RubyGems - winevt_c - Versions diffs - 0.8.0 → 0.9.3 - Mend

winevt_c 0.8.0 → 0.9.3

Files changed (34) hide show

checksums.yaml +4 -4
data/.clang-format +4 -4
data/.github/workflows/linux.yml +26 -0
data/Gemfile +6 -6
data/LICENSE.txt +202 -202
data/README.md +97 -42
data/Rakefile +37 -37
data/appveyor.yml +32 -26
data/example/bookmark.rb +9 -9
data/example/enumerate_channels.rb +13 -13
data/example/eventlog.rb +13 -9
data/example/locale.rb +13 -0
data/example/rate_limit.rb +14 -14
data/example/tailing.rb +21 -15
data/ext/winevt/extconf.rb +24 -24
data/ext/winevt/winevt.c +30 -26
data/ext/winevt/winevt_bookmark.c +149 -149
data/ext/winevt/winevt_c.h +133 -109
data/ext/winevt/winevt_channel.c +327 -327
data/ext/winevt/winevt_locale.c +92 -68
data/ext/winevt/winevt_locale_info.c +68 -0
data/ext/winevt/winevt_query.c +649 -551
data/ext/winevt/winevt_session.c +425 -0
data/ext/winevt/winevt_subscribe.c +756 -652
data/ext/winevt/winevt_utils.cpp +727 -696
data/lib/winevt.rb +14 -13
data/lib/winevt/bookmark.rb +6 -6
data/lib/winevt/query.rb +6 -6
data/lib/winevt/session.rb +15 -0
data/lib/winevt/subscribe.rb +18 -15
data/lib/winevt/version.rb +3 -3
data/winevt_c.gemspec +34 -34
metadata +12 -9
data/.travis.yml +0 -15

data/ext/winevt/winevt_session.c ADDED Viewed

@@ -0,0 +1,425 @@
+#include <winevt_c.h>
+/* clang-format off */
+/*
+ * Document-class: Winevt::EventLog::Session
+ *
+ * Manage Session information for Windows EventLog.
+ *
+ * @example
+ *  require 'winevt'
+ *
+ *  @session = Winevt::EventLog::Session.new("127.0.0.1")
+ *
+ *  @session.domain = "<EXAMPLEGROUP>"
+ *  @session.username = "<username>"
+ *  @session.password = "<password>"
+ *  # Then pass @session veriable into Winevt::EventLog::Query or
+ *  # Winevt::EventLog::Subscribe#subscribe
+ *  @query = Winevt::EventLog::Query.new(
+ *    "Application",
+ *    "*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+ *    @session
+ *  )
+ *  # some stuff.
+ *
+ *  @subscribe = Winevt::EventLog::Subscribe.new
+ *  @subscribe.subscribe(
+ *    "Application",
+ *    "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+ *    @session
+ *  )
+ *  # And some stuff.
+ * @since v0.9.0
+ */
+/* clang-format on */
+VALUE rb_cSession;
+VALUE rb_cRpcLoginFlag;
+static void session_free(void* ptr);
+static const rb_data_type_t rb_winevt_session_type = { "winevt/session",
+                                                       {
+                                                         0,
+                                                         session_free,
+                                                         0,
+                                                       },
+                                                       NULL,
+                                                       NULL,
+                                                       RUBY_TYPED_FREE_IMMEDIATELY };
+static void
+session_free(void* ptr)
+{
+  struct WinevtSession* winevtSession = (struct WinevtSession*)ptr;
+  if (winevtSession->server)
+    free(winevtSession->server);
+  if (winevtSession->domain)
+    free(winevtSession->domain);
+  if (winevtSession->username)
+    free(winevtSession->username);
+  if (winevtSession->password)
+    free(winevtSession->password);
+  xfree(ptr);
+}
+static VALUE
+rb_winevt_session_alloc(VALUE klass)
+{
+  VALUE obj;
+  struct WinevtSession* winevtSession;
+  obj = TypedData_Make_Struct(
+    klass, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  return obj;
+}
+/*
+ * Initalize Session class.
+ *
+ * @overload initialize(server, domain=nil, username=nil, password=nil, flags=Winevt::EventLog::Session::RpcLoginFlag::AuthDefault)
+ *   @param server [String] Server ip address or fqdn.
+ *   @param domain [String] Domain name.
+ *   @param username [String] username on remote server.
+ *   @param password [String] Remote server user password.
+ *   @param flags [Integer] Flags for authentication method choices.
+ * @return [Session]
+ *
+ */
+static VALUE
+rb_winevt_session_initialize(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(
+      self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  winevtSession->server = NULL;
+  winevtSession->domain = NULL;
+  winevtSession->username = NULL;
+  winevtSession->password = NULL;
+  winevtSession->flags = EvtRpcLoginAuthDefault;
+  return Qnil;
+}
+/*
+ * This method returns server for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_server(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->server) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->server, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies server for remoting access.
+ *
+ * @param rb_server [String] server
+ */
+static VALUE
+rb_winevt_session_set_server(VALUE self, VALUE rb_server)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vserverBuf;
+  PWSTR wServer;
+  Check_Type(rb_server, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_server), RSTRING_LEN(rb_server),
+                        NULL, 0);
+  wServer = ALLOCV_N(WCHAR, vserverBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_server), RSTRING_LEN(rb_server),
+                      wServer, len);
+  winevtSession->server = _wcsdup(wServer);
+  wServer[len] = L'\0';
+  ALLOCV_END(vserverBuf);
+  return Qnil;
+}
+/*
+ * This method returns domain for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_domain(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->domain) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->domain, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies domain for remoting access.
+ *
+ * @param rb_domain [String] domain
+ */
+static VALUE
+rb_winevt_session_set_domain(VALUE self, VALUE rb_domain)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vdomainBuf;
+  PWSTR wDomain;
+  Check_Type(rb_domain, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_domain), RSTRING_LEN(rb_domain),
+                        NULL, 0);
+  wDomain = ALLOCV_N(WCHAR, vdomainBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_domain), RSTRING_LEN(rb_domain),
+                      wDomain, len);
+  wDomain[len] = L'\0';
+  winevtSession->domain = _wcsdup(wDomain);
+  ALLOCV_END(vdomainBuf);
+  return Qnil;
+}
+/*
+ * This method returns username for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_username(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->username) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->username, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies username for remoting access.
+ *
+ * @param rb_username [String] username
+ */
+static VALUE
+rb_winevt_session_set_username(VALUE self, VALUE rb_username)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vusernameBuf;
+  PWSTR wUsername;
+  Check_Type(rb_username, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_username), RSTRING_LEN(rb_username),
+                        NULL, 0);
+  wUsername = ALLOCV_N(WCHAR, vusernameBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_username), RSTRING_LEN(rb_username),
+                      wUsername, len);
+  wUsername[len] = L'\0';
+  winevtSession->username = _wcsdup(wUsername);
+  ALLOCV_END(vusernameBuf);
+  return Qnil;
+}
+/*
+ * This method returns password for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_password(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->password) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->password, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies password for remoting access.
+ *
+ * @param rb_password [String] password
+ */
+static VALUE
+rb_winevt_session_set_password(VALUE self, VALUE rb_password)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vpasswordBuf;
+  PWSTR wPassword;
+  Check_Type(rb_password, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_password), RSTRING_LEN(rb_password),
+                        NULL, 0);
+  wPassword = ALLOCV_N(WCHAR, vpasswordBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_password), RSTRING_LEN(rb_password),
+                      wPassword, len);
+  wPassword[len] = L'\0';
+  winevtSession->password = _wcsdup(wPassword);
+  ALLOCV_END(vpasswordBuf);
+  return Qnil;
+}
+/*
+ * This method returns flags for remoting access.
+ *
+ * @return [Integer]
+ */
+static VALUE
+rb_winevt_session_get_flags(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  return LONG2NUM(winevtSession->flags);
+}
+static DWORD
+get_session_rpc_login_flag_from_cstr(char* flag_str)
+{
+  if (strcmp(flag_str, "default") == 0)
+    return EvtRpcLoginAuthDefault;
+  else if (strcmp(flag_str, "negociate") == 0)
+    return EvtRpcLoginAuthNegotiate;
+  else if (strcmp(flag_str, "kerberos") == 0)
+    return EvtRpcLoginAuthKerberos;
+  else if (strcmp(flag_str, "ntlm") == 0)
+    return EvtRpcLoginAuthNTLM;
+  else
+    rb_raise(rb_eArgError, "Unknown rpc login flag: %s", flag_str);
+  return 0;
+}
+/*
+ * This method specifies flags for remoting access.
+ *
+ * @param rb_flags [Integer] flags
+ */
+static VALUE
+rb_winevt_session_set_flags(VALUE self, VALUE rb_flags)
+{
+  struct WinevtSession* winevtSession;
+  EVT_RPC_LOGIN_FLAGS flags = EvtRpcLoginAuthDefault;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  switch(TYPE(rb_flags)) {
+    case T_SYMBOL:
+      flags = get_session_rpc_login_flag_from_cstr(RSTRING_PTR(rb_sym2str(rb_flags)));
+      break;
+    case T_STRING:
+      flags = get_session_rpc_login_flag_from_cstr(StringValuePtr(rb_flags));
+      break;
+    case T_FIXNUM:
+      flags = NUM2LONG(rb_flags);
+      break;
+    default:
+      rb_raise(rb_eArgError, "Expected Symbol, String or Fixnum in flags");
+  }
+  winevtSession->flags = flags;
+  return Qnil;
+}
+void
+Init_winevt_session(VALUE rb_cEventLog)
+{
+  rb_cSession = rb_define_class_under(rb_cEventLog, "Session", rb_cObject);
+  rb_define_alloc_func(rb_cSession, rb_winevt_session_alloc);
+  rb_cRpcLoginFlag = rb_define_module_under(rb_cSession, "RpcLoginFlag");
+  rb_define_method(rb_cSession, "initialize", rb_winevt_session_initialize, 0);
+  rb_define_method(rb_cSession, "server", rb_winevt_session_get_server, 0);
+  rb_define_method(rb_cSession, "server=", rb_winevt_session_set_server, 1);
+  rb_define_method(rb_cSession, "domain", rb_winevt_session_get_domain, 0);
+  rb_define_method(rb_cSession, "domain=", rb_winevt_session_set_domain, 1);
+  rb_define_method(rb_cSession, "username", rb_winevt_session_get_username, 0);
+  rb_define_method(rb_cSession, "username=", rb_winevt_session_set_username, 1);
+  rb_define_method(rb_cSession, "password", rb_winevt_session_get_password, 0);
+  rb_define_method(rb_cSession, "password=", rb_winevt_session_set_password, 1);
+  rb_define_method(rb_cSession, "flags", rb_winevt_session_get_flags, 0);
+  rb_define_method(rb_cSession, "flags=", rb_winevt_session_set_flags, 1);
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthDefault
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthDefault", LONG2NUM(EvtRpcLoginAuthDefault));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthNegociate
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthNegociate", LONG2NUM(EvtRpcLoginAuthNegotiate));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthKerberos
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthKerberos", LONG2NUM(EvtRpcLoginAuthKerberos));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthNTLM
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthNTLM", LONG2NUM(EvtRpcLoginAuthNTLM));
+}

data/ext/winevt/winevt_subscribe.c CHANGED Viewed

@@ -1,652 +1,756 @@
-#include <winevt_c.h>
-/* clang-format off */
-/*
- * Document-class: Winevt::EventLog::Subscribe
- *
- * Subscribe Windows EventLog channel.
- *
- * @example
- *  require 'winevt'
- *
- *  @subscribe = Winevt::EventLog::Subscribe.new
- *  @subscribe.tail = true
- *  @subscribe.rate_limit = 80
- *  @subscribe.subscribe(
- *    "Application", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
- *  )
- *  while true do
- *    @subscribe.each do |eventlog, message, string_inserts|
- *      puts ({eventlog: eventlog, data: message})
- *    end
- *    sleep(0.1)
- *  end
- *
- * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe
- */
-/* clang-format on */
-static void subscribe_free(void* ptr);
-static const rb_data_type_t rb_winevt_subscribe_type = { "winevt/subscribe",
-                                                         {
-                                                           0,
-                                                           subscribe_free,
-                                                           0,
-                                                         },
-                                                         NULL,
-                                                         NULL,
-                                                         RUBY_TYPED_FREE_IMMEDIATELY };
-static void
-subscribe_free(void* ptr)
-{
-  struct WinevtSubscribe* winevtSubscribe = (struct WinevtSubscribe*)ptr;
-  if (winevtSubscribe->signalEvent)
-    CloseHandle(winevtSubscribe->signalEvent);
-  if (winevtSubscribe->subscription)
-    EvtClose(winevtSubscribe->subscription);
-  if (winevtSubscribe->bookmark)
-    EvtClose(winevtSubscribe->bookmark);
-  for (int i = 0; i < winevtSubscribe->count; i++) {
-    if (winevtSubscribe->hEvents[i]) {
-      EvtClose(winevtSubscribe->hEvents[i]);
-    }
-  }
-  xfree(ptr);
-}
-static VALUE
-rb_winevt_subscribe_alloc(VALUE klass)
-{
-  VALUE obj;
-  struct WinevtSubscribe* winevtSubscribe;
-  obj = TypedData_Make_Struct(
-    klass, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return obj;
-}
-/*
- * Initalize Subscribe class.
- *
- * @return [Subscribe]
- *
- */
-static VALUE
-rb_winevt_subscribe_initialize(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->rateLimit = SUBSCRIBE_RATE_INFINITE;
-  winevtSubscribe->lastTime = 0;
-  winevtSubscribe->currentRate = 0;
-  winevtSubscribe->renderAsXML = TRUE;
-  winevtSubscribe->readExistingEvents = TRUE;
-  winevtSubscribe->preserveQualifiers = FALSE;
-  winevtSubscribe->localeInfo = &default_locale;
-  return Qnil;
-}
-/*
- * This method specifies whether read existing events or not.
- *
- * @param rb_read_existing_events_p [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_set_read_existing_events(VALUE self, VALUE rb_read_existing_events_p)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->readExistingEvents = RTEST(rb_read_existing_events_p);
-  return Qnil;
-}
-/*
- * This method returns whether read existing events or not.
- *
- * @return [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_read_existing_events_p(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return winevtSubscribe->readExistingEvents ? Qtrue : Qfalse;
-}
-/*
- * Subscribe into a Windows EventLog channel.
- *
- * @overload subscribe(path, query, options={})
- *   @param path [String] Subscribe Channel
- *   @param query [String] Query string for channel
- *   @option options [Bookmark] bookmark Bookmark class instance.
- * @return [Boolean]
- *
- */
-static VALUE
-rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
-{
-  VALUE rb_path, rb_query, rb_bookmark;
-  EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
-  HANDLE hSignalEvent;
-  DWORD len, flags = 0L;
-  VALUE wpathBuf, wqueryBuf, wBookmarkBuf;
-  PWSTR path, query, bookmarkXml;
-  DWORD status = ERROR_SUCCESS;
-  struct WinevtSubscribe* winevtSubscribe;
-  hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  rb_scan_args(argc, argv, "21", &rb_path, &rb_query, &rb_bookmark);
-  Check_Type(rb_path, T_STRING);
-  Check_Type(rb_query, T_STRING);
-  if (rb_obj_is_kind_of(rb_bookmark, rb_cString)) {
-    // bookmarkXml : To wide char
-    len = MultiByteToWideChar(
-        CP_UTF8, 0, RSTRING_PTR(rb_bookmark), RSTRING_LEN(rb_bookmark), NULL, 0);
-    bookmarkXml = ALLOCV_N(WCHAR, wBookmarkBuf, len + 1);
-    MultiByteToWideChar(CP_UTF8,
-                        0,
-                        RSTRING_PTR(rb_bookmark),
-                        RSTRING_LEN(rb_bookmark),
-                        bookmarkXml,
-                        len);
-    bookmarkXml[len] = L'\0';
-    hBookmark = EvtCreateBookmark(bookmarkXml);
-    ALLOCV_END(wBookmarkBuf);
-    if (hBookmark == NULL) {
-      status = GetLastError();
-      raise_system_error(rb_eWinevtQueryError, status);
-    }
-  }
-  // path : To wide char
-  len =
-    MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), NULL, 0);
-  path = ALLOCV_N(WCHAR, wpathBuf, len + 1);
-  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), path, len);
-  path[len] = L'\0';
-  // query : To wide char
-  len = MultiByteToWideChar(
-    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), NULL, 0);
-  query = ALLOCV_N(WCHAR, wqueryBuf, len + 1);
-  MultiByteToWideChar(
-    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), query, len);
-  query[len] = L'\0';
-  if (hBookmark) {
-    flags |= EvtSubscribeStartAfterBookmark;
-  } else if (winevtSubscribe->readExistingEvents) {
-    flags |= EvtSubscribeStartAtOldestRecord;
-  } else {
-    flags |= EvtSubscribeToFutureEvents;
-  }
-  hSubscription =
-    EvtSubscribe(NULL, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
-  if (!hSubscription) {
-    if (hBookmark != NULL) {
-      EvtClose(hBookmark);
-    }
-    if (hSignalEvent != NULL) {
-      CloseHandle(hSignalEvent);
-    }
-    status = GetLastError();
-    raise_system_error(rb_eWinevtQueryError, status);
-  }
-  if (winevtSubscribe->subscription != NULL) {
-    // should be disgarded the old event subscription handle.
-    EvtClose(winevtSubscribe->subscription);
-  }
-  ALLOCV_END(wpathBuf);
-  ALLOCV_END(wqueryBuf);
-  winevtSubscribe->signalEvent = hSignalEvent;
-  winevtSubscribe->subscription = hSubscription;
-  if (hBookmark) {
-    winevtSubscribe->bookmark = hBookmark;
-  } else {
-    winevtSubscribe->bookmark = EvtCreateBookmark(NULL);
-    if (winevtSubscribe->bookmark == NULL) {
-      if (hSubscription != NULL) {
-        EvtClose(hSubscription);
-      }
-      if (hSignalEvent != NULL) {
-        CloseHandle(hSignalEvent);
-      }
-      status = GetLastError();
-      raise_system_error(rb_eWinevtQueryError, status);
-    }
-  }
-  return Qtrue;
-}
-BOOL
-is_rate_limit_exceeded(struct WinevtSubscribe* winevtSubscribe)
-{
-  time_t now;
-  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
-    return FALSE;
-  time(&now);
-  if (now <= winevtSubscribe->lastTime) {
-    if (winevtSubscribe->currentRate >= winevtSubscribe->rateLimit) {
-      return TRUE;
-    }
-  } else {
-    winevtSubscribe->currentRate = 0;
-  }
-  return FALSE;
-}
-void
-update_to_reflect_rate_limit_state(struct WinevtSubscribe* winevtSubscribe, ULONG count)
-{
-  time_t lastTime = 0;
-  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
-    return;
-  time(&lastTime);
-  winevtSubscribe->lastTime = lastTime;
-  winevtSubscribe->currentRate += count;
-}
-/*
- * Handle the next values. Since v0.6.0, this method is used for
- * testing only. Please use #each instead.
- *
- * @return [Boolean]
- *
- * @see each
- */
-static VALUE
-rb_winevt_subscribe_next(VALUE self)
-{
-  EVT_HANDLE hEvents[SUBSCRIBE_ARRAY_SIZE];
-  ULONG count = 0;
-  DWORD status = ERROR_SUCCESS;
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  if (is_rate_limit_exceeded(winevtSubscribe)) {
-    return Qfalse;
-  }
-  if (!EvtNext(winevtSubscribe->subscription,
-               SUBSCRIBE_ARRAY_SIZE,
-               hEvents,
-               INFINITE,
-               0,
-               &count)) {
-    status = GetLastError();
-    if (ERROR_NO_MORE_ITEMS != status) {
-      return Qfalse;
-    }
-  }
-  if (status == ERROR_SUCCESS) {
-    winevtSubscribe->count = count;
-    for (int i = 0; i < count; i++) {
-      winevtSubscribe->hEvents[i] = hEvents[i];
-      EvtUpdateBookmark(winevtSubscribe->bookmark, winevtSubscribe->hEvents[i]);
-    }
-    update_to_reflect_rate_limit_state(winevtSubscribe, count);
-    return Qtrue;
-  }
-  return Qfalse;
-}
-static VALUE
-rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  if (winevtSubscribe->renderAsXML) {
-    return render_to_rb_str(event, EvtRenderEventXml);
-  } else {
-    return render_system_event(event, winevtSubscribe->preserveQualifiers);
-  }
-}
-static VALUE
-rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo)
-{
-  WCHAR* wResult;
-  VALUE utf8str;
-  wResult = get_description(event, localeInfo->langID);
-  utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
-  free(wResult);
-  return utf8str;
-}
-static VALUE
-rb_winevt_subscribe_string_inserts(EVT_HANDLE event)
-{
-  return get_values(event);
-}
-static VALUE
-rb_winevt_subscribe_close_handle(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  for (int i = 0; i < winevtSubscribe->count; i++) {
-    if (winevtSubscribe->hEvents[i] != NULL) {
-      EvtClose(winevtSubscribe->hEvents[i]);
-      winevtSubscribe->hEvents[i] = NULL;
-    }
-  }
-  return Qnil;
-}
-static VALUE
-rb_winevt_subscribe_each_yield(VALUE self)
-{
-  RETURN_ENUMERATOR(self, 0, 0);
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  for (int i = 0; i < winevtSubscribe->count; i++) {
-    rb_yield_values(3,
-                    rb_winevt_subscribe_render(self, winevtSubscribe->hEvents[i]),
-                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo),
-                    rb_winevt_subscribe_string_inserts(winevtSubscribe->hEvents[i]));
-  }
-  return Qnil;
-}
-/*
- * Enumerate to obtain Windows EventLog contents.
- *
- * This method yields the following:
- * (Stringified EventLog, Stringified detail message, Stringified
- * insert values)
- *
- * @yield (String,String,String)
- *
- */
-static VALUE
-rb_winevt_subscribe_each(VALUE self)
-{
-  RETURN_ENUMERATOR(self, 0, 0);
-  while (rb_winevt_subscribe_next(self)) {
-    rb_ensure(
-      rb_winevt_subscribe_each_yield, self, rb_winevt_subscribe_close_handle, self);
-  }
-  return Qnil;
-}
-/*
- * This method renders bookmark content which is related to Subscribe class instance.
- *
- * @return [String]
- */
-static VALUE
-rb_winevt_subscribe_get_bookmark(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return render_to_rb_str(winevtSubscribe->bookmark, EvtRenderBookmark);
-}
-/*
- * This method returns rate limit value.
- *
- * @since 0.6.0
- * @return [Integer]
- */
-static VALUE
-rb_winevt_subscribe_get_rate_limit(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return INT2NUM(winevtSubscribe->rateLimit);
-}
-/*
- * This method specifies rate limit value.
- *
- * @since 0.6.0
- * @param rb_rate_limit [Integer] rate_limit value
- */
-static VALUE
-rb_winevt_subscribe_set_rate_limit(VALUE self, VALUE rb_rate_limit)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  DWORD rateLimit;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  rateLimit = NUM2LONG(rb_rate_limit);
-  if ((rateLimit != SUBSCRIBE_RATE_INFINITE) && (rateLimit < 10 || rateLimit % 10)) {
-    rb_raise(rb_eArgError, "Specify a multiples of 10 or RATE_INFINITE constant");
-  } else {
-    winevtSubscribe->rateLimit = rateLimit;
-  }
-  return Qnil;
-}
-/*
- * This method returns whether render as xml or not.
- *
- * @since 0.6.0
- * @return [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_render_as_xml_p(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return winevtSubscribe->renderAsXML ? Qtrue : Qfalse;
-}
-/*
- * This method specifies whether render as xml or not.
- *
- * @since 0.6.0
- * @param rb_render_as_xml [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->renderAsXML = RTEST(rb_render_as_xml);
-  return Qnil;
-}
-/*
- * This method specifies whether preserving qualifiers key or not.
- *
- * @since 0.7.3
- * @param rb_render_as_xml [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->preserveQualifiers = RTEST(rb_preserve_qualifiers);
-  return Qnil;
-}
-/*
- * This method returns whether preserving qualifiers or not.
- *
- * @since 0.7.3
- * @return [Integer]
- */
-static VALUE
-rb_winevt_subscribe_get_preserve_qualifiers_p(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return winevtSubscribe->preserveQualifiers ? Qtrue : Qfalse;
-}
-/*
- * This method specifies locale with [String].
- *
- * @since 0.8.0
- * @param rb_locale_str [String]
- */
-static VALUE
-rb_winevt_subscribe_set_locale(VALUE self, VALUE rb_locale_str)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  LocaleInfo* locale_info = &default_locale;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  locale_info = get_locale_from_rb_str(rb_locale_str);
-  winevtSubscribe->localeInfo = locale_info;
-  return Qnil;
-}
-/*
- * This method obtains specified locale with [String].
- *
- * @since 0.8.0
- */
-static VALUE
-rb_winevt_subscribe_get_locale(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  if (winevtSubscribe->localeInfo->langCode) {
-    return rb_str_new2(winevtSubscribe->localeInfo->langCode);
-  } else {
-    return rb_str_new2(default_locale.langCode);
-  }
-}
-void
-Init_winevt_subscribe(VALUE rb_cEventLog)
-{
-  rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
-  rb_define_alloc_func(rb_cSubscribe, rb_winevt_subscribe_alloc);
-  /*
-   * For Subscribe#rate_limit=. It represents unspecified rate limit.
-   * @since 0.6.0
-   */
-  rb_define_const(rb_cSubscribe, "RATE_INFINITE", SUBSCRIBE_RATE_INFINITE);
-  rb_define_method(rb_cSubscribe, "initialize", rb_winevt_subscribe_initialize, 0);
-  rb_define_method(rb_cSubscribe, "subscribe", rb_winevt_subscribe_subscribe, -1);
-  rb_define_method(rb_cSubscribe, "next", rb_winevt_subscribe_next, 0);
-  rb_define_method(rb_cSubscribe, "each", rb_winevt_subscribe_each, 0);
-  rb_define_method(rb_cSubscribe, "bookmark", rb_winevt_subscribe_get_bookmark, 0);
-  /*
-   * @since 0.7.0
-   */
-  rb_define_method(rb_cSubscribe, "read_existing_events?", rb_winevt_subscribe_read_existing_events_p, 0);
-  /*
-   * @since 0.7.0
-   */
-  rb_define_method(rb_cSubscribe, "read_existing_events=", rb_winevt_subscribe_set_read_existing_events, 1);
-  rb_define_method(rb_cSubscribe, "rate_limit", rb_winevt_subscribe_get_rate_limit, 0);
-  rb_define_method(rb_cSubscribe, "rate_limit=", rb_winevt_subscribe_set_rate_limit, 1);
-  rb_define_method(
-    rb_cSubscribe, "render_as_xml?", rb_winevt_subscribe_render_as_xml_p, 0);
-  rb_define_method(
-    rb_cSubscribe, "render_as_xml=", rb_winevt_subscribe_set_render_as_xml, 1);
-  /*
-   * @since 0.7.3
-   */
-  rb_define_method(
-    rb_cSubscribe, "preserve_qualifiers?", rb_winevt_subscribe_get_preserve_qualifiers_p, 0);
-  /*
-   * @since 0.7.3
-   */
-  rb_define_method(
-    rb_cSubscribe, "preserve_qualifiers=", rb_winevt_subscribe_set_preserve_qualifiers, 1);
-  /*
-   * @since 0.8.0
-   */
-  rb_define_method(
-    rb_cSubscribe, "locale", rb_winevt_subscribe_get_locale, 0);
-  /*
-   * @since 0.8.0
-   */
-  rb_define_method(
-    rb_cSubscribe, "locale=", rb_winevt_subscribe_set_locale, 1);
-}
+#include <winevt_c.h>
+/* clang-format off */
+/*
+ * Document-class: Winevt::EventLog::Subscribe
+ *
+ * Subscribe Windows EventLog channel.
+ *
+ * @example
+ *  require 'winevt'
+ *
+ *  @subscribe = Winevt::EventLog::Subscribe.new
+ *  @subscribe.tail = true
+ *  @subscribe.rate_limit = 80
+ *  @subscribe.subscribe(
+ *    "Application", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
+ *  )
+ *  while true do
+ *    @subscribe.each do |eventlog, message, string_inserts|
+ *      puts ({eventlog: eventlog, data: message})
+ *    end
+ *    sleep(0.1)
+ *  end
+ *
+ * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe
+ */
+/* clang-format on */
+static void subscribe_free(void* ptr);
+static const rb_data_type_t rb_winevt_subscribe_type = { "winevt/subscribe",
+                                                         {
+                                                           0,
+                                                           subscribe_free,
+                                                           0,
+                                                         },
+                                                         NULL,
+                                                         NULL,
+                                                         RUBY_TYPED_FREE_IMMEDIATELY };
+static void
+close_handles(struct WinevtSubscribe* winevtSubscribe)
+{
+  if (winevtSubscribe->signalEvent) {
+    CloseHandle(winevtSubscribe->signalEvent);
+    winevtSubscribe->signalEvent = NULL;
+  }
+  if (winevtSubscribe->subscription) {
+    EvtClose(winevtSubscribe->subscription);
+    winevtSubscribe->subscription = NULL;
+  }
+  if (winevtSubscribe->bookmark) {
+    EvtClose(winevtSubscribe->bookmark);
+    winevtSubscribe->bookmark = NULL;
+  }
+  for (int i = 0; i < winevtSubscribe->count; i++) {
+    if (winevtSubscribe->hEvents[i]) {
+      EvtClose(winevtSubscribe->hEvents[i]);
+      winevtSubscribe->hEvents[i] = NULL;
+    }
+  }
+  winevtSubscribe->count = 0;
+  if (winevtSubscribe->remoteHandle) {
+    EvtClose(winevtSubscribe->remoteHandle);
+    winevtSubscribe->remoteHandle = NULL;
+  }
+}
+static void
+subscribe_free(void* ptr)
+{
+  struct WinevtSubscribe* winevtSubscribe = (struct WinevtSubscribe*)ptr;
+  close_handles(winevtSubscribe);
+  xfree(ptr);
+}
+static VALUE
+rb_winevt_subscribe_alloc(VALUE klass)
+{
+  VALUE obj;
+  struct WinevtSubscribe* winevtSubscribe;
+  obj = TypedData_Make_Struct(
+    klass, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return obj;
+}
+/*
+ * Initalize Subscribe class.
+ *
+ * @return [Subscribe]
+ *
+ */
+static VALUE
+rb_winevt_subscribe_initialize(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->rateLimit = SUBSCRIBE_RATE_INFINITE;
+  winevtSubscribe->lastTime = 0;
+  winevtSubscribe->currentRate = 0;
+  winevtSubscribe->renderAsXML = TRUE;
+  winevtSubscribe->readExistingEvents = TRUE;
+  winevtSubscribe->preserveQualifiers = FALSE;
+  winevtSubscribe->localeInfo = &default_locale;
+  return Qnil;
+}
+/*
+ * This method specifies whether read existing events or not.
+ *
+ * @param rb_read_existing_events_p [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_read_existing_events(VALUE self, VALUE rb_read_existing_events_p)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->readExistingEvents = RTEST(rb_read_existing_events_p);
+  return Qnil;
+}
+/*
+ * This method returns whether read existing events or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_read_existing_events_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->readExistingEvents ? Qtrue : Qfalse;
+}
+/*
+ * Subscribe into a Windows EventLog channel.
+ *
+ * @overload subscribe(path, query, bookmark=nil, session=nil)
+ *   @param path [String] Subscribe Channel
+ *   @param query [String] Query string for channel
+ *   @param bookmark [Bookmark] bookmark Bookmark class instance.
+ *   @param session [Session] Session information for remoting access.
+ * @return [Boolean]
+ *
+ */
+static VALUE
+rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
+{
+  VALUE rb_path, rb_query, rb_bookmark, rb_session;
+  EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
+  HANDLE hSignalEvent;
+  EVT_HANDLE hRemoteHandle = NULL;
+  DWORD len, flags = 0L;
+  DWORD err = ERROR_SUCCESS;
+  VALUE wpathBuf, wqueryBuf, wBookmarkBuf;
+  PWSTR path, query, bookmarkXml;
+  DWORD status = ERROR_SUCCESS;
+  struct WinevtSession* winevtSession;
+  struct WinevtSubscribe* winevtSubscribe;
+  hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  rb_scan_args(argc, argv, "22", &rb_path, &rb_query, &rb_bookmark, &rb_session);
+  Check_Type(rb_path, T_STRING);
+  Check_Type(rb_query, T_STRING);
+  if (rb_obj_is_kind_of(rb_bookmark, rb_cString)) {
+    // bookmarkXml : To wide char
+    len = MultiByteToWideChar(
+        CP_UTF8, 0, RSTRING_PTR(rb_bookmark), RSTRING_LEN(rb_bookmark), NULL, 0);
+    bookmarkXml = ALLOCV_N(WCHAR, wBookmarkBuf, len + 1);
+    MultiByteToWideChar(CP_UTF8,
+                        0,
+                        RSTRING_PTR(rb_bookmark),
+                        RSTRING_LEN(rb_bookmark),
+                        bookmarkXml,
+                        len);
+    bookmarkXml[len] = L'\0';
+    hBookmark = EvtCreateBookmark(bookmarkXml);
+    ALLOCV_END(wBookmarkBuf);
+    if (hBookmark == NULL) {
+      status = GetLastError();
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
+  }
+  if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+    winevtSession = EventSession(rb_session);
+    hRemoteHandle = connect_to_remote(winevtSession->server,
+                                      winevtSession->domain,
+                                      winevtSession->username,
+                                      winevtSession->password,
+                                      winevtSession->flags,
+                                      &err);
+    if (err != ERROR_SUCCESS) {
+      raise_system_error(rb_eRuntimeError, err);
+    }
+  }
+  // path : To wide char
+  len =
+    MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), NULL, 0);
+  path = ALLOCV_N(WCHAR, wpathBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), path, len);
+  path[len] = L'\0';
+  // query : To wide char
+  len = MultiByteToWideChar(
+    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), NULL, 0);
+  query = ALLOCV_N(WCHAR, wqueryBuf, len + 1);
+  MultiByteToWideChar(
+    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), query, len);
+  query[len] = L'\0';
+  if (hBookmark) {
+    flags |= EvtSubscribeStartAfterBookmark;
+  } else if (winevtSubscribe->readExistingEvents) {
+    flags |= EvtSubscribeStartAtOldestRecord;
+  } else {
+    flags |= EvtSubscribeToFutureEvents;
+  }
+  hSubscription =
+    EvtSubscribe(hRemoteHandle, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
+  if (!hSubscription) {
+    status = GetLastError();
+    if (hBookmark != NULL) {
+      EvtClose(hBookmark);
+    }
+    if (hSignalEvent != NULL) {
+      CloseHandle(hSignalEvent);
+    }
+    if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+      rb_raise(rb_eRemoteHandlerError, "Remoting subscription is not working. errCode: %ld\n", status);
+    } else {
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
+  }
+  if (winevtSubscribe->subscription != NULL) {
+    // should be disgarded the old event subscription handle.
+    EvtClose(winevtSubscribe->subscription);
+  }
+  ALLOCV_END(wpathBuf);
+  ALLOCV_END(wqueryBuf);
+  winevtSubscribe->signalEvent = hSignalEvent;
+  winevtSubscribe->subscription = hSubscription;
+  winevtSubscribe->remoteHandle = hRemoteHandle;
+  if (hBookmark) {
+    winevtSubscribe->bookmark = hBookmark;
+  } else {
+    winevtSubscribe->bookmark = EvtCreateBookmark(NULL);
+    if (winevtSubscribe->bookmark == NULL) {
+      status = GetLastError();
+      if (hSubscription != NULL) {
+        EvtClose(hSubscription);
+      }
+      if (hSignalEvent != NULL) {
+        CloseHandle(hSignalEvent);
+      }
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
+  }
+  return Qtrue;
+}
+BOOL
+is_rate_limit_exceeded(struct WinevtSubscribe* winevtSubscribe)
+{
+  time_t now;
+  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
+    return FALSE;
+  time(&now);
+  if (now <= winevtSubscribe->lastTime) {
+    if (winevtSubscribe->currentRate >= winevtSubscribe->rateLimit) {
+      return TRUE;
+    }
+  } else {
+    winevtSubscribe->currentRate = 0;
+  }
+  return FALSE;
+}
+void
+update_to_reflect_rate_limit_state(struct WinevtSubscribe* winevtSubscribe, ULONG count)
+{
+  time_t lastTime = 0;
+  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
+    return;
+  time(&lastTime);
+  winevtSubscribe->lastTime = lastTime;
+  winevtSubscribe->currentRate += count;
+}
+/*
+ * Handle the next values. Since v0.6.0, this method is used for
+ * testing only. Please use #each instead.
+ *
+ * @return [Boolean]
+ *
+ * @see each
+ */
+static VALUE
+rb_winevt_subscribe_next(VALUE self)
+{
+  EVT_HANDLE hEvents[SUBSCRIBE_ARRAY_SIZE];
+  ULONG count = 0;
+  DWORD status = ERROR_SUCCESS;
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (is_rate_limit_exceeded(winevtSubscribe)) {
+    return Qfalse;
+  }
+  /* If subscription handle is NULL, it should return false. */
+  if (!winevtSubscribe->subscription) {
+    return Qfalse;
+  }
+  if (!EvtNext(winevtSubscribe->subscription,
+               SUBSCRIBE_ARRAY_SIZE,
+               hEvents,
+               INFINITE,
+               0,
+               &count)) {
+    status = GetLastError();
+    if (ERROR_CANCELLED == status) {
+      return Qfalse;
+    }
+    if (ERROR_NO_MORE_ITEMS != status) {
+      return Qfalse;
+    }
+  }
+  if (status == ERROR_SUCCESS) {
+    winevtSubscribe->count = count;
+    for (int i = 0; i < count; i++) {
+      winevtSubscribe->hEvents[i] = hEvents[i];
+      EvtUpdateBookmark(winevtSubscribe->bookmark, winevtSubscribe->hEvents[i]);
+    }
+    update_to_reflect_rate_limit_state(winevtSubscribe, count);
+    return Qtrue;
+  }
+  return Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (winevtSubscribe->renderAsXML) {
+    return render_to_rb_str(event, EvtRenderEventXml);
+  } else {
+    return render_system_event(event, winevtSubscribe->preserveQualifiers);
+  }
+}
+static VALUE
+rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo, EVT_HANDLE hRemote)
+{
+  WCHAR* wResult;
+  VALUE utf8str;
+  wResult = get_description(event, localeInfo->langID, hRemote);
+  utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
+  free(wResult);
+  return utf8str;
+}
+static VALUE
+rb_winevt_subscribe_string_inserts(EVT_HANDLE event)
+{
+  return get_values(event);
+}
+static VALUE
+rb_winevt_subscribe_close_handle(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  for (int i = 0; i < winevtSubscribe->count; i++) {
+    if (winevtSubscribe->hEvents[i] != NULL) {
+      EvtClose(winevtSubscribe->hEvents[i]);
+      winevtSubscribe->hEvents[i] = NULL;
+    }
+  }
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_each_yield(VALUE self)
+{
+  RETURN_ENUMERATOR(self, 0, 0);
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  for (int i = 0; i < winevtSubscribe->count; i++) {
+    rb_yield_values(3,
+                    rb_winevt_subscribe_render(self, winevtSubscribe->hEvents[i]),
+                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo,
+                                                winevtSubscribe->remoteHandle),
+                    rb_winevt_subscribe_string_inserts(winevtSubscribe->hEvents[i]));
+  }
+  return Qnil;
+}
+/*
+ * Enumerate to obtain Windows EventLog contents.
+ *
+ * This method yields the following:
+ * (Stringified EventLog, Stringified detail message, Stringified
+ * insert values)
+ *
+ * @yield (String,String,String)
+ *
+ */
+static VALUE
+rb_winevt_subscribe_each(VALUE self)
+{
+  RETURN_ENUMERATOR(self, 0, 0);
+  while (rb_winevt_subscribe_next(self)) {
+    rb_ensure(
+      rb_winevt_subscribe_each_yield, self, rb_winevt_subscribe_close_handle, self);
+  }
+  return Qnil;
+}
+/*
+ * This method renders bookmark content which is related to Subscribe class instance.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_subscribe_get_bookmark(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return render_to_rb_str(winevtSubscribe->bookmark, EvtRenderBookmark);
+}
+/*
+ * This method returns rate limit value.
+ *
+ * @since 0.6.0
+ * @return [Integer]
+ */
+static VALUE
+rb_winevt_subscribe_get_rate_limit(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return INT2NUM(winevtSubscribe->rateLimit);
+}
+/*
+ * This method specifies rate limit value.
+ *
+ * @since 0.6.0
+ * @param rb_rate_limit [Integer] rate_limit value
+ */
+static VALUE
+rb_winevt_subscribe_set_rate_limit(VALUE self, VALUE rb_rate_limit)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  DWORD rateLimit;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  rateLimit = NUM2LONG(rb_rate_limit);
+  if ((rateLimit != SUBSCRIBE_RATE_INFINITE) && (rateLimit < 10 || rateLimit % 10)) {
+    rb_raise(rb_eArgError, "Specify a multiples of 10 or RATE_INFINITE constant");
+  } else {
+    winevtSubscribe->rateLimit = rateLimit;
+  }
+  return Qnil;
+}
+/*
+ * This method returns whether render as xml or not.
+ *
+ * @since 0.6.0
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_render_as_xml_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->renderAsXML ? Qtrue : Qfalse;
+}
+/*
+ * This method specifies whether render as xml or not.
+ *
+ * @since 0.6.0
+ * @param rb_render_as_xml [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->renderAsXML = RTEST(rb_render_as_xml);
+  return Qnil;
+}
+/*
+ * This method specifies whether preserving qualifiers key or not.
+ *
+ * @since 0.7.3
+ * @param rb_preserve_qualifiers [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->preserveQualifiers = RTEST(rb_preserve_qualifiers);
+  return Qnil;
+}
+/*
+ * This method returns whether preserving qualifiers or not.
+ *
+ * @since 0.7.3
+ * @return [Integer]
+ */
+static VALUE
+rb_winevt_subscribe_get_preserve_qualifiers_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->preserveQualifiers ? Qtrue : Qfalse;
+}
+/*
+ * This method specifies locale with [String].
+ *
+ * @since 0.8.0
+ * @param rb_locale_str [String]
+ */
+static VALUE
+rb_winevt_subscribe_set_locale(VALUE self, VALUE rb_locale_str)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  LocaleInfo* locale_info = &default_locale;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  locale_info = get_locale_info_from_rb_str(rb_locale_str);
+  winevtSubscribe->localeInfo = locale_info;
+  return Qnil;
+}
+/*
+ * This method obtains specified locale with [String].
+ *
+ * @since 0.8.0
+ */
+static VALUE
+rb_winevt_subscribe_get_locale(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (winevtSubscribe->localeInfo->langCode) {
+    return rb_str_new2(winevtSubscribe->localeInfo->langCode);
+  } else {
+    return rb_str_new2(default_locale.langCode);
+  }
+}
+/*
+ * This method cancels channel subscription.
+ *
+ * @return [Boolean]
+ * @since 0.9.1
+ */
+static VALUE
+rb_winevt_subscribe_cancel(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  BOOL result = FALSE;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (winevtSubscribe->subscription) {
+    result = EvtCancel(winevtSubscribe->subscription);
+  }
+  if (result) {
+    return Qtrue;
+  } else {
+    return Qfalse;
+  }
+}
+/*
+ * This method closes channel handles forcibly.
+ *
+ * @since 0.9.1
+ */
+static VALUE
+rb_winevt_subscribe_close(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  close_handles(winevtSubscribe);
+  return Qnil;
+}
+void
+Init_winevt_subscribe(VALUE rb_cEventLog)
+{
+  rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
+  rb_define_alloc_func(rb_cSubscribe, rb_winevt_subscribe_alloc);
+  /*
+   * For Subscribe#rate_limit=. It represents unspecified rate limit.
+   * @since 0.6.0
+   */
+  rb_define_const(rb_cSubscribe, "RATE_INFINITE", SUBSCRIBE_RATE_INFINITE);
+  rb_define_method(rb_cSubscribe, "initialize", rb_winevt_subscribe_initialize, 0);
+  rb_define_method(rb_cSubscribe, "subscribe", rb_winevt_subscribe_subscribe, -1);
+  rb_define_method(rb_cSubscribe, "next", rb_winevt_subscribe_next, 0);
+  rb_define_method(rb_cSubscribe, "each", rb_winevt_subscribe_each, 0);
+  rb_define_method(rb_cSubscribe, "bookmark", rb_winevt_subscribe_get_bookmark, 0);
+  /*
+   * @since 0.7.0
+   */
+  rb_define_method(rb_cSubscribe, "read_existing_events?", rb_winevt_subscribe_read_existing_events_p, 0);
+  /*
+   * @since 0.7.0
+   */
+  rb_define_method(rb_cSubscribe, "read_existing_events=", rb_winevt_subscribe_set_read_existing_events, 1);
+  rb_define_method(rb_cSubscribe, "rate_limit", rb_winevt_subscribe_get_rate_limit, 0);
+  rb_define_method(rb_cSubscribe, "rate_limit=", rb_winevt_subscribe_set_rate_limit, 1);
+  rb_define_method(
+    rb_cSubscribe, "render_as_xml?", rb_winevt_subscribe_render_as_xml_p, 0);
+  rb_define_method(
+    rb_cSubscribe, "render_as_xml=", rb_winevt_subscribe_set_render_as_xml, 1);
+  /*
+   * @since 0.7.3
+   */
+  rb_define_method(
+    rb_cSubscribe, "preserve_qualifiers?", rb_winevt_subscribe_get_preserve_qualifiers_p, 0);
+  /*
+   * @since 0.7.3
+   */
+  rb_define_method(
+    rb_cSubscribe, "preserve_qualifiers=", rb_winevt_subscribe_set_preserve_qualifiers, 1);
+  /*
+   * @since 0.8.0
+   */
+  rb_define_method(
+    rb_cSubscribe, "locale", rb_winevt_subscribe_get_locale, 0);
+  /*
+   * @since 0.8.0
+   */
+  rb_define_method(
+    rb_cSubscribe, "locale=", rb_winevt_subscribe_set_locale, 1);
+  /*
+   * @since 0.9.1
+   */
+  rb_define_method(
+    rb_cSubscribe, "cancel", rb_winevt_subscribe_cancel, 0);
+  /*
+   * @since 0.9.1
+   */
+  rb_define_method(
+    rb_cSubscribe, "close", rb_winevt_subscribe_close, 0);
+}