fluent-plugin-parser_cef 0.3.1 → 1.0.0
- checksums.yaml +4 -4
- data/README.md +14 -1
- data/VERSION +1 -1
- data/fluent-plugin-parser_cef.gemspec +1 -1
- data/lib/fluent/plugin/parser_cef.rb +11 -27
- data/spec/fluent/plugin/parser_cef_spec.rb +95 -35
- metadata +7 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 28b195b49a40cd27dcaf136e342f7a4912901010
|
4
|
+
data.tar.gz: 04b4477f4b315e721ad588d70a4adc330ed8d132
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 182d3610e26d0e4a9fbb1f2424928cc7320f21f019ed3e13ec699ec60de4d7db0f26741794f8d078ede666c277d6223c60c28c1e07a18bde66858e8e65d2db0a
|
7
|
+
data.tar.gz: 10d33b50f2e00d6c19cb853c9e92111b1781097e42b24cbefc1a8b26c18b330a88b39573aa937123418f7516315b6e9b9112a1c590100a8e1667b783006f019a
|
data/README.md
CHANGED
@@ -9,15 +9,28 @@
|
|
9
9
|
|
10
10
|
Fluentd Parser plugin to parse CEF - common event format -
|
11
11
|
|
12
|
+
## Requirements
|
13
|
+
|
14
|
+
| fluent-plugin-parser_cef | fluentd |
|
15
|
+
|---------------------------|---------|
|
16
|
+
| >= 1.0.0 | >= v0.14.0 |
|
17
|
+
| < 1.0.0 | >= v0.12.0 |
|
18
|
+
|
12
19
|
## Installation
|
13
20
|
|
14
21
|
Add this line to your application's Gemfile:
|
15
22
|
|
16
23
|
```bash
|
17
|
-
# for fluentd
|
24
|
+
# for fluentd v0.12
|
25
|
+
gem install fluent-plugin-parser_cef -v "< 1.0.0"
|
26
|
+
|
27
|
+
# for fluentd v0.14 or higher
|
18
28
|
gem install fluent-plugin-parser_cef
|
19
29
|
|
20
30
|
# for td-agent2
|
31
|
+
td-agent-gem install fluent-plugin-parser_cef -v "< 1.0.0"
|
32
|
+
|
33
|
+
# for td-agent3
|
21
34
|
td-agent-gem install fluent-plugin-parser_cef
|
22
35
|
```
|
23
36
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.
|
1
|
+
1.0.0
|
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
|
|
19
19
|
|
20
20
|
spec.required_ruby_version = "~> 2.1"
|
21
21
|
|
22
|
-
spec.add_runtime_dependency "fluentd", ">= 0.
|
22
|
+
spec.add_runtime_dependency "fluentd", ">= 0.14.0", "< 2"
|
23
23
|
|
24
24
|
spec.add_development_dependency "bundler", "~> 1.3"
|
25
25
|
spec.add_development_dependency "rake"
|
@@ -1,14 +1,14 @@
|
|
1
1
|
# -*- coding: utf-8
|
2
2
|
|
3
3
|
require 'fluent/log'
|
4
|
-
require 'fluent/parser'
|
4
|
+
require 'fluent/plugin/parser'
|
5
5
|
require 'time'
|
6
6
|
require 'yaml'
|
7
7
|
|
8
8
|
module Fluent
|
9
|
-
|
9
|
+
module Plugin
|
10
10
|
class CommonEventFormatParser < Parser
|
11
|
-
Plugin.register_parser("cef", self)
|
11
|
+
Fluent::Plugin.register_parser("cef", self)
|
12
12
|
config_param :log_format, :string, :default => "syslog"
|
13
13
|
config_param :log_utc_offset, :string, :default => nil
|
14
14
|
config_param :syslog_timestamp_format, :string, :default => '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
|
@@ -44,24 +44,16 @@ module Fluent
|
|
44
44
|
|
45
45
|
def parse(text)
|
46
46
|
if text.nil? || text.empty?
|
47
|
-
|
48
|
-
|
49
|
-
return
|
50
|
-
else
|
51
|
-
return nil, nil
|
52
|
-
end
|
47
|
+
yield nil, nil
|
48
|
+
return
|
53
49
|
end
|
54
50
|
text.force_encoding("utf-8")
|
55
51
|
replaced_text = text.scrub('?')
|
56
52
|
record = {}
|
57
53
|
record_overview = @valid_format_regexp.match(replaced_text)
|
58
54
|
if record_overview.nil?
|
59
|
-
|
60
|
-
|
61
|
-
return
|
62
|
-
else
|
63
|
-
return Engine.now, { "raw" => replaced_text }
|
64
|
-
end
|
55
|
+
yield Engine.now, { "raw" => replaced_text }
|
56
|
+
return
|
65
57
|
end
|
66
58
|
time = get_unixtime_with_utc_offset(record_overview["syslog_timestamp"], @utc_offset)
|
67
59
|
begin
|
@@ -69,24 +61,16 @@ module Fluent
|
|
69
61
|
text_cef_extension = record_overview["cef_extension"]
|
70
62
|
record.delete("cef_extension")
|
71
63
|
rescue
|
72
|
-
|
73
|
-
|
74
|
-
return
|
75
|
-
else
|
76
|
-
return Engine.now, { "raw" => replaced_text }
|
77
|
-
end
|
64
|
+
yield Engine.now, { "raw" => replaced_text }
|
65
|
+
return
|
78
66
|
end
|
79
67
|
unless text_cef_extension.nil?
|
80
68
|
record_cef_extension = parse_cef_extension(text_cef_extension)
|
81
69
|
record.merge!(record_cef_extension)
|
82
70
|
end
|
83
71
|
record["raw"] = replaced_text if @output_raw_field
|
84
|
-
|
85
|
-
|
86
|
-
return
|
87
|
-
else
|
88
|
-
return time, record
|
89
|
-
end
|
72
|
+
yield time, record
|
73
|
+
return
|
90
74
|
end
|
91
75
|
|
92
76
|
private
|
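Review bot: The rewritten fallback at new lines 63–65 keeps the bare `rescue`, so any StandardError raised while the record is built from the match (the `begin` body at lines 60–61 lies outside this hunk) is silently turned into a `{ "raw" => replaced_text }` event stamped with `Engine.now`, indistinguishable from a genuinely non-CEF line. Since the branch was already touched, capture and surface the failure before degrading, e.g. `rescue => e` followed by a warning through the plugin logger (the parser's `log` if the 0.14 base class exposes it, otherwise `$log` from the already-required `fluent/log`) that includes `e.class` and `e.message`, so a regression in record construction shows up in operations rather than as a quiet flood of raw records. The same applies to the earlier `@@ -44,24 +44,16 @@` hunk, whose non-match path also yields the raw text without any trace. The trailing `return` after `yield time, record` at new line 73 is redundant at the end of the method and can be dropped.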
@@ -2,8 +2,9 @@
|
|
2
2
|
|
3
3
|
require 'fluent/plugin/parser_cef'
|
4
4
|
require 'fluent/test'
|
5
|
+
require 'fluent/test/driver/parser'
|
5
6
|
|
6
|
-
RSpec.describe Fluent::
|
7
|
+
RSpec.describe Fluent::Plugin::CommonEventFormatParser do
|
7
8
|
|
8
9
|
DEFAULT_CONFIGURE = %[
|
9
10
|
log_format syslog
|
@@ -13,8 +14,8 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
13
14
|
cef_keyfilename 'config/cef_version_0_keys.yaml'
|
14
15
|
output_raw_field false
|
15
16
|
]
|
16
|
-
def create_driver(conf=DEFAULT_CONFIGURE
|
17
|
-
Fluent::Test::
|
17
|
+
def create_driver(conf=DEFAULT_CONFIGURE)
|
18
|
+
Fluent::Test::Driver::Parser.new(Fluent::Plugin::CommonEventFormatParser).configure(conf)
|
18
19
|
end
|
19
20
|
|
20
21
|
before :all do
|
@@ -30,47 +31,71 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
30
31
|
context "text == nil" do
|
31
32
|
let (:text) { nil }
|
32
33
|
subject do
|
33
|
-
|
34
|
+
parsed = nil
|
35
|
+
@test_driver.instance.parse(text) do |time, record|
|
36
|
+
parsed = [time, record]
|
37
|
+
end
|
38
|
+
parsed
|
34
39
|
end
|
35
40
|
it { is_expected.to eq [nil, nil] }
|
36
41
|
end
|
37
42
|
context "text is empty string" do
|
38
43
|
let (:text) { "" }
|
39
44
|
subject do
|
40
|
-
|
45
|
+
parsed = nil
|
46
|
+
@test_driver.instance.parse(text) do |time, record|
|
47
|
+
parsed = [time, record]
|
48
|
+
end
|
49
|
+
parsed
|
41
50
|
end
|
42
51
|
it { is_expected.to eq [nil, nil] }
|
43
52
|
end
|
44
53
|
context "text is not syslog format nor CEF" do
|
45
54
|
let (:text) { "December 12 10:00:00 hostname tag message" }
|
46
55
|
subject do
|
47
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
48
|
-
|
56
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
57
|
+
parsed = nil
|
58
|
+
@test_driver.instance.parse(text) do |time, record|
|
59
|
+
parsed = [time, record]
|
60
|
+
end
|
61
|
+
parsed
|
49
62
|
end
|
50
|
-
it { is_expected.to contain_exactly(be_an(
|
63
|
+
it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag message" }) }
|
51
64
|
end
|
52
65
|
context "text is not in syslog format but is CEF" do
|
53
66
|
let (:text) { "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
|
54
67
|
subject do
|
55
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
56
|
-
|
68
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
69
|
+
parsed = nil
|
70
|
+
@test_driver.instance.parse(text) do |time, record|
|
71
|
+
parsed = [time, record]
|
72
|
+
end
|
73
|
+
parsed
|
57
74
|
end
|
58
|
-
it { is_expected.to contain_exactly(be_an(
|
75
|
+
it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }) }
|
59
76
|
end
|
60
77
|
context "text is syslog format but not CEF" do
|
61
78
|
let (:text) { "Dec 12 10:11:12 hostname tag message" }
|
62
79
|
subject do
|
63
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
64
|
-
|
80
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
81
|
+
parsed = nil
|
82
|
+
@test_driver.instance.parse(text) do |time, record|
|
83
|
+
parsed = [time, record]
|
84
|
+
end
|
85
|
+
parsed
|
65
86
|
end
|
66
|
-
it { is_expected.to contain_exactly(be_an(
|
87
|
+
it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "Dec 12 10:11:12 hostname tag message" }) }
|
67
88
|
end
|
68
89
|
context "text is syslog format and CEF (CEF Extension field is empty)" do
|
69
90
|
let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|" }
|
70
91
|
subject do
|
71
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
92
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
72
93
|
@timestamp = Time.parse("Dec 2 03:17:06").to_i
|
73
|
-
|
94
|
+
parsed = nil
|
95
|
+
@test_driver.instance.parse(text) do |time, record|
|
96
|
+
parsed = [time, record]
|
97
|
+
end
|
98
|
+
parsed
|
74
99
|
end
|
75
100
|
it { is_expected.to eq [
|
76
101
|
@timestamp, {
|
@@ -88,9 +113,13 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
88
113
|
context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode on" do
|
89
114
|
let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
|
90
115
|
subject do
|
91
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
116
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
92
117
|
@timestamp = Time.parse("Dec 2 03:17:06").to_i
|
93
|
-
|
118
|
+
parsed = nil
|
119
|
+
@test_driver.instance.parse(text) do |time, record|
|
120
|
+
parsed = [time, record]
|
121
|
+
end
|
122
|
+
parsed
|
94
123
|
end
|
95
124
|
it { is_expected.to eq [
|
96
125
|
@timestamp, {
|
@@ -112,10 +141,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
112
141
|
]}
|
113
142
|
let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
|
114
143
|
subject do
|
115
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
144
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
116
145
|
@timestamp = Time.parse("Dec 2 03:17:06").to_i
|
117
146
|
@test_driver = create_driver(config)
|
118
|
-
|
147
|
+
parsed = nil
|
148
|
+
@test_driver.instance.parse(text) do |time, record|
|
149
|
+
parsed = [time, record]
|
150
|
+
end
|
151
|
+
parsed
|
119
152
|
end
|
120
153
|
it { is_expected.to eq [
|
121
154
|
@timestamp, {
|
@@ -137,10 +170,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
137
170
|
]}
|
138
171
|
let (:text) { "2014-06-07T18:55:09.019283+09:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
|
139
172
|
subject do
|
140
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
173
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
141
174
|
@timestamp = Time.parse("2014-06-07T18:55:09.019283+09:00").to_i
|
142
175
|
@test_driver = create_driver(config)
|
143
|
-
|
176
|
+
parsed = nil
|
177
|
+
@test_driver.instance.parse(text) do |time, record|
|
178
|
+
parsed = [time, record]
|
179
|
+
end
|
180
|
+
parsed
|
144
181
|
end
|
145
182
|
it { is_expected.to eq [
|
146
183
|
@timestamp, {
|
@@ -161,10 +198,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
161
198
|
]}
|
162
199
|
let (:text) { "2014-06-07T18:55:09.019283+03:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
|
163
200
|
subject do
|
164
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
201
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
165
202
|
@timestamp = Time.parse("2014-06-07T18:55:09.019283+03:00").to_i
|
166
203
|
@test_driver = create_driver(config)
|
167
|
-
|
204
|
+
parsed = nil
|
205
|
+
@test_driver.instance.parse(text) do |time, record|
|
206
|
+
parsed = [time, record]
|
207
|
+
end
|
208
|
+
parsed
|
168
209
|
end
|
169
210
|
it { is_expected.to eq [
|
170
211
|
@timestamp, {
|
@@ -185,10 +226,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
185
226
|
]}
|
186
227
|
let (:text) { "2014-06-07T18:55:09.019283Z hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
|
187
228
|
subject do
|
188
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
229
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
189
230
|
@timestamp = Time.parse("2014-06-07T18:55:09.019283Z").to_i
|
190
231
|
@test_driver = create_driver(config)
|
191
|
-
|
232
|
+
parsed = nil
|
233
|
+
@test_driver.instance.parse(text) do |time, record|
|
234
|
+
parsed = [time, record]
|
235
|
+
end
|
236
|
+
parsed
|
192
237
|
end
|
193
238
|
it { is_expected.to eq [
|
194
239
|
@timestamp, {
|
@@ -209,10 +254,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
209
254
|
]}
|
210
255
|
let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
|
211
256
|
subject do
|
212
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
257
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
213
258
|
@timestamp = Time.parse("Dec 2 03:17:06 +04:00").to_i
|
214
259
|
@test_driver = create_driver(config)
|
215
|
-
|
260
|
+
parsed = nil
|
261
|
+
@test_driver.instance.parse(text) do |time, record|
|
262
|
+
parsed = [time, record]
|
263
|
+
end
|
264
|
+
parsed
|
216
265
|
end
|
217
266
|
it { is_expected.to eq [
|
218
267
|
@timestamp, {
|
@@ -235,10 +284,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
235
284
|
]}
|
236
285
|
let (:text) { "2013-07-24T12:34:56.923984+03:30 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
|
237
286
|
subject do
|
238
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
287
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
239
288
|
@timestamp = Time.parse("2013-07-24T12:34:56.923984+03:30").to_i
|
240
289
|
@test_driver = create_driver(config)
|
241
|
-
|
290
|
+
parsed = nil
|
291
|
+
@test_driver.instance.parse(text) do |time, record|
|
292
|
+
parsed = [time, record]
|
293
|
+
end
|
294
|
+
parsed
|
242
295
|
end
|
243
296
|
it { is_expected.to eq [
|
244
297
|
@timestamp, {
|
@@ -260,14 +313,18 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
260
313
|
]}
|
261
314
|
let (:text) { "Dec 2 03:17:06 hostname tag ***CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
|
262
315
|
subject do
|
263
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
316
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
264
317
|
@timestamp = Time.parse("Dec 2 03:17:06 -07:00").to_i
|
265
318
|
@test_driver = create_driver(config)
|
266
319
|
text.setbyte(29, 0xef)
|
267
320
|
text.setbyte(30, 0xbb)
|
268
321
|
text.setbyte(31, 0xbf)
|
269
322
|
text.force_encoding("ascii-8bit")
|
270
|
-
|
323
|
+
parsed = nil
|
324
|
+
@test_driver.instance.parse(text) do |time, record|
|
325
|
+
parsed = [time, record]
|
326
|
+
end
|
327
|
+
parsed
|
271
328
|
end
|
272
329
|
it { is_expected.to eq [
|
273
330
|
@timestamp, {
|
@@ -289,11 +346,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
|
|
289
346
|
]}
|
290
347
|
let (:text) { "Feb 19 00:35:11 hogehuga CEF:0|Vendor|Product|Version|ID|Name|Severity|src=192.168.1.1 spt=60000 dst=172.16.100.100 dpt=80 msg=\xe3\x2e\x2e\x2e" }
|
291
348
|
subject do
|
292
|
-
allow(Fluent::Engine).to receive(:now).and_return(
|
349
|
+
allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
|
293
350
|
@timestamp = Time.parse("Feb 19 00:35:11 +09:00").to_i
|
294
351
|
@test_driver = create_driver(config)
|
295
|
-
|
296
|
-
@test_driver.parse(text)
|
352
|
+
parsed = nil
|
353
|
+
@test_driver.instance.parse(text) do |time, record|
|
354
|
+
parsed = [time, record]
|
355
|
+
end
|
356
|
+
parsed
|
297
357
|
end
|
298
358
|
it { is_expected.to eq [
|
299
359
|
@timestamp, {
|
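Review bot: The five-line `parsed = nil … parsed` capture block is pasted verbatim into every `subject` in this section (new lines 34–38, 45–49, 57–61 and each later context), which is exactly the duplication the driver migration could have folded into one place. Extract a helper next to `create_driver` that runs `driver.instance.parse(text)` with a block that records the yielded pair and returns it, so each `subject` collapses to `parse_with(@test_driver, text)` preceded only by its stubs and `@timestamp` setup. The helper captures the last yielded pair, which matches the current parser contract of yielding exactly once per call; if that ever changes the helper is the single spot to adjust. The enclosing `RSpec.describe` block starts before and ends after the hunks shown.
```ruby
def create_driver(conf=DEFAULT_CONFIGURE)
  Fluent::Test::Driver::Parser.new(Fluent::Plugin::CommonEventFormatParser).configure(conf)
end

# Runs the parser on +text+ and returns the [time, record] pair it yields.
def parse_with(driver, text)
  parsed = nil
  driver.instance.parse(text) { |time, record| parsed = [time, record] }
  parsed
end

# … unchanged: before :all / contexts, each subject now ending in `parse_with(@test_driver, text)` …
```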
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-parser_cef
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tomoyuki Sugimura
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-12-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: fluentd
|
@@ -16,20 +16,20 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - ">="
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version:
|
19
|
+
version: 0.14.0
|
20
20
|
- - "<"
|
21
21
|
- !ruby/object:Gem::Version
|
22
|
-
version: '
|
22
|
+
version: '2'
|
23
23
|
type: :runtime
|
24
24
|
prerelease: false
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
26
26
|
requirements:
|
27
27
|
- - ">="
|
28
28
|
- !ruby/object:Gem::Version
|
29
|
-
version:
|
29
|
+
version: 0.14.0
|
30
30
|
- - "<"
|
31
31
|
- !ruby/object:Gem::Version
|
32
|
-
version: '
|
32
|
+
version: '2'
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
34
|
name: bundler
|
35
35
|
requirement: !ruby/object:Gem::Requirement
|
@@ -144,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
144
144
|
version: '0'
|
145
145
|
requirements: []
|
146
146
|
rubyforge_project:
|
147
|
-
rubygems_version: 2.
|
147
|
+
rubygems_version: 2.6.13
|
148
148
|
signing_key:
|
149
149
|
specification_version: 4
|
150
150
|
summary: common event format(CEF) parser plugin, currently only 'syslog' format is
|