) do
+        service.run
+      end
+
+      assert(d.events.length >= 1)
+      event = d.events.last
+      record = event.last
+
+      assert_true(record.has_key?("Description"))
+      assert_true(record.has_key?("EventData"))
+      assert_false(record.has_key?("UserID"))
+      assert_true(record.has_key?("User"))
+    end
   end
 
   class PersistBookMark < self

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-windows-eventlog
 version: !ruby/object:Gem::Version
-  version: 0.8.3
+  version: 0.9.0
 platform: ruby
 authors:
 - okahashi117
 - Hiroshi Hatake
 - Masahiro Nakagawa
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-19 00:00:00.000000000 Z
+date: 2024-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.10.1
+        version: 0.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.10.1
+        version: 0.11.0
 description: Fluentd Input plugin to read windows event log.
 email:
 - naruki_okahashi@jbat.co.jp
@@ -154,6 +154,7 @@ files:
 - README.md
 - Rakefile
 - fluent-plugin-winevtlog.gemspec
+- in_windows_eventlog(old).md
 - lib/fluent/plugin/bookmark_sax_parser.rb
 - lib/fluent/plugin/in_windows_eventlog.rb
 - lib/fluent/plugin/in_windows_eventlog2.rb
@@ -167,7 +168,7 @@ homepage: https://github.com/fluent/fluent-plugin-windows-eventlog
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -182,8 +183,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.5
-signing_key: 
+rubygems_version: 3.4.1
+signing_key:
 specification_version: 4
 summary: Fluentd Input plugin to read windows event log.
 test_files: