in_windows_eventlog2: fix parser to handle both tab and space delimiters

Watson1978 · Watson1978 · commit 8261decd4ffb · 2025-10-22T14:32:41.000+09:00
Signed-off-by: Shizuo Fujita &lt;fujita@clear-code.com&gt;
diff --git a/lib/fluent/plugin/in_windows_eventlog2.rb b/lib/fluent/plugin/in_windows_eventlog2.rb
@@ -417,6 +417,7 @@ def parse_desc(record)
                          r.split(NONE_FIELD_DELIMITER)
                        end
           key = "" if key.nil?
+          key.strip! # parsed key sometimes contain unexpected " ". So remove it.
           key.chop!  # remove ':' from key
           if value.nil?
             parent_key = to_key(key)
diff --git a/test/data/eventid_4697 b/test/data/eventid_4697
@@ -0,0 +1,14 @@
+A service was installed in the system.
+
+Subject:
+	Security ID:		SYSTEM
+	Account Name:		824ZWL3$
+	Account Domain:		WORKGROUP
+	Logon ID:		0x3E7
+
+Service Information:
+	Service Name: 		WpnUserService_a46b7
+	Service File Name:	C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
+	Service Type: 		0xE0
+	Service Start Type:	2
+	Service Account: 	LocalSystem
diff --git a/test/plugin/test_in_windows_eventlog2.rb b/test/plugin/test_in_windows_eventlog2.rb
@@ -325,6 +325,27 @@ def test_parse_privileges_description
     assert_equal(expected, h)
   end
 
+  test "A service was installed in the system." do
+    d = create_driver
+    desc = nil
+    File.open('./test/data/eventid_4697', 'r') do |f|
+      desc = f.read.gsub(/\R/, "\r\n")
+    end
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"                       => "A service was installed in the system.",
+                "service_information.service_account"    => "LocalSystem",
+                "service_information.service_file_name"  => "C:\\WINDOWS\\system32\\svchost.exe -k UnistackSvcGroup",
+                "service_information.service_name"       => "WpnUserService_a46b7",
+                "service_information.service_start_type" => "2",
+                "service_information.service_type"       => "0xE0",
+                "subject.account_domain" => "WORKGROUP",
+                "subject.account_name"   => "824ZWL3$",
+                "subject.logon_id"       => "0x3E7",
+                "subject.security_id"    => "SYSTEM"}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
   def test_write
     d = create_driver XML_RENDERING_CONFIG
 
