fluent-plugin-parser_cef 0.3.1 → 1.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: dddad6ce52fd31b25fe1f9940abb91a10bd03036
4
- data.tar.gz: be435316f91b8de60290ca3cb5427477716d42dc
3
+ metadata.gz: 28b195b49a40cd27dcaf136e342f7a4912901010
4
+ data.tar.gz: 04b4477f4b315e721ad588d70a4adc330ed8d132
5
5
  SHA512:
6
- metadata.gz: 382298a06a59511e42f9230e3523099f37dfd7c3e24e4a8bbe8b3c3e3f7483c39725cb048f005f394478a288445c4a62285b43c34ec1e25a63ac69133796e2aa
7
- data.tar.gz: b33a768a61f5c1039eb5e534cf5338fe33883ab3f90d10fd0fb375ea0b0c5788686816f343c16152ce8af532c91c3083737a4484975928423b95359fb5307dfb
6
+ metadata.gz: 182d3610e26d0e4a9fbb1f2424928cc7320f21f019ed3e13ec699ec60de4d7db0f26741794f8d078ede666c277d6223c60c28c1e07a18bde66858e8e65d2db0a
7
+ data.tar.gz: 10d33b50f2e00d6c19cb853c9e92111b1781097e42b24cbefc1a8b26c18b330a88b39573aa937123418f7516315b6e9b9112a1c590100a8e1667b783006f019a
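--- a/data/README.md
+++ b/data/README.md
@@ -9,15 +9,28 @@
 
 Fluentd Parser plugin to parse CEF - common event format -
 
+## Requirements
+
+| fluent-plugin-parser_cef | fluentd |
+|---------------------------|---------|
+| >= 1.0.0 | >= v0.14.0 |
+| < 1.0.0 | >= v0.12.0 |
+
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```bash
-# for fluentd
+# for fluentd v0.12
+gem install fluent-plugin-parser_cef -v "< 1.0.0"
+
+# for fluentd v0.14 or higher
 gem install fluent-plugin-parser_cef
 
 # for td-agent2
+td-agent-gem install fluent-plugin-parser_cef -v "< 1.0.0"
+
+# for td-agent3
 td-agent-gem install fluent-plugin-parser_cef
 ```
 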
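--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.3.1
+1.0.0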
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
19
19
 
20
20
  spec.required_ruby_version = "~> 2.1"
21
21
 
22
- spec.add_runtime_dependency "fluentd", ">= 0.12", "< 0.14"
22
+ spec.add_runtime_dependency "fluentd", ">= 0.14.0", "< 2"
23
23
 
24
24
  spec.add_development_dependency "bundler", "~> 1.3"
25
25
  spec.add_development_dependency "rake"
@@ -1,14 +1,14 @@
1
1
  # -*- coding: utf-8
2
2
 
3
3
  require 'fluent/log'
4
- require 'fluent/parser'
4
+ require 'fluent/plugin/parser'
5
5
  require 'time'
6
6
  require 'yaml'
7
7
 
8
8
  module Fluent
9
- class TextParser
9
+ module Plugin
10
10
  class CommonEventFormatParser < Parser
11
- Plugin.register_parser("cef", self)
11
+ Fluent::Plugin.register_parser("cef", self)
12
12
  config_param :log_format, :string, :default => "syslog"
13
13
  config_param :log_utc_offset, :string, :default => nil
14
14
  config_param :syslog_timestamp_format, :string, :default => '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
@@ -44,24 +44,16 @@ module Fluent
44
44
 
45
45
  def parse(text)
46
46
  if text.nil? || text.empty?
47
- if block_given?
48
- yield nil, nil
49
- return
50
- else
51
- return nil, nil
52
- end
47
+ yield nil, nil
48
+ return
53
49
  end
54
50
  text.force_encoding("utf-8")
55
51
  replaced_text = text.scrub('?')
56
52
  record = {}
57
53
  record_overview = @valid_format_regexp.match(replaced_text)
58
54
  if record_overview.nil?
59
- if block_given?
60
- yield Engine.now, { "raw" => replaced_text }
61
- return
62
- else
63
- return Engine.now, { "raw" => replaced_text }
64
- end
55
+ yield Engine.now, { "raw" => replaced_text }
56
+ return
65
57
  end
66
58
  time = get_unixtime_with_utc_offset(record_overview["syslog_timestamp"], @utc_offset)
67
59
  begin
@@ -69,24 +61,16 @@ module Fluent
69
61
  text_cef_extension = record_overview["cef_extension"]
70
62
  record.delete("cef_extension")
71
63
  rescue
72
- if block_given?
73
- yield Engine.now, { "raw" => replaced_text }
74
- return
75
- else
76
- return Engine.now, { "raw" => replaced_text }
77
- end
64
+ yield Engine.now, { "raw" => replaced_text }
65
+ return
78
66
  end
79
67
  unless text_cef_extension.nil?
80
68
  record_cef_extension = parse_cef_extension(text_cef_extension)
81
69
  record.merge!(record_cef_extension)
82
70
  end
83
71
  record["raw"] = replaced_text if @output_raw_field
84
- if block_given?
85
- yield time, record
86
- return
87
- else
88
- return time, record
89
- end
72
+ yield time, record
73
+ return
90
74
  end
91
75
 
92
76
  private
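Review bot: The bare `rescue` at the top of the third hunk still swallows every StandardError raised while extracting the CEF header, and the new body just yields the raw text under `Engine.now` and returns, so a bug in the header handling is indistinguishable from a malformed event and nothing is recorded about what failed. Suggest narrowing and logging it before the existing yield: `rescue StandardError => e` followed by `log.warn "failed to parse CEF header, emitting raw record", error: e` — `log` should be available on a `Fluent::Plugin::Parser` once an input plugin owns it, but confirm that holds under the test driver. With the `block_given?` fallbacks removed in the earlier hunks, `parse` now unconditionally yields and a call without a block raises `LocalJumpError`, which deserves a one-line comment on `def parse(text)` such as `# v0.14+ Parser API: results are yielded, never returned; callers must pass a block`. The `parse` method begins in the previous hunk and the `begin` block this `rescue` belongs to starts outside this hunk.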
@@ -2,8 +2,9 @@
2
2
 
3
3
  require 'fluent/plugin/parser_cef'
4
4
  require 'fluent/test'
5
+ require 'fluent/test/driver/parser'
5
6
 
6
- RSpec.describe Fluent::TextParser::CommonEventFormatParser do
7
+ RSpec.describe Fluent::Plugin::CommonEventFormatParser do
7
8
 
8
9
  DEFAULT_CONFIGURE = %[
9
10
  log_format syslog
@@ -13,8 +14,8 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
13
14
  cef_keyfilename 'config/cef_version_0_keys.yaml'
14
15
  output_raw_field false
15
16
  ]
16
- def create_driver(conf=DEFAULT_CONFIGURE, tag='test')
17
- Fluent::Test::ParserTestDriver.new(Fluent::TextParser::CommonEventFormatParser, tag).configure(conf)
17
+ def create_driver(conf=DEFAULT_CONFIGURE)
18
+ Fluent::Test::Driver::Parser.new(Fluent::Plugin::CommonEventFormatParser).configure(conf)
18
19
  end
19
20
 
20
21
  before :all do
@@ -30,47 +31,71 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
30
31
  context "text == nil" do
31
32
  let (:text) { nil }
32
33
  subject do
33
- @test_driver.parse(text)
34
+ parsed = nil
35
+ @test_driver.instance.parse(text) do |time, record|
36
+ parsed = [time, record]
37
+ end
38
+ parsed
34
39
  end
35
40
  it { is_expected.to eq [nil, nil] }
36
41
  end
37
42
  context "text is empty string" do
38
43
  let (:text) { "" }
39
44
  subject do
40
- @test_driver.parse(text)
45
+ parsed = nil
46
+ @test_driver.instance.parse(text) do |time, record|
47
+ parsed = [time, record]
48
+ end
49
+ parsed
41
50
  end
42
51
  it { is_expected.to eq [nil, nil] }
43
52
  end
44
53
  context "text is not syslog format nor CEF" do
45
54
  let (:text) { "December 12 10:00:00 hostname tag message" }
46
55
  subject do
47
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
48
- @test_driver.parse(text)
56
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
57
+ parsed = nil
58
+ @test_driver.instance.parse(text) do |time, record|
59
+ parsed = [time, record]
60
+ end
61
+ parsed
49
62
  end
50
- it { is_expected.to contain_exactly(be_an(Integer), { "raw" => "December 12 10:00:00 hostname tag message" }) }
63
+ it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag message" }) }
51
64
  end
52
65
  context "text is not in syslog format but is CEF" do
53
66
  let (:text) { "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
54
67
  subject do
55
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
56
- @test_driver.parse(text)
68
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
69
+ parsed = nil
70
+ @test_driver.instance.parse(text) do |time, record|
71
+ parsed = [time, record]
72
+ end
73
+ parsed
57
74
  end
58
- it { is_expected.to contain_exactly(be_an(Integer), { "raw" => "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }) }
75
+ it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }) }
59
76
  end
60
77
  context "text is syslog format but not CEF" do
61
78
  let (:text) { "Dec 12 10:11:12 hostname tag message" }
62
79
  subject do
63
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
64
- @test_driver.parse(text)
80
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
81
+ parsed = nil
82
+ @test_driver.instance.parse(text) do |time, record|
83
+ parsed = [time, record]
84
+ end
85
+ parsed
65
86
  end
66
- it { is_expected.to contain_exactly(be_an(Integer), { "raw" => "Dec 12 10:11:12 hostname tag message" }) }
87
+ it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "Dec 12 10:11:12 hostname tag message" }) }
67
88
  end
68
89
  context "text is syslog format and CEF (CEF Extension field is empty)" do
69
90
  let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|" }
70
91
  subject do
71
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
92
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
72
93
  @timestamp = Time.parse("Dec 2 03:17:06").to_i
73
- @test_driver.parse(text)
94
+ parsed = nil
95
+ @test_driver.instance.parse(text) do |time, record|
96
+ parsed = [time, record]
97
+ end
98
+ parsed
74
99
  end
75
100
  it { is_expected.to eq [
76
101
  @timestamp, {
@@ -88,9 +113,13 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
88
113
  context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode on" do
89
114
  let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
90
115
  subject do
91
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
116
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
92
117
  @timestamp = Time.parse("Dec 2 03:17:06").to_i
93
- @test_driver.parse(text)
118
+ parsed = nil
119
+ @test_driver.instance.parse(text) do |time, record|
120
+ parsed = [time, record]
121
+ end
122
+ parsed
94
123
  end
95
124
  it { is_expected.to eq [
96
125
  @timestamp, {
@@ -112,10 +141,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
112
141
  ]}
113
142
  let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
114
143
  subject do
115
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
144
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
116
145
  @timestamp = Time.parse("Dec 2 03:17:06").to_i
117
146
  @test_driver = create_driver(config)
118
- @test_driver.parse(text)
147
+ parsed = nil
148
+ @test_driver.instance.parse(text) do |time, record|
149
+ parsed = [time, record]
150
+ end
151
+ parsed
119
152
  end
120
153
  it { is_expected.to eq [
121
154
  @timestamp, {
@@ -137,10 +170,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
137
170
  ]}
138
171
  let (:text) { "2014-06-07T18:55:09.019283+09:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
139
172
  subject do
140
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
173
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
141
174
  @timestamp = Time.parse("2014-06-07T18:55:09.019283+09:00").to_i
142
175
  @test_driver = create_driver(config)
143
- @test_driver.parse(text)
176
+ parsed = nil
177
+ @test_driver.instance.parse(text) do |time, record|
178
+ parsed = [time, record]
179
+ end
180
+ parsed
144
181
  end
145
182
  it { is_expected.to eq [
146
183
  @timestamp, {
@@ -161,10 +198,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
161
198
  ]}
162
199
  let (:text) { "2014-06-07T18:55:09.019283+03:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
163
200
  subject do
164
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
201
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
165
202
  @timestamp = Time.parse("2014-06-07T18:55:09.019283+03:00").to_i
166
203
  @test_driver = create_driver(config)
167
- @test_driver.parse(text)
204
+ parsed = nil
205
+ @test_driver.instance.parse(text) do |time, record|
206
+ parsed = [time, record]
207
+ end
208
+ parsed
168
209
  end
169
210
  it { is_expected.to eq [
170
211
  @timestamp, {
@@ -185,10 +226,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
185
226
  ]}
186
227
  let (:text) { "2014-06-07T18:55:09.019283Z hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
187
228
  subject do
188
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
229
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
189
230
  @timestamp = Time.parse("2014-06-07T18:55:09.019283Z").to_i
190
231
  @test_driver = create_driver(config)
191
- @test_driver.parse(text)
232
+ parsed = nil
233
+ @test_driver.instance.parse(text) do |time, record|
234
+ parsed = [time, record]
235
+ end
236
+ parsed
192
237
  end
193
238
  it { is_expected.to eq [
194
239
  @timestamp, {
@@ -209,10 +254,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
209
254
  ]}
210
255
  let (:text) { "Dec 2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
211
256
  subject do
212
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
257
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
213
258
  @timestamp = Time.parse("Dec 2 03:17:06 +04:00").to_i
214
259
  @test_driver = create_driver(config)
215
- @test_driver.parse(text)
260
+ parsed = nil
261
+ @test_driver.instance.parse(text) do |time, record|
262
+ parsed = [time, record]
263
+ end
264
+ parsed
216
265
  end
217
266
  it { is_expected.to eq [
218
267
  @timestamp, {
@@ -235,10 +284,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
235
284
  ]}
236
285
  let (:text) { "2013-07-24T12:34:56.923984+03:30 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
237
286
  subject do
238
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
287
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
239
288
  @timestamp = Time.parse("2013-07-24T12:34:56.923984+03:30").to_i
240
289
  @test_driver = create_driver(config)
241
- @test_driver.parse(text)
290
+ parsed = nil
291
+ @test_driver.instance.parse(text) do |time, record|
292
+ parsed = [time, record]
293
+ end
294
+ parsed
242
295
  end
243
296
  it { is_expected.to eq [
244
297
  @timestamp, {
@@ -260,14 +313,18 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
260
313
  ]}
261
314
  let (:text) { "Dec 2 03:17:06 hostname tag ***CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
262
315
  subject do
263
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
316
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
264
317
  @timestamp = Time.parse("Dec 2 03:17:06 -07:00").to_i
265
318
  @test_driver = create_driver(config)
266
319
  text.setbyte(29, 0xef)
267
320
  text.setbyte(30, 0xbb)
268
321
  text.setbyte(31, 0xbf)
269
322
  text.force_encoding("ascii-8bit")
270
- @test_driver.parse(text)
323
+ parsed = nil
324
+ @test_driver.instance.parse(text) do |time, record|
325
+ parsed = [time, record]
326
+ end
327
+ parsed
271
328
  end
272
329
  it { is_expected.to eq [
273
330
  @timestamp, {
@@ -289,11 +346,14 @@ RSpec.describe Fluent::TextParser::CommonEventFormatParser do
289
346
  ]}
290
347
  let (:text) { "Feb 19 00:35:11 hogehuga CEF:0|Vendor|Product|Version|ID|Name|Severity|src=192.168.1.1 spt=60000 dst=172.16.100.100 dpt=80 msg=\xe3\x2e\x2e\x2e" }
291
348
  subject do
292
- allow(Fluent::Engine).to receive(:now).and_return(Time.now.to_i)
349
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
293
350
  @timestamp = Time.parse("Feb 19 00:35:11 +09:00").to_i
294
351
  @test_driver = create_driver(config)
295
- text.force_encoding("ascii-8bit")
296
- @test_driver.parse(text)
352
+ parsed = nil
353
+ @test_driver.instance.parse(text) do |time, record|
354
+ parsed = [time, record]
355
+ end
356
+ parsed
297
357
  end
298
358
  it { is_expected.to eq [
299
359
  @timestamp, {
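Review bot: The same `parsed = nil … parse(text) do |time, record| … end; parsed` driver is pasted verbatim into fifteen `subject` blocks across these hunks, so any future change to the parse contract becomes a fifteen-place edit; a small helper next to `create_driver` would collapse each subject to one call. The helper keeps only the last yielded pair, exactly like the inlined copies, so `eq [nil, nil]` still distinguishes "yielded nil, nil" from "never yielded" (which leaves `nil`). Every `it { is_expected.to eq [ … ] }` in this section runs past its hunk boundary, so the expectations themselves could not be reviewed here.
```ruby
def create_driver(conf=DEFAULT_CONFIGURE)
  Fluent::Test::Driver::Parser.new(Fluent::Plugin::CommonEventFormatParser).configure(conf)
end

# Runs the parser once and returns the last [time, record] pair it yielded,
# or nil when it never yielded; mirrors the inline subject blocks exactly.
def parse_with(driver, text)
  parsed = nil
  driver.instance.parse(text) { |time, record| parsed = [time, record] }
  parsed
end

# … unchanged: before :all and the context/let declarations …

subject { parse_with(@test_driver, text) }
```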
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-parser_cef
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.1
4
+ version: 1.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tomoyuki Sugimura
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-02-23 00:00:00.000000000 Z
11
+ date: 2017-12-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: fluentd
@@ -16,20 +16,20 @@ dependencies:
16
16
  requirements:
17
17
  - - ">="
18
18
  - !ruby/object:Gem::Version
19
- version: '0.12'
19
+ version: 0.14.0
20
20
  - - "<"
21
21
  - !ruby/object:Gem::Version
22
- version: '0.14'
22
+ version: '2'
23
23
  type: :runtime
24
24
  prerelease: false
25
25
  version_requirements: !ruby/object:Gem::Requirement
26
26
  requirements:
27
27
  - - ">="
28
28
  - !ruby/object:Gem::Version
29
- version: '0.12'
29
+ version: 0.14.0
30
30
  - - "<"
31
31
  - !ruby/object:Gem::Version
32
- version: '0.14'
32
+ version: '2'
33
33
  - !ruby/object:Gem::Dependency
34
34
  name: bundler
35
35
  requirement: !ruby/object:Gem::Requirement
@@ -144,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
144
144
  version: '0'
145
145
  requirements: []
146
146
  rubyforge_project:
147
- rubygems_version: 2.5.2
147
+ rubygems_version: 2.6.13
148
148
  signing_key:
149
149
  specification_version: 4
150
150
  summary: common event format(CEF) parser plugin, currently only 'syslog' format is