logstash-input-eventlog 4.0.2 → 4.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/Gemfile +8 -1
- data/docs/index.asciidoc +74 -0
- data/lib/logstash/inputs/eventlog.rb +26 -2
- data/logstash-input-eventlog.gemspec +2 -2
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7175056b3a1ed2a08cb34f7504e63ed8d7bd4bb3
|
|
4
|
+
data.tar.gz: a4fae43c9205b93a430e3fd6acfb4016c7e1af35
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ed5c2ab0c3b02347b5f3dcb32bf51cd2b87d94024e2addfc4afeecb8315c72e265f7977e077c34631020830c55d7e1a09ec040216f3d95feb56f83df5d366cde
|
|
7
|
+
data.tar.gz: 5f6c28975d53b9a7ee50a7e6729951f7f9daec3fc5143b7f9583fc6fdcdf73efca8a6ea063969fe87fae6efb65999648393a047b5d0517b63f2b50575223a155
|
data/CHANGELOG.md
CHANGED
data/Gemfile
CHANGED
|
@@ -1,4 +1,11 @@
|
|
|
1
1
|
source 'https://rubygems.org'
|
|
2
2
|
|
|
3
|
-
# Specify your gem's dependencies in logstash-mass_effect.gemspec
|
|
4
3
|
gemspec
|
|
4
|
+
|
|
5
|
+
logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
|
|
6
|
+
use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
|
|
7
|
+
|
|
8
|
+
if Dir.exist?(logstash_path) && use_logstash_source
|
|
9
|
+
gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
|
|
10
|
+
gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
|
|
11
|
+
end
|
data/docs/index.asciidoc
ADDED
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
:plugin: eventlog
|
|
2
|
+
:type: input
|
|
3
|
+
|
|
4
|
+
///////////////////////////////////////////
|
|
5
|
+
START - GENERATED VARIABLES, DO NOT EDIT!
|
|
6
|
+
///////////////////////////////////////////
|
|
7
|
+
:version: %VERSION%
|
|
8
|
+
:release_date: %RELEASE_DATE%
|
|
9
|
+
:changelog_url: %CHANGELOG_URL%
|
|
10
|
+
:include_path: ../../../../logstash/docs/include
|
|
11
|
+
///////////////////////////////////////////
|
|
12
|
+
END - GENERATED VARIABLES, DO NOT EDIT!
|
|
13
|
+
///////////////////////////////////////////
|
|
14
|
+
|
|
15
|
+
[id="plugins-{type}-{plugin}"]
|
|
16
|
+
|
|
17
|
+
=== Eventlog
|
|
18
|
+
|
|
19
|
+
include::{include_path}/plugin_header.asciidoc[]
|
|
20
|
+
|
|
21
|
+
==== Description
|
|
22
|
+
|
|
23
|
+
This input will pull events from a http://msdn.microsoft.com/en-us/library/windows/desktop/bb309026%28v=vs.85%29.aspx[Windows Event Log].
|
|
24
|
+
Note that Windows Event Logs are stored on disk in a binary format and are only accessible from the Win32 API.
|
|
25
|
+
This means Losgtash needs to be running as an agent on Windows servers where you wish to collect logs
|
|
26
|
+
from, and will not be accesible across the network.
|
|
27
|
+
|
|
28
|
+
To collect Events from the System Event Log, use a config like:
|
|
29
|
+
[source,ruby]
|
|
30
|
+
input {
|
|
31
|
+
eventlog {
|
|
32
|
+
type => 'Win32-EventLog'
|
|
33
|
+
logfile => 'System'
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
[id="plugins-{type}s-{plugin}-options"]
|
|
38
|
+
==== Eventlog Input Configuration Options
|
|
39
|
+
|
|
40
|
+
This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
|
|
41
|
+
|
|
42
|
+
[cols="<,<,<",options="header",]
|
|
43
|
+
|=======================================================================
|
|
44
|
+
|Setting |Input type|Required
|
|
45
|
+
| <<plugins-{type}s-{plugin}-interval>> |<<number,number>>|No
|
|
46
|
+
| <<plugins-{type}s-{plugin}-logfile>> |<<string,string>>, one of `["Application", "Security", "System"]`|No
|
|
47
|
+
|=======================================================================
|
|
48
|
+
|
|
49
|
+
Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
|
|
50
|
+
input plugins.
|
|
51
|
+
|
|
52
|
+
|
|
53
|
+
|
|
54
|
+
[id="plugins-{type}s-{plugin}-interval"]
|
|
55
|
+
===== `interval`
|
|
56
|
+
|
|
57
|
+
* Value type is <<number,number>>
|
|
58
|
+
* Default value is `1000`
|
|
59
|
+
|
|
60
|
+
How frequently should tail check for new event logs in ms (default: 1 second)
|
|
61
|
+
|
|
62
|
+
[id="plugins-{type}s-{plugin}-logfile"]
|
|
63
|
+
===== `logfile`
|
|
64
|
+
|
|
65
|
+
* Value can be any of: `Application`, `Security`, `System`
|
|
66
|
+
* Default value is `"Application"`
|
|
67
|
+
|
|
68
|
+
Event Log Name
|
|
69
|
+
System and Security may require that privileges are given to the user running logstash.
|
|
70
|
+
see more at: https://social.technet.microsoft.com/forums/windowsserver/en-US/d2f813db-6142-4b5b-8d86-253ebb740473/easy-way-to-read-security-log
|
|
71
|
+
|
|
72
|
+
|
|
73
|
+
[id="plugins-{type}s-{plugin}-common-options"]
|
|
74
|
+
include::{include_path}/{type}.asciidoc[]
|
|
@@ -4,6 +4,8 @@ require "logstash/namespace"
|
|
|
4
4
|
require "logstash/timestamp"
|
|
5
5
|
require "win32/eventlog"
|
|
6
6
|
require "stud/interval"
|
|
7
|
+
require "logstash/util/charset"
|
|
8
|
+
|
|
7
9
|
|
|
8
10
|
# This input will pull events from a http://msdn.microsoft.com/en-us/library/windows/desktop/bb309026%28v=vs.85%29.aspx[Windows Event Log].
|
|
9
11
|
# Note that Windows Event Logs are stored on disk in a binary format and are only accessible from the Win32 API.
|
|
@@ -32,6 +34,10 @@ class LogStash::Inputs::EventLog < LogStash::Inputs::Base
|
|
|
32
34
|
# How frequently should tail check for new event logs in ms (default: 1 second)
|
|
33
35
|
config :interval, :validate => :number, :default => 1000
|
|
34
36
|
|
|
37
|
+
# Event Log string encoding (default: UTF-16LE), however your system might be using another encoding, if you
|
|
38
|
+
# are seeing strange characters, inspect this variable.
|
|
39
|
+
config :charset, :validate => :string, :default => "UTF-16LE"
|
|
40
|
+
|
|
35
41
|
public
|
|
36
42
|
def register
|
|
37
43
|
|
|
@@ -47,6 +53,7 @@ class LogStash::Inputs::EventLog < LogStash::Inputs::Base
|
|
|
47
53
|
end
|
|
48
54
|
raise
|
|
49
55
|
end
|
|
56
|
+
@converter = LogStash::Util::Charset.new(Encoding.find(@charset))
|
|
50
57
|
end # def register
|
|
51
58
|
|
|
52
59
|
public
|
|
@@ -73,7 +80,7 @@ class LogStash::Inputs::EventLog < LogStash::Inputs::Base
|
|
|
73
80
|
private
|
|
74
81
|
def process(log)
|
|
75
82
|
|
|
76
|
-
|
|
83
|
+
attrs = {
|
|
77
84
|
"host" => @hostname,
|
|
78
85
|
"Logfile" => @logfile,
|
|
79
86
|
"message" => log["description"].strip,
|
|
@@ -88,8 +95,25 @@ class LogStash::Inputs::EventLog < LogStash::Inputs::Base
|
|
|
88
95
|
"Type" => log["event_type"],
|
|
89
96
|
"User" => log["user"],
|
|
90
97
|
"InsertionStrings" => log["string_inserts"]
|
|
91
|
-
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
attrs.each do |k,v|
|
|
101
|
+
next if ["host", "Logfile"].include?(k)
|
|
102
|
+
attrs[k] = convert(v)
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
LogStash::Event.new(attrs)
|
|
92
106
|
end # def run
|
|
93
107
|
|
|
108
|
+
def convert(field)
|
|
109
|
+
if field.is_a?(String)
|
|
110
|
+
@converter.convert(field)
|
|
111
|
+
elsif field.is_a?(Array)
|
|
112
|
+
field.map { |v| @converter.convert(v) }
|
|
113
|
+
else
|
|
114
|
+
field
|
|
115
|
+
end
|
|
116
|
+
end
|
|
117
|
+
|
|
94
118
|
end # class LogStash::Inputs::EventLog
|
|
95
119
|
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-input-eventlog'
|
|
4
|
-
s.version = '4.
|
|
4
|
+
s.version = '4.1.1'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "This input will pull events from a Windows Event Log"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
|
@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
|
|
|
11
11
|
s.require_paths = ["lib"]
|
|
12
12
|
|
|
13
13
|
# Files
|
|
14
|
-
s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
|
|
14
|
+
s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT', 'docs/**/*']
|
|
15
15
|
|
|
16
16
|
# Tests
|
|
17
17
|
s.test_files = s.files.grep(%r{^(test|spec|features)/})
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-input-eventlog
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2017-06-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -98,6 +98,7 @@ files:
|
|
|
98
98
|
- LICENSE
|
|
99
99
|
- NOTICE.TXT
|
|
100
100
|
- README.md
|
|
101
|
+
- docs/index.asciidoc
|
|
101
102
|
- lib/logstash/inputs/eventlog.rb
|
|
102
103
|
- logstash-input-eventlog.gemspec
|
|
103
104
|
- spec/inputs/eventlog_spec.rb
|
|
@@ -123,7 +124,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
124
|
version: '0'
|
|
124
125
|
requirements: []
|
|
125
126
|
rubyforge_project:
|
|
126
|
-
rubygems_version: 2.
|
|
127
|
+
rubygems_version: 2.4.8
|
|
127
128
|
signing_key:
|
|
128
129
|
specification_version: 4
|
|
129
130
|
summary: This input will pull events from a Windows Event Log
|