public void ConvertsIISLogs() { string log = @"#Software: Microsoft Internet Information Services 10.0 #Version: 1.0 #Date: 2017-05-31 06:00:30 #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken 2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G 10.10.10.10 POST /DoWork - 443 EXAMPLE\jonsmith 11.11.11.11 HTTP/1.1 SEA-HDFEHW23455/1.0.9/jonsmith - - localhost 500 2 0 1950 348 158 2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - localhost 200 0 0 950 348 128 2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - localhost 401 1 0 50 348 150 2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - localhost 503 7 0 550 348 192 2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET /iisstart.png - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - http://localhost/ localhost 200 0 0 99960 317 3"; var config = TestUtility.GetConfig("Pipes", "IISEMFTestPipe"); using (var logger = new MemoryLogger(nameof(EMFPipeTests))) { var context = new PluginContext(config, logger, null); var source = new MockEventSource <W3SVCLogRecord>(context); var sink = new MockEventSink(context); context.ContextData[PluginContext.SOURCE_TYPE] = source.GetType(); context.ContextData[PluginContext.SOURCE_OUTPUT_TYPE] = source.GetOutputType(); context.ContextData[PluginContext.SINK_TYPE] = sink.GetType(); //var pipe = new PipeFactory().CreateInstance(PipeFactory.REGEX_FILTER_PIPE, context); var pipe = new EMFPipe <W3SVCLogRecord>(context); source.Subscribe(pipe); pipe.Subscribe(sink); using (var sr = new StreamReader(Utility.StringToStream(log))) { var parser = new W3SVCLogParser(null); var records = parser.ParseRecords(sr, new DelimitedLogContext { FilePath = "Memory" }); foreach (var r in records) { source.MockEvent(r.Data); } Assert.Equal(5, sink.Records.Count); var jo = JObject.Parse(sink.Records.First()); Assert.Equal("10.10.10.10", jo["s-ip"].ToString()); Assert.Equal("POST", jo["cs-method"].ToString()); Assert.Equal("/DoWork", jo["cs-uri-stem"].ToString()); Assert.Equal("443", jo["s-port"].ToString()); Assert.Equal("11.11.11.11", jo["c-ip"].ToString()); Assert.Equal(@"EXAMPLE\jonsmith", jo["cs-username"].ToString()); Assert.Equal(@"SEA-HDFEHW23455/1.0.9/jonsmith", jo["cs-User-Agent"].ToString()); Assert.Equal("500", jo["sc-status"].ToString()); Assert.Equal("2", jo["sc-substatus"].ToString()); Assert.Equal("0", jo["Version"].ToString()); Assert.Equal("IISNamespace", jo["CloudWatchMetrics"][0]["Namespace"].ToString()); Assert.Equal("time-taken", jo["CloudWatchMetrics"][0]["Metrics"][0]["Name"].ToString()); } } }
public void ConvertsPowerShellSource() { var records = new List <Envelope <JObject> > { new Envelope <JObject>(JObject.Parse("{\"ComputerName\":\"MyComputer\",\"Name\":\"TrustedInstaller\",\"Status\":\"Running\"}")), new Envelope <JObject>(JObject.Parse("{\"ComputerName\":\"MyComputer\",\"Name\":\"WinRM\",\"Status\":\"Stopped\"}")) }; var config = TestUtility.GetConfig("Pipes", "PSEMFTestPipe"); using (var logger = new MemoryLogger(nameof(EMFPipeTests))) { var context = new PluginContext(config, logger, null); var source = new MockEventSource <JObject>(context); var sink = new MockEventSink(context); context.ContextData[PluginContext.SOURCE_TYPE] = source.GetType(); context.ContextData[PluginContext.SOURCE_OUTPUT_TYPE] = source.GetOutputType(); context.ContextData[PluginContext.SINK_TYPE] = sink.GetType(); var pipe = new EMFPipe <JObject>(context); source.Subscribe(pipe); pipe.Subscribe(sink); foreach (var r in records) { source.MockEvent(r.Data); } Assert.Equal(2, sink.Records.Count); var jo = JObject.Parse(sink.Records.First()); Assert.Equal("PSNamespace", jo["_aws"]["CloudWatchMetrics"][0]["Namespace"].ToString()); Assert.Equal("ServiceStatus", jo["_aws"]["CloudWatchMetrics"][0]["Metrics"][0]["Name"].ToString()); Assert.Equal(1, jo["ServiceStatus"].ToObject <int>()); Assert.Equal("Running", jo["Status"].ToString()); Assert.Equal("TrustedInstaller", jo["Name"].ToString()); var dims = jo["_aws"]["CloudWatchMetrics"][0]["Dimensions"][0].ToArray().Select(i => i.ToString()).ToList(); Assert.Equal(3, dims.Count); Assert.Contains("Name", dims); Assert.Contains("ComputerName", dims); Assert.Contains("Status", dims); jo = JObject.Parse(sink.Records.Last()); Assert.Equal("Stopped", jo["Status"].ToString()); Assert.Equal("WinRM", jo["Name"].ToString()); } }
public void ConvertsIISLogs() { var logs = new string[] { "2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G 10.10.10.10 POST /DoWork - 443 EXAMPLE\\jonsmith 11.11.11.11 HTTP/1.1 SEA-HDFEHW23455/1.0.9/jonsmith - - localhost 500 2 0 1950 348 158", "2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - localhost 200 0 0 950 348 128", "2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - localhost 401 1 0 50 348 150", "2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - localhost 503 7 0 550 348 192", "2017-05-31 06:00:30 W3SVC1 EC2AMAZ-HCNHA1G ::1 GET /iisstart.png - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - http://localhost/ localhost 200 0 0 99960 317 3" }; var config = TestUtility.GetConfig("Pipes", "IISEMFTestPipe"); var context = new PluginContext(config, NullLogger.Instance, null); var sink = new MockEventSink(context); context.ContextData[PluginContext.SINK_TYPE] = sink.GetType(); var pipe = new EMFPipe <IDictionary <string, string> >(context); pipe.Subscribe(sink); var records = ParseW3SVCLogs(logs); foreach (var record in records) { pipe.OnNext(new Envelope <IDictionary <string, string> >(record)); } Assert.Equal(5, sink.Records.Count); var jo = JObject.Parse(sink.Records.First()); Assert.Equal("10.10.10.10", jo["s-ip"].ToString()); Assert.Equal("POST", jo["cs-method"].ToString()); Assert.Equal("/DoWork", jo["cs-uri-stem"].ToString()); Assert.Equal("443", jo["s-port"].ToString()); Assert.Equal("11.11.11.11", jo["c-ip"].ToString()); Assert.Equal(@"EXAMPLE\jonsmith", jo["cs-username"].ToString()); Assert.Equal(@"SEA-HDFEHW23455/1.0.9/jonsmith", jo["cs-User-Agent"].ToString()); Assert.Equal("500", jo["sc-status"].ToString()); Assert.Equal("2", jo["sc-substatus"].ToString()); Assert.Equal("IISNamespace", jo["_aws"]["CloudWatchMetrics"][0]["Namespace"].ToString()); Assert.Equal("time-taken", jo["_aws"]["CloudWatchMetrics"][0]["Metrics"][0]["Name"].ToString()); }