Class: LogStash::Inputs::EventLog

Inherits:
Base show all
Defined in:
lib/logstash/inputs/eventlog.rb

Overview

Pull events from a Windows Event Log

To collect Events from the System Event Log, use a config like:

input {
  eventlog {
    type  => 'Win32-EventLog'
    logfile  => 'System'
  }
}

Constant Summary

Constants included from Config::Mixin

Config::Mixin::CONFIGSORT

Instance Attribute Summary

Attributes inherited from Base

#params, #threadable

Attributes included from Config::Mixin

#config, #original_params

Attributes inherited from Plugin

#logger, #params

Instance Method Summary collapse

Methods inherited from Base

#initialize, #tag

Methods included from Config::Mixin

#config_init, included

Methods inherited from Plugin

#eql?, #finished, #finished?, #hash, #initialize, #inspect, lookup, #reload, #running?, #shutdown, #teardown, #terminating?, #to_s

Constructor Details

This class inherits a constructor from LogStash::Inputs::Base

Instance Method Details

#registerObject 



27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 
# File 'lib/logstash/inputs/eventlog.rb', line 27

def register

  # wrap specified logfiles in suitable OR statements
  @logfiles = @logfile.join("' OR TargetInstance.LogFile = '")

  @hostname = Socket.gethostname
  @logger.info("Registering input eventlog://#{@hostname}/#{@logfile}")

  if RUBY_PLATFORM == "java"
    require "logstash/inputs/eventlog/racob_fix"
    require "jruby-win32ole"
  else
    require "win32ole"
  end
end

#run(queue) ⇒ Object 



44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
 
# File 'lib/logstash/inputs/eventlog.rb', line 44

def run(queue)
  @wmi = WIN32OLE.connect("winmgmts://")

  wmi_query = "Select * from __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent' And (TargetInstance.LogFile = '#{@logfiles}')"

  begin
    @logger.debug("Tailing Windows Event Log '#{@logfile}'")

    events = @wmi.ExecNotificationQuery(wmi_query)

    while
      notification = events.NextEvent
      event = notification.TargetInstance

      timestamp = to_timestamp(event.TimeGenerated)

      e = LogStash::Event.new(
        "host" => @hostname,
        "path" => @logfile,
        "type" => @type,
        "@timestamp" => timestamp
      )

      %w{Category CategoryString ComputerName EventCode EventIdentifier
          EventType Logfile Message RecordNumber SourceName
          TimeGenerated TimeWritten Type User
      }.each{
          |property| e[property] = event.send property 
      }

      if RUBY_PLATFORM == "java"
        # unwrap jruby-win32ole racob data
        e["InsertionStrings"] = unwrap_racob_variant_array(event.InsertionStrings)
        data = unwrap_racob_variant_array(event.Data)
        # Data is an array of signed shorts, so convert to bytes and pack a string
        e["Data"] = data.map{|byte| (byte > 0) ? byte : 256 + byte}.pack("c*")
      else
        # win32-ole data does not need to be unwrapped
        e["InsertionStrings"] = event.InsertionStrings
        e["Data"] = event.Data
      end

      e["message"] = event.Message

      decorate(e)
      queue << e

    end # while

  rescue Exception => ex
    @logger.error("Windows Event Log error: #{ex}\n#{ex.backtrace}")
    sleep 1
    retry
  end # rescue

end