Make it possible to work without Nokogiri #107

42 changes: 30 additions & 12 deletions lib/fluent/plugin/in_windows_eventlog2.rb
@@ -1,10 +1,16 @@
require 'winevt'
require 'fluent/plugin/input'
require 'fluent/plugin'
require_relative 'bookmark_sax_parser'

module Fluent::Plugin
class WindowsEventLog2Input < Input
begin
require_relative 'bookmark_sax_parser'
@@bookmark_parser_avaiable = true
rescue LoadError
@@bookmark_parser_avaiable = false
end

Fluent::Plugin.register_input('windows_eventlog2', self)

class ReconnectError < Fluent::UnrecoverableError; end
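
Review bot: the `rescue LoadError` branch around `require_relative 'bookmark_sax_parser'` switches the plugin to the weaker bookmark check silently, and it catches every LoadError raised while loading that file, not only the missing Nokogiri this PR is aimed at. Consider logging at configure or start time which validation mode is active, so an operator can see that strict validation is off. Separately, `@@bookmark_parser_avaiable` is misspelled (`available`), and because it is assigned once at load time a constant would be more conventional than a class variable.
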
@@ -227,11 +233,16 @@ def clear_subscritpions
end

def subscription(ch, read_existing_events, remote_session)
bookmarkXml = @bookmarks_storage.get(ch) || ""
bookmark = nil
if bookmark_validator(bookmarkXml, ch)
bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
bookmarkXml = @bookmarks_storage.get(ch) || ""
unless bookmarkXml.empty?
if bookmark_valid?(bookmarkXml, ch)
bookmark = Winevt::EventLog::Bookmark.new(bookmarkXml)
else
log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{ch}"
end
end

subscribe = Winevt::EventLog::Subscribe.new
subscribe.read_existing_events = read_existing_events
begin
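
Review bot: the `log.warn` in the `else` branch interpolates the raw stored `bookmarkXml` into the message, and stored bookmarks contain `\r\n` (see the examples in the comments of `bookmarklist_is_not_empty?`), so a rejected bookmark produces a multi-line log entry whose content has not been validated. Suggest `#{bookmarkXml.inspect}`, optionally truncated, so the value stays on one line with control characters escaped. The wording "incomplete for using" could also be tightened, for example "Stored bookmark is not usable; falling back to `read_existing_events`".
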
@@ -258,19 +269,26 @@ def subscribe_channels(subscriptions)
end
end

def bookmark_validator(bookmarkXml, channel)
return false if bookmarkXml.empty?
def bookmark_valid?(bookmarkXml, channel)
if @@bookmark_parser_avaiable
bookmark_valid_strictly?(bookmarkXml, channel)
else
bookmarklist_is_not_empty?(bookmarkXml, channel)
end
end

def bookmark_valid_strictly?(bookmarkXml, channel)
evtxml = WinevtBookmarkDocument.new
parser = Nokogiri::XML::SAX::Parser.new(evtxml)
parser.parse(bookmarkXml)
result = evtxml.result
if !result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
true
else
log.warn "This stored bookmark is incomplete for using. Referring `read_existing_events` parameter to subscribe: #{bookmarkXml}, channel: #{channel}"
false
end
!result.empty? && (result[:channel].downcase == channel.downcase) && result[:is_current]
end

def bookmarklist_is_not_empty?(bookmarkXml, channel)
# Empty example: "<BookmarkList>\r\n</BookmarkList>"
# Not empty example: "<BookmarkList>\r\n <Bookmark Channel='Setup' RecordId='777' IsCurrent='true'/>\r\n</BookmarkList>"
bookmarkXml.include?("Channel")

@ashie (Member), Jun 8, 2024

Although it's better than depending on Nokogiri mandatorily, it might be better to do something more here.

In addition, I've noticed that winevt_c should check GetLastError() when it fails on EvtCreateBookmark(): https://github.com/fluent-plugins-nursery/winevt_c/blob/9dd9c81432b1e0180c7abc19de8415bb42db2e49/ext/winevt/winevt_bookmark.c#L93

end

def escape_channel(ch)
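
Review bot: `bookmarklist_is_not_empty?` takes `channel` but never uses it, so when the SAX parser is unavailable any stored string containing the substring "Channel" is handed to `Winevt::EventLog::Bookmark.new`, including a bookmark for a different channel or one with `IsCurrent='false'`, both of which `bookmark_valid_strictly?` rejects. Suggest matching the `Channel='...'` and `IsCurrent='true'` attributes with a regular expression and comparing the channel case-insensitively, so both paths accept the same input. Rescuing a failure from `Bookmark.new` in `subscription` and falling back to `read_existing_events` would additionally cover malformed XML that the substring test lets through.
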