diff --git a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/ChunkHeader.java b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/ChunkHeader.java
index 7f01adf0c0..bb4e4d7136 100644
--- a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/ChunkHeader.java
+++ b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/ChunkHeader.java
@@ -158,7 +158,7 @@ public class ChunkHeader extends Block {
 }
 public boolean hasNext() {
- return fileLastRecordNumber.compareTo(recordNumber) > 0;
+ return logLastRecordNumber.compareTo(recordNumber) > 0;
 }
 public String getString(int offset) {
diff --git a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/FileHeader.java b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/FileHeader.java
index 8610fe9ef3..914d518620 100644
--- a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/FileHeader.java
+++ b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/main/java/org/apache/nifi/processors/evtx/parser/FileHeader.java
@@ -141,10 +141,10 @@ public class FileHeader extends Block {
 /**
 * Tests whether there are more chunks
- * @return true iff there are chunks left
+ * @return true if there are chunks left
 */
 public boolean hasNext() {
- return count < chunkCount;
+ return count <= chunkCount;
 }
 /**
diff --git a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/ParseEvtxTest.java b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/ParseEvtxTest.java
index 2e5e90ddd1..260869d850 100644
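Review bot: `hasNext()` in ChunkHeader has no comment saying why iteration is now bounded by `logLastRecordNumber`, although the difference between the file-scoped and log-scoped numbers is exactly what this fix turns on. I would add a Javadoc line such as `Records are numbered in the log-wide sequence, so iteration stops at the chunk's last log record number.`, to be confirmed against the constructor, which is outside the hunk. Both values appear to be read from the chunk header of the input file, so `next()` (also outside the hunk) should still fail cleanly when the header claims more records than the chunk actually holds.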
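Review bot: The new `count <= chunkCount` in FileHeader.hasNext() is only correct if `count` is 1-based or `chunkCount` is really a last-chunk index, and neither the initialisation of `count` nor the parsing of `chunkCount` is visible in this hunk. If `count` starts at 0 and `chunkCount` is a true count, the iterator now reports one chunk more than the file declares, and `next()` would be asked to parse past the last chunk of a file whose own header is the only source of that bound. Please state the invariant next to the comparison, e.g. `// count is 1-based: the chunk with ordinal chunkCount is still unread` if that is what the code does, and confirm that `next()` rejects a chunk offset beyond the stream rather than relying on this check. The Javadoc edit from "iff" to "if" also weakens a statement that was precise.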
--- a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/ParseEvtxTest.java
+++ b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/ParseEvtxTest.java
@@ -74,6 +74,7 @@ public class ParseEvtxTest {
 public static final String USER_DATA = "UserData";
 public static final String EVENT_DATA = "EventData";
 public static final Set DATA_TAGS = new HashSet<>(Arrays.asList(EVENT_DATA, USER_DATA));
+ public static final int EXPECTED_SUCCESSFUL_EVENT_COUNT = 1053;
 @Mock
 FileHeaderFactory fileHeaderFactory;
@@ -366,7 +367,7 @@ public class ParseEvtxTest {
 assertEquals(1, failureFlowFiles.size());
 validateFlowFiles(failureFlowFiles);
 // We expect the same number of records to come out no matter the granularity
- assertEquals(960, validateFlowFiles(failureFlowFiles));
+ assertEquals(EXPECTED_SUCCESSFUL_EVENT_COUNT, validateFlowFiles(failureFlowFiles));
 // Whole file fails if there is a failure parsing
 List successFlowFiles = testRunner.getFlowFilesForRelationship(ParseEvtx.REL_SUCCESS);
@@ -399,10 +400,10 @@ public class ParseEvtxTest {
 assertEquals(1, failureFlowFiles.size());
 List successFlowFiles = testRunner.getFlowFilesForRelationship(ParseEvtx.REL_SUCCESS);
- assertEquals(8, successFlowFiles.size());
+ assertEquals(9, successFlowFiles.size());
 // We expect the same number of records to come out no matter the granularity
- assertEquals(960, validateFlowFiles(successFlowFiles) + validateFlowFiles(failureFlowFiles));
+ assertEquals(EXPECTED_SUCCESSFUL_EVENT_COUNT, validateFlowFiles(successFlowFiles) + validateFlowFiles(failureFlowFiles));
 }
 @Test
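Review bot: `EXPECTED_SUCCESSFUL_EVENT_COUNT` is compared against `validateFlowFiles(failureFlowFiles)` in the hunk at -366, so the name says "successful" for events that were routed to failure. A neutral name with a comment giving its origin would read better, e.g. `// total events in the test fixture, regardless of relationship` above the constant; the fixture the 1053 comes from is not visible in these hunks. The move from 960 to 1053 suggests the parser was previously dropping events without reporting it, which deserves one sentence in the test so the number is not later "corrected" back.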
@@ -433,10 +434,42 @@ public class ParseEvtxTest {
 // Whole file fails if there is a failure parsing
 List successFlowFiles = testRunner.getFlowFilesForRelationship(ParseEvtx.REL_SUCCESS);
- assertEquals(960, successFlowFiles.size());
+ assertEquals(EXPECTED_SUCCESSFUL_EVENT_COUNT, successFlowFiles.size());
 // We expect the same number of records to come out no matter the granularity
- assertEquals(960, validateFlowFiles(successFlowFiles));
+ assertEquals(EXPECTED_SUCCESSFUL_EVENT_COUNT, validateFlowFiles(successFlowFiles));
+ }
+
+ @Test
+ public void testRecordBasedParseCorrectNumberOfFlowFiles() {
+ testValidEvents(ParseEvtx.RECORD, "1344_events.evtx", 1344);
+ }
+
+ @Test
+ public void testChunkBasedParseCorrectNumberOfFlowFiles() {
+ testValidEvents(ParseEvtx.CHUNK, "1344_events.evtx", 14);
+ }
+
+ @Test
+ public void testRecordBasedParseCorrectNumberOfFlowFilesFromAResizedFile() {
+ testValidEvents(ParseEvtx.RECORD, "3778_events_not_exported.evtx", 3778);
+ }
+
+ @Test
+ public void testChunkBasedParseCorrectNumberOfFlowFilesFromAResizedFile() {
+ testValidEvents(ParseEvtx.CHUNK, "3778_events_not_exported.evtx", 16);
+ }
+
+ private void testValidEvents(String granularity, String filename, int expectedCount) {
+ TestRunner testRunner = TestRunners.newTestRunner(ParseEvtx.class);
+ testRunner.setProperty(ParseEvtx.GRANULARITY, granularity);
+ Map attributes = new HashMap<>();
+ ClassLoader classLoader = this.getClass().getClassLoader();
+ InputStream resourceAsStream = classLoader.getResourceAsStream(filename);
+ testRunner.enqueue(resourceAsStream, attributes);
+ testRunner.run();
+
+ testRunner.assertTransferCount(ParseEvtx.REL_SUCCESS, expectedCount);
 }
 private int validateFlowFiles(List successFlowFiles) throws SAXException, IOException, ParserConfigurationException {
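Review bot: `testValidEvents` asserts only the REL_SUCCESS count, so nothing in the four new tests shows whether part of a fixture was also routed to failure or bad-chunk output, which is the silent-loss case this change is about. After `testRunner.run()` I would add `testRunner.assertTransferCount(ParseEvtx.REL_FAILURE, 0);` and the same for `ParseEvtx.REL_BAD_CHUNK`, provided both fixtures are expected to parse cleanly. The helper also hands `getResourceAsStream(filename)` to `enqueue` without a null check or a close; `assertNotNull(filename, resourceAsStream);` before the enqueue (assuming `assertNotNull` is statically imported like `assertEquals`) turns a missing fixture into a readable failure.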
diff --git a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/parser/ChunkHeaderTest.java b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/parser/ChunkHeaderTest.java
index 1cb52dbb60..247d37fb0b 100644
--- a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/parser/ChunkHeaderTest.java
+++ b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/java/org/apache/nifi/processors/evtx/parser/ChunkHeaderTest.java
@@ -102,7 +102,7 @@ public class ChunkHeaderTest {
 offset += 11;
 }
- RecordTest.putNode(testBinaryReaderBuilder, fileLastRecordNumber, new Date());
+ RecordTest.putNode(testBinaryReaderBuilder, logLastRecordNumber, new Date());
 testBinaryReaderBuilder.put(dataBuilder.toByteArray());
@@ -133,7 +133,7 @@ public class ChunkHeaderTest {
 assertTrue(chunkHeader.hasNext());
 Record next = chunkHeader.next();
- assertEquals(fileLastRecordNumber, next.getRecordNum().intValue());
+ assertEquals(logLastRecordNumber, next.getRecordNum().intValue());
 RootNode rootNode = next.getRootNode();
 List children = rootNode.getChildren();
 assertEquals(1, children.size());
diff --git a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/resources/1344_events.evtx b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/resources/1344_events.evtx
new file mode 100644
index 0000000000..31a084dd71
Binary files /dev/null and b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/resources/1344_events.evtx differ
diff --git a/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/resources/3778_events_not_exported.evtx b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/resources/3778_events_not_exported.evtx
new file mode 100644
index 0000000000..1110090bee
Binary files /dev/null and b/nifi-nar-bundles/nifi-evtx-bundle/nifi-evtx-processors/src/test/resources/3778_events_not_exported.evtx differ