Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expand SID with actual user name and domain #46

Merged
merged 12 commits into from
Aug 1, 2024
Merged

Expand SID with actual user name and domain #46

merged 12 commits into from
Aug 1, 2024

Conversation

cosmo0920
Copy link
Member

This is needed to compete for the competitor of elastic beats.
ref: https://www.elastic.co/guide/en/beats/filebeat/current/processor-translate-sid.html

@cosmo0920
utils: Expand SID with actual user name and domain
dace409 
This is needed to compete for the competitor of elastic beats.
ref: https://www.elastic.co/guide/en/beats/filebeat/current/processor-translate-sid.html

Signed-off-by: Hiroshi Hatake <[email protected]>
@cosmo0920 cosmo0920 requested review from ashie, kenhys and daipom July 25, 2024 08:49
@cosmo0920
Copy link
Member Author

In addition, we already implemented this feature on Fluent Bit. I ported and modified for winevt_c adoptions.

@cosmo0920 cosmo0920 changed the title Expand sid with actual user name and domain Expand SID with actual user name and domain Jul 25, 2024
@cosmo0920 cosmo0920 force-pushed the expand-sid-with-actual-user-name-and-domain branch from 28925e9 to 3354fe3 Compare July 25, 2024 09:25
@cosmo0920 cosmo0920 force-pushed the expand-sid-with-actual-user-name-and-domain branch 3 times, most recently from 7177dc9 to 004c57e Compare July 25, 2024 09:51
@cosmo0920
Copy link
Member Author

AppVeyor failures on Ruby 2.6 and 2.7 is reported here: appveyor/ci#3928

@cosmo0920 cosmo0920 force-pushed the expand-sid-with-actual-user-name-and-domain branch 8 times, most recently from dd2f57f to 36c86f9 Compare July 26, 2024 09:07
@cosmo0920 cosmo0920 force-pushed the expand-sid-with-actual-user-name-and-domain branch from 36c86f9 to 360e2b7 Compare July 26, 2024 09:08
ashie
ashie reviewed Jul 28, 2024
View reviewed changes
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
kenhys
kenhys reviewed Jul 29, 2024
View reviewed changes
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
kenhys
kenhys reviewed Jul 29, 2024
View reviewed changes
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
kenhys
kenhys reviewed Jul 29, 2024
View reviewed changes
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
@cosmo0920
utils: Address comments
c907012 
Signed-off-by: Hiroshi Hatake <[email protected]>
@cosmo0920
Copy link
Member Author

With applying this patch, the example xml false case could retrieve SID translated User record:

{:eventlog=>{"ProviderName"=>"IPF", "ProviderGuid"=>"{D3CB85D1-D61C-4BCF-9674-7910EE54D6AF}", "Qualifiers"=>"", "EventID"=>17, "Version"=>0, "Level"=>2, "Task"=>0, "Opcode"=>0, "Keywords"=>"0x8000000000000000", "TimeCreated"=>"2024/07/30 02:56:21.199507400", "EventRecordID"=>"65489", "ProcessID"=>7688, "ThreadID"=>39268, "Channel"=>"Application", "Computer"=>"hiroshi-14-eu", "UserID"=>"S-1-5-19", "User"=>"NT AUTHORITY\\LOCAL SERVICE"}, :data=>"ESIF(1.0.11406.42226) TYPE: ERROR MODULE: IPF TIME 1670614500 ms\n\n[<IPFSRV>AuthMgr_EsifPrimitive@ipfsrv_authmgr.c#1631]<1670614500 ms>: \nUnauthorized EsifPrimitive: GET_SUPPORTED_POLICIES (92)"}

"UserID"=>"S-1-5-19", "User"=>"NT AUTHORITY\LOCAL SERVICE"

daipom
daipom approved these changes Jul 30, 2024
View reviewed changes
Copy link

@daipom daipom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
Thanks for this enhancement!

ashie
ashie reviewed Jul 30, 2024
View reviewed changes
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
ashie
ashie reviewed Jul 30, 2024
View reviewed changes
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
ashie
ashie reviewed Jul 30, 2024
View reviewed changes
ext/winevt/winevt_utils.cpp Outdated Show resolved Hide resolved
cosmo0920 added 2 commits July 31, 2024 09:49
@cosmo0920
utils: Initialize with NULL
616a664 
Signed-off-by: Hiroshi Hatake <[email protected]>
@cosmo0920
utils: Remove needless NULL check
89c429e 
This Ruby C extension does not need to pass valgrind check.
We can remove them without this check because free(3) is safe for
passing NULL.

Signed-off-by: Hiroshi Hatake <[email protected]>
@cosmo0920
Copy link
Member Author

@ashie @kenhys Is there anything else we have to address in this PR?

ashie
ashie approved these changes Aug 1, 2024
View reviewed changes
Copy link
Member

@ashie ashie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

There is nothing else to be concerned at this time.
If we have any other concerns later, we'll address them in other PR.

Thanks for your effort!

@ashie ashie merged commit fe12efd into master Aug 1, 2024
8 checks passed
@ashie ashie deleted the expand-sid-with-actual-user-name-and-domain branch August 1, 2024 00:34
@ashie
Copy link
Member

ashie commented Aug 1, 2024

@cosmo0920
I'm considering to release it as 0.11.0.
Are you O.K.?

@cosmo0920
Copy link
Member Author

Yes, go ahead.
BTW, we added the new options was assumed to be released as v0.10.3.
So, could you modify the versions for Yard doc?
Otherwise, it’s fine on our side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daipom daipom daipom approved these changes

@kenhys kenhys kenhys left review comments

@kou kou kou left review comments

@ashie ashie ashie approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cosmo0920 @ashie @kou @kenhys @daipom