logstash-input-eventlog 0.1.5-java → 0.1.6-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +0 -0
- data/NOTICE.TXT +5 -0
- data/README.md +1 -1
- data/lib/logstash/inputs/eventlog.rb +61 -51
- data/logstash-input-eventlog.gemspec +1 -1
- metadata +19 -17
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f13c329a36f6b929b09ee978a555c75e0e9eab64
|
|
4
|
+
data.tar.gz: 43ecd5b9bd0bfb3c5cbc8597ef787262eafec6e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b0767c8d4d1c883d1a5d720988f10162576cb6658d3c4e37f73944f6bca7abfcc8d75e0265e5ac6ccef0b6a82c906c5e3d1f35f121030efce542191f566ced8b
|
|
7
|
+
data.tar.gz: d4d927c303db0878130950cb38256761834b96864c164113f82ccc573fb1713d8823974926c3897dc041639a36c284b82179cd9a81c994e15726f08cb521e94c
|
data/CHANGELOG.md
ADDED
|
File without changes
|
data/NOTICE.TXT
ADDED
data/README.md
CHANGED
|
@@ -13,7 +13,7 @@ Logstash provides infrastructure to automatically generate documentation for thi
|
|
|
13
13
|
|
|
14
14
|
## Need Help?
|
|
15
15
|
|
|
16
|
-
Need help? Try #logstash on freenode IRC or the logstash
|
|
16
|
+
Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
|
|
17
17
|
|
|
18
18
|
## Developing
|
|
19
19
|
|
|
@@ -41,62 +41,72 @@ class LogStash::Inputs::EventLog < LogStash::Inputs::Base
|
|
|
41
41
|
|
|
42
42
|
public
|
|
43
43
|
def run(queue)
|
|
44
|
-
@wmi = WIN32OLE.connect("winmgmts://")
|
|
45
44
|
|
|
45
|
+
@wmi = WIN32OLE.connect("winmgmts://")
|
|
46
46
|
wmi_query = "Select * from __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent' And (TargetInstance.LogFile = '#{@logfiles}')"
|
|
47
47
|
|
|
48
|
+
@logger.debug("Tailing Windows Event Log '#{@logfile}'")
|
|
49
|
+
|
|
48
50
|
begin
|
|
49
|
-
@
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
event = notification.TargetInstance
|
|
56
|
-
|
|
57
|
-
timestamp = to_timestamp(event.TimeGenerated)
|
|
58
|
-
|
|
59
|
-
e = LogStash::Event.new(
|
|
60
|
-
"host" => @hostname,
|
|
61
|
-
"path" => @logfile,
|
|
62
|
-
"type" => @type,
|
|
63
|
-
LogStash::Event::TIMESTAMP => timestamp
|
|
64
|
-
)
|
|
65
|
-
|
|
66
|
-
%w{Category CategoryString ComputerName EventCode EventIdentifier
|
|
67
|
-
EventType Logfile Message RecordNumber SourceName
|
|
68
|
-
TimeGenerated TimeWritten Type User
|
|
69
|
-
}.each{
|
|
70
|
-
|property| e[property] = event.send property
|
|
71
|
-
}
|
|
72
|
-
|
|
73
|
-
if RUBY_PLATFORM == "java"
|
|
74
|
-
# unwrap jruby-win32ole racob data
|
|
75
|
-
e["InsertionStrings"] = unwrap_racob_variant_array(event.InsertionStrings)
|
|
76
|
-
data = unwrap_racob_variant_array(event.Data)
|
|
77
|
-
# Data is an array of signed shorts, so convert to bytes and pack a string
|
|
78
|
-
e["Data"] = data.map{|byte| (byte > 0) ? byte : 256 + byte}.pack("c*")
|
|
79
|
-
else
|
|
80
|
-
# win32-ole data does not need to be unwrapped
|
|
81
|
-
e["InsertionStrings"] = event.InsertionStrings
|
|
82
|
-
e["Data"] = event.Data
|
|
83
|
-
end
|
|
84
|
-
|
|
85
|
-
e["message"] = event.Message
|
|
86
|
-
|
|
87
|
-
decorate(e)
|
|
88
|
-
queue << e
|
|
89
|
-
|
|
90
|
-
end # loop
|
|
91
|
-
|
|
92
|
-
rescue LogStash::ShutdownSignal
|
|
93
|
-
return
|
|
94
|
-
rescue Exception => ex
|
|
95
|
-
@logger.error("Windows Event Log error: #{ex}\n#{ex.backtrace}")
|
|
96
|
-
sleep 1
|
|
97
|
-
retry
|
|
98
|
-
end # rescue
|
|
51
|
+
@events = @wmi.ExecNotificationQuery(wmi_query)
|
|
52
|
+
rescue => e
|
|
53
|
+
@logger.fatal("Unable to tail Windows Event Log: #{e.message}")
|
|
54
|
+
@logger.info("Windows Event Log Query: #{wmi_query}")
|
|
55
|
+
return # fatal scenario => exit
|
|
56
|
+
end
|
|
99
57
|
|
|
58
|
+
loop do
|
|
59
|
+
|
|
60
|
+
begin
|
|
61
|
+
# timeout is needed here otherwise NextEvent prevents logstash from exiting
|
|
62
|
+
notification = @events.NextEvent(1000) # 1000 ms
|
|
63
|
+
rescue Java::OrgRacobCom::ComFailException
|
|
64
|
+
next
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
event = notification.TargetInstance
|
|
68
|
+
|
|
69
|
+
timestamp = to_timestamp(event.TimeGenerated)
|
|
70
|
+
|
|
71
|
+
e = LogStash::Event.new(
|
|
72
|
+
"host" => @hostname,
|
|
73
|
+
"path" => @logfile,
|
|
74
|
+
"type" => @type,
|
|
75
|
+
LogStash::Event::TIMESTAMP => timestamp
|
|
76
|
+
)
|
|
77
|
+
|
|
78
|
+
%w{Category CategoryString ComputerName EventCode EventIdentifier
|
|
79
|
+
EventType Logfile Message RecordNumber SourceName
|
|
80
|
+
TimeGenerated TimeWritten Type User
|
|
81
|
+
}.each{
|
|
82
|
+
|property| e[property] = event.send property
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
if RUBY_PLATFORM == "java"
|
|
86
|
+
# unwrap jruby-win32ole racob data
|
|
87
|
+
e["InsertionStrings"] = unwrap_racob_variant_array(event.InsertionStrings)
|
|
88
|
+
data = unwrap_racob_variant_array(event.Data)
|
|
89
|
+
# Data is an array of signed shorts, so convert to bytes and pack a string
|
|
90
|
+
e["Data"] = data.map{|byte| (byte > 0) ? byte : 256 + byte}.pack("c*")
|
|
91
|
+
else
|
|
92
|
+
# win32-ole data does not need to be unwrapped
|
|
93
|
+
e["InsertionStrings"] = event.InsertionStrings
|
|
94
|
+
e["Data"] = event.Data
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
e["message"] = event.Message
|
|
98
|
+
|
|
99
|
+
decorate(e)
|
|
100
|
+
queue << e
|
|
101
|
+
|
|
102
|
+
end # loop
|
|
103
|
+
|
|
104
|
+
rescue LogStash::ShutdownSignal
|
|
105
|
+
return
|
|
106
|
+
rescue => ex
|
|
107
|
+
@logger.error("Windows Event Log error: #{ex}\n#{ex.backtrace}")
|
|
108
|
+
sleep 1
|
|
109
|
+
retry
|
|
100
110
|
end # def run
|
|
101
111
|
|
|
102
112
|
private
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-input-eventlog'
|
|
4
|
-
s.version = '0.1.
|
|
4
|
+
s.version = '0.1.6'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "This input will pull events from a Windows Event Log"
|
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
metadata
CHANGED
|
@@ -1,17 +1,18 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-input-eventlog
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.6
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-06-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
|
-
|
|
14
|
+
name: logstash-core
|
|
15
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
15
16
|
requirements:
|
|
16
17
|
- - '>='
|
|
17
18
|
- !ruby/object:Gem::Version
|
|
@@ -19,10 +20,7 @@ dependencies:
|
|
|
19
20
|
- - <
|
|
20
21
|
- !ruby/object:Gem::Version
|
|
21
22
|
version: 2.0.0
|
|
22
|
-
|
|
23
|
-
prerelease: false
|
|
24
|
-
type: :runtime
|
|
25
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirement: !ruby/object:Gem::Requirement
|
|
26
24
|
requirements:
|
|
27
25
|
- - '>='
|
|
28
26
|
- !ruby/object:Gem::Version
|
|
@@ -30,48 +28,50 @@ dependencies:
|
|
|
30
28
|
- - <
|
|
31
29
|
- !ruby/object:Gem::Version
|
|
32
30
|
version: 2.0.0
|
|
31
|
+
prerelease: false
|
|
32
|
+
type: :runtime
|
|
33
33
|
- !ruby/object:Gem::Dependency
|
|
34
|
+
name: logstash-codec-plain
|
|
35
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
36
|
+
requirements:
|
|
37
|
+
- - '>='
|
|
38
|
+
- !ruby/object:Gem::Version
|
|
39
|
+
version: '0'
|
|
34
40
|
requirement: !ruby/object:Gem::Requirement
|
|
35
41
|
requirements:
|
|
36
42
|
- - '>='
|
|
37
43
|
- !ruby/object:Gem::Version
|
|
38
44
|
version: '0'
|
|
39
|
-
name: logstash-codec-plain
|
|
40
45
|
prerelease: false
|
|
41
46
|
type: :runtime
|
|
47
|
+
- !ruby/object:Gem::Dependency
|
|
48
|
+
name: jruby-win32ole
|
|
42
49
|
version_requirements: !ruby/object:Gem::Requirement
|
|
43
50
|
requirements:
|
|
44
51
|
- - '>='
|
|
45
52
|
- !ruby/object:Gem::Version
|
|
46
53
|
version: '0'
|
|
47
|
-
- !ruby/object:Gem::Dependency
|
|
48
54
|
requirement: !ruby/object:Gem::Requirement
|
|
49
55
|
requirements:
|
|
50
56
|
- - '>='
|
|
51
57
|
- !ruby/object:Gem::Version
|
|
52
58
|
version: '0'
|
|
53
|
-
name: jruby-win32ole
|
|
54
59
|
prerelease: false
|
|
55
60
|
type: :runtime
|
|
61
|
+
- !ruby/object:Gem::Dependency
|
|
62
|
+
name: logstash-devutils
|
|
56
63
|
version_requirements: !ruby/object:Gem::Requirement
|
|
57
64
|
requirements:
|
|
58
65
|
- - '>='
|
|
59
66
|
- !ruby/object:Gem::Version
|
|
60
67
|
version: '0'
|
|
61
|
-
- !ruby/object:Gem::Dependency
|
|
62
68
|
requirement: !ruby/object:Gem::Requirement
|
|
63
69
|
requirements:
|
|
64
70
|
- - '>='
|
|
65
71
|
- !ruby/object:Gem::Version
|
|
66
72
|
version: '0'
|
|
67
|
-
name: logstash-devutils
|
|
68
73
|
prerelease: false
|
|
69
74
|
type: :development
|
|
70
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
71
|
-
requirements:
|
|
72
|
-
- - '>='
|
|
73
|
-
- !ruby/object:Gem::Version
|
|
74
|
-
version: '0'
|
|
75
75
|
description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
|
|
76
76
|
email: info@elastic.co
|
|
77
77
|
executables: []
|
|
@@ -79,10 +79,12 @@ extensions: []
|
|
|
79
79
|
extra_rdoc_files: []
|
|
80
80
|
files:
|
|
81
81
|
- .gitignore
|
|
82
|
+
- CHANGELOG.md
|
|
82
83
|
- CONTRIBUTORS
|
|
83
84
|
- Gemfile
|
|
84
85
|
- Gemfile.bak
|
|
85
86
|
- LICENSE
|
|
87
|
+
- NOTICE.TXT
|
|
86
88
|
- README.md
|
|
87
89
|
- Rakefile
|
|
88
90
|
- lib/logstash/inputs/eventlog.rb
|