fluent-plugin-grok-parser 2.4.0 → 2.5.0

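--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 7ee0a491eb3c582a83f228c34648869c693cf028aba0beed0404f0ffa3dff182
-data.tar.gz: b421584afadea006497e075a5e198bbd2497654cb446148e1223320172a85aac
+metadata.gz: d615b82eed6b2bedc84947d46ebc4bd320f6887541416f131f9676e4531679cd
+data.tar.gz: e6e7acba01a1a100f382ba902c55a732ad7c7079bd908b5ea3c535cebd7a9c06
 SHA512:
-metadata.gz: 0db5d145e6d33b285393c75a8383b93120ba623f99859356831e2b08622ca8d1c12ac37d9597ea5fc123d2997c7d42d6b75f4015e9502eaccc830fe41a1919db
-data.tar.gz: 55d52fd681a761529947a779ebec12de1b7468e1d95546b086fd34d1dcaba6a4122726a954ddbc2f26cd872ca401ec0d6a4ce1294118b8db4bc48a47df79fade
+metadata.gz: 9454d12393f8213e7792fd8100d3c0dfd564e1cf1248ca5b23656bf7079560c8bd486a2227a8381c70dec456415737eea7ff35494030abbb182eb77293b1c50b
+data.tar.gz: 1df8abdbebb4d7f1c0df3b9049b86edb4b4d11badf0d1e7422e6719dc154aaeb01a6e9adbd22ea38bfc7f2cd509ebb420d6727f6795b513f46778ba1454ca51d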
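--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -2,8 +2,7 @@ sudo: false
 language: ruby
 
 rvm:
-- 2.2.10
-- 2.3.7
-- 2.4.4
-- 2.5.1
-
+- 2.3
+- 2.4
+- 2.5.3
+- 2.6.0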
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = "fluent-plugin-grok-parser"
7
- spec.version = "2.4.0"
7
+ spec.version = "2.5.0"
8
8
  spec.authors = ["kiyoto", "Kenji Okimoto"]
9
9
  spec.email = ["kiyoto@treasure-data.com", "okimoto@clear-code.com"]
10
10
  spec.summary = %q{Fluentd plugin to support Logstash-inspired Grok format for parsing logs}
@@ -131,7 +131,7 @@ module Fluent
131
131
  else
132
132
  replacement_pattern = "(?:#{curr_pattern})"
133
133
  end
134
- pattern.sub!(m[0]) do |s|
134
+ pattern = pattern.sub(m[0]) do |s|
135
135
  replacement_pattern
136
136
  end
137
137
  end
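Review bot: The switch to the non-destructive `pattern = pattern.sub(m[0]) do |s| … end` deserves a comment, because it is what keeps the caller's configuration string intact (the "keep original configuration" test added in this release depends on it) and a later maintainer may "simplify" it back to `sub!`. The block form also matters on its own: a two-argument `sub(m[0], replacement_pattern)` would have Ruby interpret `\0`/`\1`-style sequences inside `replacement_pattern`, which is a regex fragment (`(?:#{curr_pattern})` two lines above) and may contain backslashes, whereas a block's return value is inserted verbatim. Suggested comment above the call: `# Non-destructive sub: pattern is the caller's config string. Block form avoids backreference expansion in replacement_pattern.`, and the unused block parameter reads better as `|_|`. The enclosing loop and method start and end outside the hunk, so whether the rebound `pattern` is what the loop continues to scan cannot be confirmed here.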
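--- a/data/patterns/aws
+++ b/data/patterns/aws
@@ -9,6 +9,3 @@ ELB_URI %{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{
 ELB_REQUEST_LINE (?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
 
 ELB_ACCESS_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:integer} (?:(%{IP:backendip}:?:%{INT:backendport:integer})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:integer} %{INT:backend_response:integer} %{INT:received_bytes:integer} %{INT:bytes:integer} "%{ELB_REQUEST_LINE}"
-
-CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{WORD:x_edge_location}\t(?:%{NUMBER:sc_bytes:integer}|-)\t%{IPORHOST:clientip}\t%{WORD:cs_method}\t%{HOSTNAME:cs_host}\t%{NOTSPACE:cs_uri_stem}\t%{NUMBER:sc_status:integer}\t%{GREEDYDATA:referrer}\t%{GREEDYDATA:agent}\t%{GREEDYDATA:cs_uri_query}\t%{GREEDYDATA:cookies}\t%{WORD:x_edge_result_type}\t%{NOTSPACE:x_edge_request_id}\t%{HOSTNAME:x_host_header}\t%{URIPROTO:cs_protocol}\t%{INT:cs_bytes:integer}\t%{GREEDYDATA:time_taken:float}\t%{GREEDYDATA:x_forwarded_for}\t%{GREEDYDATA:ssl_protocol}\t%{GREEDYDATA:ssl_cipher}\t%{GREEDYDATA:x_edge_response_result_type}
-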
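--- a/data/patterns/firewalls
+++ b/data/patterns/firewalls
@@ -36,7 +36,7 @@ CISCOFW106006_106007_106010 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction}
 # ASA-3-106014
 CISCOFW106014 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
 # ASA-6-106015
-CISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}
+CISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}
 # ASA-1-106021
 CISCOFW106021 %{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
 # ASA-4-106023
@@ -45,8 +45,6 @@ CISCOFW106023 %{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src
 CISCOFW106100_2_3 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\) -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
 # ASA-5-106100
 CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
-# ASA-5-304001
-CISCOFW304001 %{IP:src_ip}(\(%{DATA:src_fwuser}\))? Accessed URL %{IP:dst_ip}:%{GREEDYDATA:dst_url}
 # ASA-6-110002
 CISCOFW110002 %{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
 # ASA-6-302010
@@ -86,6 +84,3 @@ CISCOFW733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Cu
 # Shorewall firewall logs
 SHOREWALL (%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)
 #== End Shorewall
-#== SuSE Firewall 2 ==
-SFW2 ((%{SYSLOGTIMESTAMP})|(%{TIMESTAMP_ISO8601}))\s*%{HOSTNAME}\s*kernel\S+\s*%{NAGIOSTIME}\s*SFW2\-INext\-%{NOTSPACE:nf_action}\s*IN=%{USERNAME:nf_in_interface}.*OUT=((\s*%{USERNAME:nf_out_interface})|(\s*))MAC=((%{COMMONMAC:nf_dst_mac}:%{COMMONMAC:nf_src_mac})|(\s*)).*SRC=%{IP:nf_src_ip}\s*DST=%{IP:nf_dst_ip}.*PROTO=%{WORD:nf_protocol}((.*SPT=%{INT:nf_src_port}.*DPT=%{INT:nf_dst_port}.*)|())
-#== End SuSE ==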
@@ -2,6 +2,7 @@ USERNAME [a-zA-Z0-9._-]+
2
2
  USER %{USERNAME}
3
3
  EMAILLOCALPART [a-zA-Z][a-zA-Z0-9_.+-=:]+
4
4
  EMAILADDRESS %{EMAILLOCALPART}@%{HOSTNAME}
5
+ HTTPDUSER %{EMAILADDRESS}|%{USER}
5
6
  INT (?:[+-]?(?:[0-9]+))
6
7
  BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
7
8
  NUMBER (?:%{BASE10NUM})
@@ -17,8 +18,6 @@ DATA .*?
17
18
  GREEDYDATA .*
18
19
  QUOTEDSTRING (?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
19
20
  UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
20
- # URN, allowing use of RFC 2141 section 2.3 reserved characters
21
- URN urn:[0-9A-Za-z][0-9A-Za-z-]{0,31}:(?:%[0-9a-fA-F]{2}|[0-9A-Za-z()+,.:=@;$_!*'/?#-])+
22
21
 
23
22
  # Networking
24
23
  MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
@@ -34,7 +33,7 @@ HOSTPORT %{IPORHOST}:%{POSINT}
34
33
 
35
34
  # paths
36
35
  PATH (?:%{UNIXPATH}|%{WINPATH})
37
- UNIXPATH (/([\w_%!$@:.,+~-]+|\\.)*)+
36
+ UNIXPATH (/([\w_%!$@:.,~-]+|\\.)*)+
38
37
  TTY (?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))
39
38
  WINPATH (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
40
39
  URIPROTO [A-Za-z]+(\+[A-Za-z+]+)?
@@ -48,7 +47,7 @@ URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
48
47
  URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
49
48
 
50
49
  # Months: January, Feb, 3, 03, 12, December
51
- MONTH \b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b
50
+ MONTH \b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b
52
51
  MONTHNUM (?:0?[1-9]|1[0-2])
53
52
  MONTHNUM2 (?:0[1-9]|1[0-2])
54
53
  MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
@@ -71,11 +70,12 @@ ISO8601_SECOND (?:%{SECOND}|60)
71
70
  TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
72
71
  DATE %{DATE_US}|%{DATE_EU}
73
72
  DATESTAMP %{DATE}[- ]%{TIME}
74
- TZ (?:[APMCE][SD]T|UTC)
73
+ TZ (?:[PMCE][SD]T|UTC)
75
74
  DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
76
75
  DATESTAMP_RFC2822 %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
77
76
  DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
78
77
  DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}
78
+ HTTPDERROR_DATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
79
79
 
80
80
  # Syslog Dates: Month Day HH:MM:SS
81
81
  SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
@@ -90,6 +90,12 @@ QS %{QUOTEDSTRING}
90
90
 
91
91
  # Log formats
92
92
  SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
93
+ COMMONAPACHELOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
94
+ COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
95
+ HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
96
+ HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}:tid %{NUMBER:tid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}
97
+ HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}
98
+
93
99
 
94
100
  # Log Levels
95
101
  LOGLEVEL ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
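Review bot: Three edits in this section silently narrow what the base patterns accept, and nothing in the hunks marks that as intended: `TZ (?:[PMCE][SD]T|UTC)` no longer matches AST/ADT, `MONTH` drops the `[Jj]`-style lowercase alternatives so `jan`/`feb` stop matching, and `UNIXPATH` drops `+` from its character class so paths containing `+` no longer match. Any deployed config that feeds such input through `%{SYSLOGTIMESTAMP}`, `%{DATESTAMP_RFC822}` or `%{UNIXPATH}` will start producing parse failures after this minor-version upgrade, which belongs in the changelog and, since this file supports `#` comments, next to the line: `# NOTE: timezone abbreviations limited to PST/PDT/MST/MDT/CST/CDT/EST/EDT/UTC`. The URN removal at old lines 20-21 likewise breaks any pattern still referencing `%{URN}` (presumably a load-time error rather than a parse failure, if the loader rejects unknown names — not visible here). The new `COMMONAPACHELOG` references `%{HTTPDATE}` and `HTTPDERROR_DATE` references `%{DAY}`, both defined outside these hunks, so confirm they exist in this file.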
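--- a/data/patterns/java
+++ b/data/patterns/java
@@ -1,14 +1,15 @@
 JAVACLASS (?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*
 #Space is an allowed character to match special cases like 'Native Method' or 'Unknown Source'
 JAVAFILE (?:[A-Za-z0-9_. -]+)
-#Allow special <init>, <clinit> methods
-JAVAMETHOD (?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
+#Allow special <init> method
+JAVAMETHOD (?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
 #Line number is optional in special cases 'Native method' or 'Unknown source'
 JAVASTACKTRACEPART %{SPACE}at %{JAVACLASS:class}\.%{JAVAMETHOD:method}\(%{JAVAFILE:file}(?::%{NUMBER:line})?\)
 # Java Logs
 JAVATHREAD (?:[A-Z]{2}-Processor[\d]+)
 JAVACLASS (?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+
 JAVAFILE (?:[A-Za-z0-9_.-]+)
+JAVASTACKTRACEPART at %{JAVACLASS:class}\.%{WORD:method}\(%{JAVAFILE:file}:%{NUMBER:line}\)
 JAVALOGMESSAGE (.*)
 # MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM
 CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)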
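Review bot: The added `JAVASTACKTRACEPART` at new line 12 duplicates the name already defined at line 7, so the file now carries two different definitions of the same pattern, and which one `%{JAVASTACKTRACEPART}` expands to depends on how the pattern loader treats repeated names (not visible here; a last-wins loader would make the line-12 form effective). The two differ materially: the later one has no leading `%{SPACE}`, uses `%{WORD:method}` instead of `%{JAVAMETHOD}` so `<init>` frames do not match, and makes `:%{NUMBER:line}` mandatory so the 'Native Method'/'Unknown Source' frames that the comment on line 6 says are handled stop matching. The `<clinit>` removal from `JAVAMETHOD` at line 5 is a second narrowing: static-initializer frames no longer match. If the second definition is intentional, give it its own name (e.g. `JAVASTACKTRACEPART_SIMPLE`) or drop the earlier one and fix the line-6 comment; the same pre-existing duplication applies to `JAVACLASS` (lines 1 and 10) and `JAVAFILE` (lines 3 and 11).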
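--- a/data/patterns/redis
+++ b/data/patterns/redis
@@ -1,3 +1,3 @@
 REDISTIMESTAMP %{MONTHDAY} %{MONTH} %{TIME}
 REDISLOG \[%{POSINT:pid}\] %{REDISTIMESTAMP:timestamp} \*
-REDISMONLOG %{NUMBER:timestamp} \[%{INT:database} %{IP:client}:%{NUMBER:port}\] "%{WORD:command}"\s?%{GREEDYDATA:params}
+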
@@ -158,37 +158,49 @@ class GrokParserTest < ::Test::Unit::TestCase
158
158
  end
159
159
  end
160
160
 
161
- test "no grok patterns" do
162
- assert_raise Fluent::ConfigError do
163
- create_driver('')
161
+ sub_test_case "configure" do
162
+ test "no grok patterns" do
163
+ assert_raise Fluent::ConfigError do
164
+ create_driver('')
165
+ end
166
+ end
167
+
168
+ test "invalid config value type" do
169
+ assert_raise Fluent::ConfigError do
170
+ create_driver(%[
171
+ <grok>
172
+ pattern %{PATH:path:foo}
173
+ </grok>
174
+ ])
175
+ end
164
176
  end
165
- end
166
177
 
167
- test "invalid config value type" do
168
- assert_raise Fluent::ConfigError do
169
- create_driver(%[
178
+ test "invalid config value type and normal grok pattern" do
179
+ d = create_driver(%[
170
180
  <grok>
171
181
  pattern %{PATH:path:foo}
172
182
  </grok>
183
+ <grok>
184
+ pattern %{IP:ip_address}
185
+ </grok>
173
186
  ])
187
+ assert_equal(1, d.instance.instance_variable_get(:@grok).parsers.size)
188
+ logs = $log.instance_variable_get(:@logger).instance_variable_get(:@logdev).logs
189
+ error_logs = logs.grep(/error_class/)
190
+ assert_equal(1, error_logs.size)
191
+ error_message = error_logs.first[/error="(.+)"/, 1]
192
+ assert_equal("unknown value conversion for key:'path', type:'foo'", error_message)
174
193
  end
175
- end
176
194
 
177
- test "invalid config value type and normal grok pattern" do
178
- d = create_driver(%[
179
- <grok>
180
- pattern %{PATH:path:foo}
181
- </grok>
182
- <grok>
183
- pattern %{IP:ip_address}
184
- </grok>
185
- ])
186
- assert_equal(1, d.instance.instance_variable_get(:@grok).parsers.size)
187
- logs = $log.instance_variable_get(:@logger).instance_variable_get(:@logdev).logs
188
- error_logs = logs.grep(/error_class/)
189
- assert_equal(1, error_logs.size)
190
- error_message = error_logs.first[/error="(.+)"/, 1]
191
- assert_equal("unknown value conversion for key:'path', type:'foo'", error_message)
195
+ test "keep original configuration" do
196
+ config = %[
197
+ <grok>
198
+ pattern %{INT:user_id:integer} paid %{NUMBER:paid_amount:float}
199
+ </grok>
200
+ ]
201
+ d = create_driver(config)
202
+ assert_equal("%{INT:user_id:integer} paid %{NUMBER:paid_amount:float}", d.instance.config.elements("grok").first["pattern"])
203
+ end
192
204
  end
193
205
 
194
206
  sub_test_case "grok_name_key" do
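Review bot: `assert_equal(1, error_logs.size)` in "invalid config value type and normal grok pattern" (carried over into the new `sub_test_case "configure"`) counts every `error_class` line in the shared `$log` buffer, reached through `instance_variable_get(:@logger)` and `instance_variable_get(:@logdev)`, so it passes only if no earlier test in the run has left such a line there; unless `setup` (outside the hunk) resets that logger, the assertion is order-dependent. Reaching two private instance variables deep also couples the test to the test logger's internals rather than its API, so a change there fails this test for reasons unrelated to the parser. A check on content instead of count survives both, e.g. `assert(logs.any? { |l| l.include?("unknown value conversion for key:'path', type:'foo'") })`, keeping the `parsers.size` assertion as the real guarantee that the invalid `<grok>` block was skipped. `GrokParserTest` starts and ends outside the hunk.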
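--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-grok-parser
 version: !ruby/object:Gem::Version
-version: 2.4.0
+version: 2.5.0
 platform: ruby
 authors:
 - kiyoto
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-11-28 00:00:00.000000000 Z
+date: 2019-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -138,8 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 3.0.1
 signing_key:
 specification_version: 4
 summary: Fluentd plugin to support Logstash-inspired Grok format for parsing logs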