Merge pull request #114 from fluent/add-preserve_sid_on_hash-option

ashie · web-flow · commit a198f14eeb12 · 2024-08-02T11:17:48.000+09:00
in_windows_eventlog2: Add preserve_sid_on_hash option
diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ Fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
       render_as_xml false       # default is false.
       rate_limit 200            # default is -1(Winevt::EventLog::Subscribe::RATE_INFINITE).
       # preserve_qualifiers_on_hash true # default is false.
+      # preserve_sid_on_hash false # default is true.
       # read_all_channels false # default is false.
       # description_locale en_US # default is nil. It means that system locale is used for obtaining description.
       # refresh_subscription_interval 10m # default is nil. It specifies refresh interval for channel subscriptions.
@@ -86,6 +87,7 @@ Fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 |`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `false`.|
 |`rate_limit`      | (option) Specify rate limit to consume EventLog. This is the approximate maximum number of records read per second. If more than this value is read in a second, this stops reading and waits until the next `read_interval`. This value must be a multiple of 10. Default is `-1`(`Winevt::EventLog::Subscribe::RATE_INFINITE`) and this means there is no upper limit. The log flow rate for setting this is approximately as follows: `rate_limit / read_interval [logs/second]` |
 |`preserve_qualifiers_on_hash`      | (option) When set up it as true, this plugin preserves "Qualifiers" and "EventID" keys. When set up it as false, this plugin calculates actual "EventID" from "Qualifiers" and removing "Qualifiers". Default is `false`.|
+|`preserve_sid_on_hash`      | (option) When set up it as true, this plugin preserves "UserID" key which includes SID of users. When set up it as false, this plugin just eliminates "UserID". This option is only effective for hash format (render_as_xml false) . Default is `true`.|
 |`read_all_channels`| (option) Read from all channels. Default is `false`|
 |`description_locale`| (option) Specify description locale. Default is `nil`. See also: [Supported locales](https://github.com/fluent-plugins-nursery/winevt_c#multilingual-description) |
 |`refresh_subscription_interval`|(option) It specifies refresh interval for channel subscriptions. Default is `nil`.|
diff --git a/fluent-plugin-winevtlog.gemspec b/fluent-plugin-winevtlog.gemspec
@@ -24,5 +24,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "fluent-plugin-parser-winevt_xml", ">= 0.1.2"
   spec.add_runtime_dependency "fluentd", [">= 0.14.12", "< 2"]
   spec.add_runtime_dependency "win32-eventlog"
-  spec.add_runtime_dependency "winevt_c", ">= 0.10.1"
+  spec.add_runtime_dependency "winevt_c", ">= 0.11.0"
 end
diff --git a/lib/fluent/plugin/in_windows_eventlog2.rb b/lib/fluent/plugin/in_windows_eventlog2.rb
@@ -29,6 +29,7 @@ class ReconnectError < Fluent::UnrecoverableError; end
                "Channel"           => ["Channel",               :string],
                "Computer"          => ["Computer",              :string],
                "UserID"            => ["UserID",                :string],
+               "User"              => ["User",                  :string],
                "Version"           => ["Version",               :string],
                "Description"       => ["Description",           :string],
                "EventData"         => ["EventData",             :array]}
@@ -43,6 +44,7 @@ class ReconnectError < Fluent::UnrecoverableError; end
     config_param :render_as_xml, :bool, default: false
     config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
     config_param :preserve_qualifiers_on_hash, :bool, default: false
+    config_param :preserve_sid_on_hash, :bool, default: true
     config_param :read_all_channels, :bool, default: false
     config_param :description_locale, :string, default: nil
     config_param :refresh_subscription_interval, :time, default: nil
@@ -147,6 +149,15 @@ class << self
         @keynames.delete('Qualifiers')
       end
       @keynames.delete('EventData') if @parse_description
+      if @render_as_xml && !@preserve_sid_on_hash
+        raise Fluent::ConfigError, "preserve_sid_on_hash is effective with Hash object rendering(render_as_xml as false)."
+      end
+      if @render_as_xml
+        @keynames.delete('User')
+      end
+      if !@render_as_xml && !@preserve_sid_on_hash
+        @keynames.delete('UserID')
+      end
 
       locale = Winevt::EventLog::Locale.new
       if @description_locale && unsupported_locale?(locale, @description_locale)
@@ -244,6 +255,9 @@ def subscription(ch, read_existing_events, remote_session)
         if !@render_as_xml && @preserve_qualifiers_on_hash
           subscribe.preserve_qualifiers = @preserve_qualifiers_on_hash
         end
+        if !@render_as_xml && !@preserve_sid_on_hash
+          subscribe.preserve_sid = @preserve_sid_on_hash
+        end
       rescue Winevt::EventLog::Query::Error => e
         raise Fluent::ConfigError, "Invalid Bookmark XML is loaded. #{e}"
       end
diff --git a/test/plugin/test_in_windows_eventlog2.rb b/test/plugin/test_in_windows_eventlog2.rb
@@ -296,7 +296,7 @@ def test_parse_privileges_description
   end
 
   def test_write
-    d = create_driver
+    d = create_driver XML_RENDERING_CONFIG
 
     service = Fluent::Plugin::EventService.new
 
@@ -312,6 +312,7 @@ def test_write
     assert_equal("65500", record["EventID"])
     assert_equal("4", record["Level"])
     assert_equal("fluent-plugins", record["ProviderName"])
+    assert_false(record.has_key?("User"))
   end
 
   CONFIG_WITH_NON_EXISTENT_CHANNEL = config_element("ROOT", "", {
@@ -357,6 +358,7 @@ def test_write_with_event_query
     assert_equal("65500", record["EventID"])
     assert_equal("4", record["Level"])
     assert_equal("fluent-plugins", record["ProviderName"])
+    assert_true(record.has_key?("User"))
   end
 
 
@@ -418,6 +420,7 @@ def test_write_with_remoting_access
     assert_equal("65500", record["EventID"])
     assert_equal("4", record["Level"])
     assert_equal("fluent-plugins", record["ProviderName"])
+    assert_true(record.has_key?("User"))
   end
 
   class HashRendered < self
@@ -463,7 +466,7 @@ def test_write_with_preserving_qualifiers
       service = Fluent::Plugin::EventService.new
       subscribe = Winevt::EventLog::Subscribe.new
 
-      omit "@parser.preserve_qualifiers does not respond" unless subscribe.respond_to?(:preserve_qualifiers?)
+      omit "subscribe.preserve_qualifiers? does not respond" unless subscribe.respond_to?(:preserve_qualifiers?)
 
       d.run(expect_emits: 1) do
         service.run
@@ -477,6 +480,70 @@ def test_write_with_preserving_qualifiers
       assert_true(record.has_key?("EventData"))
       assert_true(record.has_key?("Qualifiers"))
     end
+
+    def test_write_with_preserving_sid
+      require 'winevt'
+
+      d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "render_as_xml" => false,
+                                                    'preserve_sid_on_hash' => true
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                       ]))
+
+      service = Fluent::Plugin::EventService.new
+      subscribe = Winevt::EventLog::Subscribe.new
+
+      omit "subscribe.preserve_sid? does not respond" unless subscribe.respond_to?(:preserve_sid?)
+
+      d.run(expect_emits: 1) do
+        service.run
+      end
+
+      assert(d.events.length >= 1)
+      event = d.events.last
+      record = event.last
+
+      assert_true(record.has_key?("Description"))
+      assert_true(record.has_key?("EventData"))
+      assert_true(record.has_key?("UserID"))
+      assert_true(record.has_key?("User"))
+    end
+
+    def test_write_with_not_preserving_sid
+      require 'winevt'
+
+      d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                    "render_as_xml" => false,
+                                                    'preserve_sid_on_hash' => false
+                                                   }, [
+                                         config_element("storage", "", {
+                                                          '@type' => 'local',
+                                                          'persistent' => false
+                                                        }),
+                                       ]))
+
+      service = Fluent::Plugin::EventService.new
+      subscribe = Winevt::EventLog::Subscribe.new
+
+      omit "subscribe.preserve_sid? does not respond" unless subscribe.respond_to?(:preserve_sid?)
+
+      d.run(expect_emits: 1) do
+        service.run
+      end
+
+      assert(d.events.length >= 1)
+      event = d.events.last
+      record = event.last
+
+      assert_true(record.has_key?("Description"))
+      assert_true(record.has_key?("EventData"))
+      assert_false(record.has_key?("UserID"))
+      assert_true(record.has_key?("User"))
+    end
   end
 
   class PersistBookMark < self
