fluent-plugin-winevtlog 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f20f0df26f1be8901b84ec7cb3da2296af8be98b
+  data.tar.gz: 2bb0885a56495b74783de4ccc6c02e464ad37595
+SHA512:
+  metadata.gz: a42c58a4c327a8e57e6d017162fc05b5aa4194f787505a22433a0744f0a005cffdb6ea2770a5e2b8ba89f0720b0ddced404cfa27d10ce103d7cf33cd66408e39
+  data.tar.gz: 89baa6e3dae8da65c5d66c29925c27039aa5132543573089f380eb376559a828047ad6d61fc16be0573253f17f3b5c767f9e3b9fc9978bfbfd0d470e1d717234

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/spec/reports/
+pkg/*
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in fluent-plugin-winevtlog.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 okahashi117
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,3 @@
+# Fluent::Plugin::Winevtlog
+
+

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+task :default => :test

data/fluent-plugin-winevtlog.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name          = "fluent-plugin-winevtlog"
+  spec.version       = "0.0.2"
+  spec.authors       = ["okahashi117"]
+  spec.email         = ["naruki_okahashi@jbat.co.jp"]
+  spec.summary       = %q{Input plugin to read windows event log.}
+  spec.description   = %q{Input plugin to read windwos event log.}
+  spec.homepage      = ""
+  spec.license       = "Apache license"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_runtime_dependency "fluentd"
+  spec.add_runtime_dependency "win32-eventlog"
+end

data/lib/fluent/plugin/in_winevtlog.rb

@@ -0,0 +1,295 @@
+
+require 'win32/eventlog'
+include Win32
+
+module Fluent
+  class WinEvtLog < Fluent::Input
+    Fluent::Plugin.register_input('winevtlog', self)
+
+    @@KEY_MAP = {"record_number" => :record_number, 
+                    "time_generated" => :time_generated, 
+                    "time_written" => :time_written, 
+                    "event_id" => :event_id, 
+                    "event_type" => :event_type, 
+                    "event_category" => :category, 
+                    "source_name" => :source, 
+                    "computer_name" => :computer, 
+                    "user" => :user, 
+                    "description" => :description}
+
+    config_param :tag, :string
+    config_param :read_interval, :time, :default => 2
+    config_param :pos_file, :string, :default => nil
+    config_param :category, :string, :default => 'Application' 
+    config_param :keys, :string, :default => ''
+    config_param :read_from_head, :bool, :default => false
+
+    attr_reader :cats
+
+    def initialize
+      super
+      @cats = []
+      @keynames = []
+      @tails = {}
+    end
+
+    def configure(conf)
+      super
+      @cats = @category.split(',').map {|cat| cat.strip }.uniq
+      if @cats.empty?
+        raise ConfigError, "winevtlog: 'category' parameter is required on winevtlog input"
+      end
+      @keynames = @keys.split(',').map {|k| k.strip }.uniq
+      if @keynames.empty?
+        @keynames = @@KEY_MAP.keys
+      end
+      @tag = tag
+      @stop = false
+    end
+
+    def start
+      if @pos_file
+        @pf_file = File.open(@pos_file, File::RDWR|File::CREAT|File::BINARY, DEFAULT_FILE_PERMISSION)
+        @pf_file.sync = true
+        @pf = PositionFile.parse(@pf_file)
+      end
+      @loop = Coolio::Loop.new
+      start_watchers(@cats)
+      @thread = Thread.new(&method(:run))
+    end
+
+    def shutdown
+      stop_watchers(@tails.keys, true)
+      @loop.stop rescue nil
+      @thread.join
+      @pf_file.close if @pf_file
+    end
+
+    def setup_wacther(cat, pe)
+      wlw = WindowsLogWatcher.new(cat, pe, &method(:receive_lines))
+      wlw.attach(@loop)
+      wlw
+    end
+
+    def start_watchers(cats)
+      cats.each { |cat|
+        pe = nil
+        if @pf
+          pe = @pf[cat]
+          if @read_from_head && pe.read_num.zero?
+            el = EventLog.open(cat)
+            pe.update(el.oldest_record_number-1,1)
+            el.close
+          end
+        end
+        @tails[cat] = setup_wacther(cat, pe)
+      }
+    end
+
+    def stop_watchers(cats, unwatched = false)
+      cats.each { |cat|
+        wlw = @tails.delete(cat)
+        if wlw
+          wlw.unwatched = unwatched
+          close_watcher(wlw)
+        end
+      }
+    end
+
+    def close_watcher(wlw)
+      wlw.close
+      # flush_buffer(wlw)
+    end
+
+    def run
+      @loop.run
+    rescue
+      $log.error "unexpected error", :error=>$!.to_s
+      $log.error_backtrace
+    end
+
+    def receive_lines(lines, pe)
+      return if lines.empty?
+      begin
+        for r in lines
+          h = Hash[@keynames.map {|k| [k, r.send(@@KEY_MAP[k])]}]
+          Engine.emit(@tag, Engine.now, h)
+          pe[1] +=1
+        end
+      rescue
+        $log.error "unexpected error", :error=>$!.to_s
+        $log.error_backtrace
+      end
+    end
+
+
+    class WindowsLogWatcher
+      def initialize(cat, pe, &receive_lines)
+        @cat = cat
+        @pe = pe || MemoryPositionEntry.new
+        @receive_lines = receive_lines
+        @timer_trigger = TimerWatcher.new(1, true, &method(:on_notify))
+      end
+
+      attr_reader   :cat
+      attr_accessor :unwatched
+      attr_accessor :pe
+
+      def attach(loop)
+        @timer_trigger.attach(loop)
+        on_notify
+      end
+
+      def detach
+        @timer_trigger.detach if @timer_trigger.attached?
+      end
+
+      def close
+        detach
+      end
+
+      def on_notify
+        el = EventLog.open(@cat)
+        rl_sn = [el.oldest_record_number, el.total_records]
+        pe_sn = [@pe.read_start, @pe.read_num]
+        # if total_records is zero, oldest_record_number has no meaning.
+        if rl_sn[1] == 0
+          return
+        end
+        
+        if pe_sn[0] == 0 && pe_sn[1] == 0
+          @pe.update(rl_sn[0], rl_sn[1])
+          return
+        end
+
+        cur_end = rl_sn[0] + rl_sn[1] -1
+        old_end = pe_sn[0] + pe_sn[1] -1
+
+        if (rl_sn[0] < pe_sn[0])
+          # may be a record number rotated.
+          cur_end += 0xFFFFFFFF
+        end
+
+        if (cur_end <= old_end)
+          # something occured.
+          @pe.update(rl_sn[0], rl_sn[1])
+          return
+        end
+
+        read_more = false
+        begin
+          numlines = cur_end - old_end
+          winlogs = el.read(Windows::Constants::EVENTLOG_SEEK_READ | Windows::Constants::EVENTLOG_FORWARDS_READ, old_end + 1)
+          @receive_lines.call(winlogs, pe_sn)
+          @pe.update(pe_sn[0], pe_sn[1])
+          old_end = pe_sn[0] + pe_sn[1] -1
+        end while read_more
+        el.close
+        
+      end
+
+      class TimerWatcher < Coolio::TimerWatcher
+        def initialize(interval, repeat, &callback)
+          @callback = callback
+          super(interval, repeat)
+        end
+
+        def on_timer
+          @callback.call
+        rescue
+          # TODO log?
+          $log.error $!.to_s
+          $log.error_backtrace
+        end
+      end
+    end
+
+    class PositionFile
+      def initialize(file, map, last_pos)
+        @file = file
+        @map = map
+        @last_pos = last_pos
+      end
+
+      def [](cat)
+        if m = @map[cat]
+          return m
+        end
+        @file.pos = @last_pos
+        @file.write cat
+        @file.write "\t"
+        seek = @file.pos
+        @file.write "00000000\t00000000\n"
+        @last_pos = @file.pos
+        @map[cat] = FilePositionEntry.new(@file, seek)
+      end
+
+      # parsing file and rebuild mysself
+      def self.parse(file)
+        map = {}
+        file.pos = 0
+        file.each_line {|line|
+          # check and get a matched line as m
+          m = /^([^\t]+)\t([0-9a-fA-F]+)\t([0-9a-fA-F]+)/.match(line)
+          next unless m
+          cat = m[1] 
+          pos = m[2].to_i(16)
+          seek = file.pos - line.bytesize + cat.bytesize + 1
+          map[cat] = FilePositionEntry.new(file, seek)
+        }
+        new(file, map, file.pos)
+      end
+    end
+
+    class FilePositionEntry
+      START_SIZE = 8
+      NUM_OFFSET = 9
+      NUM_SIZE   = 8
+      LN_OFFSET = 17
+      SIZE = 18
+
+      def initialize(file, seek)
+        @file = file
+        @seek = seek
+      end
+
+      def update(start, num)
+        @file.pos = @seek
+        @file.write "%08x\t%08x" % [start, num]
+      end
+      
+      def read_start
+        @file.pos = @seek
+        raw = @file.read(START_SIZE)
+        raw ? raw.to_i(16) : 0
+      end
+
+      def read_num
+        @file.pos = @seek + NUM_OFFSET
+        raw = @file.read(NUM_SIZE)
+        raw ? raw.to_i(16) : 0
+      end
+    end
+
+    class MemoryPositionEntry
+      def initialize
+        @start = 0
+        @num = 0
+      end
+
+      def update(start, num)
+        @start = start
+        @num = num
+      end
+      
+      def read_start
+        @start
+      end
+
+      def read_num
+        @num
+      end
+    end
+
+  end
+end

data/test/helper.rb

@@ -0,0 +1,28 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'fluent/test'
+unless ENV.has_key?('VERBOSE')
+  nulllogger = Object.new
+  nulllogger.instance_eval {|obj|
+    def method_missing(method, *args)
+      # pass
+    end
+  }
+  $log = nulllogger
+end
+
+require 'fluent/plugin/in_winevtlog'
+
+class Test::Unit::TestCase
+end

data/test/plugin/test_in_winevtlog.rb

@@ -0,0 +1,56 @@
+require 'helper'
+
+class WinEvtLogTest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+  end
+
+  CONFIG = %[
+  ]
+  # CONFIG = %[
+  #   path #{TMP_DIR}/out_file_test
+  #   compress gz
+  #   utc
+  # ]
+
+  def create_driver(conf = CONFIG, tag='test')
+    Fluent::Test::InputTestDriver.new(Fluent::WinEvtLog).configure(conf)
+  end
+
+  def test_configure
+    #### set configurations
+    # d = create_driver %[
+    #   path test_path
+    #   compress gz
+    # ]
+    #### check configurations
+    # assert_equal 'test_path', d.instance.path
+    # assert_equal :gz, d.instance.compress
+  end
+
+  def test_format
+    d = create_driver
+
+    # time = Time.parse("2011-01-02 13:14:15 UTC").to_i
+    # d.emit({"a"=>1}, time)
+    # d.emit({"a"=>2}, time)
+
+    # d.expect_format %[2011-01-02T13:14:15Z\ttest\t{"a":1}\n]
+    # d.expect_format %[2011-01-02T13:14:15Z\ttest\t{"a":2}\n]
+
+    # d.run
+  end
+
+  def test_write
+    d = create_driver
+
+    # time = Time.parse("2011-01-02 13:14:15 UTC").to_i
+    # d.emit({"a"=>1}, time)
+    # d.emit({"a"=>2}, time)
+
+    # ### FileOutput#write returns path
+    # path = d.run
+    # expect_path = "#{TMP_DIR}/out_file_test._0.log.gz"
+    # assert_equal expect_path, path
+  end
+end

metadata

@@ -0,0 +1,111 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-winevtlog
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- okahashi117
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-09-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: win32-eventlog
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Input plugin to read windwos event log.
+email:
+- naruki_okahashi@jbat.co.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- fluent-plugin-winevtlog.gemspec
+- lib/fluent/plugin/in_winevtlog.rb
+- test/helper.rb
+- test/plugin/test_in_winevtlog.rb
+homepage: ''
+licenses:
+- Apache license
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: Input plugin to read windows event log.
+test_files:
+- test/helper.rb
+- test/plugin/test_in_winevtlog.rb