logstash-input-eventlog 0.1.1-java

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9b51c4a7bd08930a450dce74fc36cbd6bf15b282
+  data.tar.gz: a85b854ea1475dc6dc22e6322e652a0841092d9f
+SHA512:
+  metadata.gz: 7609c656cf0f795f4785d29d9adf3f7b248b640c3ad208f35da18d564afa333de68d3a07962a9ce41f9e6f1bb80e07973e2d181d8abc1d370d357e57c511d1e7
+  data.tar.gz: e37a071ae8c2515558fab9d49d0f932947298507451ed5af462f52ac147cd6bf28a947d4c5e479ea5653a6e17c7246845a7e4b2e314af8a845e1e0387f100c97

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gemspec
+gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"

data/Gemfile.bak

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'
+gem 'archive-tar-minitar'

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012-2014 Elasticsearch <http://www.elasticsearch.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Rakefile

@@ -0,0 +1,7 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+
+require "logstash/devutils/rake"

data/lib/logstash/inputs/eventlog.rb

@@ -0,0 +1,129 @@
+# encoding: utf-8
+require "logstash/inputs/base"
+require "logstash/namespace"
+require "logstash/timestamp"
+require "socket"
+
+# This input will pull events from a http://msdn.microsoft.com/en-us/library/windows/desktop/bb309026%28v=vs.85%29.aspx[Windows Event Log].
+#
+# To collect Events from the System Event Log, use a config like:
+# [source,ruby]
+#     input {
+#       eventlog {
+#         type  => 'Win32-EventLog'
+#         logfile  => 'System'
+#       }
+#     }
+class LogStash::Inputs::EventLog < LogStash::Inputs::Base
+
+  config_name "eventlog"
+  milestone 2
+
+  default :codec, "plain"
+
+  # Event Log Name
+  config :logfile, :validate => :array, :default => [ "Application", "Security", "System" ]
+
+  public
+  def register
+
+    # wrap specified logfiles in suitable OR statements
+    @logfiles = @logfile.join("' OR TargetInstance.LogFile = '")
+
+    @hostname = Socket.gethostname
+    @logger.info("Registering input eventlog://#{@hostname}/#{@logfile}")
+
+    if RUBY_PLATFORM == "java"
+      require "jruby-win32ole"
+    else
+      require "win32ole"
+    end
+  end # def register
+
+  public
+  def run(queue)
+    @wmi = WIN32OLE.connect("winmgmts://")
+
+    wmi_query = "Select * from __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent' And (TargetInstance.LogFile = '#{@logfiles}')"
+
+    begin
+      @logger.debug("Tailing Windows Event Log '#{@logfile}'")
+
+      events = @wmi.ExecNotificationQuery(wmi_query)
+
+      while
+        notification = events.NextEvent
+        event = notification.TargetInstance
+
+        timestamp = to_timestamp(event.TimeGenerated)
+
+        e = LogStash::Event.new(
+          "host" => @hostname,
+          "path" => @logfile,
+          "type" => @type,
+          LogStash::Event::TIMESTAMP => timestamp
+        )
+
+        %w{Category CategoryString ComputerName EventCode EventIdentifier
+            EventType Logfile Message RecordNumber SourceName
+            TimeGenerated TimeWritten Type User
+        }.each{
+            |property| e[property] = event.send property
+        }
+
+        if RUBY_PLATFORM == "java"
+          # unwrap jruby-win32ole racob data
+          e["InsertionStrings"] = unwrap_racob_variant_array(event.InsertionStrings)
+          data = unwrap_racob_variant_array(event.Data)
+          # Data is an array of signed shorts, so convert to bytes and pack a string
+          e["Data"] = data.map{|byte| (byte > 0) ? byte : 256 + byte}.pack("c*")
+        else
+          # win32-ole data does not need to be unwrapped
+          e["InsertionStrings"] = event.InsertionStrings
+          e["Data"] = event.Data
+        end
+
+        e["message"] = event.Message
+
+        decorate(e)
+        queue << e
+
+      end # while
+
+    rescue Exception => ex
+      @logger.error("Windows Event Log error: #{ex}\n#{ex.backtrace}")
+      sleep 1
+      retry
+    end # rescue
+
+  end # def run
+
+  private
+  def unwrap_racob_variant_array(variants)
+    variants ||= []
+    variants.map {|v| (v.respond_to? :getValue) ? v.getValue : v}
+  end # def unwrap_racob_variant_array
+
+  # the event log timestamp is a utc string in the following format: yyyymmddHHMMSS.xxxxxx±UUU
+  # http://technet.microsoft.com/en-us/library/ee198928.aspx
+  private
+  def to_timestamp(wmi_time)
+    result = ""
+    # parse the utc date string
+    /(?<w_date>\d{8})(?<w_time>\d{6})\.\d{6}(?<w_sign>[\+-])(?<w_diff>\d{3})/ =~ wmi_time
+    result = "#{w_date}T#{w_time}#{w_sign}"
+    # the offset is represented by the difference, in minutes,
+    # between the local time zone and Greenwich Mean Time (GMT).
+    if w_diff.to_i > 0
+      # calculate the timezone offset in hours and minutes
+      h_offset = w_diff.to_i / 60
+      m_offset = w_diff.to_i - (h_offset * 60)
+      result.concat("%02d%02d" % [h_offset, m_offset])
+    else
+      result.concat("0000")
+    end
+
+    return LogStash::Timestamp.new(DateTime.strptime(result, "%Y%m%dT%H%M%S%z").to_time)
+  end
+end # class LogStash::Inputs::EventLog
+

data/logstash-input-eventlog.gemspec

@@ -0,0 +1,33 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-input-eventlog'
+  s.version         = '0.1.1'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "This input will pull events from a Windows Event Log"
+  s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'info@elasticsearch.com'
+  s.homepage        = "http://www.elasticsearch.org/guide/en/logstash/current/index.html"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)+::Dir.glob('vendor/*')
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+
+  s.add_runtime_dependency 'logstash-codec-plain'
+
+  if RUBY_PLATFORM == 'java'
+    s.platform = RUBY_PLATFORM
+    s.add_runtime_dependency "jruby-win32ole"                   #(unknown license)
+  end
+  s.add_development_dependency 'logstash-devutils'
+end
+

data/spec/inputs/eventlog_spec.rb

@@ -0,0 +1,5 @@
+require "logstash/devutils/rspec/spec_helper"
+require 'logstash/inputs/eventlog'
+
+describe LogStash::Inputs::EventLog do
+end

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-eventlog
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: java
+authors:
+- Elasticsearch
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-11-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-plain
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency
+  name: jruby-win32ole
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  type: :development
+description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
+email: info@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Gemfile.bak
+- LICENSE
+- Rakefile
+- lib/logstash/inputs/eventlog.rb
+- logstash-input-eventlog.gemspec
+- spec/inputs/eventlog_spec.rb
+homepage: http://www.elasticsearch.org/guide/en/logstash/current/index.html
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: input
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.2
+signing_key:
+specification_version: 4
+summary: This input will pull events from a Windows Event Log
+test_files:
+- spec/inputs/eventlog_spec.rb