From 92c65a04533f5c3cbb79b48fa6e07923db187d8e Mon Sep 17 00:00:00 2001 From: ac-rn <92640851+ac-rn@users.noreply.github.com> Date: Wed, 3 Jul 2024 13:48:10 -0500 Subject: [PATCH] Preserve order when using JSON output (#242) * Preserve order when using JSON * fix tests * Update remainder of tests --- Cargo.toml | 2 +- src/json_output.rs | 4 +- ...event_json_missing_string_cache_entry.snap | 42 +++--- ...multiple_empty_data_nodes_not_ignored.snap | 33 +++-- ...est_record_samples__event_json_sample.snap | 39 +++-- ...es__event_json_sample_with_event_data.snap | 69 +++++---- ...h_event_data_with_attributes_and_text.snap | 47 +++--- ..._sample_with_separate_json_attributes.snap | 53 ++++--- ...nt_json_with_multiple_data_elements-2.snap | 51 ++++--- ...nt_json_with_multiple_nodes_same_name.snap | 135 +++++++++--------- ...ith_multiple_nodes_same_name_separate.snap | 118 +++++++-------- ...ecord_samples__event_json_with_size_t.snap | 62 ++++---- 12 files changed, 324 insertions(+), 331 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index e901c42d..ee8abde8 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -34,7 +34,7 @@ dialoguer = { version = "0.11", optional = true } indoc = { version = "2", optional = true } serde = "1" -serde_json = "1" +serde_json = { version = "1", features = ["preserve_order"]} [target.'cfg(not(windows))'.dependencies] # jemalloc is significantly more peformant than the system allocator. diff --git a/src/json_output.rs b/src/json_output.rs index 8cccf290..e5285937 100644 --- a/src/json_output.rs +++ b/src/json_output.rs @@ -536,10 +536,10 @@ mod tests { let s2 = r#" { "HTTPResponseHeadersInfo": { - "Header": "HTTP/1.1 200 OK", "Header_attributes": { "attribute1": "NoProxy" - } + }, + "Header": "HTTP/1.1 200 OK" } } "# diff --git a/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap b/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap index f19a51ae..8f0dc6c6 100644 
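Review bot: Enabling `preserve_order` on `serde_json` in `Cargo.toml` is not local to this crate: Cargo unifies features, so every build that depends on this crate gets the insertion-ordered `serde_json::Map` (and the extra `indexmap` dependency) wherever `serde_json` is used. The serialized bytes for an unchanged record also differ from earlier releases, which will affect downstream pipelines that hash, diff or deduplicate the JSON output. That warrants a changelog entry and a comment on the dependency line, e.g. `# preserve_order: emit keys in record order instead of sorted; changes serialized bytes`. With the feature on, `Map::remove` behaves as a swap-remove and reorders the remaining keys, so any `remove` call in `src/json_output.rs` (not visible here) should be checked or switched to `shift_remove`. Minor: the new line lacks a space before the closing brace, `features = ["preserve_order"] }`.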
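Review bot: The updated `s2` fixture in `mod tests` now pins `Header_attributes` ahead of `Header`, but nothing in the test says whether that ordering is intended or incidental. The fixture had to change, so the comparison is apparently order-sensitive; add a comment above `s2` such as `// separate-attributes mode emits "<name>_attributes" before "<name>"; key order is part of the expected output`. Consumers that read the output sequentially will see the attributes before the element value, so the same statement belongs in the documentation of the separate-attributes option. The test function starts and ends outside the hunk, so how `s2` is compared is not visible here.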
--- a/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap +++ b/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap @@ -3,34 +3,34 @@ source: tests/test_record_samples.rs expression: "&value" --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { - "EventData": null, "System": { - "Channel": "Security", - "Computer": "37L4247F27-25", - "Correlation": null, - "EventID": 4608, - "EventRecordID": 1, - "Execution_attributes": { - "ProcessID": 456, - "ThreadID": 460 - }, - "Keywords": "0x8020000000000000", - "Level": 0, - "Opcode": 0, "Provider_attributes": { - "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "Name": "Microsoft-Windows-Security-Auditing" + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D" }, - "Security": null, + "EventID": 4608, + "Version": 0, + "Level": 0, "Task": 12288, + "Opcode": 0, + "Keywords": "0x8020000000000000", "TimeCreated_attributes": { "SystemTime": "2016-07-08T18:12:51.681640Z" }, - "Version": 0 - } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + "EventRecordID": 1, + "Correlation": null, + "Execution_attributes": { + "ProcessID": 456, + "ThreadID": 460 + }, + "Channel": "Security", + "Computer": "37L4247F27-25", + "Security": null + }, + "EventData": null } } diff --git a/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap b/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap index a1620ee3..979ed94e 100644 --- a/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap +++ b/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap 
@@ -1,34 +1,33 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { - "EventData": { - "Data": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:test2@example.com\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »False0 objects execution has been proxied to remote server.0ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1ServicePlan:;IsAdmin:True;fr-FR" - }, "System": { - "Channel": "MSExchange Management", - "Computer": "WEC.ave.local", - "EventID": "1", + "Provider_attributes": { + "Name": "MSExchange CmdletLogs" + }, "EventID_attributes": { "Qualifiers": "16384" }, - "EventRecordID": "3229", - "Keywords": "0x80000000000000", + "EventID": "1", "Level": "4", - "Provider_attributes": { - "Name": "MSExchange CmdletLogs" - }, - "Security": null, "Task": "1", + "Keywords": "0x80000000000000", "TimeCreated_attributes": { "SystemTime": "2021-11-19T16:52:33.833733500Z" - } + }, + "EventRecordID": "3229", + "Channel": "MSExchange Management", + "Computer": "WEC.ave.local", + "Security": null + }, + "EventData": { + "Data": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:test2@example.com\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière : 'False', Portée par défaut : « ave.local », 
Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »False0 objects execution has been proxied to remote server.0ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1ServicePlan:;IsAdmin:True;fr-FR" } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" } } diff --git a/tests/snapshots/test_record_samples__event_json_sample.snap b/tests/snapshots/test_record_samples__event_json_sample.snap index 958aeb6a..c83159df 100644 --- a/tests/snapshots/test_record_samples__event_json_sample.snap +++ b/tests/snapshots/test_record_samples__event_json_sample.snap @@ -1,43 +1,42 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": null, "System": { - "Channel": "Security", - "Computer": "37L4247F27-25", - "Correlation": null, - "EventID": 4608, - "EventRecordID": 1, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 456, - "ThreadID": 460 + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D" } }, - "Keywords": "0x8020000000000000", + "EventID": 4608, + "Version": 0, "Level": 0, + "Task": 12288, "Opcode": 0, - "Provider": { + "Keywords": "0x8020000000000000", + "TimeCreated": { "#attributes": { - "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "Name": "Microsoft-Windows-Security-Auditing" + "SystemTime": "2016-07-08T18:12:51.681640Z" } }, - "Security": null, - "Task": 12288, - "TimeCreated": { + "EventRecordID": 1, + "Correlation": null, + "Execution": { "#attributes": { - "SystemTime": "2016-07-08T18:12:51.681640Z" + "ProcessID": 456, + "ThreadID": 460 } }, - "Version": 0 - } + "Channel": "Security", + "Computer": "37L4247F27-25", + "Security": null + }, + "EventData": null } } 
diff --git a/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap b/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap index 66ebdb91..0cc4a9c4 100644 --- a/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap +++ b/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap 
@@ -1,59 +1,58 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": { - "CommandLine": "", - "MandatoryLabel": "S-1-16-16384", - "NewProcessId": "0x58", - "NewProcessName": "Registry", - "ParentProcessName": "", - "ProcessId": "0x4", - "SubjectDomainName": "-", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "-", - "TargetLogonId": "0x0", - "TargetUserName": "-", - "TargetUserSid": "S-1-0-0", - "TokenElevationType": "%%1936" - }, "System": { - "Channel": "Security", - "Computer": "WIN-LL0C19JS506", - "Correlation": null, - "EventID": 4688, - "EventRecordID": 1, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 4, - "ThreadID": 32 + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D" } }, - "Keywords": "0x8020000000000000", + "EventID": 4688, + "Version": 2, "Level": 0, + "Task": 13312, "Opcode": 0, - "Provider": { + "Keywords": "0x8020000000000000", + "TimeCreated": { "#attributes": { - "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "Name": "Microsoft-Windows-Security-Auditing" + "SystemTime": "2018-07-28T07:24:45.754787Z" } }, - "Security": null, - "Task": 13312, - "TimeCreated": { + "EventRecordID": 1, + "Correlation": null, + "Execution": { "#attributes": { - "SystemTime": "2018-07-28T07:24:45.754787Z" + "ProcessID": 4, + "ThreadID": 32 } }, - "Version": 2 + "Channel": "Security", + "Computer": "WIN-LL0C19JS506", + "Security": null + }, + "EventData": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "-", + "SubjectDomainName": "-", + "SubjectLogonId": "0x3e7", + "NewProcessId": "0x58", + "NewProcessName": "Registry", + "TokenElevationType": "%%1936", + "ProcessId": "0x4", + "CommandLine": "", + "TargetUserSid": "S-1-0-0", + "TargetUserName": "-", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + 
"ParentProcessName": "", + "MandatoryLabel": "S-1-16-16384" } } } diff --git a/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap b/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap index b818dca9..db6af3f9 100644 --- a/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap +++ b/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap @@ -1,6 +1,5 @@ --- source: tests/test_record_samples.rs -assertion_line: 92 expression: "&value" --- { @@ -8,42 +7,42 @@ expression: "&value" "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": { - "Binary": null, - "Data": { - "#text": [ - "10.00.", - "15063", - "", - "Multiprocessor Free", - "0" - ] - } - }, "System": { - "Channel": "System", - "Computer": "WIN-P4SIAA0SQCO", + "Provider": { + "#attributes": { + "Name": "EventLog" + } + }, "EventID": { "#attributes": { "Qualifiers": 32768 }, "#text": 6009 }, - "EventRecordID": 1, - "Keywords": "0x80000000000000", "Level": 4, - "Provider": { - "#attributes": { - "Name": "EventLog" - } - }, - "Security": null, "Task": 0, + "Keywords": "0x80000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2017-07-12T17:16:28.214161Z" } - } + }, + "EventRecordID": 1, + "Channel": "System", + "Computer": "WIN-P4SIAA0SQCO", + "Security": null + }, + "EventData": { + "Data": { + "#text": [ + "10.00.", + "15063", + "", + "Multiprocessor Free", + "0" + ] + }, + "Binary": null } } } diff --git a/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap b/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap index 3829ceb1..e48c401b 100644 --- a/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap 
+++ b/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap @@ -1,45 +1,44 @@ --- source: tests/test_record_samples.rs -assertion_line: 208 expression: "&value" --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { - "EventData": { - "param1": "86400", - "param2": "SuppressDuplicateDuration", - "param3": "Software\\Microsoft\\EventSystem\\EventLog" - }, "System": { - "Channel": "Application", - "Computer": "37L4247D28-05", - "Correlation": null, - "EventID": 4625, + "Provider_attributes": { + "Name": "Microsoft-Windows-EventSystem", + "Guid": "{899daace-4868-4295-afcd-9eb8fb497561}", + "EventSourceName": "EventSystem" + }, "EventID_attributes": { "Qualifiers": 16384 }, - "EventRecordID": 1, - "Execution_attributes": { - "ProcessID": 0, - "ThreadID": 0 - }, - "Keywords": "0x80000000000000", + "EventID": 4625, + "Version": 0, "Level": 4, - "Opcode": 0, - "Provider_attributes": { - "EventSourceName": "EventSystem", - "Guid": "{899daace-4868-4295-afcd-9eb8fb497561}", - "Name": "Microsoft-Windows-EventSystem" - }, - "Security": null, "Task": 0, + "Opcode": 0, + "Keywords": "0x80000000000000", "TimeCreated_attributes": { "SystemTime": "2010-11-10T18:18:51.000000Z" }, - "Version": 0 + "EventRecordID": 1, + "Correlation": null, + "Execution_attributes": { + "ProcessID": 0, + "ThreadID": 0 + }, + "Channel": "Application", + "Computer": "37L4247D28-05", + "Security": null + }, + "EventData": { + "param1": "86400", + "param2": "SuppressDuplicateDuration", + "param3": "Software\\Microsoft\\EventSystem\\EventLog" } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" } } diff --git a/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap b/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap index 9504d747..64aee619 100644 
--- a/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap +++ b/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap @@ -1,6 +1,5 @@ --- source: tests/test_record_samples.rs -assertion_line: 238 expression: "&value" --- { @@ -8,6 +7,31 @@ expression: "&value" "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, + "System": { + "Provider": { + "#attributes": { + "Name": "MSExchange CmdletLogs" + } + }, + "EventID": { + "#attributes": { + "Qualifiers": "16384" + }, + "#text": "1" + }, + "Level": "4", + "Task": "1", + "Keywords": "0x80000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2021-11-19T16:52:33.833733500Z" + } + }, + "EventRecordID": "3229", + "Channel": "MSExchange Management", + "Computer": "WEC.ave.local", + "Security": null + }, "EventData": { "Data": { "#text": [ @@ -29,31 +53,6 @@ expression: "&value" "fr-FR" ] } - }, - "System": { - "Channel": "MSExchange Management", - "Computer": "WEC.ave.local", - "EventID": { - "#attributes": { - "Qualifiers": "16384" - }, - "#text": "1" - }, - "EventRecordID": "3229", - "Keywords": "0x80000000000000", - "Level": "4", - "Provider": { - "#attributes": { - "Name": "MSExchange CmdletLogs" - } - }, - "Security": null, - "Task": "1", - "TimeCreated": { - "#attributes": { - "SystemTime": "2021-11-19T16:52:33.833733500Z" - } - } } } } diff --git a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap index f466abd0..70eeaa3e 100644 --- a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap +++ b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap @@ -1,7 +1,6 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { "Event": { 
@@ -9,42 +8,76 @@ expression: "&value" "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { - "Channel": "Microsoft-Windows-CAPI2/Operational", - "Computer": "WIN-M5327EF98B9", - "Correlation": null, - "EventID": 53, - "EventRecordID": 28, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 1396, - "ThreadID": 2132 + "Name": "Microsoft-Windows-CAPI2", + "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" } }, - "Keywords": "0x4000000000000036", + "EventID": 53, + "Version": 0, "Level": 4, + "Task": 53, "Opcode": 2, - "Provider": { + "Keywords": "0x4000000000000036", + "TimeCreated": { "#attributes": { - "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}", - "Name": "Microsoft-Windows-CAPI2" + "SystemTime": "2017-05-19T02:02:36.203125Z" } }, - "Security": { + "EventRecordID": 28, + "Correlation": null, + "Execution": { "#attributes": { - "UserID": "S-1-5-21-1223297778-3299746493-1462173606-500" + "ProcessID": 1396, + "ThreadID": 2132 } }, - "Task": 53, - "TimeCreated": { + "Channel": "Microsoft-Windows-CAPI2/Operational", + "Computer": "WIN-M5327EF98B9", + "Security": { "#attributes": { - "SystemTime": "2017-05-19T02:02:36.203125Z" + "UserID": "S-1-5-21-1223297778-3299746493-1462173606-500" } - }, - "Version": 0 + } }, "UserData": { "CryptRetrieveObjectByUrlWire": { + "URL": { + "#attributes": { + "scheme": "http" + }, + "#text": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl" + }, + "Object": { + "#attributes": { + "type": "CONTEXT_OID_CRL", + "constant": "2" + } + }, + "Timeout": "PT9.984S", + "Flags": { + "#attributes": { + "value": "202005", + "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", + "CRYPT_WIRE_ONLY_RETRIEVAL": "true", + "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", + "CRYPT_PROXY_CACHE_RETRIEVAL": "true" + } + }, + "AuxInfo": { + "#attributes": { + "maxUrlRetrievalByteCount": "104857600", + "fProxyCacheRetrieval": "true" + } + }, "AdditionalInfo": { + "NetworkConnectivityStatus": { + "#attributes": { + 
"value": "1", + "_SENSAPI_NETWORK_ALIVE_LAN": "true" + } + }, "Action": { "#attributes": { "name": "NoProxy" @@ -62,8 +95,6 @@ expression: "&value" "HTTPResponseHeadersInfo": { "Header": "x-ms-blob-type: BlockBlob", "Header_1": "HTTP/1.1 200 OK", - "Header_10": "x-ms-version: 2009-09-19", - "Header_11": "x-ms-lease-status: unlocked", "Header_2": "Connection: keep-alive", "Header_3": "Date: Thu, 18 May 2017 11:37:58 GMT", "Header_4": "Content-Length: 813", @@ -71,19 +102,9 @@ expression: "&value" "Header_6": "Last-Modified: Tue, 02 May 2017 22:24:24 GMT", "Header_7": "ETag: 0x8D491A9FD112A27", "Header_8": "Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", - "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000" - }, - "NetworkConnectivityStatus": { - "#attributes": { - "_SENSAPI_NETWORK_ALIVE_LAN": "true", - "value": "1" - } - } - }, - "AuxInfo": { - "#attributes": { - "fProxyCacheRetrieval": "true", - "maxUrlRetrievalByteCount": "104857600" + "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000", + "Header_10": "x-ms-version: 2009-09-19", + "Header_11": "x-ms-lease-status: unlocked" } }, "CacheInfo": { @@ -92,15 +113,17 @@ expression: "&value" }, "URLCacheResponseInfo": { "#attributes": { - "lastModifiedTime": "2017-05-02T22:24:24Z", - "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP" + "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP", + "lastModifiedTime": "2017-05-02T22:24:24Z" } } }, - "CorrelationAuxInfo": { - "#attributes": { - "SeqNumber": "7", - "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}" + "RetrievedObjects": { + "CertificateRevocationList": { + "#attributes": { + "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", + "issuerName": "Microsoft Root Certificate Authority" + } } }, "EventAuxInfo": { 
@@ -108,40 +131,16 @@ expression: "&value" "ProcessName": "Setup.exe" } }, - "Flags": { - "#attributes": { - "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", - "CRYPT_PROXY_CACHE_RETRIEVAL": "true", - "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", - "CRYPT_WIRE_ONLY_RETRIEVAL": "true", - "value": "202005" - } - }, - "Object": { + "CorrelationAuxInfo": { "#attributes": { - "constant": "2", - "type": "CONTEXT_OID_CRL" + "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}", + "SeqNumber": "7" } }, "Result": { "#attributes": { "value": "0" } - }, - "RetrievedObjects": { - "CertificateRevocationList": { - "#attributes": { - "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", - "issuerName": "Microsoft Root Certificate Authority" - } - } - }, - "Timeout": "PT9.984S", - "URL": { - "#attributes": { - "scheme": "http" - }, - "#text": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl" } } } diff --git a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap index a059ab4b..799a868c 100644 --- a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap +++ b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap 
@@ -1,39 +1,66 @@ --- source: tests/test_record_samples.rs -assertion_line: 258 +assertion_line: 276 expression: "&value" --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { "System": { - "Channel": "Microsoft-Windows-CAPI2/Operational", - "Computer": "WIN-M5327EF98B9", - "Correlation": null, + "Provider_attributes": { + "Name": "Microsoft-Windows-CAPI2", + "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" + }, "EventID": 53, + "Version": 0, + "Level": 4, + "Task": 53, + "Opcode": 2, + "Keywords": "0x4000000000000036", + "TimeCreated_attributes": { + "SystemTime": "2017-05-19T02:02:36.203125Z" + }, "EventRecordID": 28, + "Correlation": null, "Execution_attributes": { "ProcessID": 1396, "ThreadID": 2132 }, - "Keywords": "0x4000000000000036", - "Level": 4, - "Opcode": 2, - "Provider_attributes": { - "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}", - "Name": "Microsoft-Windows-CAPI2" - }, + "Channel": "Microsoft-Windows-CAPI2/Operational", + "Computer": "WIN-M5327EF98B9", "Security_attributes": { "UserID": "S-1-5-21-1223297778-3299746493-1462173606-500" - }, - "Task": 53, - "TimeCreated_attributes": { - "SystemTime": "2017-05-19T02:02:36.203125Z" - }, - "Version": 0 + } }, "UserData": { "CryptRetrieveObjectByUrlWire": { + "URL_attributes": { + "scheme": "http" + }, + "URL": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl", + "Object_attributes": { + "type": "CONTEXT_OID_CRL", + "constant": "2" + }, + "Timeout": "PT9.984S", + "Flags_attributes": { + "value": "202005", + "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", + "CRYPT_WIRE_ONLY_RETRIEVAL": "true", + "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", + "CRYPT_PROXY_CACHE_RETRIEVAL": "true" + }, + "AuxInfo_attributes": { + "maxUrlRetrievalByteCount": "104857600", + "fProxyCacheRetrieval": "true" + }, "AdditionalInfo": { + "NetworkConnectivityStatus_attributes": { + "value": "1", + "_SENSAPI_NETWORK_ALIVE_LAN": "true" + }, "Action_attributes": { 
"name": "NoProxy" }, @@ -49,8 +76,6 @@ expression: "&value" "HTTPResponseHeadersInfo": { "Header": "x-ms-blob-type: BlockBlob", "Header_1": "HTTP/1.1 200 OK", - "Header_10": "x-ms-version: 2009-09-19", - "Header_11": "x-ms-lease-status: unlocked", "Header_2": "Connection: keep-alive", "Header_3": "Date: Thu, 18 May 2017 11:37:58 GMT", "Header_4": "Content-Length: 813", 
@@ -58,62 +83,37 @@ expression: "&value" "Header_6": "Last-Modified: Tue, 02 May 2017 22:24:24 GMT", "Header_7": "ETag: 0x8D491A9FD112A27", "Header_8": "Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", - "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000" - }, - "NetworkConnectivityStatus_attributes": { - "_SENSAPI_NETWORK_ALIVE_LAN": "true", - "value": "1" + "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000", + "Header_10": "x-ms-version: 2009-09-19", + "Header_11": "x-ms-lease-status: unlocked" } }, - "AuxInfo_attributes": { - "fProxyCacheRetrieval": "true", - "maxUrlRetrievalByteCount": "104857600" + "CacheInfo_attributes": { + "lastSyncTime": "2017-05-19T02:02:36.203Z" }, "CacheInfo": { "URLCacheResponseInfo_attributes": { - "lastModifiedTime": "2017-05-02T22:24:24Z", - "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP" + "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP", + "lastModifiedTime": "2017-05-02T22:24:24Z" } }, - "CacheInfo_attributes": { - "lastSyncTime": "2017-05-19T02:02:36.203Z" - }, - "CorrelationAuxInfo_attributes": { - "SeqNumber": "7", - "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}" + "RetrievedObjects": { + "CertificateRevocationList_attributes": { + "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", + "issuerName": "Microsoft Root Certificate Authority" + } }, "EventAuxInfo_attributes": { "ProcessName": "Setup.exe" }, - "Flags_attributes": { - "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", - "CRYPT_PROXY_CACHE_RETRIEVAL": "true", - "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", - "CRYPT_WIRE_ONLY_RETRIEVAL": "true", - "value": "202005" - }, - "Object_attributes": { - "constant": "2", - "type": "CONTEXT_OID_CRL" + "CorrelationAuxInfo_attributes": { + "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}", + "SeqNumber": "7" }, "Result_attributes": { "value": "0" - }, - "RetrievedObjects": { - "CertificateRevocationList_attributes": { - "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", - 
"issuerName": "Microsoft Root Certificate Authority" - } - }, - "Timeout": "PT9.984S", - "URL": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl", - "URL_attributes": { - "scheme": "http" } } } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" } } diff --git a/tests/snapshots/test_record_samples__event_json_with_size_t.snap b/tests/snapshots/test_record_samples__event_json_with_size_t.snap index 6d469614..1f48b73a 100644 --- a/tests/snapshots/test_record_samples__event_json_with_size_t.snap +++ b/tests/snapshots/test_record_samples__event_json_with_size_t.snap 
@@ -7,49 +7,49 @@ expression: "&value" "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": { - "HandleId": "0x7eec", - "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", - "ObjectName": "C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll", - "ObjectServer": "Security", - "ObjectType": "File", - "OldSd": "", - "ProcessId": "0x858", - "ProcessName": "C:\\Windows\\servicing\\TrustedInstaller.exe", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-L0ZZQ76PMUF$", - "SubjectUserSid": "S-1-5-18" - }, "System": { - "Channel": "Security", - "Computer": "WIN-L0ZZQ76PMUF", - "Correlation": null, - "EventID": 4907, - "EventRecordID": 196, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 632, - "ThreadID": 684 + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" } }, - "Keywords": "0x8020000000000000", + "EventID": 4907, + "Version": 0, "Level": 0, + "Task": 13568, "Opcode": 0, - "Provider": { + "Keywords": "0x8020000000000000", + "TimeCreated": { "#attributes": { - "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "Name": "Microsoft-Windows-Security-Auditing" + "SystemTime": "2015-08-23T21:25:49.063125Z" } }, - "Security": null, - "Task": 13568, - "TimeCreated": { + "EventRecordID": 196, + "Correlation": null, + "Execution": { "#attributes": { - "SystemTime": "2015-08-23T21:25:49.063125Z" + "ProcessID": 632, + "ThreadID": 684 } }, - "Version": 0 + "Channel": "Security", + "Computer": "WIN-L0ZZQ76PMUF", + "Security": null + }, + "EventData": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-L0ZZQ76PMUF$", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "ObjectServer": "Security", + "ObjectType": "File", + "ObjectName": "C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll", + "HandleId": "0x7eec", + "OldSd": "", + "NewSd": 
"S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "ProcessId": "0x858", + "ProcessName": "C:\\Windows\\servicing\\TrustedInstaller.exe" } } }