diff --git a/winlogbeat/tests/system/test_eventlogging.py b/winlogbeat/tests/system/test_eventlogging.py
index 5389f7aff78..c95abc78705 100644
--- a/winlogbeat/tests/system/test_eventlogging.py
+++ b/winlogbeat/tests/system/test_eventlogging.py
@@ -1,3 +1,4 @@
+import os
 import sys
 import time
 import unittest
@@ -29,6 +30,27 @@ def test_read_one_event(self):
 self.assertTrue(len(evts), 1)
 self.assert_common_fields(evts[0], msg=msg)
 
+ def test_resume_reading_events(self):
+ """
+ eventlogging - Resume reading events
+ """
+ msg = "First event"
+ self.write_event_log(msg)
+ evts = self.read_events()
+ self.assertTrue(len(evts), 1)
+ self.assert_common_fields(evts[0], msg=msg)
+
+ # remove the output file, otherwise there is a race condition
+ # in read_events() below where it reads the results of the previous
+ # execution
+ os.unlink(os.path.join(self.working_dir, "output", self.beat_name))
+
+ msg = "Second event"
+ self.write_event_log(msg)
+ evts = self.read_events()
+ self.assertTrue(len(evts), 1)
+ self.assert_common_fields(evts[0], msg=msg)
+
 def test_read_unknown_event_id(self):
 """
 eventlogging - Read unknown event ID
@@ -178,7 +200,7 @@ def test_registry_data(self):
 evts = self.read_events()
 self.assertTrue(len(evts), 1)
 
- event_logs = self.read_registry()
+ event_logs = self.read_registry(requireBookmark=False)
 self.assertTrue(len(event_logs.keys()), 1)
 self.assertIn(self.providerName, event_logs)
 record_number = event_logs[self.providerName]["record_number"]
diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py
index c36b04f7505..3d6aa32dd38 100644
--- a/winlogbeat/tests/system/test_wineventlog.py
+++ b/winlogbeat/tests/system/test_wineventlog.py
@@ -1,3 +1,4 @@
+import os
 import sys
 import time
 import unittest
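Review bot: `self.assertTrue(len(evts), 1)` in the new test_resume_reading_events (after both the first and the second read_events() call) never checks the count, because assertTrue's second argument is the failure message, so any non-empty list passes. That defeats the purpose of this test: if the second run fails to resume from the saved position and replays "First event" as well, read_events() would return two events and the assertion would still be green, and assert_common_fields(evts[0], msg=msg) presumably only looks at the first one. Change both lines to `self.assertEqual(len(evts), 1)`; the same two lines appear in the test_resume_reading_events added to test_wineventlog.py below. The surrounding context lines use the same idiom, but a new test written to catch a resume regression should not inherit it.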
@@ -33,6 +34,33 @@ def test_read_one_event(self):
 "opcode": "Info",
 })
 
+ def test_resume_reading_events(self):
+ """
+ wineventlog - Resume reading events
+ """
+ msg = "First event"
+ self.write_event_log(msg)
+ evts = self.read_events()
+ self.assertTrue(len(evts), 1)
+ self.assert_common_fields(evts[0], msg=msg, extra={
+ "keywords": ["Classic"],
+ "opcode": "Info",
+ })
+
+ # remove the output file, otherwise there is a race condition
+ # in read_events() below where it reads the results of the previous
+ # execution
+ os.unlink(os.path.join(self.working_dir, "output", self.beat_name))
+
+ msg = "Second event"
+ self.write_event_log(msg)
+ evts = self.read_events()
+ self.assertTrue(len(evts), 1)
+ self.assert_common_fields(evts[0], msg=msg, extra={
+ "keywords": ["Classic"],
+ "opcode": "Info",
+ })
+
 def test_read_unknown_event_id(self):
 """
 wineventlog - Read unknown event ID
@@ -316,7 +344,7 @@ def test_registry_data(self):
 evts = self.read_events()
 self.assertTrue(len(evts), 1)
 
- event_logs = self.read_registry()
+ event_logs = self.read_registry(requireBookmark=True)
 self.assertTrue(len(event_logs.keys()), 1)
 self.assertIn(self.providerName, event_logs)
 record_number = event_logs[self.providerName]["record_number"]
diff --git a/winlogbeat/tests/system/winlogbeat.py b/winlogbeat/tests/system/winlogbeat.py
index 80e37e501f0..94656e4f102 100644
--- a/winlogbeat/tests/system/winlogbeat.py
+++ b/winlogbeat/tests/system/winlogbeat.py
@@ -93,10 +93,9 @@ def read_events(self, config=None, expected_events=1):
 proc = self.start_beat()
 self.wait_until(lambda: self.output_has(expected_events))
 proc.check_kill_and_wait()
-
 return self.read_output()
 
- def read_registry(self):
+ def read_registry(self, requireBookmark=False):
 f = open(os.path.join(self.working_dir, "data", ".winlogbeat.yml"), "r")
 data = yaml.load(f)
 self.assertIn("update_time", data)
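Review bot: The new keyword `requireBookmark` on read_registry is camelCase while the helper names around it (expected_events, working_dir, read_output, start_beat) are snake_case; both call sites are introduced in this same commit, so renaming it to `require_bookmark` now is free and avoids a PEP 8 inconsistency that is harder to fix once other tests depend on it. The method also has no docstring and the new flag changes what it asserts, so a short one would help, e.g. `"""Load the registry file and assert its structure; with require_bookmark every event-log entry must also carry a bookmark."""` (what the method returns is not visible in this hunk, so describe it only if the body confirms it). read_registry's body continues past the end of this hunk.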
@@ -107,6 +106,8 @@ def read_registry(self):
 self.assertIn("name", event_log)
 self.assertIn("record_number", event_log)
 self.assertIn("timestamp", event_log)
+ if requireBookmark:
+ self.assertIn("bookmark", event_log)
 name = event_log["name"]
 event_logs[name] = event_log
@@ -145,5 +146,6 @@ def assert_common_fields(self, evt, msg=None, eventID=10, sid=None,
 if extra != None:
 self.assertDictContainsSubset(extra, evt)
 
+
 def host_name(fqdn):
 return fqdn.split('.')[0]
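Review bot: `self.assertIn("bookmark", event_log)` only proves the key was written; an empty or None value would pass, and for the wineventlog path the bookmark is presumably what a restarted beat resumes from, so an empty one is exactly the failure this check exists to catch. Following it with `self.assertTrue(event_log["bookmark"])` would close that gap, assuming the persisted bookmark is a non-empty string (confirm against the registry writer). Conversely, when requireBookmark is False nothing asserts the key is absent; if the eventlogging API never writes one, an `else: self.assertNotIn("bookmark", event_log)` branch would pin that behaviour too. read_registry starts before this hunk.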