# File 'lib/fluent/plugin/parser_winevt_xml.rb', line 8
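# Parses one Windows Event Log record serialized as XML (its <Event><System>
# section) into a flat Fluentd record and yields it together with an event time.
#
# Lookups no longer use the inline `rescue nil` modifier: that form swallowed
# every StandardError, including ones unrelated to a missing field. A missing
# element now yields "" (NodeSet#text on an empty set) and a missing attribute
# yields nil (safe navigation), which is what the rescued code produced anyway.
#
# @param text [String] raw event XML as emitted by the Windows event log
# @yield [time, record]
# @yieldparam time [Fluent::EventTime, nil] Fluent::EventTime.now when
#   @estimate_current_event is set, otherwise nil
# @yieldparam record [Hash{String => String, Array, nil}] the parsed fields
# @return [void]
def parse(text)
  # Nokogiri's default XML parse options apply here (network access disabled,
  # external entities not substituted). Keep them unchanged — the XML comes from
  # log sources outside this plugin's control, so NOENT/DTDLOAD must stay off.
  doc = Nokogiri::XML(text)
  system_elem = doc / 'Event' / 'System'

  # Text of the first matching child element ("" when absent).
  text_of = ->(path) { (system_elem / path).text }
  # Value of +name+ on the first matching child element (nil when absent).
  attr_of = ->(path, name) { (system_elem / path).attribute(name)&.text }

  # Key order matches the original assignments so serialized output is unchanged.
  record = {
    "ProviderName" => attr_of.call('Provider', 'Name'),
    "ProviderGUID" => attr_of.call('Provider', 'Guid'),
    "EventID" => text_of.call('EventID'),
    "Qualifiers" => attr_of.call('EventID', 'Qualifiers'),
    "Level" => text_of.call('Level'),
    "Task" => text_of.call('Task'),
    "Opcode" => text_of.call('Opcode'),
    "Keywords" => text_of.call('Keywords'),
    "TimeCreated" => attr_of.call('TimeCreated', 'SystemTime'),
    "EventRecordID" => text_of.call('EventRecordID'),
    "ActivityID" => text_of.call('ActivityID'),
    "RelatedActivityID" => attr_of.call('Correlation', 'ActivityID'),
    "ThreadID" => attr_of.call('Execution', 'ThreadID'),
    "Channel" => text_of.call('Channel'),
    "Computer" => text_of.call('Computer'),
    "UserID" => attr_of.call('Security', 'UserID'),
    "Version" => text_of.call('Version'),
    # Initialised empty; nothing in this method appends to it.
    "EventData" => []
  }

  time = @estimate_current_event ? Fluent::EventTime.now : nil
  yield time, record
end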