Class: WinevtXMLDocument

Inherits:

Nokogiri::XML::SAX::Document

• Object
• Nokogiri::XML::SAX::Document
• WinevtXMLDocument

Defined in:

lib/fluent/plugin/winevt_sax_document.rb

Instance Method Summary

• #characters(string) ⇒ Object
• #end_document ⇒ Object
• #end_element(name, attributes = []) ⇒ Object
• #event_id ⇒ Object
• #initialize(preserve_qualifiers) ⇒ WinevtXMLDocument constructor

  A new instance of WinevtXMLDocument.

• #MAKELONG(low, high) ⇒ Object
• #result ⇒ Object
• #start_document ⇒ Object
• #start_element(name, attributes = []) ⇒ Object

Constructor Details

#initialize(preserve_qualifiers) ⇒ WinevtXMLDocument

Returns a new instance of WinevtXMLDocument.

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 4

def initialize(preserve_qualifiers)
  @stack = []
  @result = {}
  @preserve_qualifiers = preserve_qualifiers
  super()
end

Instance Method Details

#characters(string) ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 59

def characters(string)
  element = @stack.last

  if /^EventID|Level|Task|Opcode|Keywords|EventRecordID|
      ActivityID|Channel|Computer|Security|Version$/ === element
    @result[element] = string
  end
end

#end_document ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 71

def end_document
end

#end_element(name, attributes = []) ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 68

def end_element(name, attributes = [])
end

#event_id ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 15

def event_id
  if @result.has_key?("Qualifiers")
    qualifiers = @result.delete("Qualifiers")
    event_id = @result['EventID']
    event_id = MAKELONG(event_id.to_i, qualifiers.to_i)
    @result['EventID'] = event_id.to_s
  else
    @result['EventID']
  end
end

#MAKELONG(low, high) ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 11

def MAKELONG(low, high)
  (low & 0xffff) | (high & 0xffff) << 16
end

#result ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 26

def result
  return @result if @preserve_qualifiers

  if @result
    @result['EventID'] = event_id
  end
  @result
end

#start_document ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 35

def start_document
end

#start_element(name, attributes = []) ⇒ Object

# File 'lib/fluent/plugin/winevt_sax_document.rb', line 38

def start_element(name, attributes = [])
  @stack << name

  if name == "Provider"
    @result["ProviderName"] = attributes[0][1] rescue nil
    @result["ProviderGUID"] = attributes[1][1] rescue nil
  elsif name == "EventID"
    @result["Qualifiers"] = attributes[0][1] rescue nil
  elsif name == "TimeCreated"
    @result["TimeCreated"] = attributes[0][1] rescue nil
  elsif name == "Correlation"
    @result["ActivityID"] = attributes[0][1] rescue nil
    @result["RelatedActivityID"] = attributes[1][1] rescue nil
  elsif name == "Execution"
    @result["ProcessID"] = attributes[0][1] rescue nil
    @result["ThreadID"] = attributes[1][1] rescue nil
  elsif name == "Security"
    @result["UserID"] = attributes[0][1] rescue nil
  end
end