Class: Fluent::Plugin::WinevtXMLparser

Inherits:
Parser
  • Object
Defined in:
lib/fluent/plugin/parser_winevt_xml.rb


Instance Method Details

#event_id(system_elem) ⇒ Object



# File 'lib/fluent/plugin/parser_winevt_xml.rb', line 22

# Returns the EventID string for the <System> element of one Windows event.
#
# With @preserve_qualifiers set, the raw <EventID> text is returned and the
# Qualifiers attribute is left for the caller to emit as its own field.
# Otherwise, when <EventID Qualifiers="..."> carries a Qualifiers attribute,
# the two integers are folded into one value with MAKELONG (EventID in the
# low 16 bits, Qualifiers in the high 16 bits) and returned as a decimal
# string; without the attribute the raw text is returned.
#
# Each read is guarded by a `rescue nil` modifier, so a missing element or
# attribute gives nil instead of an exception. Note that `to_i` on
# non-numeric text silently yields 0 — presumably the schema guarantees
# integers here; nothing in this method validates that.
#
# @param system_elem [Nokogiri::XML::NodeSet] the <Event>/<System> node(s)
#   (assumed from the caller; only `/`, `#text` and `#attribute` are used)
# @return [String, nil] EventID text, or nil when it could not be read
def event_id(system_elem)
  return ((system_elem/'EventID').text rescue nil) if @preserve_qualifiers

  qualifiers = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
  # No Qualifiers attribute: pass the raw id through unchanged.
  return ((system_elem/'EventID').text rescue nil) unless qualifiers

  raw_id = (system_elem/'EventID').text
  MAKELONG(raw_id.to_i, qualifiers.to_i).to_s
end

#MAKELONG(low, high) ⇒ Object



# File 'lib/fluent/plugin/parser_winevt_xml.rb', line 18

# Packs two 16-bit values into one 32-bit integer, the same way the Win32
# MAKELONG macro does: `low` occupies bits 0..15 and `high` bits 16..31.
# Each argument is masked to 16 bits first, so larger (or negative) inputs
# contribute only their low word.
#
# @param low [Integer] value for the low word
# @param high [Integer] value for the high word
# @return [Integer] the combined value
def MAKELONG(low, high)
  low_word = low & 0xffff
  high_word = (high & 0xffff) << 16
  high_word | low_word
end

#parse(text) {|time, record| ... } ⇒ Object

Yields:

  • (time, record)


# File 'lib/fluent/plugin/parser_winevt_xml.rb', line 35

# Parses one Windows event XML document and yields it as a fluentd record.
#
# All fields are read from <Event>/<System>. Every extraction is guarded by
# a `rescue nil` modifier, so a missing element or attribute (and any other
# StandardError raised while reading it) leaves that key nil instead of
# aborting the record. This also means real parse problems are never
# surfaced from here. NOTE(review): an empty NodeSet's #text is presumably
# "" rather than nil, so absent elements may come through as "" — confirm
# against the Nokogiri version in use.
#
# NOTE(review): Nokogiri::XML is called with its default parse options.
# If the event XML can arrive from a less trusted source than the local
# event log channel, confirm that the defaults (no network access, no entity
# substitution, as far as I recall) hold for the pinned Nokogiri version.
#
# @param text [String] raw XML of a single <Event>
# @yield [time, record]
# @yieldparam time [Fluent::EventTime, nil] the current time when
#   @estimate_current_event is set, otherwise nil — the event's own
#   TimeCreated is only stored as a field, never used for the time
# @yieldparam record [Hash{String => String, nil}] extracted System fields
def parse(text)
  record = {}
  doc = Nokogiri::XML(text)
  system_elem                     = doc/'Event'/'System'
  record["ProviderName"]          = (system_elem/"Provider").attribute("Name").text rescue nil
  record["ProviderGUID"]          = (system_elem/"Provider").attribute("Guid").text rescue nil
  # Only emitted when configured; otherwise event_id folds the qualifiers
  # into the EventID value itself.
  if @preserve_qualifiers
    record["Qualifiers"]            = (system_elem/'EventID').attribute("Qualifiers").text rescue nil
  end
  record["EventID"]               = event_id(system_elem)
  record["Level"]                 = (system_elem/'Level').text rescue nil
  record["Task"]                  = (system_elem/'Task').text rescue nil
  record["Opcode"]                = (system_elem/'Opcode').text rescue nil
  record["Keywords"]              = (system_elem/'Keywords').text rescue nil
  record["TimeCreated"]           = (system_elem/'TimeCreated').attribute("SystemTime").text rescue nil
  record["EventRecordID"]         = (system_elem/'EventRecordID').text rescue nil
  record["ActivityID"]            = (system_elem/'Correlation').attribute('ActivityID').text rescue nil
  record["RelatedActivityID"]     = (system_elem/'Correlation').attribute("RelatedActivityID").text rescue nil
  record["ThreadID"]              = (system_elem/'Execution').attribute("ThreadID").text rescue nil
  record["ProcessID"]             = (system_elem/'Execution').attribute("ProcessID").text rescue nil
  record["Channel"]               = (system_elem/'Channel').text rescue nil
  record["Computer"]              = (system_elem/"Computer").text rescue nil
  record["UserID"]                = (system_elem/'Security').attribute("UserID").text rescue nil
  record["Version"]               = (system_elem/'Version').text rescue nil
  # Wall-clock time at parse, not the event's TimeCreated.
  time = @estimate_current_event ? Fluent::EventTime.now : nil
  yield time, record
end

#preserve_qualifiers? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/fluent/plugin/parser_winevt_xml.rb', line 14

# Whether the Qualifiers attribute is kept as its own "Qualifiers" record
# field instead of being folded into EventID.
#
# Returns the configuration value as stored (so nil, not false, when unset).
#
# @return [Boolean, nil]
def preserve_qualifiers?
  @preserve_qualifiers
end

#winevt_xml? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/fluent/plugin/parser_winevt_xml.rb', line 10

# Marker predicate: this parser handles Windows event log XML.
# Always true for this class.
#
# @return [Boolean]
def winevt_xml?
  true
end