fluent-plugin-parser_cef 0.3.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: dddad6ce52fd31b25fe1f9940abb91a10bd03036
-  data.tar.gz: be435316f91b8de60290ca3cb5427477716d42dc
+  metadata.gz: 28b195b49a40cd27dcaf136e342f7a4912901010
+  data.tar.gz: 04b4477f4b315e721ad588d70a4adc330ed8d132
 SHA512:
-  metadata.gz: 382298a06a59511e42f9230e3523099f37dfd7c3e24e4a8bbe8b3c3e3f7483c39725cb048f005f394478a288445c4a62285b43c34ec1e25a63ac69133796e2aa
-  data.tar.gz: b33a768a61f5c1039eb5e534cf5338fe33883ab3f90d10fd0fb375ea0b0c5788686816f343c16152ce8af532c91c3083737a4484975928423b95359fb5307dfb
+  metadata.gz: 182d3610e26d0e4a9fbb1f2424928cc7320f21f019ed3e13ec699ec60de4d7db0f26741794f8d078ede666c277d6223c60c28c1e07a18bde66858e8e65d2db0a
+  data.tar.gz: 10d33b50f2e00d6c19cb853c9e92111b1781097e42b24cbefc1a8b26c18b330a88b39573aa937123418f7516315b6e9b9112a1c590100a8e1667b783006f019a

data/README.md

@@ -9,15 +9,28 @@
 
 Fluentd Parser plugin to parse CEF - common event format -
 
+## Requirements
+
+| fluent-plugin-parser_cef  | fluentd |
+|---------------------------|---------|
+| >= 1.0.0 | >= v0.14.0 |
+|  < 1.0.0 | >= v0.12.0 |
+
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```bash
-# for fluentd
+# for fluentd v0.12
+gem install fluent-plugin-parser_cef -v "< 1.0.0"
+
+# for fluentd v0.14 or higher
 gem install fluent-plugin-parser_cef
 
 # for td-agent2
+td-agent-gem install fluent-plugin-parser_cef -v "< 1.0.0"
+
+# for td-agent3
 td-agent-gem install fluent-plugin-parser_cef
 ```
 

data/VERSION

@@ -1 +1 @@
-0.3.1
+1.0.0

data/fluent-plugin-parser_cef.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = "~> 2.1"
 
-  spec.add_runtime_dependency "fluentd", ">= 0.12", "< 0.14"
+  spec.add_runtime_dependency "fluentd", ">= 0.14.0", "< 2"
 
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"

data/lib/fluent/plugin/parser_cef.rb

@@ -1,14 +1,14 @@
 # -*- coding: utf-8
 
 require 'fluent/log'
-require 'fluent/parser'
+require 'fluent/plugin/parser'
 require 'time'
 require 'yaml'
 
 module Fluent
-  class TextParser
+  module Plugin
     class CommonEventFormatParser < Parser
-      Plugin.register_parser("cef", self)
+      Fluent::Plugin.register_parser("cef", self)
       config_param :log_format, :string, :default => "syslog"
       config_param :log_utc_offset, :string, :default => nil
       config_param :syslog_timestamp_format, :string, :default => '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
@@ -44,24 +44,16 @@ module Fluent
 
       def parse(text)
         if text.nil? || text.empty?
-          if block_given?
-            yield nil, nil
-            return
-          else
-            return nil, nil
-          end
+          yield nil, nil
+          return
         end
         text.force_encoding("utf-8")
         replaced_text = text.scrub('?')
         record = {}
         record_overview = @valid_format_regexp.match(replaced_text)
         if record_overview.nil?
-          if block_given?
-            yield Engine.now, { "raw" => replaced_text }
-            return
-          else
-            return Engine.now, { "raw" => replaced_text }
-          end
+          yield Engine.now, { "raw" => replaced_text }
+          return
         end
         time = get_unixtime_with_utc_offset(record_overview["syslog_timestamp"], @utc_offset)
         begin
@@ -69,24 +61,16 @@ module Fluent
           text_cef_extension = record_overview["cef_extension"]
           record.delete("cef_extension")
         rescue
-          if block_given?
-            yield Engine.now, { "raw" => replaced_text }
-            return
-          else
-            return Engine.now, { "raw" => replaced_text }
-          end
+          yield Engine.now, { "raw" => replaced_text }
+          return
         end
         unless text_cef_extension.nil?
           record_cef_extension = parse_cef_extension(text_cef_extension)
           record.merge!(record_cef_extension)
         end
         record["raw"] = replaced_text if @output_raw_field
-        if block_given?
-          yield time, record
-          return
-        else
-          return time, record
-        end
+        yield time, record
+        return
       end
 
       private

data/spec/fluent/plugin/parser_cef_spec.rb

@@ -2,8 +2,9 @@
 
 require 'fluent/plugin/parser_cef'
 require 'fluent/test'
+require 'fluent/test/driver/parser'
 
-RSpec.describe Fluent::TextParser::CommonEventFormatParser do
+RSpec.describe Fluent::Plugin::CommonEventFormatParser do
 
   DEFAULT_CONFIGURE = %[
     log_format  syslog
@@ -13,8 +14,8 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
     cef_keyfilename  'config/cef_version_0_keys.yaml'
     output_raw_field  false
   ]
-  def create_driver(conf=DEFAULT_CONFIGURE, tag='test')
-    Fluent::Test::ParserTestDriver.new(Fluent::TextParser::CommonEventFormatParser, tag).configure(conf)
+  def create_driver(conf=DEFAULT_CONFIGURE)
+    Fluent::Test::Driver::Parser.new(Fluent::Plugin::CommonEventFormatParser).configure(conf)
   end
 
   before :all do
@@ -30,47 +31,71 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
     context "text == nil" do
       let (:text) { nil }
       subject do
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [nil, nil] }
     end
     context "text is empty string" do
       let (:text) { "" }
       subject do
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [nil, nil] }
     end
     context "text is not syslog format nor CEF" do
       let (:text) { "December 12 10:00:00 hostname tag message" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
-        @test_driver.parse(text)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
-      it { is_expected.to contain_exactly(be_an(Integer), { "raw" => "December 12 10:00:00 hostname tag message" }) }
+      it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag message" }) }
     end
     context "text is not in syslog format but is CEF" do
       let (:text) { "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
-        @test_driver.parse(text)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
-      it { is_expected.to contain_exactly(be_an(Integer), { "raw" => "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }) }
+      it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }) }
     end
     context "text is syslog format but not CEF" do
       let (:text) { "Dec 12 10:11:12 hostname tag message" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
-        @test_driver.parse(text)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
-      it { is_expected.to contain_exactly(be_an(Integer), { "raw" => "Dec 12 10:11:12 hostname tag message" }) }
+      it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "Dec 12 10:11:12 hostname tag message" }) }
     end
     context "text is syslog format and CEF (CEF Extension field is empty)" do
       let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("Dec  2 03:17:06").to_i
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -88,9 +113,13 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
     context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode on" do
       let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("Dec  2 03:17:06").to_i
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -112,10 +141,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("Dec  2 03:17:06").to_i
         @test_driver = create_driver(config)
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -137,10 +170,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "2014-06-07T18:55:09.019283+09:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("2014-06-07T18:55:09.019283+09:00").to_i
         @test_driver = create_driver(config)
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -161,10 +198,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "2014-06-07T18:55:09.019283+03:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("2014-06-07T18:55:09.019283+03:00").to_i
         @test_driver = create_driver(config)
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -185,10 +226,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "2014-06-07T18:55:09.019283Z hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("2014-06-07T18:55:09.019283Z").to_i
         @test_driver = create_driver(config)
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -209,10 +254,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("Dec  2 03:17:06 +04:00").to_i
         @test_driver = create_driver(config)
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -235,10 +284,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "2013-07-24T12:34:56.923984+03:30 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("2013-07-24T12:34:56.923984+03:30").to_i
         @test_driver = create_driver(config)
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -260,14 +313,18 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "Dec  2 03:17:06 hostname tag ***CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("Dec  2 03:17:06 -07:00").to_i
         @test_driver = create_driver(config)
         text.setbyte(29, 0xef)
         text.setbyte(30, 0xbb)
         text.setbyte(31, 0xbf)
         text.force_encoding("ascii-8bit")
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {
@@ -289,11 +346,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
       ]}
       let (:text) { "Feb 19 00:35:11 hogehuga CEF:0|Vendor|Product|Version|ID|Name|Severity|src=192.168.1.1 spt=60000 dst=172.16.100.100 dpt=80 msg=\xe3\x2e\x2e\x2e" }
       subject do
-        allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
         @timestamp = Time.parse("Feb 19 00:35:11 +09:00").to_i
         @test_driver = create_driver(config)
-        text.force_encoding("ascii-8bit")
-        @test_driver.parse(text)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
       end
       it { is_expected.to eq [
         @timestamp, {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-parser_cef
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Tomoyuki Sugimura
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-23 00:00:00.000000000 Z
+date: 2017-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -16,20 +16,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: 0.14.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.14'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: 0.14.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.14'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -144,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.13
 signing_key: 
 specification_version: 4
 summary: common event format(CEF) parser plugin, currently only 'syslog' format is