fluent-plugin-parser_cef 0.2.0 → 0.3.0
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/fluent-plugin-parser_cef.gemspec +2 -0
- data/lib/fluent/plugin/parser_cef.rb +49 -61
- data/spec/fluent/plugin/parser_cef_spec.rb +30 -0
- data/spec/spec_helper.rb +3 -5
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c09965c761425d6ee3fc54bbb9fba450a7a77ca1
|
4
|
+
data.tar.gz: '048a3194df2c21016b2d394f244c40ea6a4f6a44'
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 387f53dab5273481471073b35a2821a47b876e94f5aadcebb3cd0b9d4779cee6ad5c9708a90afb65ed91a0859a6d91480993cd39579f3ad2c73b20bb4cc8393d
|
7
|
+
data.tar.gz: 84594857d98d6a8a5850a64a725142474cefbc5c2395636f6312ba5eb66cfa19f4cb4b7e12b507082dd54517d815e885850ff4cf5eb7200aea757a2036776271
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.
|
1
|
+
0.3.0
|
@@ -17,6 +17,8 @@ Gem::Specification.new do |spec|
|
|
17
17
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
18
18
|
spec.require_paths = ["lib"]
|
19
19
|
|
20
|
+
spec.required_ruby_version = "~> 2.0"
|
21
|
+
|
20
22
|
spec.add_runtime_dependency "fluentd", ">= 0.12", "< 0.14"
|
21
23
|
|
22
24
|
spec.add_development_dependency "bundler", "~> 1.3"
|
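Review bot: `spec.required_ruby_version = "~> 2.0"` still admits Ruby 2.0.x, yet this same release makes the parser call `String#scrub` on every line, and `scrub` only exists from Ruby 2.1 onward, so on a 2.0 interpreter every parsed event would raise NoMethodError. Raise the floor to match the code, e.g. `spec.required_ruby_version = ">= 2.1"` (or `"~> 2.1"` if the `< 3.0` upper bound is intended), and regenerate `metadata` so its `required_ruby_version` entry agrees. The gemspec block continues outside the hunk.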
@@ -8,9 +8,7 @@ require 'yaml'
|
|
8
8
|
module Fluent
|
9
9
|
class TextParser
|
10
10
|
class CommonEventFormatParser < Parser
|
11
|
-
|
12
11
|
Plugin.register_parser("cef", self)
|
13
|
-
|
14
12
|
config_param :log_format, :string, :default => "syslog"
|
15
13
|
config_param :log_utc_offset, :string, :default => nil
|
16
14
|
config_param :syslog_timestamp_format, :string, :default => '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
|
@@ -19,14 +17,11 @@ module Fluent
|
|
19
17
|
config_param :cef_keyfilename, :string, :default => 'config/cef_version_0_keys.yaml'
|
20
18
|
config_param :output_raw_field, :bool, :default => false
|
21
19
|
|
22
|
-
|
23
20
|
def configure(conf)
|
24
21
|
super
|
25
|
-
|
26
22
|
@key_value_format_regexp = /([^\s=]+)=(.*?)(?:(?=[^\s=]+=)|\z)/
|
27
23
|
@valid_format_regexp = create_valid_format_regexp
|
28
24
|
@utc_offset = get_utc_offset(@log_utc_offset)
|
29
|
-
|
30
25
|
begin
|
31
26
|
if @parse_strict_mode
|
32
27
|
if @cef_keyfilename =~ /^\//
|
@@ -47,6 +42,55 @@ module Fluent
|
|
47
42
|
end
|
48
43
|
end
|
49
44
|
|
45
|
+
def parse(text)
|
46
|
+
if text.nil? || text.empty?
|
47
|
+
if block_given?
|
48
|
+
yield nil, nil
|
49
|
+
return
|
50
|
+
else
|
51
|
+
return nil, nil
|
52
|
+
end
|
53
|
+
end
|
54
|
+
text.force_encoding("utf-8")
|
55
|
+
replaced_text = text.scrub('?')
|
56
|
+
record = {}
|
57
|
+
record_overview = @valid_format_regexp.match(replaced_text)
|
58
|
+
if record_overview.nil?
|
59
|
+
if block_given?
|
60
|
+
yield Engine.now, { "raw" => replaced_text }
|
61
|
+
return
|
62
|
+
else
|
63
|
+
return Engine.now, { "raw" => replaced_text }
|
64
|
+
end
|
65
|
+
end
|
66
|
+
time = get_unixtime_with_utc_offset(record_overview["syslog_timestamp"], @utc_offset)
|
67
|
+
begin
|
68
|
+
record_overview.names.each {|key| record[key] = record_overview[key] }
|
69
|
+
text_cef_extension = record_overview["cef_extension"]
|
70
|
+
record.delete("cef_extension")
|
71
|
+
rescue
|
72
|
+
if block_given?
|
73
|
+
yield Engine.now, { "raw" => replaced_text }
|
74
|
+
return
|
75
|
+
else
|
76
|
+
return Engine.now, { "raw" => replaced_text }
|
77
|
+
end
|
78
|
+
end
|
79
|
+
unless text_cef_extension.nil?
|
80
|
+
record_cef_extension = parse_cef_extension(text_cef_extension)
|
81
|
+
record.merge!(record_cef_extension)
|
82
|
+
end
|
83
|
+
record["raw"] = replaced_text if @output_raw_field
|
84
|
+
if block_given?
|
85
|
+
yield time, record
|
86
|
+
return
|
87
|
+
else
|
88
|
+
return time, record
|
89
|
+
end
|
90
|
+
end
|
91
|
+
|
92
|
+
private
|
93
|
+
|
50
94
|
def get_utc_offset(text)
|
51
95
|
utc_offset = nil
|
52
96
|
begin
|
@@ -91,7 +135,6 @@ module Fluent
|
|
91
135
|
return Regexp.new(valid_format_regexp)
|
92
136
|
end
|
93
137
|
|
94
|
-
|
95
138
|
def get_unixtime_with_utc_offset(timestamp, utc_offset)
|
96
139
|
unixtime = nil
|
97
140
|
begin
|
@@ -106,59 +149,6 @@ module Fluent
|
|
106
149
|
return unixtime
|
107
150
|
end
|
108
151
|
|
109
|
-
|
110
|
-
def parse(text)
|
111
|
-
if text.nil? || text.empty?
|
112
|
-
if block_given?
|
113
|
-
yield nil, nil
|
114
|
-
return
|
115
|
-
else
|
116
|
-
return nil, nil
|
117
|
-
end
|
118
|
-
end
|
119
|
-
|
120
|
-
text.force_encoding("utf-8")
|
121
|
-
record = {}
|
122
|
-
record_overview = @valid_format_regexp.match(text)
|
123
|
-
if record_overview.nil?
|
124
|
-
if block_given?
|
125
|
-
yield Engine.now, { "raw" => text }
|
126
|
-
return
|
127
|
-
else
|
128
|
-
return Engine.now, { "raw" => text }
|
129
|
-
end
|
130
|
-
end
|
131
|
-
|
132
|
-
time = get_unixtime_with_utc_offset(record_overview["syslog_timestamp"], @utc_offset)
|
133
|
-
|
134
|
-
begin
|
135
|
-
record_overview.names.each {|key| record[key] = record_overview[key] }
|
136
|
-
text_cef_extension = record_overview["cef_extension"]
|
137
|
-
record.delete("cef_extension")
|
138
|
-
rescue
|
139
|
-
if block_given?
|
140
|
-
yield Engine.now, { "raw" => text }
|
141
|
-
return
|
142
|
-
else
|
143
|
-
return Engine.now, { "raw" => text }
|
144
|
-
end
|
145
|
-
end
|
146
|
-
|
147
|
-
unless text_cef_extension.nil?
|
148
|
-
record_cef_extension = parse_cef_extension(text_cef_extension)
|
149
|
-
record.merge!(record_cef_extension)
|
150
|
-
end
|
151
|
-
|
152
|
-
record["raw"] = text if @output_raw_field
|
153
|
-
if block_given?
|
154
|
-
yield time, record
|
155
|
-
return
|
156
|
-
else
|
157
|
-
return time, record
|
158
|
-
end
|
159
|
-
end
|
160
|
-
|
161
|
-
|
162
152
|
def parse_cef_extension(text)
|
163
153
|
if @parse_strict_mode == true
|
164
154
|
return parse_cef_extension_with_strict_mode(text)
|
@@ -167,7 +157,6 @@ module Fluent
|
|
167
157
|
end
|
168
158
|
end
|
169
159
|
|
170
|
-
|
171
160
|
def parse_cef_extension_with_strict_mode(text)
|
172
161
|
record = {}
|
173
162
|
begin
|
@@ -187,7 +176,6 @@ module Fluent
|
|
187
176
|
return record
|
188
177
|
end
|
189
178
|
|
190
|
-
|
191
179
|
def parse_cef_extension_without_strict_mode(text)
|
192
180
|
record = {}
|
193
181
|
begin
|
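Review bot: `text.force_encoding("utf-8")` at the top of the relocated `parse` still mutates the caller's string in place and would raise if an input plugin hands over a frozen string; since `scrub` already returns a fresh copy, the non-destructive form `replaced_text = text.dup.force_encoding("utf-8").scrub('?')` yields the same record without the side effect. The `parse_cef_extension(text_cef_extension)` call sits outside the `begin`/`rescue`, so an exception raised there would escape `parse` instead of falling back to the `"raw"` record; the strict and non-strict helpers appear to open their own `begin` blocks, so this may already be covered, but a malformed-extension spec would confirm it. Both fallback branches emit the unparsed line under `Engine.now` with no log message, so for a parser fed attacker-influenced log data a debug/warn log line on the fallback path (via whatever logger the plugin has in scope) would let operators notice format drift or injected junk rather than silently losing the original event time. The enclosing class continues outside the hunk.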
@@ -283,5 +283,35 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
283
283
|
"cef_severity" => "Severity",
|
284
284
|
"cs1" => "test" }]}
|
285
285
|
end
|
286
|
+
context "syslog message is UTF-8, but including invalid UTF-8 string" do
|
287
|
+
let (:config) {%[
|
288
|
+
log_utc_offset +09:00
|
289
|
+
]}
|
290
|
+
let (:text) { "Feb 19 00:35:11 hogehuga CEF:0|Vendor|Product|Version|ID|Name|Severity|src=192.168.1.1 spt=60000 dst=172.16.100.100 dpt=80 msg=\xe3\x2e\x2e\x2e" }
|
291
|
+
subject do
|
292
|
+
allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
|
293
|
+
@timestamp = Time.parse("Feb 19 00:35:11 +09:00").to_i
|
294
|
+
@test_driver = create_driver(config)
|
295
|
+
text.force_encoding("ascii-8bit")
|
296
|
+
@test_driver.parse(text)
|
297
|
+
end
|
298
|
+
it { is_expected.to eq [
|
299
|
+
@timestamp, {
|
300
|
+
"syslog_timestamp" => "Feb 19 00:35:11",
|
301
|
+
"syslog_hostname" => "hogehuga",
|
302
|
+
"syslog_tag" => "",
|
303
|
+
"cef_version" => "0",
|
304
|
+
"cef_device_vendor" => "Vendor",
|
305
|
+
"cef_device_product" => "Product",
|
306
|
+
"cef_device_version" => "Version",
|
307
|
+
"cef_device_event_class_id" => "ID",
|
308
|
+
"cef_name" => "Name",
|
309
|
+
"cef_severity" => "Severity",
|
310
|
+
"src" => "192.168.1.1",
|
311
|
+
"spt" => "60000",
|
312
|
+
"dst" => "172.16.100.100",
|
313
|
+
"dpt" => "80",
|
314
|
+
"msg" => "\xe3\x2e\x2e\x2e".scrub('?') }]}
|
315
|
+
end
|
286
316
|
end
|
287
317
|
end
|
data/spec/spec_helper.rb
CHANGED
@@ -24,11 +24,9 @@ require 'simplecov'
|
|
24
24
|
require 'coveralls'
|
25
25
|
Coveralls.wear!
|
26
26
|
|
27
|
-
SimpleCov.
|
28
|
-
|
29
|
-
|
30
|
-
]
|
31
|
-
SimpleCov.start
|
27
|
+
SimpleCov.start do
|
28
|
+
add_filter "/spec/"
|
29
|
+
end
|
32
30
|
|
33
31
|
RSpec.configure do |config|
|
34
32
|
# rspec-expectations config goes here. You can use an alternate
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-parser_cef
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tomoyuki Sugimura
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-02-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: fluentd
|
@@ -134,9 +134,9 @@ require_paths:
|
|
134
134
|
- lib
|
135
135
|
required_ruby_version: !ruby/object:Gem::Requirement
|
136
136
|
requirements:
|
137
|
-
- - "
|
137
|
+
- - "~>"
|
138
138
|
- !ruby/object:Gem::Version
|
139
|
-
version: '0'
|
139
|
+
version: '2.0'
|
140
140
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
141
141
|
requirements:
|
142
142
|
- - ">="
|