logstash-input-eventlog 0.1.1-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 9b51c4a7bd08930a450dce74fc36cbd6bf15b282
4
+ data.tar.gz: a85b854ea1475dc6dc22e6322e652a0841092d9f
5
+ SHA512:
6
+ metadata.gz: 7609c656cf0f795f4785d29d9adf3f7b248b640c3ad208f35da18d564afa333de68d3a07962a9ce41f9e6f1bb80e07973e2d181d8abc1d370d357e57c511d1e7
7
+ data.tar.gz: e37a071ae8c2515558fab9d49d0f932947298507451ed5af462f52ac147cd6bf28a947d4c5e479ea5653a6e17c7246845a7e4b2e314af8a845e1e0387f100c97
data/.gitignore ADDED
@@ -0,0 +1,4 @@
1
+ *.gem
2
+ Gemfile.lock
3
+ .bundle
4
+ vendor
data/Gemfile ADDED
@@ -0,0 +1,3 @@
1
+ source 'https://rubygems.org'
2
+ gemspec
3
+ gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"
data/Gemfile.bak ADDED
@@ -0,0 +1,4 @@
1
+ source 'http://rubygems.org'
2
+ gem 'rake'
3
+ gem 'gem_publisher'
4
+ gem 'archive-tar-minitar'
data/LICENSE ADDED
@@ -0,0 +1,13 @@
1
+ Copyright (c) 2012-2014 Elasticsearch <http://www.elasticsearch.org>
2
+
3
+ Licensed under the Apache License, Version 2.0 (the "License");
4
+ you may not use this file except in compliance with the License.
5
+ You may obtain a copy of the License at
6
+
7
+ http://www.apache.org/licenses/LICENSE-2.0
8
+
9
+ Unless required by applicable law or agreed to in writing, software
10
+ distributed under the License is distributed on an "AS IS" BASIS,
11
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ See the License for the specific language governing permissions and
13
+ limitations under the License.
data/Rakefile ADDED
@@ -0,0 +1,7 @@
1
+ @files=[]
2
+
3
+ task :default do
4
+ system("rake -T")
5
+ end
6
+
7
+ require "logstash/devutils/rake"
@@ -0,0 +1,129 @@
1
+ # encoding: utf-8
2
+ require "logstash/inputs/base"
3
+ require "logstash/namespace"
4
+ require "logstash/timestamp"
5
+ require "socket"
6
+
7
+ # This input will pull events from a http://msdn.microsoft.com/en-us/library/windows/desktop/bb309026%28v=vs.85%29.aspx[Windows Event Log].
8
+ #
9
+ # To collect Events from the System Event Log, use a config like:
10
+ # [source,ruby]
11
+ # input {
12
+ # eventlog {
13
+ # type => 'Win32-EventLog'
14
+ # logfile => 'System'
15
+ # }
16
+ # }
17
+ class LogStash::Inputs::EventLog < LogStash::Inputs::Base
18
+
19
+ config_name "eventlog"
20
+ milestone 2
21
+
22
+ default :codec, "plain"
23
+
24
+ # Event Log Name
25
+ config :logfile, :validate => :array, :default => [ "Application", "Security", "System" ]
26
+
27
+ public
28
+ def register
29
+
30
+ # wrap specified logfiles in suitable OR statements
31
+ @logfiles = @logfile.join("' OR TargetInstance.LogFile = '")
32
+
33
+ @hostname = Socket.gethostname
34
+ @logger.info("Registering input eventlog://#{@hostname}/#{@logfile}")
35
+
36
+ if RUBY_PLATFORM == "java"
37
+ require "jruby-win32ole"
38
+ else
39
+ require "win32ole"
40
+ end
41
+ end # def register
42
+
43
+ public
44
+ def run(queue)
45
+ @wmi = WIN32OLE.connect("winmgmts://")
46
+
47
+ wmi_query = "Select * from __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent' And (TargetInstance.LogFile = '#{@logfiles}')"
48
+
49
+ begin
50
+ @logger.debug("Tailing Windows Event Log '#{@logfile}'")
51
+
52
+ events = @wmi.ExecNotificationQuery(wmi_query)
53
+
54
+ while
55
+ notification = events.NextEvent
56
+ event = notification.TargetInstance
57
+
58
+ timestamp = to_timestamp(event.TimeGenerated)
59
+
60
+ e = LogStash::Event.new(
61
+ "host" => @hostname,
62
+ "path" => @logfile,
63
+ "type" => @type,
64
+ LogStash::Event::TIMESTAMP => timestamp
65
+ )
66
+
67
+ %w{Category CategoryString ComputerName EventCode EventIdentifier
68
+ EventType Logfile Message RecordNumber SourceName
69
+ TimeGenerated TimeWritten Type User
70
+ }.each{
71
+ |property| e[property] = event.send property
72
+ }
73
+
74
+ if RUBY_PLATFORM == "java"
75
+ # unwrap jruby-win32ole racob data
76
+ e["InsertionStrings"] = unwrap_racob_variant_array(event.InsertionStrings)
77
+ data = unwrap_racob_variant_array(event.Data)
78
+ # Data is an array of signed shorts, so convert to bytes and pack a string
79
+ e["Data"] = data.map{|byte| (byte > 0) ? byte : 256 + byte}.pack("c*")
80
+ else
81
+ # win32-ole data does not need to be unwrapped
82
+ e["InsertionStrings"] = event.InsertionStrings
83
+ e["Data"] = event.Data
84
+ end
85
+
86
+ e["message"] = event.Message
87
+
88
+ decorate(e)
89
+ queue << e
90
+
91
+ end # while
92
+
93
+ rescue Exception => ex
94
+ @logger.error("Windows Event Log error: #{ex}\n#{ex.backtrace}")
95
+ sleep 1
96
+ retry
97
+ end # rescue
98
+
99
+ end # def run
100
+
101
+ private
102
+ def unwrap_racob_variant_array(variants)
103
+ variants ||= []
104
+ variants.map {|v| (v.respond_to? :getValue) ? v.getValue : v}
105
+ end # def unwrap_racob_variant_array
106
+
107
+ # the event log timestamp is a utc string in the following format: yyyymmddHHMMSS.xxxxxx±UUU
108
+ # http://technet.microsoft.com/en-us/library/ee198928.aspx
109
+ private
110
+ def to_timestamp(wmi_time)
111
+ result = ""
112
+ # parse the utc date string
113
+ /(?<w_date>\d{8})(?<w_time>\d{6})\.\d{6}(?<w_sign>[\+-])(?<w_diff>\d{3})/ =~ wmi_time
114
+ result = "#{w_date}T#{w_time}#{w_sign}"
115
+ # the offset is represented by the difference, in minutes,
116
+ # between the local time zone and Greenwich Mean Time (GMT).
117
+ if w_diff.to_i > 0
118
+ # calculate the timezone offset in hours and minutes
119
+ h_offset = w_diff.to_i / 60
120
+ m_offset = w_diff.to_i - (h_offset * 60)
121
+ result.concat("%02d%02d" % [h_offset, m_offset])
122
+ else
123
+ result.concat("0000")
124
+ end
125
+
126
+ return LogStash::Timestamp.new(DateTime.strptime(result, "%Y%m%dT%H%M%S%z").to_time)
127
+ end
128
+ end # class LogStash::Inputs::EventLog
129
+
@@ -0,0 +1,33 @@
1
+ Gem::Specification.new do |s|
2
+
3
+ s.name = 'logstash-input-eventlog'
4
+ s.version = '0.1.1'
5
+ s.licenses = ['Apache License (2.0)']
6
+ s.summary = "This input will pull events from a Windows Event Log"
7
+ s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
8
+ s.authors = ["Elasticsearch"]
9
+ s.email = 'info@elasticsearch.com'
10
+ s.homepage = "http://www.elasticsearch.org/guide/en/logstash/current/index.html"
11
+ s.require_paths = ["lib"]
12
+
13
+ # Files
14
+ s.files = `git ls-files`.split($\)+::Dir.glob('vendor/*')
15
+
16
+ # Tests
17
+ s.test_files = s.files.grep(%r{^(test|spec|features)/})
18
+
19
+ # Special flag to let us know this is actually a logstash plugin
20
+ s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
21
+
22
+ # Gem dependencies
23
+ s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
24
+
25
+ s.add_runtime_dependency 'logstash-codec-plain'
26
+
27
+ if RUBY_PLATFORM == 'java'
28
+ s.platform = RUBY_PLATFORM
29
+ s.add_runtime_dependency "jruby-win32ole" #(unknown license)
30
+ end
31
+ s.add_development_dependency 'logstash-devutils'
32
+ end
33
+
@@ -0,0 +1,5 @@
1
+ require "logstash/devutils/rspec/spec_helper"
2
+ require 'logstash/inputs/eventlog'
3
+
4
+ describe LogStash::Inputs::EventLog do
5
+ end
metadata ADDED
@@ -0,0 +1,116 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: logstash-input-eventlog
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.1
5
+ platform: java
6
+ authors:
7
+ - Elasticsearch
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2014-11-19 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: logstash
15
+ version_requirements: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - '>='
18
+ - !ruby/object:Gem::Version
19
+ version: 1.4.0
20
+ - - <
21
+ - !ruby/object:Gem::Version
22
+ version: 2.0.0
23
+ requirement: !ruby/object:Gem::Requirement
24
+ requirements:
25
+ - - '>='
26
+ - !ruby/object:Gem::Version
27
+ version: 1.4.0
28
+ - - <
29
+ - !ruby/object:Gem::Version
30
+ version: 2.0.0
31
+ prerelease: false
32
+ type: :runtime
33
+ - !ruby/object:Gem::Dependency
34
+ name: logstash-codec-plain
35
+ version_requirements: !ruby/object:Gem::Requirement
36
+ requirements:
37
+ - - '>='
38
+ - !ruby/object:Gem::Version
39
+ version: '0'
40
+ requirement: !ruby/object:Gem::Requirement
41
+ requirements:
42
+ - - '>='
43
+ - !ruby/object:Gem::Version
44
+ version: '0'
45
+ prerelease: false
46
+ type: :runtime
47
+ - !ruby/object:Gem::Dependency
48
+ name: jruby-win32ole
49
+ version_requirements: !ruby/object:Gem::Requirement
50
+ requirements:
51
+ - - '>='
52
+ - !ruby/object:Gem::Version
53
+ version: '0'
54
+ requirement: !ruby/object:Gem::Requirement
55
+ requirements:
56
+ - - '>='
57
+ - !ruby/object:Gem::Version
58
+ version: '0'
59
+ prerelease: false
60
+ type: :runtime
61
+ - !ruby/object:Gem::Dependency
62
+ name: logstash-devutils
63
+ version_requirements: !ruby/object:Gem::Requirement
64
+ requirements:
65
+ - - '>='
66
+ - !ruby/object:Gem::Version
67
+ version: '0'
68
+ requirement: !ruby/object:Gem::Requirement
69
+ requirements:
70
+ - - '>='
71
+ - !ruby/object:Gem::Version
72
+ version: '0'
73
+ prerelease: false
74
+ type: :development
75
+ description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
76
+ email: info@elasticsearch.com
77
+ executables: []
78
+ extensions: []
79
+ extra_rdoc_files: []
80
+ files:
81
+ - .gitignore
82
+ - Gemfile
83
+ - Gemfile.bak
84
+ - LICENSE
85
+ - Rakefile
86
+ - lib/logstash/inputs/eventlog.rb
87
+ - logstash-input-eventlog.gemspec
88
+ - spec/inputs/eventlog_spec.rb
89
+ homepage: http://www.elasticsearch.org/guide/en/logstash/current/index.html
90
+ licenses:
91
+ - Apache License (2.0)
92
+ metadata:
93
+ logstash_plugin: 'true'
94
+ logstash_group: input
95
+ post_install_message:
96
+ rdoc_options: []
97
+ require_paths:
98
+ - lib
99
+ required_ruby_version: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - '>='
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ required_rubygems_version: !ruby/object:Gem::Requirement
105
+ requirements:
106
+ - - '>='
107
+ - !ruby/object:Gem::Version
108
+ version: '0'
109
+ requirements: []
110
+ rubyforge_project:
111
+ rubygems_version: 2.2.2
112
+ signing_key:
113
+ specification_version: 4
114
+ summary: This input will pull events from a Windows Event Log
115
+ test_files:
116
+ - spec/inputs/eventlog_spec.rb