From 7914d3b203ae39a66b05975f769d11e417a8ea89 Mon Sep 17 00:00:00 2001
From: Blake Hensley <22hensbl@gmail.com>
Date: Wed, 31 Jul 2024 14:37:24 -0400
Subject: [PATCH 1/4] Add new parameters to readme.
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c230bef..5f3aca8 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,9 @@ Fluentd Input plugin for the Windows Event Log using newer Windows Event Logging
 |`` | Setting for `storage` plugin for recording read position like `in_tail`'s `pos_file`.|
 |`` | Setting for `parser` plugin for parsing raw XML EventLog records. |
 |`parse_description`| (option) parse `description` field and set parsed result into the record. `Description` and `EventData` fields are removed|
+|`description_key_delimiter`| (option) (Only applicable if parse_description is true) Change the character placed between the parent_key and key. Set the value to "" for no delimiter. Defaults to `.` .|
+|`description_word_delimiter`| (option) (Only applicable if parse_description is true) Change the character placed between each word of the key. Set the value to "" for no delimiter. Defaults to `_` .|
+|`downcase_description_keys`| (option) (Only applicable if parse_description is true) Specify whether to downcase the keys that are parsed from the Description. Defaults to `true`.|
 |`read_from_head` | **Deprecated** (option) Start to read the entries from the oldest, not from when fluentd is started. Defaults to `false`.|
 |`read_existing_events` | (option) Read the entries which already exist before fluentd is started. Defaults to `false`.|
 |`render_as_xml` | (option) Render Windows EventLog as XML or Ruby Hash object directly. Defaults to `false`.|
@@ -276,4 +279,4 @@ If your `description` doesn't follow this format, the parsed result is only `des
 ### Copyright
 Copyright(C) 2014- @okahashi117
 ### License
-Apache License, Version 2.0
+Apache License, Version 2.0
\ No newline at end of file
From 18503b6c789cb050d375e2cdf1f61dfc593098d7 Mon Sep 17 00:00:00 2001
From: Blake Hensley <22hensbl@gmail.com>
Date: Wed, 31 Jul 2024 14:38:07 -0400
Subject: [PATCH 2/4] Add changes as parameters in_windows_eventlog2.
---
 lib/fluent/plugin/in_windows_eventlog2.rb | 28 ++++++++---------------
 1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/lib/fluent/plugin/in_windows_eventlog2.rb b/lib/fluent/plugin/in_windows_eventlog2.rb
index b1624a7..55cdf46 100644
--- a/lib/fluent/plugin/in_windows_eventlog2.rb
+++ b/lib/fluent/plugin/in_windows_eventlog2.rb
@@ -19,7 +19,7 @@ class ReconnectError < Fluent::UnrecoverableError; end
 "Level" => ["Level", :string],
 "Task" => ["Task", :string],
 "Opcode" => ["Opcode", :string],
- "EventType" => ["Keywords", :string], # Edited
+ "Keywords" => ["Keywords", :string],
 "TimeCreated" => ["TimeCreated", :string],
 "EventRecordID" => ["EventRecordID", :string],
 "ActivityID" => ["ActivityID", :string],
@@ -40,6 +40,9 @@ class ReconnectError < Fluent::UnrecoverableError; end
 config_param :read_from_head, :bool, default: false, deprecated: "Use `read_existing_events' instead."
 config_param :read_existing_events, :bool, default: false
 config_param :parse_description, :bool, default: false
+ config_param :description_key_delimiter, :string, default: "."
+ config_param :description_word_delimiter, :string, default: "_"
+ config_param :downcase_description_keys, :bool, default: true
 config_param :render_as_xml, :bool, default: false
 config_param :rate_limit, :integer, default: Winevt::EventLog::Subscribe::RATE_INFINITE
 config_param :preserve_qualifiers_on_hash, :bool, default: false
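Review bot: The three new `config_param` lines in the second hunk carry no comment, and nothing next to them says they are ignored unless `parse_description` is true, so a reader of the plugin source has to go to the README to learn that. I would add a comment above them, `# Read only by parse_desc/to_key, i.e. when parse_description is true; "" means no delimiter.` The parameters are typed `:string` while the README speaks of a "character", so the comment should also say whether multi-character values are intended. The class body continues outside both hunks.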
@@ -360,24 +363,12 @@ def on_notify_hash(ch, subscribe) RECORD_DELIMITER = "\r\n\t".freeze FIELD_DELIMITER = "\t\t".freeze NONE_FIELD_DELIMITER = "\t".freeze - SYSMON_DELIMITER = "\r\n".freeze - def parse_desc(record) desc = record.delete("Description".freeze) - providername = record["ProviderName"] return if desc.nil? - elems = desc.split(GROUP_DELIMITER) - elem2 = desc.split(SYSMON_DELIMITER) - - if providername == "Microsoft-Windows-Sysmon" - elem2.each { |x| # Loop through each line of Sysmon event description, parsing the field name from the field value. - key, value = x.split(":", 2) - parent_key = "#{to_key(key)}" - record[parent_key] = value - } - end + elems = desc.split(GROUP_DELIMITER) record['DescriptionTitle'] = elems.shift previous_key = nil elems.each { |elem| @@ -401,7 +392,7 @@ def parse_desc(record) elsif parent_key.nil? record[to_key(key)] = value else - k = "#{parent_key}#{to_key(key)}" #Edited to remove "." between words + k = "#{parent_key}#{@description_key_delimiter}#{to_key(key)}" record[k] = value end end @@ -412,10 +403,11 @@ def parse_desc(record) } end - def to_key(key) #Edited to remove key.downcase and '_' to camelcase - key.gsub!(' '.freeze, ''.freeze) + def to_key(key) + key.downcase! if @downcase_description_keys + key.gsub!(' '.freeze, @description_word_delimiter) key end #### end -end +end \ No newline at end of file From 915d21ab446a470574caf7c678303b81c8524969 Mon Sep 17 00:00:00 2001 From: Blake Hensley <22hensbl@gmail.com> Date: Wed, 31 Jul 2024 14:39:02 -0400 Subject: [PATCH 3/4] Add in test for CamelCase. --- test/plugin/test_in_windows_eventlog2.rb | 32 +++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/test/plugin/test_in_windows_eventlog2.rb b/test/plugin/test_in_windows_eventlog2.rb index 79d8668..57e745f 100644 --- a/test/plugin/test_in_windows_eventlog2.rb +++ b/test/plugin/test_in_windows_eventlog2.rb 
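Review bot: With both delimiters now configurable and allowed to be empty, two different parent/key pairs can flatten to the same name at `k = "#{parent_key}#{@description_key_delimiter}#{to_key(key)}"`, and `record[k] = value` then silently keeps only the last value. With `downcase_description_keys` set to false, the `record[to_key(key)] = value` branch can also yield names such as `Level` or `Keywords`, which appear (from the field map in the earlier hunk) to be the record's own top-level fields, so text parsed out of a Description could replace them. For a log that feeds detections I would not overwrite silently: `record[k] = value unless record.key?(k)` with the same guard on the parent-less branch, or at least a `log.warn` on collision. parse_desc begins in the previous hunk and continues outside this one.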
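Review bot: In `to_key`, `key.gsub!(' '.freeze, @description_word_delimiter)` passes the configured value as a replacement string, where backslash sequences such as `\0` are interpreted as back-references instead of being taken literally. The block form takes the value as-is: `key.gsub!(' '.freeze) { @description_word_delimiter }`. The method also keeps mutating its argument in place (`downcase!`, `gsub!`), which deserves a one-line comment such as `# NOTE: modifies and returns the caller's string`.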
@@ -226,6 +226,36 @@ def test_parse_desc assert_equal(expected, h) end + def test_parse_desc_camelcase + d = create_driver(config_element("ROOT", "", {"tag" => "fluent.eventlog", + "parse_description" => true, + "description_key_delimiter" => "", + "description_word_delimiter" => "", + "downcase_description_keys" => false + }, [ + config_element("storage", "", { + '@type' => 'local', + 'persistent' => false + }), + ])) + desc =<<-DESC +A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-XX-WWWWWW-VVVV\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tDESKTOP-FLUENTTEST\r\n\tLogon ID:\t\t0x3185B1\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-X-Y-XX-WWWWWW-VVVV\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tDESKTOP-FLUENTTEST\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x50b8\r\n\tProcess Name:\t\tC:\\msys64\\usr\\bin\\make.exe +DESC + h = {"Description" => desc} + expected = {"DescriptionTitle" => "A user's local group membership was enumerated.", + "SubjectSecurityID" => "S-X-Y-XX-WWWWWW-VVVV", + "SubjectAccountName" => "Administrator", + "SubjectAccountDomain" => "DESKTOP-FLUENTTEST", + "SubjectLogonID" => "0x3185B1", + "UserSecurityID" => "S-X-Y-XX-WWWWWW-VVVV", + "UserAccountName" => "Administrator", + "UserAccountDomain" => "DESKTOP-FLUENTTEST", + "ProcessInformationProcessID" => "0x50b8", + "ProcessInformationProcessName" => "C:\\msys64\\usr\\bin\\make.exe"} + d.instance.parse_desc(h) + assert_equal(expected, h) + end + def test_parse_privileges_description d = create_driver desc = ["Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-X-Y-ZZ\r\n\t", @@ -616,4 +646,4 @@ def test_write_with_winevt_xml_parser_without_qualifiers assert_true(record.has_key?("EventData")) assert_false(record.has_key?("Qualifiers")) end -end +end \ No newline at end of file From 6cacc88cd24bc6d584561d6e21f5128e41b2f1b4 Mon Sep 17 00:00:00 2001 
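Review bot: `test_parse_desc_camelcase` pins only the single combination where both delimiters are empty and downcasing is off, so the effect of each option on its own is untested. A second case with a non-empty custom delimiter, for example `"description_key_delimiter" => "-"` with the other two left at their defaults, would show that the options are independent; I would expect keys of the form `subject-security_id` there, to be confirmed against `parse_desc`. A case where two flattened names coincide would also document what the plugin does on a key collision.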
From: Blake Hensley <22hensbl@gmail.com> Date: Wed, 31 Jul 2024 15:28:47 -0400 Subject: [PATCH 4/4] Add built gemfile. --- fluent-plugin-windows-eventlog-0.9.0.gem | Bin 0 -> 14848 bytes fluent-plugin-winevtlog.gemspec | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 fluent-plugin-windows-eventlog-0.9.0.gem 
diff --git a/fluent-plugin-windows-eventlog-0.9.0.gem b/fluent-plugin-windows-eventlog-0.9.0.gem new file mode 100644 index 0000000000000000000000000000000000000000..1810b1ce4652a635fd0dbc5b4d4a72a9b84d3eb8 GIT binary patch literal 14848 zcmeHuV~{98mu1_w?e5pMZNIi{`7{5i>g*@!g83tgOte zym_+fR8-};*2YfyM*2?rw5IL=|5Zl+*O-}^0sb}pYyX%sFtaiN{N1rIve2`zG5xK_ zz{JeL0zg3jU**uhzpk^RlfJ`Wmt4$@jjjHD!9N`T-^%~@*#2#B|Iqw@Y8F2N0$?+u z+yn^tN=-p-gC4EMc`VMCSJ)`^q459n*%N%EI%8i>$^v z9LO*Frle#Q3s2q+mmM$DkMnj~x1w{S&A2gCdgLrYOpzQaJM&RbQCM6csOhp|4yZ9u-1*3Dc`g;IR|QAVxP)ALEfEkOT(I#$ zni3qh3>^;5xIn?u=6xLhC{S7-7^4iPGl`^9UIP4LsnID8fmV2iFxB zwDREaByCoVi*N%HWScxgmFF!@8AGB@#X`0*Bt>&(MP_u$RxV_9>#1pbgC#?U0oPJp zax222XA;s>t&E@=bF>obKuXc0NXcWx<@97qS|B^-!Tt(w1*y8amkr3WGT6>%(?=83 zyEox=vY?VSoG5$s+xLho@o8}KD~Mro(#KY#Ck#-mS&Ed%*XX=XU3hx#B(P(i0YO*i z4zxc!ed}R2Dd!PeA+5LRbnjlvH;;bw0SL5!ht)v*pZXyGC;j?g-2ayW|KIUHBQrA# z!$0yr6Wc%e|35jS|FLHO#{ZXIA1)iL^|#-fj_-T~_dJ%ANu?oI?91pacf+z53!SX8 zEo+?JNWc2fEW?x}#-p)6e0rDyzyXm84+~{(w&~6XkRV{ddi8Wt0dqcUU-mx&OzC=F zOb&X!Bywb17Tjvv-ddtx4}WZ|ZC$>Xw>)c?HvDg}6)n09QPd3`N;Jsa(ZoOn*szOq1n zsUu`JG*D!}QA!d28DB^onalw@A?$#fhvaHK)Nj8j>8=zZFt{!OAWAP0K-mXojVYMW zgOQ1;PEbc_)}3~{JoxQ1J`Kc++t7wjKD)M}>-CisbRc9awA(s&?X%h3ym>4Q%~xu{Q^nieaUK!&nlMPkluDpvyS%Kpb`19j_9-G+@wi^lfcQPV1VBp@M3#kKC;d3h<7Z6K))Gb`VGN4w^mt-UtX= zYzW&XkFFz#8MFoFRG?w#+-`=I1O9ECt9O1kY$HPyD8z7ON+7Tg9bM!WNZ<1CcbWfTTdrH;57S7 zN^ujoS6pE4C1Fbc35;;HvEBHCUbA`jC|iCluy@ochHzb^b5qk z^`Q)6NehB788E4V;VcLB2aDz{Y@gEN-f_dx<|R001E@#lyGB~JiNcup8dmS(ddHR$ zA~d_>2)IIeIA_kW+fjfQ^8hbUHPbOD%a2feh_p0{h43NsJbp-CKYsiO?}31-nV+7v zSw3%8ZCCSVfI`OgRCU^NS2J-Y51Kyh|76z-)=lbUz=0gaNCJT^h0sx^;`oTiOhe+NN zL=_|Ra~(fWK+Z!n0vDdV?K@$SAm={cM`5oq=f}UwOBZC*uTY?3;dwAY zA_XlF0hR}|&L&wACZRWtJ?r4QLp{saB@yoND9u}rPQOhWNtDvI#Zg2SmY8{BD`T@D zkxLPv)LWCQM+v~g?P|k*0)BSDxW*Gf!ulf=^U4Ib8r165>OfkM(_@n=ZT+68i!x|; zK;YAlpq0H?(WU(QdFtE#ehA>3d)2h~v9_{$#5=s~*$&V-iTHYPyX4b!Nm5!+R1$h@ z9?lkSa6=J{d#%!lTGMCOEwm6j*cQtFB`#>?OtUs2;T2!}P`G2GtF7&Z6pcP~auwWH 
zB|hfZPgEx9Ik;DTj8;fmv(B>1PLwd(IqIT)U6~kovsM z4z;3?LdFBKx{Bg__r~0w4VVctX3wml7p9~j>v!^2f;fo@7mY%E33!g5U3X#DSN$0q zITk_R&S+77T~{wkxR;5`6)Yc9d;oTNmf$`#5UjO6fbgf+=^PqzU>6zu0Gi(ME!5SL zAiGAC-1y<`QT8yO1|=Rgs6>Mm!W`&_47#3~IDWhuvMd_{UYG*hkjQVC(qEcCZjUuf zQGxN!@H&XwIws!;&G`?%V-m<_x_vh7@vp=PSe|+Y@N$q1ki{p9zS0(TSF}tz1KqTo zR-Bl4GsKwJmVI=?n1u@t(`fVL7y(FXuhJ?~AKn}=;`5R;Epk1LT9)RJ-vBCMKAfZh zAYmS_;+oVua7-RUzY(&Q$1$bJS}Z^aQU$5n0(eyA#}PBnp|T>(xdexs{q z;u*1*92Cn30AjErs7oNZ<0f@|FR1OZ0`gooT?$e}<3&YB=ljL?UrWK~kf$ zPaM4Z%(-Z9o*s z+!n{rhz;F7>@Av!lp8RV2?%{Z#K@v7`}=n9UAi>gbk=fS|}wW-KQQc@1Lm$)NUEk zE-FEG1(S}XWi@WyM(I|iUZaIYB@pYADxD8%C6?F@fdy8C;|WKn&ttyYHKo@9V^(gk zd}Zx{`&u$F%Rfji%?o*a)vz<1S8&Fj?kBCs*W>wh@KU4u{RowP6_Jn7TvY%l?GYK% z2uScT{`vJvt^v?NNouVm~vc25mLDk%Vz^!*)?Vhi{FvQ^GQ z;imfSOvF<)tR6~VjZ9LSv(0VIBYbGED#P!Jw?1W0^z;=*=h-B9t__@mD`KdhEq4|x z#nc(tjCGl3X+Y>IN+Q=4Xv;W|_~*@T=aJgXL)3NNgr2;YL18Y7AX=zVPKodm6^n14 z%^D}Q<+nL&DW~cz1Ot13I&MLq0k3pigZn^nGSP(u*dq-PSA;llpILk7n%XORnNiL3uJkXr! zI=Un0fsj`i%u;R(0xJHWc^ntuNvo94r(6nn)s@5$SUERP#{H3aYy*_XwmR-dw%f{` zet4dV?tMB}R;BcNc}oHU{Kq~*`e*UpQw|D2b!h5UU7{i}-iNhY7+H>bBh=KQt zVTW+JueqV5m`{pyKL@l-umysy=T)g$Ks#lk)lPaQd>U7oX4+IfFQExJPr&-%;ft2W zm!J_;lRK}4;)8|MMi}oRb1+CsCZ7xNANPmmyy-OoWGrLR`yPJJSD7~$wgO&of8%3B zCwO+*5_-tup)|})am+(4fsAc-QJ?^y!4va8o61g^ zLO6y(hz`M*!iH8jxx~4c)%%OOf%I~ct+C{r_%pp$ep81fC>*)6!rVlti)q2h^%k+? zc#sOR(gzrp*^4U(b7uQ)LuXqx$!JaGkZ?li_5O*YlFisLSberP8jZj;sPfalLk6~lLM(acB+46Q^ zrq=4*k+o*dr73sxl1!bK<(mNT__+p7)Lh z3EMuM&B8!Pl^pe#BOyr_%z{Zl4nrCGUtt!{>BjOAGB9PJW|5%{6`ECqhIJ|-N{x`Q>Rs8xR{M3$vHO|&iuD4U(wPZTMW@KR^Vp1Z^l3@~y_)-C-zA{1 ztgtHI>Vz;)^Mq9i@mAp+E)qQZ#iI+qL7xfi)lcP}3u2Su5J`|Etc+myeh0KVh$q>EF*7n9uZU?R2m8{-t1k&~i=Hy9t7|tZ489PfbP=Owme9|a|)F?ff znz6VQS0`_?GXx! 
z&mlpQOHx?b2>kd}MlkTy*EfzafJt*J5dy1v0|0|))1@L&5&GoRXKKZbLhX`3%;7DT zr_D}2I_bX*sJOVYk;ASmLXEq`|;;fGmN#)B_(BztFxG( zyjT9jt(Oh-(KsF6bKVeBv<=8kiuad`#+g^% z=@xvkQ4Qqr8*c}27eIzrC+w@WFWstvRp&V#tqjw#3j^&8Rz#0lNI@c{bwn{cDngDu?O3?coL|Na^>34bPwkLWaL^ zL&^-9pNawTjKWPpkmf~TYPdt)App&*{W%Y_OSQY{6zE42q6jdH%Y{q8{Ym#uM}i4V zk$d}Nl>73yzN<+JD`77uBU@&UBgZBE*Z?ah4j&?fKlk}gy>;8#oMQc?k+2kfs55lK z_j>mVTdTI- zroqT5;m^@Ti>TnMGXr_Qj^Y^hqJ&}mOg_CeUk`1nI zE{WJ5f2~|*sKbkz+fkL&bqBn`HhP6)%ohbf3$$S3KUv!)3lN&Zigje<6j1t#r85U+ z462V2COXWZ^{;3!Wl9tUN_}gOaj9W07LPmitm40AL_GF=$*d%uPOSv@Nuq#UaR%>C z!?Q$h1h%<@=5*s|ZRT^Z`#_T7CYY84eFRSLfY`bAx-}C{oYxStFAActIKtgRW#hIi zrCk+PBL?II#_2;K@#y{hka|JT$+fadVGmzpe+uHv%OvaPeV3mo@oopdJq53IVSt64 z(NN8Cp#a)jZo6=L1hF;hWbtQ5qWGip$@S3lm*_&wIG~UgjnEq)LU1A(6M$l9x#>>| zD3cS+=hoPPOqK+XUTZMMM#X5>Pf*CN=dUDRHi>jK=e8u9t+C$O zy!{Gup^id{O@Xwr7emf5)kgQVgNK(MdJu|8-)@HXc}?wuwZ^Do1Z-vmu+t}szM!8s!RGD2Kx1(4z#Bg7nM(H^r%P1ER&yi2Pl))tQ+vn!|XyTYZ7O`rOfhMuLh)s4=isH7CIb!(d&?!=;CDKNZI z!FWcXVWDiFjt;kd3TtECEsXVF)NAiG`(&^|dv=)$3+=xfZUfsj057<>~K) zkScObxt!-`IJ|2Y`0VmC#X`ve@7vqFbJ=++G}G`FSE4ag{40E%uh-+Fisg)e0=D}) z0!?5siP~crtikXh50Y?!@o)$p!gW&|o~AL7NPQTiT|zq@C&uV5m%9#xA1;kp%Qm^5 z-$A5Yn>RgDdoCB&7dutDg9AL25OHW{Wnr&AYtF(nFiZ1n#sq&Ldmg+4Y^jy( zW{+GuL8ZT8TR-omNpfVVa%z3x`k^ugV#in^_@3eOyp*K4; z=wA5)bGd=ACF9{pzufx1W#n*Em;HjD;PtZNQ`}d^-DC-U&{#F!4<7d8P0%0E`T8i= z`BSoSWxf8E(`92@@k09Z;OJR+ky=#|c<#JeR6uD*PnHk;O?alS%fXFThhA^f^Yi@H z;QeEEW8G7ON1XDsz>GI|7-;C#$1BXZk($Gx_hb$LHGad${#kcO*Ks*eMInLa7?;>T zV80wKy8>odfIVW!OPZsOtL~O?3n7c{YS%LnEoXG;X(t+@ZRL`(w76@*=^?A|wKgDvR;E1~ySXz*$ zO$|`MF(xB}Hlc$~I2I*{`dZh&`FBxHCE)udsN$Ra!AER+FlYRyV`IyPZRUrKQ}^2E zqw^Dg*|T6}8I!YSVeuRX_WDX;Sb&yc4=SOmzxIYz*T3nmTM5Zv152qlF3n1?fW9IGgKfDiTw@^ z6`{(Rw=kz#XcX&wD_O1CnsdoAb-?LVfO$3XH&?7w#{9snSiU-YSmEta2Ag6fP@X<YTmU>3(NSEEH=sipa#}DxbrVD3)ROHFUH22_0^gpn|qAGO9KP zo3BR;M)#LMF;1{hWxXU%rY)*Mh3^bmqaV9a%E8QD8F`WZ5HFh7r;q=UuuyKohaNuM zzfzv6e|#^F6R$?y%KXKYPEx*UJdRNeUG^lOm1wFBa2N(drAl=TF?NYx;G(#*^yY-y za|WWfI8pt{Zp0EYOy<9)R1CDWV23JQLPRf4($577?tctXQu`-!g{rvwNad 
zL7HuoQd>YPOVDK;a0-R4M?;mT27Auo*cy62esGf}zdsM0#Jb{BlDAmifgw8r`wyY$ z0Y;$3Z;UWV87jQ&P;82uRcyz@-lxxO8+p|r+;WKU(JP#Hzn=@F_SQcuve7F_C74kJrk zaiUqT@;iq@QRiM7sdb<_xUsD!5GPadWMsoGBzDlz5=T^df%}|G%i1oBlh4&GJj3kj ztPrUb0>Je!IHDpjIu+(#Y2vF-C^ow8%Eu&6!GSKjth&hCT`Y05tfERqKgk7sgv07M9gA{gAK@p!mwBvzM#`u>YlnB zvzNsZf_Y+^lSgfA)V}bVgXnHYKC(vUT+j;ke*1nfr7x%(B!{pKuGd;OALJQxr8BQF z6e*=EH`YNuf_IOCP0eigj!N^|27XPPZ=iRI3NvfpDao(o> zsjofbiprcBRxo=OWu7g-lfMtrp0bRa+|$w1H@-@NCBOYxjroPR00vg|vFdpL5i}Mv_)txCi-_1BaP^qDA0&g?1xT2!b--&(+3D@;Vcp0`?qGf!zrI&gZCaA_=h#86gLEWknDVL1I z1neE~^y2cl%xTDXkX!pgZyoyvn7@i7>9>t>h0qB_Pcv!TsidNO)9ZSEwlG3LM}9Sz zn{=KH&m5Yej+QmcL;TigtKUhK1{swFg+6dF?hH)ds_h>rq0{~8d~yE?rDA@X_Zny~c1TV5u3reAXq^DN+N|9v9o9km zoR(|s_Cu${vg|D(>u6x1N53fKFYo*AYZy2Qv4ztaa9UJSlbhm-;86W8SOJ&&`x0?k zl)iG8gNM&PswjGsq|@nU$6&WKdAct~hV0LLm-!ymF1n|#2{_YC+{M8{U%v0xd)F34 zb{&sI5r~O@Lpjv7@pcIRxpODnHTwz_hXQaLBVm{NwJP}a-fMHa66JPR+?{K@!tIGZ zMMCw4YG!6uS2O{bSgf)f>)}q2|N7x>(_MjsPj9(`iH?TbkyT6&L^RF>boBAerb@Udz(h|(l z{A8+*4vLFH!GI;G#trAoRCk;PhsJFt=(+QDRb5jHu7t6qo%M8(N%jOf0sNnl13vd0 zG=TcUFL?Oo4*2^!{ERHRJD(h$?*QH69E2A_e3;XC`A#|gEkucT#5=++Ie3J#BVu7; zu~aXFU;??oljk_FkKds*Z}B6keG>3LIb-S*`%>xmM$F%<{K(W1!t`2^h_w?LX%rMO zthEc0IJu>sEb{Nw1(!m(N^VRmxj>0-a`BMk6t>k6l7|gy#vqc3Y|!DdpcLbQ`Xcg5 zI)O@{l4P?e{A2gWxcq0688{T$+ge_}qTbOg`~{t3D&$~U%?ZR{e@}uY#*G@n&Qj5ztT)^rk1tfuN8LLWjjQSkB;_TRP%C?f@Ra^ezt2^AJ69Wf zECFhoxbKkfkjxwpP&{(M$W2qQ@MoO35xh#=Io0!0$|eq;!Ru5;rF}{xDohtGl*kF~ z_qv*m@1;{s;2Jcl!b?!H(sZ}2q?WHZ7VY`$Rw0k|!xmqYDI4lD>XUpkXSO--9KbP3 zVHG4M>31B|YSH{EmN?l@)V*^>M|oHw@jgU~z=pXΞ^e)3+~37Wpw=f#HtAE*+Q*PbgkjCoht$`93+yopgXU4=;tjh z?3p2^qjjkR%Q0-i{TVOlsr($L6!In( z_cS0%s(*x_AX5%HfR>Np*r5qP3fl%~9ADP|h>P~wM4R1W(5aueuMNqbJKeBYG3G(g zJE^9oz{-fzl~?|TK|QaWj)}Ikmo6%S0CW?VXaJ+z%%}w;-5iu#@8gXqZ7~MjwfKH@ zh(H#LIxvyL)@Q>xXq&xa-7lZ9TPe_Om*MyTD1#YqyCSp5DzNQB8owirFjkaRZ-c`# zWpu?#8LiD&-F({7^-ycL`b>W7OpJ{~tjBv-U3zmlHHv3n9(|Ch@YWr&@%SD+j)M=> zPEqz#VYl)2wE%!B%wQ16h!ElNKFVFDy?D^L_57Jb1)V7fk&ZOMbt9Ioo%148tmR!& 
z#gz2vwpqbaX>i);>KkF67O5pHHDVmKD=X3P3`!&cmyq@4yWjOX+|}yWQwlh#DU{%! zUF*&%S~}{(imqRTWWquEEUAFN<=vi5t*2Y1dQVSk+UUIrZYa^<=8xK4IZLnA0+(tk zjN?(R5Dt^P?!wm^j>-c2zz#&S8BfjxiVLqc1vb^4L!o?S(2Z)z(2f0(;r1!m0u`hz zN?oXOL$1G%Q9)fZY_(=ek6inxBdrn7Rb|HKZ_dZHoSDrl zMcFSb@o}PTSCrecuNMr1JiZw?V2T1gr2y(}52JdI3K$4P8UQcxyf@uli(I>gEru~& z)G73r_^F4@4G3>qL8K92d;8k)^B{!zx|=Ybp$L!E`6cJzV^=e}`xWHTQnp-%jJXKM z9*Re#J`sIX-{@sMv7?MF6Qt27rv$7A|-R2TOQeS z@t6e391-imifa%_wpPmN!bTvR1~Ytj+;7ViQYjWcSR)KjygVB$leG*POSWLQ9hwB` z_Ce2IEe67;BLT;5w=8l9&f@t(OK%cvRw`+nxnZ zmj2>#QtNrd@(ZuvV(?rdfM}Squ`~!^DmK$-{4Mk8dMCtzdX(WqU6ug#QlI(AyArR+ z@vf9cvuJD+t47Jy)*&=aIBjNb6fsAq=@+c$g%sCc%y}IfM+(Ly!0wn+n3V)s z=HKp!By;vJB(w(=yGNV2&cB17sH>9Oc>?1Pc~|bgiazOIM*EQX{3(xH4dQOr*F;^; zgt{Ej6Q&?xv^jX7WJ^}Iwb2#cJIjyLEp|yJ%1Ilfo3jeGKQnR&>c!&XLZEXw$YRZKr7;P)POn)Z{WaD zT6rbBbz)2vy5Pl(M1LJ^vE=; zOTFEcq-~;?&QLmx?dVj2-eQZvHvFg7GtWob;=ZGhk;82*Sq+))_F=}={YqJgpH>Yh z2xlssj&B6m#{f=@Qu=t3WL$BrI1LdrN_?w*?6O1TGJzsOF)pyI3nB;s6PE4m5iU&# zL=ZASqq_pzUJ3T?J1({&3wVA0v|rkBa+4Ii2poWI^1L;Xt6kl-b5>}s=9 zs#ia>v~x0&xQr9FM36*x`fxFXLUn3Bl=}&Z3PCh=Eo^W=B;Hh%55EA>^j`L?r}Wu> ze(%6pF)%77p(0YXqs25r-?_(pO@MCW5+Th{c`?!@osc5m6tqhp1~qjhO*Z4=|;JGiH9&!t_{6#L-0+~s!- z&&Bnl#*905*H6RSGn(aB!^72sZ6&2ti|WlU+T%qZiNPOWq`NrR)6t2f;_n}!{BJA@ zggXw?!?9eI$+K**?2LiHQ*l^+H=kW~8sW3a$B#Fc;RRyJu^< zSe%iwUNz1mc2U?O|Wsi^NDo^})*SuJ*UN;;qu;1R(Pnt`1 zRF}nkj!)lP1f7Gcw~mpnV7Ou1+UFs+HJ(wFR7Qtnl7}0Uzr;C~jUrXFhtKkZ_#fOni00FD1KQRV+f zwGGXT4J{p=tsQCI^sTM_YgEAh8XEC`i2tBxW}*KF{Vy{s1M5HIKmI#zqkq%?8pm?P zqwvFke7OyI>OtUE6|4*loPb*3s<98Mb!MB$+)9;Ix_9Zs-0XD6pN<^7eXiYhfluUcoHf0t`E+Nio rL+%&Y_IlfA9z243eg)nh8OvV;{O_2FfA;ZD1pbM@KN0xvMc`im)l%J< literal 0 HcmV?d00001 diff --git a/fluent-plugin-winevtlog.gemspec b/fluent-plugin-winevtlog.gemspec index b041ad9..7c78304 100644 --- a/fluent-plugin-winevtlog.gemspec +++ b/fluent-plugin-winevtlog.gemspec 
@@ -12,7 +12,7 @@ Gem::Specification.new do |spec| spec.homepage = "https://github.com/EncoreTechnologies/fluent-plugin-windows-eventlog" spec.license = "Apache-2.0" - spec.files = `git ls-files -z`.split("\x0") + spec.files = Dir["lib/**/*.rb", "bin/*", "README*", "LICENSE", "CHANGELOG*", "spec/**/*"] spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) } spec.test_files = spec.files.grep(%r{^(test|spec|features)/}) spec.require_paths = ["lib"]
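Review bot: The new `spec.files` glob lists `spec/**/*`, but the tests touched by this series live under `test/`, so `spec.test_files` on the line below will grep an empty set. The glob should name the real directory, e.g. `spec.files = Dir["lib/**/*.rb", "bin/*", "README*", "LICENSE", "CHANGELOG*", "test/**/*"]`. Moving from `git ls-files` to `Dir[]` also means the package is built from whatever is in the working tree, so untracked files under `lib/` would ship in the gem; a comment stating that releases must be built from a clean checkout would help. The same patch commits a built `fluent-plugin-windows-eventlog-0.9.0.gem`, a binary that cannot be reviewed against the source and is better produced by release tooling. The `Gem::Specification` block continues outside the hunk.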