Merge pull request #113 from BlakeHensleyy/delimiter-options-for-pars…

…ing-fixed Add Delimiter and Casing options for parsing
fluent · Aug 2, 2024 · f093143 · f093143
2 parents a198f14 + 76a6e4b
commit f093143
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -82,6 +82,9 @@ Fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 |`<storage>`        | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
 |`<parse>`          | Setting for `parser` plugin for parsing raw XML EventLog records. |
 |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
+|`description_key_delimiter`| (option) (Only applicable if parse_description is true) Change the character placed between the parent_key and key. Set the value to "" for no delimiter. Defaults to `.` .|
+|`description_word_delimiter`| (option) (Only applicable if parse_description is true) Change the character placed between each word of the key. Set the value to "" for no delimiter. Defaults to `_` .|
+|`downcase_description_keys`| (option) (Only applicable if parse_description is true) Specify whether to downcase the keys that are parsed from the Description. Defaults to `true`.|
 |`read_from_head`   | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
 |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
 |`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `false`.|

diff --git a/lib/fluent/plugin/in_windows_eventlog2.rb b/lib/fluent/plugin/in_windows_eventlog2.rb
@@ -41,6 +41,9 @@ class ReconnectError < Fluent::UnrecoverableError; end
     config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
     config_param :read_existing_events, :bool, default: false
     config_param :parse_description, :bool, default: false
+    config_param :description_key_delimiter, :string, default: "."
+    config_param :description_word_delimiter, :string, default: "_"
+    config_param :downcase_description_keys, :bool, default: true
     config_param :render_as_xml, :bool, default: false
     config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
     config_param :preserve_qualifiers_on_hash, :bool, default: false
@@ -408,7 +411,7 @@ def parse_desc(record)
             elsif parent_key.nil?
               record[to_key(key)] = value
             else
-              k = "#{parent_key}.#{to_key(key)}"
+              k = "#{parent_key}#{@description_key_delimiter}#{to_key(key)}"
               record[k] = value
             end
           end
@@ -420,8 +423,8 @@ def parse_desc(record)
     end
 
     def to_key(key)
-      key.downcase!
-      key.gsub!(' '.freeze, '_'.freeze)
+      key.downcase! if @downcase_description_keys
+      key.gsub!(' '.freeze, @description_word_delimiter)
       key
     end
     ####

diff --git a/test/plugin/test_in_windows_eventlog2.rb b/test/plugin/test_in_windows_eventlog2.rb
@@ -238,6 +238,36 @@ def test_parse_desc
     assert_equal(expected, h)
   end
 
+  def test_parse_desc_camelcase
+    d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog",
+                                                  "parse_description" => true,
+                                                  "description_key_delimiter" => "",
+                                                  "description_word_delimiter" => "",
+                                                  "downcase_description_keys" => false
+                                                  }, [
+                                       config_element("storage", "", {
+                                                        '@type' => 'local',
+                                                        'persistent' => false
+                                                      }),
+                                     ]))
+    desc =<<-DESC
+A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-XX-WWWWWW-VVVV\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tDESKTOP-FLUENTTEST\r\n\tLogon ID:\t\t0x3185B1\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-X-Y-XX-WWWWWW-VVVV\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tDESKTOP-FLUENTTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x50b8\r\n\tProcess Name:\t\tC:\\msys64\\usr\\bin\\make.exe
+DESC
+    h = {"Description" => desc}
+    expected = {"DescriptionTitle"                 => "A user's local group membership was enumerated.",
+                "SubjectSecurityID"                => "S-X-Y-XX-WWWWWW-VVVV",
+                "SubjectAccountName"               => "Administrator",
+                "SubjectAccountDomain"             => "DESKTOP-FLUENTTEST",
+                "SubjectLogonID"                   => "0x3185B1",
+                "UserSecurityID"                   => "S-X-Y-XX-WWWWWW-VVVV",
+                "UserAccountName"                  => "Administrator",
+                "UserAccountDomain"                => "DESKTOP-FLUENTTEST",
+                "ProcessInformationProcessID"      => "0x50b8",
+                "ProcessInformationProcessName"    => "C:\\msys64\\usr\\bin\\make.exe"}
+    d.instance.parse_desc(h)
+    assert_equal(expected, h)
+  end
+
   def test_parse_privileges_description
     d = create_driver
     desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t",