fluent-plugin-parser_cefalt 1.0.6

data/spec/fluent/plugin/parser_cefalt_spec.rb

@@ -0,0 +1,377 @@
+#-*- coding: utf-8 -*-
+
+require 'fluent/plugin/parser_cef'
+require 'fluent/test'
+require 'fluent/test/driver/parser'
+
+RSpec.describe Fluent::Plugin::CommonEventFormatParser do
+
+  DEFAULT_CONFIGURE = %[
+    log_format  syslog
+    syslog_timestamp_format  \\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2}
+    cef_version  0
+    parse_strict_mode  true
+    cef_keyfilename  'config/cef_version_0_keys.yaml'
+    output_raw_field  false
+  ]
+  def create_driver(conf=DEFAULT_CONFIGURE)
+    Fluent::Test::Driver::Parser.new(Fluent::Plugin::CommonEventFormatParser).configure(conf)
+  end
+
+  before :all do
+    Fluent::Test.setup
+  end
+
+  before :each do
+    @test_driver = create_driver
+  end
+
+  describe "#parse(text)" do
+
+    context "text == nil" do
+      let (:text) { nil }
+      subject do
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [nil, nil] }
+    end
+    context "text is empty string" do
+      let (:text) { "" }
+      subject do
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [nil, nil] }
+    end
+    context "text is not syslog format nor CEF" do
+      let (:text) { "December 12 10:00:00 hostname tag message" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag message" }) }
+    end
+    context "text is not in syslog format but is CEF" do
+      let (:text) { "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "December 12 10:00:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }) }
+    end
+    context "text is syslog format but not CEF" do
+      let (:text) { "Dec 12 10:11:12 hostname tag message" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to contain_exactly(be_an(Fluent::EventTime), { "raw" => "Dec 12 10:11:12 hostname tag message" }) }
+    end
+    context "text is syslog format and CEF (CEF Extension field is empty)" do
+      let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("Dec  2 03:17:06").to_i
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "Dec  2 03:17:06",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity" }]}
+    end
+    context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode on" do
+      let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("Dec  2 03:17:06").to_i
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "Dec  2 03:17:06",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity",
+          "cs1" => "test" }]}
+    end
+    context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode off" do
+      let (:config) {%[
+        parse_strict_mode  false
+      ]}
+      let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("Dec  2 03:17:06").to_i
+        @test_driver = create_driver(config)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "Dec  2 03:17:06",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity",
+          "foo" => "bar" }]}
+    end
+    context "text is syslog format and CEF (there is only one valid key in the CEF Extension field), Strict mode on, timestamp is rfc3339" do
+      let (:config) {%[
+        syslog_timestamp_format  \\d{4}-{,1}\\d{2}-{,1}\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+){,1}(?:\\Z|\\+\\d{2}:\\d{2})
+      ]}
+      let (:text) { "2014-06-07T18:55:09.019283+09:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("2014-06-07T18:55:09.019283+09:00").to_i
+        @test_driver = create_driver(config)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "2014-06-07T18:55:09.019283+09:00",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity" }]}
+    end
+    context "timestamp is rfc3339, UTC+3" do
+      let (:config) {%[
+        syslog_timestamp_format  \\d{4}-{,1}\\d{2}-{,1}\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+){,1}(?:\\Z|\\+\\d{2}:\\d{2})
+      ]}
+      let (:text) { "2014-06-07T18:55:09.019283+03:00 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("2014-06-07T18:55:09.019283+03:00").to_i
+        @test_driver = create_driver(config)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "2014-06-07T18:55:09.019283+03:00",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity" }]}
+    end
+    context "timestamp is rfc3339, UTC+0" do
+      let (:config) {%[
+        syslog_timestamp_format  \\d{4}-{,1}\\d{2}-{,1}\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+){,1}(?:Z|\\+\\d{2}:\\d{2})
+      ]}
+      let (:text) { "2014-06-07T18:55:09.019283Z hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|foo=bar" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("2014-06-07T18:55:09.019283Z").to_i
+        @test_driver = create_driver(config)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "2014-06-07T18:55:09.019283Z",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity" }]}
+    end
+    context "utc offset set to +04:00" do
+      let (:config) {%[
+        log_utc_offset  +04:00
+      ]}
+      let (:text) { "Dec  2 03:17:06 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("Dec  2 03:17:06 +04:00").to_i
+        @test_driver = create_driver(config)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "Dec  2 03:17:06",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity",
+          "cs1" => "test" }]}
+    end
+    context "utc offset set to -11:00, but log timestamp has timezone information, so utc offset is ignored" do
+      let (:config) {%[
+        syslog_timestamp_format  \\d{4}-{,1}\\d{2}-{,1}\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+){,1}(?:\\Z|\\+\\d{2}:\\d{2})
+        log_utc_offset  -11:00
+      ]}
+      let (:text) { "2013-07-24T12:34:56.923984+03:30 hostname tag CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("2013-07-24T12:34:56.923984+03:30").to_i
+        @test_driver = create_driver(config)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "2013-07-24T12:34:56.923984+03:30",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity",
+          "cs1" => "test" }]}
+    end
+    context "syslog message is UTF-8, with BOM" do
+      let (:config) {%[
+        log_utc_offset  -07:00
+      ]}
+      let (:text) { "Dec  2 03:17:06 hostname tag ***CEF:0|Vendor|Product|Version|ID|Name|Severity|cs1=test" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("Dec  2 03:17:06 -07:00").to_i
+        @test_driver = create_driver(config)
+        text.setbyte(29, 0xef)
+        text.setbyte(30, 0xbb)
+        text.setbyte(31, 0xbf)
+        text.force_encoding("ascii-8bit")
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "Dec  2 03:17:06",
+          "syslog_hostname" => "hostname",
+          "syslog_tag" => "tag",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity",
+          "cs1" => "test" }]}
+    end
+    context "syslog message is UTF-8, but including invalid UTF-8 string" do
+      let (:config) {%[
+        log_utc_offset  +09:00
+      ]}
+      let (:text) { "Feb 19 00:35:11 hogehuga CEF:0|Vendor|Product|Version|ID|Name|Severity|src=192.168.1.1 spt=60000 dst=172.16.100.100 dpt=80 msg=\xe3\x2e\x2e\x2e" }
+      subject do
+        allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+        @timestamp = Time.parse("Feb 19 00:35:11 +09:00").to_i
+        @test_driver = create_driver(config)
+        parsed = nil
+        @test_driver.instance.parse(text) do |time, record|
+          parsed = [time, record]
+        end
+        parsed
+      end
+      it { is_expected.to eq [
+        @timestamp, {
+          "syslog_timestamp" => "Feb 19 00:35:11",
+          "syslog_hostname" => "hogehuga",
+          "syslog_tag" => "",
+          "cef_version" => "0",
+          "cef_device_vendor" => "Vendor",
+          "cef_device_product" => "Product",
+          "cef_device_version" => "Version",
+          "cef_device_event_class_id" => "ID",
+          "cef_name" => "Name",
+          "cef_severity" => "Severity",
+          "src" => "192.168.1.1",
+          "spt" => "60000",
+          "dst" => "172.16.100.100",
+          "dpt" => "80",
+          "msg" => "\xe3\x2e\x2e\x2e".scrub('?') }]}
+    end
+  end
+end

data/spec/sample/fluentd.conf

@@ -0,0 +1,31 @@
+<source>
+  @type   tail
+  tag     develop.cef
+  path      /tmp/fluentd/test.log
+  pos_file  /tmp/fluentd/test.pos
+
+  format  cef
+  #log_format  syslog
+  #syslog_timestamp_format  '\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
+  #cef_version  0
+  #parse_strict_mode  true
+  #cef_keyfilename  'config/cef_version_0_keys.yaml'
+  #output_raw_field  false
+</source>
+
+<match **>
+  @type  stdout
+</match>
+
+#<match cevelop.cef>
+#  @type  elasticsearch
+#  host   elasticsearch
+#  port   9200
+#  logstash_format  true
+#  logstash_dateformat  %Y.%m.%d
+#  utc_index  true
+#  include_tag_key  false
+#  logstash_prefix  develop
+#  type_name  develop
+#  flush_interval 1s
+#</match>

data/spec/spec_helper.rb

@@ -0,0 +1,116 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+$LOAD_PATH.unshift(File.expand_path('../lib', __FILE__))
+$LOAD_PATH.unshift(File.expand_path('../spec', __FILE__))
+
+require 'simplecov'
+require 'coveralls'
+Coveralls.wear!
+
+SimpleCov.start do
+  add_filter "/spec/"
+end
+
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # This option will default to `:apply_to_host_groups` in RSpec 4 (and will
+  # have no way to turn it off -- the option exists only for backwards
+  # compatibility in RSpec 3). It causes shared context metadata to be
+  # inherited by the metadata hash of host groups and examples, rather than
+  # triggering implicit auto-inclusion in groups with matching metadata.
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # This allows you to limit a spec run to individual examples or groups
+  # you care about by tagging them with `:focus` metadata. When nothing
+  # is tagged with `:focus`, all examples get run. RSpec also provides
+  # aliases for `it`, `describe`, and `context` that include `:focus`
+  # metadata: `fit`, `fdescribe` and `fcontext`, respectively.
+  config.filter_run_when_matching :focus
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  #config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end
+

metadata

@@ -0,0 +1,154 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-parser_cefalt
+version: !ruby/object:Gem::Version
+  version: 1.0.6
+platform: ruby
+authors:
+- Tomoyuki Sugimura
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2025-04-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.14.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.14.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: common event format(CEF) parser plugin for fluentd
+email:
+- tomoyuki.sugimura@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".codeclimate.yml"
+- ".coveralls.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- VERSION
+- fluent-plugin-parser_cefalt.gemspec
+- lib/fluent/plugin/config/cef_version_0_keys.yaml
+- lib/fluent/plugin/parser_cefalt.rb
+- spec/fluent/plugin/parser_cefalt_spec.rb
+- spec/sample/fluentd.conf
+- spec/spec_helper.rb
+homepage: https://github.com/lunardial/fluent-plugin-parser_cef
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3.1
+signing_key: 
+specification_version: 4
+summary: common event format(CEF) parser plugin, currently only 'syslog' format is
+  permitted
+test_files:
+- spec/fluent/plugin/parser_cefalt_spec.rb
+- spec/sample/fluentd.conf
+- spec/spec_helper.rb