logstash-input-eventlog 0.1.5-java → 0.1.6-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +0 -0
- data/NOTICE.TXT +5 -0
- data/README.md +1 -1
- data/lib/logstash/inputs/eventlog.rb +61 -51
- data/logstash-input-eventlog.gemspec +1 -1
- metadata +19 -17
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f13c329a36f6b929b09ee978a555c75e0e9eab64
|
|
4
|
+
data.tar.gz: 43ecd5b9bd0bfb3c5cbc8597ef787262eafec6e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b0767c8d4d1c883d1a5d720988f10162576cb6658d3c4e37f73944f6bca7abfcc8d75e0265e5ac6ccef0b6a82c906c5e3d1f35f121030efce542191f566ced8b
|
|
7
|
+
data.tar.gz: d4d927c303db0878130950cb38256761834b96864c164113f82ccc573fb1713d8823974926c3897dc041639a36c284b82179cd9a81c994e15726f08cb521e94c
|
data/CHANGELOG.md
ADDED
|
File without changes
|
data/NOTICE.TXT
ADDED
data/README.md
CHANGED
|
@@ -13,7 +13,7 @@ Logstash provides infrastructure to automatically generate documentation for thi
|
|
|
13
13
|
|
|
14
14
|
## Need Help?
|
|
15
15
|
|
|
16
|
-
Need help? Try #logstash on freenode IRC or the logstash
|
|
16
|
+
Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
|
|
17
17
|
|
|
18
18
|
## Developing
|
|
19
19
|
|
|
@@ -41,62 +41,72 @@ class LogStash::Inputs::EventLog < LogStash::Inputs::Base
|
|
|
41
41
|
|
|
42
42
|
public
|
|
43
43
|
def run(queue)
|
|
44
|
-
@wmi = WIN32OLE.connect("winmgmts://")
|
|
45
44
|
|
|
45
|
+
@wmi = WIN32OLE.connect("winmgmts://")
|
|
46
46
|
wmi_query = "Select * from __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent' And (TargetInstance.LogFile = '#{@logfiles}')"
|
|
47
47
|
|
|
48
|
+
@logger.debug("Tailing Windows Event Log '#{@logfile}'")
|
|
49
|
+
|
|
48
50
|
begin
|
|
49
|
-
@
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
event = notification.TargetInstance
|
|
56
|
-
|
|
57
|
-
timestamp = to_timestamp(event.TimeGenerated)
|
|
58
|
-
|
|
59
|
-
e = LogStash::Event.new(
|
|
60
|
-
"host" => @hostname,
|
|
61
|
-
"path" => @logfile,
|
|
62
|
-
"type" => @type,
|
|
63
|
-
LogStash::Event::TIMESTAMP => timestamp
|
|
64
|
-
)
|
|
65
|
-
|
|
66
|
-
%w{Category CategoryString ComputerName EventCode EventIdentifier
|
|
67
|
-
EventType Logfile Message RecordNumber SourceName
|
|
68
|
-
TimeGenerated TimeWritten Type User
|
|
69
|
-
}.each{
|
|
70
|
-
|property| e[property] = event.send property
|
|
71
|
-
}
|
|
72
|
-
|
|
73
|
-
if RUBY_PLATFORM == "java"
|
|
74
|
-
# unwrap jruby-win32ole racob data
|
|
75
|
-
e["InsertionStrings"] = unwrap_racob_variant_array(event.InsertionStrings)
|
|
76
|
-
data = unwrap_racob_variant_array(event.Data)
|
|
77
|
-
# Data is an array of signed shorts, so convert to bytes and pack a string
|
|
78
|
-
e["Data"] = data.map{|byte| (byte > 0) ? byte : 256 + byte}.pack("c*")
|
|
79
|
-
else
|
|
80
|
-
# win32-ole data does not need to be unwrapped
|
|
81
|
-
e["InsertionStrings"] = event.InsertionStrings
|
|
82
|
-
e["Data"] = event.Data
|
|
83
|
-
end
|
|
84
|
-
|
|
85
|
-
e["message"] = event.Message
|
|
86
|
-
|
|
87
|
-
decorate(e)
|
|
88
|
-
queue << e
|
|
89
|
-
|
|
90
|
-
end # loop
|
|
91
|
-
|
|
92
|
-
rescue LogStash::ShutdownSignal
|
|
93
|
-
return
|
|
94
|
-
rescue Exception => ex
|
|
95
|
-
@logger.error("Windows Event Log error: #{ex}\n#{ex.backtrace}")
|
|
96
|
-
sleep 1
|
|
97
|
-
retry
|
|
98
|
-
end # rescue
|
|
51
|
+
@events = @wmi.ExecNotificationQuery(wmi_query)
|
|
52
|
+
rescue => e
|
|
53
|
+
@logger.fatal("Unable to tail Windows Event Log: #{e.message}")
|
|
54
|
+
@logger.info("Windows Event Log Query: #{wmi_query}")
|
|
55
|
+
return # fatal scenario => exit
|
|
56
|
+
end
|
|
99
57
|
|
|
58
|
+
loop do
|
|
59
|
+
|
|
60
|
+
begin
|
|
61
|
+
# timeout is needed here otherwise NextEvent prevents logstash from exiting
|
|
62
|
+
notification = @events.NextEvent(1000) # 1000 ms
|
|
63
|
+
rescue Java::OrgRacobCom::ComFailException
|
|
64
|
+
next
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
event = notification.TargetInstance
|
|
68
|
+
|
|
69
|
+
timestamp = to_timestamp(event.TimeGenerated)
|
|
70
|
+
|
|
71
|
+
e = LogStash::Event.new(
|
|
72
|
+
"host" => @hostname,
|
|
73
|
+
"path" => @logfile,
|
|
74
|
+
"type" => @type,
|
|
75
|
+
LogStash::Event::TIMESTAMP => timestamp
|
|
76
|
+
)
|
|
77
|
+
|
|
78
|
+
%w{Category CategoryString ComputerName EventCode EventIdentifier
|
|
79
|
+
EventType Logfile Message RecordNumber SourceName
|
|
80
|
+
TimeGenerated TimeWritten Type User
|
|
81
|
+
}.each{
|
|
82
|
+
|property| e[property] = event.send property
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
if RUBY_PLATFORM == "java"
|
|
86
|
+
# unwrap jruby-win32ole racob data
|
|
87
|
+
e["InsertionStrings"] = unwrap_racob_variant_array(event.InsertionStrings)
|
|
88
|
+
data = unwrap_racob_variant_array(event.Data)
|
|
89
|
+
# Data is an array of signed shorts, so convert to bytes and pack a string
|
|
90
|
+
e["Data"] = data.map{|byte| (byte > 0) ? byte : 256 + byte}.pack("c*")
|
|
91
|
+
else
|
|
92
|
+
# win32-ole data does not need to be unwrapped
|
|
93
|
+
e["InsertionStrings"] = event.InsertionStrings
|
|
94
|
+
e["Data"] = event.Data
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
e["message"] = event.Message
|
|
98
|
+
|
|
99
|
+
decorate(e)
|
|
100
|
+
queue << e
|
|
101
|
+
|
|
102
|
+
end # loop
|
|
103
|
+
|
|
104
|
+
rescue LogStash::ShutdownSignal
|
|
105
|
+
return
|
|
106
|
+
rescue => ex
|
|
107
|
+
@logger.error("Windows Event Log error: #{ex}\n#{ex.backtrace}")
|
|
108
|
+
sleep 1
|
|
109
|
+
retry
|
|
100
110
|
end # def run
|
|
101
111
|
|
|
102
112
|
private
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-input-eventlog'
|
|
4
|
-
s.version = '0.1.
|
|
4
|
+
s.version = '0.1.6'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "This input will pull events from a Windows Event Log"
|
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
metadata
CHANGED
|
@@ -1,17 +1,18 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-input-eventlog
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.6
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-06-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
|
-
|
|
14
|
+
name: logstash-core
|
|
15
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
15
16
|
requirements:
|
|
16
17
|
- - '>='
|
|
17
18
|
- !ruby/object:Gem::Version
|
|
@@ -19,10 +20,7 @@ dependencies:
|
|
|
19
20
|
- - <
|
|
20
21
|
- !ruby/object:Gem::Version
|
|
21
22
|
version: 2.0.0
|
|
22
|
-
|
|
23
|
-
prerelease: false
|
|
24
|
-
type: :runtime
|
|
25
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirement: !ruby/object:Gem::Requirement
|
|
26
24
|
requirements:
|
|
27
25
|
- - '>='
|
|
28
26
|
- !ruby/object:Gem::Version
|
|
@@ -30,48 +28,50 @@ dependencies:
|
|
|
30
28
|
- - <
|
|
31
29
|
- !ruby/object:Gem::Version
|
|
32
30
|
version: 2.0.0
|
|
31
|
+
prerelease: false
|
|
32
|
+
type: :runtime
|
|
33
33
|
- !ruby/object:Gem::Dependency
|
|
34
|
+
name: logstash-codec-plain
|
|
35
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
36
|
+
requirements:
|
|
37
|
+
- - '>='
|
|
38
|
+
- !ruby/object:Gem::Version
|
|
39
|
+
version: '0'
|
|
34
40
|
requirement: !ruby/object:Gem::Requirement
|
|
35
41
|
requirements:
|
|
36
42
|
- - '>='
|
|
37
43
|
- !ruby/object:Gem::Version
|
|
38
44
|
version: '0'
|
|
39
|
-
name: logstash-codec-plain
|
|
40
45
|
prerelease: false
|
|
41
46
|
type: :runtime
|
|
47
|
+
- !ruby/object:Gem::Dependency
|
|
48
|
+
name: jruby-win32ole
|
|
42
49
|
version_requirements: !ruby/object:Gem::Requirement
|
|
43
50
|
requirements:
|
|
44
51
|
- - '>='
|
|
45
52
|
- !ruby/object:Gem::Version
|
|
46
53
|
version: '0'
|
|
47
|
-
- !ruby/object:Gem::Dependency
|
|
48
54
|
requirement: !ruby/object:Gem::Requirement
|
|
49
55
|
requirements:
|
|
50
56
|
- - '>='
|
|
51
57
|
- !ruby/object:Gem::Version
|
|
52
58
|
version: '0'
|
|
53
|
-
name: jruby-win32ole
|
|
54
59
|
prerelease: false
|
|
55
60
|
type: :runtime
|
|
61
|
+
- !ruby/object:Gem::Dependency
|
|
62
|
+
name: logstash-devutils
|
|
56
63
|
version_requirements: !ruby/object:Gem::Requirement
|
|
57
64
|
requirements:
|
|
58
65
|
- - '>='
|
|
59
66
|
- !ruby/object:Gem::Version
|
|
60
67
|
version: '0'
|
|
61
|
-
- !ruby/object:Gem::Dependency
|
|
62
68
|
requirement: !ruby/object:Gem::Requirement
|
|
63
69
|
requirements:
|
|
64
70
|
- - '>='
|
|
65
71
|
- !ruby/object:Gem::Version
|
|
66
72
|
version: '0'
|
|
67
|
-
name: logstash-devutils
|
|
68
73
|
prerelease: false
|
|
69
74
|
type: :development
|
|
70
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
71
|
-
requirements:
|
|
72
|
-
- - '>='
|
|
73
|
-
- !ruby/object:Gem::Version
|
|
74
|
-
version: '0'
|
|
75
75
|
description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
|
|
76
76
|
email: info@elastic.co
|
|
77
77
|
executables: []
|
|
@@ -79,10 +79,12 @@ extensions: []
|
|
|
79
79
|
extra_rdoc_files: []
|
|
80
80
|
files:
|
|
81
81
|
- .gitignore
|
|
82
|
+
- CHANGELOG.md
|
|
82
83
|
- CONTRIBUTORS
|
|
83
84
|
- Gemfile
|
|
84
85
|
- Gemfile.bak
|
|
85
86
|
- LICENSE
|
|
87
|
+
- NOTICE.TXT
|
|
86
88
|
- README.md
|
|
87
89
|
- Rakefile
|
|
88
90
|
- lib/logstash/inputs/eventlog.rb
|