fluent-plugin-parser_cef 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f36fef400e2254cf95714e61ce9e4477a53433ac
+  data.tar.gz: d87286621fc65c1698674a1d8ee5f61bd6a0a66f
+SHA512:
+  metadata.gz: 7639775cc9ce359b3046a69a7f5eee7cda203e02e82bd4a2adb133afe9223178d8ef6740a74ae98bff6777d7f03578ffcedf01704be3e1ab6e3c15ed44f62194
+  data.tar.gz: 8b757928f1a26b54bfcb522f365c48b2c1deeb1a7c54e895ee76bbd406ab983832782af068c3e028085eb501280223d7580d64ed076eb52b4671ac3e4531f46b

data/.gitignore

@@ -0,0 +1,58 @@
+
+# Created by https://www.gitignore.io/api/git,ruby
+
+### Git ###
+*.orig
+
+
+### Ruby ###
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+.env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--require spec_helper
+--format documentation

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2016 TODO: Write your name
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,68 @@
+# fluent-plugin-parser_cef
+
+Fluentd Parser plugin to parse CEF - common event format -
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```bash
+# for fluentd
+gem install fluent-plugin-parser_cef
+
+# for td-agent2
+td-agent-gem install fluent-plugin-parser_cef
+```
+
+## Usage
+
+```
+<source>
+  @type   tail
+  tag     develop.cef
+  path      /tmp/fluentd/test.log
+  pos_file  /tmp/fluentd/test.pos
+
+  format  cef
+  #log_format  syslog
+  #syslog_timestamp_format  '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
+  #cef_version  0
+  #parse_strict_mode  true
+  #cef_keyfilename  'config/cef_version_0_keys.yaml'
+  #output_raw_field  false
+</source>
+```
+
+## parameters
+
+* `log_format` (default: syslog)
+
+  input log format, currently only 'syslog' is valid
+
+* `syslog_timestamp` (default: '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}')
+
+  syslog timestamp format, the default is traditional syslog timestamp
+
+* `cef_version` (default: 0)
+
+  CEF version, this should be 0
+
+* `parse_strict_mode` (default: true)
+
+  if the CEF extensions are the following, the value of the key cs2 should 'foo hoge=fuga'
+
+  - cs1=test cs2=foo hoge=fuga cs3=bar
+
+  if parse_strict_mode is false, this is raugh parse, so the value of the key cs2 become 'foo' and non CEF key 'hoge' shown, and the value is 'fuga'
+
+* `cef_keyfilename` (default: 'config/cef_version_0_keys.yaml')
+
+  used when parse_strict_mode is true, this is the array of the valid CEF keys
+
+* `output_raw_field` (default: false)
+
+  append {"raw":\<message itself\>} key-value even if success parsing
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/fluent-plugin-parser_cef.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name          = "fluent-plugin-parser_cef"
+  spec.version       = File.read("VERSION").strip
+  spec.authors       = ["Tomoyuki Sugimura"]
+  spec.email         = ["tomoyuki.sugimura@gmail.com"]
+  spec.description   = %q{common event format(CEF) parser plugin for fluentd}
+  spec.summary       = %q{common event format(CEF) parser plugin, currently only 'syslog' format is permitted}
+  spec.homepage      = "https://github.com/lunardial/fluent-plugin-parser_cef"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "fluentd", "~> 0.10", ">= 0.10.43"
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rspec-core"
+  spec.add_development_dependency "test-unit"
+end

data/lib/fluent/plugin/config/cef_version_0_keys.yaml

@@ -0,0 +1,173 @@
+# Implementing ArcSight Common Event Format
+# Chapter2: ArcSight Extension Dictionary
+
+# CEF Key Names For Event Producers
+cef_key_names_for_event_producers:
+  - act
+  - app
+  - c6a1
+  - c6a1Label
+  - c6a2
+  - c6a2Label
+  - c6a3
+  - c6a3Label
+  - c6a4
+  - c6a4Label
+  - cfp1
+  - cfp1Label
+  - cfp2
+  - cfp2Label
+  - cfp3
+  - cfp3Label
+  - cfp4
+  - cfp4Label
+  - cn1
+  - cn1Label
+  - cn2
+  - cn2Label
+  - cn3
+  - cn3Label
+  - cnt
+  - cs1
+  - cs1Label
+  - cs2
+  - cs2Label
+  - cs3
+  - cs3Label
+  - cs4
+  - cs4Label
+  - cs5
+  - cs5Label
+  - cs6
+  - cs6Label
+  - destinationDnsDomain
+  - destinationServiceName
+  - destinationTranslatedAddress
+  - destinationTranslatedPort
+  - deviceCustomDate1
+  - deviceCustomDate1Label
+  - deviceCustomDate2
+  - deviceCustomDate2Label
+  - deviceDirection
+  - deviceDnsDomain
+  - deviceExternalId
+  - deviceFacility
+  - deviceInboundInterface
+  - deviceNtDomain
+  - deviceOutboundInterface
+  - devicePayloadId
+  - deviceProcessName
+  - deviceTranslatedAddress
+  - dhost
+  - dmac
+  - dntdom
+  - dpid
+  - dpriv
+  - dproc
+  - dpt
+  - dst
+  - dtz
+  - duid
+  - duser
+  - dvc
+  - dvchost
+  - dvcmac
+  - dvcpid
+  - end
+  - externalId
+  - fileCreateTime
+  - fileHash
+  - fileId
+  - fileModificationTime
+  - filePath
+  - filePermission
+  - fileType
+  - flexDate1
+  - flexDate1Label
+  - flexNumber1
+  - flexNumber1Label
+  - flexNumber2
+  - flexNumber2Label
+  - flexString1
+  - flexString1Label
+  - flexString2
+  - flexString2Label
+  - fname
+  - fsize
+  - in
+  - msg
+  - oldFileCreateTime
+  - oldFileHash
+  - oldFileId
+  - oldFileModificationTime
+  - oldFileName
+  - oldFilePath
+  - oldFilePermission
+  - oldFileSize
+  - oldFileType
+  - out
+  - outcome
+  - proto
+  - reason
+  - request
+  - requestClientApplication
+  - requestContext
+  - requestCookies
+  - requestMethod
+  - rt
+  - shost
+  - smac
+  - sntdom
+  - sourceDnsDomain
+  - sourceServiceName
+  - sourceTranslatedAddress
+  - sourceTranslatedPort
+  - spid
+  - spriv
+  - sproc
+  - spt
+  - src
+  - start
+  - suid
+  - suser
+  - type
+
+# CEF Key Names For Event Consumers
+cef_key_names_for_event_consumers:
+  - agentDnsDomain
+  - agentNtDomain
+  - agentTranslatedAddress
+  - agentTranslatedZoneExternalID
+  - agentTranslatedZoneURI
+  - agentZoneExternalID
+  - agentZoneURI
+  - agt
+  - ahost
+  - aid
+  - amac
+  - art
+  - at
+  - atz
+  - av
+  - cat
+  - customerExternalID
+  - customerURI
+  - destinationTranslatedZoneExternalID
+  - destinationTranslatedZoneURI
+  - destinationZoneExternalID
+  - destinationZoneURI
+  - deviceTranslatedZoneExternalID
+  - deviceTranslatedZoneURI
+  - deviceZoneExternalID
+  - deviceZoneURI
+  - dlat
+  - dlong
+  - eventId
+  - rawEvent
+  - slat
+  - slong
+  - sourceTranslatedZoneExternalID
+  - sourceTranslatedZoneURI
+  - sourceZoneExternalID
+  - sourceZoneURI
+

data/lib/fluent/plugin/parser_cef.rb

@@ -0,0 +1,164 @@
+# -*- coding: utf-8
+
+require 'fluent/log'
+require 'fluent/parser'
+require 'time'
+require 'yaml'
+
+module Fluent
+  class TextParser
+    class CommonEventFormatParser < Parser
+
+      Plugin.register_parser("cef", self)
+
+      config_param :log_format, :string, :default => "syslog"
+      config_param :syslog_timestamp_format, :string, :default => '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
+      config_param :cef_version, :integer, :default => 0
+      config_param :parse_strict_mode, :bool, :default => true
+      config_param :cef_keyfilename, :string, :default => 'config/cef_version_0_keys.yaml'
+      config_param :output_raw_field, :bool, :default => false
+
+
+      def configure(conf)
+        super
+
+        @key_value_format_regexp = /([^\s=]+)=(.*?)(?:(?=[^\s=]+=)|\z)/
+        @valid_format_regexp = create_valid_format_regexp
+
+        begin
+          if @parse_strict_mode
+            if @cef_keyfilename =~ /^\//
+              yaml_fieldinfo = YAML.load_file(@cef_keyfilename)
+            else
+              yaml_fieldinfo = YAML.load_file("#{File.dirname(File.expand_path(__FILE__))}/#{@cef_keyfilename}")
+            end
+            @keys_array = []
+            yaml_fieldinfo.each {|key, value| @keys_array.concat(value) }
+            $log.info "running with strict mode, #{@keys_array.length} keys are valid."
+          else
+            $log.info "running without strict mode"
+          end
+        rescue => e
+          @parse_strict_mode = false
+          $log.warn "running without strict mode because of the following error"
+          $log.warn "#{e.message}"
+        end
+      end
+
+
+      def create_valid_format_regexp()
+        case @log_format
+        when "syslog"
+          syslog_header = /
+              (?<syslog_timestamp>#{@syslog_timestamp_format})\s
+              (?<syslog_hostname>\S+)\s
+              (?<syslog_tag>\S*)\s*
+            /x
+          cef_header = /
+            CEF:(?<cef_version>#{@cef_version})\|
+            (?<cef_device_vendor>[^|]*)\|
+            (?<cef_device_product>[^|]*)\|
+            (?<cef_device_version>[^|]*)\|
+            (?<cef_device_event_class_id>[^|]*)\|
+            (?<cef_name>[^|]*)\|
+            (?<cef_severity>[^|]*)
+          /x
+          valid_format_regexp = /
+              \A
+                #{syslog_header}
+                #{cef_header}\|
+                (?<cef_extension>.*)
+              \z
+            /x
+        else
+          raise Fluent::ConfigError, "#{@log_format} is unknown format"
+        end
+        return Regexp.new(valid_format_regexp)
+      end
+
+
+      def parse(text)
+        if text.nil? || text.empty?
+          if block_given?
+            yield nil, nil
+            return
+          else
+            return nil, nil
+          end
+        end
+
+        record = {}
+        record_overview = @valid_format_regexp.match(text)
+        if record_overview.nil?
+          if block_given?
+            yield Engine.now, { "raw" => text }
+            return
+          else
+            return Engine.now, { "raw" => text }
+          end
+        end
+
+        begin
+          time = Time.parse(record_overview["syslog_timestamp"]).to_i
+        rescue => e
+          time = Engine.now
+        end
+
+        begin
+          record_overview.names.each {|key| record[key] = record_overview[key] }
+          text_cef_extension = record_overview["cef_extension"]
+          record.delete("cef_extension")
+          unless text_cef_extension.nil?
+            record_cef_extension = parse_cef_extension(text_cef_extension)
+            record.merge!(record_cef_extension)
+          end
+        rescue => e
+        end
+
+        record["raw"] = text if @output_raw_field
+        if block_given?
+          yield time, record
+          return
+        else
+          return time, record
+        end
+      end
+
+
+      def parse_cef_extension(text)
+        record = @parse_strict_mode ? parse_cef_extension_with_strict_mode(text) : parse_cef_extension_without_strict_mode(text)
+      end
+
+
+      def parse_cef_extension_with_strict_mode(text)
+        record = {}
+        begin
+          last_valid_key_name = nil
+          text.scan(@key_value_format_regexp) do |key, value|
+            if @keys_array.include?(key)
+              record[key] = value
+              record[last_valid_key_name].rstrip! unless last_valid_key_name.nil?
+              last_valid_key_name = key
+            else
+              record[last_valid_key_name].concat("#{key}=#{value}")
+            end
+          end
+        rescue => e
+          return {}
+        end
+        return record
+      end
+
+
+      def parse_cef_extension_without_strict_mode(text)
+        record = {}
+        begin
+          text.scan(@key_value_format_regexp) {|key, value| record[key] = value.rstrip }
+        rescue => e
+          return {}
+        end
+        return record
+      end
+    end
+  end
+end

data/spec/fluent/plugin/parser_cef_spec.rb

@@ -0,0 +1,151 @@
+#-*- coding: utf-8 -*-
+
+require 'fluent/plugin/parser_cef'
+require 'fluent/test'
+
+RSpec.describe Fluent::TextParser::CommonEventFormatParser do
+
+  DEFAULT_CONFIGURE = %[
+    log_format  syslog
+    syslog_timestamp_format  \\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2}
+    cef_version  0
+    parse_strict_mode  true
+    cef_keyfilename  'config/cef_version_0_keys.yaml'
+    output_raw_field  false
+  ]
+  def create_driver(conf=DEFAULT_CONFIGURE, tag='test')
+    Fluent::Test::ParserTestDriver.new(Fluent::TextParser::CommonEventFormatParser, tag).configure(conf)
+  end
+
+  before :all do
+    Fluent::Test.setup
+  end
+
+  before :each do
+    @test_driver = create_driver
+  end
+
+  describe "#parse(text)" do
+    context "text == nil" do
+      let (:text) { nil }
+      subject do
+        @test_driver.parse(text)
+      end
+      it { is_expected.to eq [nil, nil] }
+    end
+    context "text is empty string" do
+      let (:text) { "" }
+      subject do
+        @test_driver.parse(text)
+      end
+      it { is_expected.to eq [nil, nil] }
+    end
+    context "text is not syslog format nor CEF" do
+      let (:text) { "December 12 10:00:00 hostname tag message" }
+      subject do
+        @test_driver.parse(text)
+      end
+      it { is_expected.to contain_exactly(be_an(Integer), {"raw"=>"December 12 10:00:00 hostname tag message"}) }
+    end
+    context "text is not in syslog format but is CEF" do
+      let (:text) { "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
+      subject do
+        @test_driver.parse(text)
+      end
+      it { is_expected.to contain_exactly(be_an(Integer), {"raw"=>"December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test"}) }
+    end
+    context "text is syslog format but not CEF" do
+      let (:text) { "Dec 12 10:11:12 hostname tag message" }
+      subject do
+        @test_driver.parse(text)
+      end
+      it { is_expected.to contain_exactly(be_an(Integer), {"raw"=>"Dec 12 10:11:12 hostname tag message"}) }
+    end
+    context "text is syslog format and CEF (CEF Extension field is empty)" do
+      let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|" }
+      subject do
+        @test_driver.parse(text)
+      end
+      it { is_expected.to eq [
+        1480616226,
+        {"syslog_timestamp"=>"Dec  2 03:17:06",
+         "syslog_hostname"=>"hostname",
+         "syslog_tag"=>"tag",
+         "cef_version"=>"0",
+         "cef_device_vendor"=>"Vendor",
+         "cef_device_product"=>"Product",
+         "cef_device_version"=>"Version",
+         "cef_device_event_class_id"=>"ID",
+         "cef_name"=>"Name",
+         "cef_severity"=>"Severity"}
+      ]}
+    end
+    context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode on" do
+      let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
+      subject do
+        @test_driver.parse(text)
+      end
+      it { is_expected.to eq [
+        1480616226,
+        {"syslog_timestamp"=>"Dec  2 03:17:06",
+         "syslog_hostname"=>"hostname",
+         "syslog_tag"=>"tag",
+         "cef_version"=>"0",
+         "cef_device_vendor"=>"Vendor",
+         "cef_device_product"=>"Product",
+         "cef_device_version"=>"Version",
+         "cef_device_event_class_id"=>"ID",
+         "cef_name"=>"Name",
+         "cef_severity"=>"Severity",
+         "cs1"=>"test"}
+      ]}
+    end
+    context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode off" do
+      let (:config) {%[
+        parse_strict_mode  false
+      ]}
+      let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
+      subject do
+        @test_driver = create_driver(config)
+        @test_driver.parse(text)
+      end
+      it { is_expected.to eq [
+        1480616226,
+        {"syslog_timestamp"=>"Dec  2 03:17:06",
+         "syslog_hostname"=>"hostname",
+         "syslog_tag"=>"tag",
+         "cef_version"=>"0",
+         "cef_device_vendor"=>"Vendor",
+         "cef_device_product"=>"Product",
+         "cef_device_version"=>"Version",
+         "cef_device_event_class_id"=>"ID",
+         "cef_name"=>"Name",
+         "cef_severity"=>"Severity",
+         "foo"=>"bar"}
+      ]}
+    end
+    context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode on, timestamp is rfc3339" do
+      let (:config) {%[
+        syslog_timestamp_format  \\d{4}-{,1}\\d{2}-{,1}\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+){,1}(?:\\Z|\\+\\d{2}:\\d{2})
+      ]}
+      let (:text) { "2014-06-07T18:55:09.019283+09:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
+      subject do
+        @test_driver = create_driver(config)
+        @test_driver.parse(text)
+      end
+      it { is_expected.to eq [
+        1402134909,
+        {"syslog_timestamp"=>"2014-06-07T18:55:09.019283+09:00",
+         "syslog_hostname"=>"hostname",
+         "syslog_tag"=>"tag",
+         "cef_version"=>"0",
+         "cef_device_vendor"=>"Vendor",
+         "cef_device_product"=>"Product",
+         "cef_device_version"=>"Version",
+         "cef_device_event_class_id"=>"ID",
+         "cef_name"=>"Name",
+         "cef_severity"=>"Severity"}
+      ]}
+    end
+  end
+end

data/spec/sample/fluentd.conf

@@ -0,0 +1,31 @@
+<source>
+  @type   tail
+  tag     develop.cef
+  path      /tmp/fluentd/test.log
+  pos_file  /tmp/fluentd/test.pos
+
+  format  cef
+  #log_format  syslog
+  #syslog_timestamp_format  '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
+  #cef_version  0
+  #parse_strict_mode  true
+  #cef_keyfilename  'config/cef_version_0_keys.yaml'
+  #output_raw_field  false
+</source>
+
+<match **>
+  @type  stdout
+</match>
+
+#<match cevelop.cef>
+#  @type  elasticsearch
+#  host   elasticsearch
+#  port   9200
+#  logstash_format  true
+#  logstash_dateformat  %Y.%m.%d
+#  utc_index  true
+#  include_tag_key  false
+#  logstash_prefix  develop
+#  type_name  develop
+#  flush_interval 1s
+#</match>

data/spec/spec_helper.rb

@@ -0,0 +1,108 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+$LOAD_PATH.unshift(File.expand_path('../lib', __FILE__))
+$LOAD_PATH.unshift(File.expand_path('../spec', __FILE__))
+
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # This option will default to `:apply_to_host_groups` in RSpec 4 (and will
+  # have no way to turn it off -- the option exists only for backwards
+  # compatibility in RSpec 3). It causes shared context metadata to be
+  # inherited by the metadata hash of host groups and examples, rather than
+  # triggering implicit auto-inclusion in groups with matching metadata.
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # This allows you to limit a spec run to individual examples or groups
+  # you care about by tagging them with `:focus` metadata. When nothing
+  # is tagged with `:focus`, all examples get run. RSpec also provides
+  # aliases for `it`, `describe`, and `context` that include `:focus`
+  # metadata: `fit`, `fdescribe` and `fcontext`, respectively.
+  config.filter_run_when_matching :focus
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  #config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end
+

metadata

@@ -0,0 +1,151 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-parser_cef
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Tomoyuki Sugimura
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-12-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.43
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.43
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: common event format(CEF) parser plugin for fluentd
+email:
+- tomoyuki.sugimura@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- VERSION
+- fluent-plugin-parser_cef.gemspec
+- lib/fluent/plugin/config/cef_version_0_keys.yaml
+- lib/fluent/plugin/parser_cef.rb
+- spec/fluent/plugin/parser_cef_spec.rb
+- spec/sample/fluentd.conf
+- spec/spec_helper.rb
+homepage: https://github.com/lunardial/fluent-plugin-parser_cef
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: common event format(CEF) parser plugin, currently only 'syslog' format is
+  permitted
+test_files:
+- spec/fluent/plugin/parser_cef_spec.rb
+- spec/sample/fluentd.conf
+- spec/spec_helper.rb