Class: WinevtXMLDocument
- Defined in:
- lib/fluent/plugin/winevt_sax_document.rb
Constructor Details
#initialize(preserve_qualifiers) ⇒ WinevtXMLDocument
Returns a new instance of WinevtXMLDocument.
# Builds a fresh SAX handler for one Windows event XML document.
#
# @param preserve_qualifiers [Boolean] when truthy, #result hands back the
#   raw "EventID" and "Qualifiers" entries untouched instead of folding
#   them into a single EventID string (see #result and #event_id)
def initialize(preserve_qualifiers)
  @preserve_qualifiers = preserve_qualifiers
  # Element names pushed by #start_element, and the fields collected from
  # the document; both are filled in by the SAX callbacks below.
  @stack  = []
  @result = {}
  super()
end
Instance Method Details
#characters(string) ⇒ Object
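# SAX callback for text content.
#
# The text is stored under the name of the element most recently pushed by
# #start_element, but only for the handful of <System> children this
# handler cares about.  The name check is anchored to the whole element
# name: the previous alternation anchored only its first and last branch,
# so any element whose name merely *contained* "Level", "Task", ... was
# captured too, and stray whitespace inside the pattern meant the
# "ActivityID" branch could never match.  A SAX parser may also deliver one
# text node in several chunks (for example around entity references), so
# chunks are appended instead of the last chunk overwriting the earlier
# ones.
#
# @param string [String] the text chunk delivered by the parser
# @return [void]
def characters(string)
  element = @stack.last
  # \A / \z anchor the whole name; ^ / $ would only anchor a line.  The
  # literal regexp is compiled once by the interpreter, not per call.
  return unless element &&
                /\A(?:EventID|Level|Task|Opcode|Keywords|EventRecordID|ActivityID|Channel|Computer|Security|Version)\z/.match?(element)

  @result[element] = @result[element].to_s + string
end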
#end_document ⇒ Object
# SAX callback for the end of the document.  Intentionally a no-op: the
# collected fields stay in @result until the caller reads them via #result.
def end_document; end
#end_element(name, attributes = []) ⇒ Object
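# SAX callback for a closing tag.
#
# Pops the element name pushed by #start_element so that @stack.last again
# names the enclosing element.  Without this the stack only ever grows, and
# any text arriving after a child element closes (for example the
# indentation in pretty-printed XML) is attributed to that child by
# #characters and can clobber the value already stored for it.
#
# @param name [String] element name (unused; the stack is strictly LIFO)
# @param attributes [Array] unused, kept for the SAX callback signature
# @return [void]
def end_element(name, attributes = [])
  @stack.pop
end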
#event_id ⇒ Object
# Returns the EventID as a String.
#
# When the EventID element carried a Qualifiers attribute (recorded by
# #start_element), the two numbers are combined the way the Win32 API does:
# qualifiers in the high 16 bits, EventID in the low 16 bits.  As a side
# effect the "Qualifiers" entry is removed from @result and the merged
# value is written back to @result["EventID"], so a second call simply
# returns the already-merged string.
#
# @return [String, nil] the (possibly merged) EventID; nil only when no
#   EventID text was collected and no Qualifiers were seen
def event_id
  return @result['EventID'] unless @result.has_key?("Qualifiers")

  qualifiers = @result.delete("Qualifiers")
  # to_i maps nil and non-numeric text to 0 rather than raising.
  merged = MAKELONG(@result['EventID'].to_i, qualifiers.to_i)
  @result['EventID'] = merged.to_s
end
#MAKELONG(low, high) ⇒ Object
# Ruby port of the Win32 MAKELONG macro: packs two 16-bit values into one
# 32-bit integer, +low+ in the low word and +high+ in the high word.  Both
# inputs are masked to 16 bits first, so out-of-range (or negative) values
# are truncated rather than rejected, and the result is always within
# 0..0xffffffff.
#
# @param low [Integer] value for bits 0..15
# @param high [Integer] value for bits 16..31
# @return [Integer] the packed value
def MAKELONG(low, high)
  low_word  = low & 0xffff
  high_word = (high & 0xffff) << 16
  high_word | low_word
end
#result ⇒ Object
# Returns the fields collected from the document as a Hash.
#
# Unless the handler was built with preserve_qualifiers, the raw
# "Qualifiers" entry is folded into "EventID" first (see #event_id), so
# callers see a single Win32-style event identifier.  The same Hash object
# is returned on every call.
#
# @return [Hash{String => String, nil}]
def result
  unless @preserve_qualifiers
    # @result is always a Hash (set in #initialize); the nil check only
    # matters if the instance variable has been cleared elsewhere.
    @result['EventID'] = event_id if @result
  end
  @result
end
#start_document ⇒ Object
# SAX callback for the start of the document.  Intentionally a no-op: the
# per-document state (@stack, @result) is set up once in #initialize and is
# not reset here, so a handler instance is not rearmed for a second parse.
def start_document; end
#start_element(name, attributes = []) ⇒ Object
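# SAX callback for an opening tag.
#
# Pushes the element name onto @stack (read by #characters) and, for the
# <System> children that carry their data as attributes, copies the
# attribute values into @result.  Attributes are looked up by name (the
# names used in the Windows event XML schema: Name, Guid, Qualifiers,
# SystemTime, ActivityID, RelatedActivityID, ProcessID, ThreadID, UserID)
# instead of by position: with positional access a missing first attribute
# (e.g. a Provider with Name and EventSourceName but no Guid) silently
# landed the wrong value in ProviderGUID, and the blanket `rescue nil`
# hid every other error as well.  A key is still written (as nil) when the
# attribute is absent, matching the previous behaviour for callers that
# test for key presence.
#
# @param name [String] element name
# @param attributes [Array<Array(String, String)>] [name, value] pairs as
#   handed over by Nokogiri's non-namespace SAX interface
# @return [void]
def start_element(name, attributes = [])
  @stack << name
  # Build a name => value lookup; each handles both the [[k, v], ...] form
  # and a Hash, and tolerates an odd pair without raising.
  attrs = {}
  attributes.each { |attr_name, value| attrs[attr_name] = value }

  case name
  when "Provider"
    @result["ProviderName"] = attrs["Name"]
    @result["ProviderGUID"] = attrs["Guid"]
  when "EventID"
    # Folded into EventID later by #event_id unless qualifiers are preserved.
    @result["Qualifiers"] = attrs["Qualifiers"]
  when "TimeCreated"
    @result["TimeCreated"] = attrs["SystemTime"]
  when "Correlation"
    @result["ActivityID"] = attrs["ActivityID"]
    @result["RelatedActivityID"] = attrs["RelatedActivityID"]
  when "Execution"
    @result["ProcessID"] = attrs["ProcessID"]
    @result["ThreadID"] = attrs["ThreadID"]
  when "Security"
    @result["UserID"] = attrs["UserID"]
  end
end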