fluent-plugin-sekoia-io 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1e2dfb7c081bd780c5d7d44a7be676d44d7038509682c885293c538aa7ca72af
+  data.tar.gz: 45f03e81f8cec162944d13c6e41147f51bb7c52e2e719fba3d09e52f2b5af3f1
+SHA512:
+  metadata.gz: 066f14bc603db32514dca4884d97eb1373f8bbe3cd915413683233f7b1a6798b38dc6a6d59b09b181255bbb744948d1839f0d74fb6e4fe270870fb0e138c8acc
+  data.tar.gz: dfdf89a0fb3e1999764aeb9f349fee3deed245f851ed538e48537cc1f068b287d3c90da7b6298d6aec8a73631c1207943e834c243c672ae8a3c83b685e8eb680

data/.gitignore

@@ -0,0 +1,17 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.idea
+
+# rspec failure tracking
+.rspec_status
+
+#binary
+fluent-plugin-syslog_rfc5424-*.gem
+
+Gemfile.lock

data/.ruby-version

@@ -0,0 +1 @@
+2.4.2

data/.travis.yml

@@ -0,0 +1,5 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+before_install: gem install bundler -v 2.0.2

data/Dockerfile

@@ -0,0 +1,7 @@
+FROM ruby:2.7-slim-buster
+
+RUN apt update -y && \
+    apt install -y entr git gcc make
+
+VOLUME /app
+WORKDIR /app

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in the gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,9 @@
+Copyright 2019 Cloud Foundry
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+

data/Makefile

@@ -0,0 +1,6 @@
+dev:
+	docker build -t ruby-dev .
+	docker run --rm -it -v ${PWD}:/app --entrypoint bash ruby-dev
+
+download:
+	curl https://app.sekoia.io/assets/files/SEKOIA-IO-intake.pem > resources/SEKOIA-IO-intake.pem

data/README.md

@@ -0,0 +1,103 @@
+# FluentD Output & Formatter Plugins: SyslogSEKOIA
+
+This plugin is HEAVILY based on the work done on https://github.com/cloudfoundry/fluent-plugin-syslog_rfc5424
+
+Formatter plugin adheres to [RFC5424](https://tools.ietf.org/html/rfc5424).
+
+Output plugin adheres to [RFC6587](https://tools.ietf.org/html/rfc6587) and [RFC5424](https://tools.ietf.org/html/rfc5424).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'fluent-plugin-sekoia'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install fluent-plugin-sekoia
+
+## Output Usage
+
+```
+<match **>
+  @type sekoia
+  <buffer>
+    @type memory
+    flush_interval 10s
+  </buffer>
+</match>
+```
+
+### Configuration
+
+| name            | type    | description                                     |
+| --------------  | ------- | ---------------------------------               |
+| host            | string  | syslog target host                              |
+| port            | integer | syslog target port                              |
+| transport       | string  | transport protocol (tls [default], udp, or tcp) |
+| insecure        | boolean | skip ssl validation                             |
+| trusted_ca_path | string  | file path to ca to trust                        |
+
+#### Format Section
+
+Defaults to `sekoia`
+
+| name                 | type    | description                                                                                                              |
+| --------------       | ------- | -------                                                                                                                  |
+| rfc6587_message_size | boolean | prepends message length for syslog transmission (false by default)                                                       |
+| app_name_field       | string  | sets app name in syslog from field in fluentd, delimited by '.' (default kubernetes.labels.app)                          |
+| proc_id_field        | string  | sets proc id in syslog from field in fluentd, delimited by '.' (default kubernete.pod_name)                              |
+| intake_key_field     | string  | sets intake_key in structured data for sekoia.io. delimited by '.' (default kubernetes.annotations.sekoia-io-intake-key) |
+
+
+## Formatter Usage
+
+```
+<match **>
+  @type sekoia
+  <format>
+    @type sekoia
+    app_name_field example.custom_field_1
+    intake_key_field kubernetes.annotations.custom-annotation-that-contains-intake-key
+  </format>
+</match>
+```
+
+
+## Development
+
+After checking out the repo, run `bundle install` to install dependencies. Then, run `bundle exec rake` to run the tests. You can also run `bundle console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+To release a new version,
+1. update the version number in `fluent-plugin-sekoia.gemspec`,
+1. download latest sekoia.io certificate `make download`
+1. then run `bundle exec rake release`, which will create a git tag for the version,
+1. push git commits and tags
+1. push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+### Using the dev docker environment
+
+Run the command `make dev` to start a docker with the current folder mounted in the docker. Then use the following commands to start the tests at each code modifications:
+
+```bash
+bundle install
+find . | entr -s 'bundle exec rake'
+```
+
+## Publishing
+
+1. Run tests `bundle exec rake`
+1. Download latest sekoia.io certificate `make download`
+1. Push changes
+1. Create & push git tag with version
+1. Change version in `.gemspec`
+1. Build gem `gem build fluent-plugin-sekoia`
+1. Push `.gem` file to rubygems `gem push pkg/fluent-plugin-sekoia-io-0.0.1`

data/Rakefile

@@ -0,0 +1,15 @@
+require "bundler/gem_tasks"
+require 'rake/testtask'
+require 'fluent-plugin-sekoia-io/version'
+
+Rake::TestTask.new(:test) do |test|
+  test.libs << "lib" << "test"
+  test.pattern = "test/**/*_spec.rb"
+  test.verbose = true
+end
+
+task default: :test
+
+task :version do
+  puts FluentSEKOIAOutputPlugin::VERSION
+end

data/fluent-plugin-sekoia-io.gemspec

@@ -0,0 +1,29 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'fluent-plugin-sekoia-io/version'
+Gem::Specification.new do |spec|
+  spec.name          = "fluent-plugin-sekoia-io"
+  spec.version       = FluentSEKOIAIOOutputPlugin::VERSION
+  spec.authors       = ["Pivotal"]
+  spec.email         = %w(cf-loggregator@pivotal.io)
+  spec.homepage      = "https://github.com/SekoiaLab/fluent-plugin-sekoia-io"
+
+  spec.summary       = %q{FluentD output plugin to send messages via rfc5424 for sekoia}
+  spec.description   = %q{FluentD output plugin to send messages via Syslog rfc5424 for sekoia.}
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "test-unit", "~> 3.3"
+  spec.add_development_dependency "test-unit-rr", "~> 1.0"
+  spec.add_development_dependency "pry", "~> 0.12"
+  spec.add_development_dependency "minitest", "~> 5.14"
+
+  spec.add_runtime_dependency "fluentd", "~> 1.7"
+end
+

data/lib/fluent/plugin/formatter_sekoia.rb

@@ -0,0 +1,41 @@
+require 'sekoia/formatter'
+
+module Fluent
+  module Plugin
+    class FormatterSEKOIA < Formatter
+      Fluent::Plugin.register_formatter('sekoia', self)
+
+      config_param :rfc6587_message_size, :bool, default: false
+      config_param :app_name_field, :string, default: "kubernetes.labels.app"
+      config_param :proc_id_field, :string, default: "kubernetes.pod_name"
+      config_param :intake_key_field, :string, default: "kubernetes.annotations.sekoia-io-intake-key"
+
+      def configure(conf)
+        super
+        @app_name_field_array = @app_name_field.split(".")
+        @proc_id_field_array = @proc_id_field.split(".")
+        @intake_key_array = @intake_key_field.split(".")
+      end
+
+      def format(tag, time, record)
+        log.debug("Record")
+        log.debug(record.map { |k, v| "#{k}=#{v}" }.join('&'))
+
+        msg = SEKOIA::Formatter.format(
+          log: record['log'],
+          timestamp: time,
+          app_name: record.dig(*@app_name_field_array) || "-",
+          proc_id: record.dig(*@proc_id_field_array) || "-",
+          intake_key: record.dig(*@intake_key_array) || ""
+        )
+
+        log.debug("RFC 5424 Message")
+        log.debug(msg)
+
+        return msg + "\n" unless @rfc6587_message_size
+
+        msg.length.to_s + ' ' + msg
+      end
+    end
+  end
+end

data/lib/fluent/plugin/out_sekoia.rb

@@ -0,0 +1,72 @@
+require 'fluent/plugin/output'
+
+module Fluent
+  module Plugin
+    class OutSyslogSEKOIA < Output
+      Fluent::Plugin.register_output('syslog_sekoia', self)
+
+      helpers :socket, :formatter
+      DEFAULT_FORMATTER = "sekoia"
+
+      config_param :host, :string, default: "intake.sekoia.io"
+      config_param :port, :integer, default: 10514
+      config_param :transport, :string, default: "tls"
+      config_param :insecure, :bool, default: false
+      config_param :trusted_ca_path, :string, default: nil
+      config_section :format do
+        config_set_default :@type, DEFAULT_FORMATTER
+      end
+
+      def configure(config)
+        super
+        @sockets = {}
+        @formatter = formatter_create
+      end
+
+      def write(chunk)
+        socket = find_or_create_socket(@transport.to_sym, @host, @port)
+        tag = chunk.metadata.tag
+        chunk.each do |time, record|
+          begin
+            socket.write_nonblock @formatter.format(tag, time, record)
+            IO.select(nil, [socket], nil, 1) || raise(StandardError.new "ReconnectError")
+          rescue => e
+            @sockets.delete(socket_key(@transport.to_sym, @host, @port))
+            socket.close
+            raise e
+          end
+        end
+      end
+
+      def close
+        super
+        @sockets.each_value { |s| s.close }
+        @sockets = {}
+      end
+
+      private
+
+      def find_or_create_socket(transport, host, port)
+        socket = find_socket(transport, host, port)
+        return socket if socket
+
+        @sockets[socket_key(transport, host, port)] = socket_create(transport.to_sym, host, port, socket_options)
+      end
+
+      def socket_options
+        return {} unless @transport == 'tls'
+
+        # TODO: make timeouts configurable
+        { insecure: @insecure, verify_fqdn: !@insecure, cert_paths: @trusted_ca_path } #, connect_timeout: 1, send_timeout: 1, recv_timeout: 1, linger_timeout: 1 }
+      end
+
+      def socket_key(transport, host, port)
+        "#{host}:#{port}:#{transport}"
+      end
+
+      def find_socket(transport, host, port)
+        @sockets[socket_key(transport, host, port)]
+      end
+    end
+  end
+end

data/lib/fluent-plugin-sekoia-io/version.rb

@@ -0,0 +1,3 @@
+module FluentSEKOIAIOOutputPlugin
+  VERSION = "0.0.1"
+end

data/lib/sekoia/formatter.rb

@@ -0,0 +1,34 @@
+require 'date'
+
+module SEKOIA
+  class Formatter
+    SekoiaID = "SEKOIA@53288"
+    Format = "<%d>1 %s %s %s %s %s %s %s"
+
+    class << self
+      def format(
+        priority: 14,
+        timestamp: nil,
+        log: "",
+        hostname: "-",
+        app_name: "-",
+        proc_id: "-",
+        msg_id: "-",
+        intake_key: ""
+      )
+        Format % [priority, format_time(timestamp), hostname[0..254], app_name[0..47], proc_id[0..127], msg_id[0..31], format_structured_data(intake_key), log]
+      end
+
+      def format_structured_data(intake_key)
+        %{[#{SekoiaID} intake_key="#{intake_key}"]}
+      end
+
+      def format_time(timestamp)
+        return "-" if timestamp.nil?
+        return Time.at(timestamp.to_r).utc.to_datetime.rfc3339(6) if timestamp.is_a?(Fluent::EventTime)
+
+        DateTime.strptime(timestamp.to_s, '%s').rfc3339(6)
+      end
+    end
+  end
+end

data/resources/SEKOIA-IO-intake.pem

@@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----

data/test/plugin/formatter_sekoia_spec.rb

@@ -0,0 +1,122 @@
+require "test_helper"
+require "fluent/plugin/formatter_sekoia"
+
+class FormatterSEKOIATest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+  end
+
+  def create_driver(conf = CONFIG)
+    Fluent::Test::Driver::Formatter.new(Fluent::Plugin::FormatterSEKOIA).configure(conf)
+  end
+
+  def test_format_default
+    formatter_driver = create_driver %(
+      @type sekoia
+    )
+    tag = "test-formatter"
+    time = Fluent::EventTime.new(0, 123456000)
+    record = {"log" => "test-log"}
+    assert_equal "<14>1 1970-01-01T00:00:00.123456+00:00 - - - - [SEKOIA@53288 intake_key=\"\"] test-log\n",
+                 formatter_driver.instance.format(tag, time, record)
+  end
+
+  def test_format_without_message_size
+    formatter_driver = create_driver %(
+      @type sekoia
+    )
+    tag = "test-formatter"
+    time = Fluent::EventTime.new(0, 123456000)
+    record = {"log" => "test-log"}
+    assert_equal "<14>1 1970-01-01T00:00:00.123456+00:00 - - - - [SEKOIA@53288 intake_key=\"\"] test-log\n",
+                 formatter_driver.instance.format(tag, time, record)
+  end
+
+  def test_format_with_message_size
+    formatter_driver = create_driver %(
+      @type sekoia
+      rfc6587_message_size true
+    )
+    tag = "test-formatter"
+    time = Fluent::EventTime.new(0, 123456000)
+    record = {"log" => "test-log"}
+
+    formatted_message = "<14>1 1970-01-01T00:00:00.123456+00:00 - - - - [SEKOIA@53288 intake_key=\"\"] test-log"
+    message_size = formatted_message.length
+    assert_equal "#{message_size} #{formatted_message}",
+                 formatter_driver.instance.format(tag, time, record)
+  end
+
+  def test_format_with_app_name
+    formatter_driver = create_driver %(
+      @type sekoia
+      app_name_field example.custom_field
+    )
+    tag = "test-formatter"
+    time = Fluent::EventTime.new(0, 123456000)
+    record = {"log" => "test-log", "example" => {"custom_field" => "custom-value"}}
+
+    formatted_message = "<14>1 1970-01-01T00:00:00.123456+00:00 - custom-value - - [SEKOIA@53288 intake_key=\"\"] test-log\n"
+    assert_equal "#{formatted_message}",
+                 formatter_driver.instance.format(tag, time, record)
+  end
+
+  def test_format_with_proc_id
+    formatter_driver = create_driver %(
+      @type sekoia
+      proc_id_field example.custom_field
+    )
+    tag = "test-formatter"
+    time = Fluent::EventTime.new(0, 123456000)
+    record = {"log" => "test-log", "example" => {"custom_field" => "custom-value"}}
+
+    formatted_message = "<14>1 1970-01-01T00:00:00.123456+00:00 - - custom-value - [SEKOIA@53288 intake_key=\"\"] test-log\n"
+    assert_equal "#{formatted_message}",
+                 formatter_driver.instance.format(tag, time, record)
+  end
+
+  def test_format_with_intake_key
+    formatter_driver = create_driver %(
+      @type sekoia
+      app_name_field example.custom_field
+      intake_key_field field.intake_key
+    )
+    tag = "test-formatter"
+    time = Fluent::EventTime.new(0, 123456000)
+    record = {
+      "log" => "test-log",
+      "example" => {
+        "custom_field" => "custom-value"
+      },
+      "field" => {
+        "intake_key" => "testIntakeKey"
+      }
+    }
+    formatted_message = "<14>1 1970-01-01T00:00:00.123456+00:00 - custom-value - - [SEKOIA@53288 intake_key=\"testIntakeKey\"] test-log\n"
+    assert_equal "#{formatted_message}",
+                 formatter_driver.instance.format(tag, time, record)
+  end
+
+  def test_format_with_intake_key_and_default_path
+    formatter_driver = create_driver %(
+      @type sekoia
+    )
+    tag = "test-formatter"
+    time = Fluent::EventTime.new(0, 123456000)
+    record = {
+      "log" => "test-log",
+      "kubernetes" => {
+        "annotations" => {
+          "sekoia-io-intake-key" => "1234"
+        },
+        "labels" => {
+          "app" => "test"
+        }
+      }
+    }
+    formatted_message = "<14>1 1970-01-01T00:00:00.123456+00:00 - test - - [SEKOIA@53288 intake_key=\"1234\"] test-log\n"
+    assert_equal "#{formatted_message}",
+                 formatter_driver.instance.format(tag, time, record)
+  end
+
+end

data/test/plugin/out_sekoia_spec.rb

@@ -0,0 +1,168 @@
+require "test_helper"
+require "fluent/plugin/out_sekoia"
+
+class OutSyslogSEKOIATest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+    @time = Fluent::EventTime.new(0, 123456)
+    @formatted_log = "<14>1 1970-01-01T00:00:00.000123+00:00 - - - - [SEKOIA@53288 intake_key=\"\"] hi\n"
+  end
+
+  def create_driver(conf = CONFIG)
+    Fluent::Test::Driver::Output.new(Fluent::Plugin::OutSyslogSEKOIA).configure(conf)
+  end
+
+  def test_configure
+    output_driver = create_driver %(
+      @type sekoia
+      host example.com
+      port 123
+    )
+
+    assert_equal "example.com", output_driver.instance.instance_variable_get(:@host)
+    assert_equal 123, output_driver.instance.instance_variable_get(:@port)
+  end
+
+  def test_sends_a_message
+    output_driver = create_driver %(
+      @type sekoia
+      host example.com
+      port 123
+    )
+
+    socket = Object.new
+    mock(socket).write_nonblock(@formatted_log)
+    stub(socket).close
+
+    stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
+
+    any_instance_of(Fluent::Plugin::OutSyslogSEKOIA) do |fluent_plugin|
+      mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(socket)
+    end
+
+    output_driver.run do
+      output_driver.feed("tag", @time, {"log" => "hi"})
+    end
+  end
+
+  def test_reconnects
+    output_driver = create_driver %(
+      @type sekoia
+      host example.com
+      port 123
+    )
+
+    bad_socket = Object.new
+    mock(bad_socket).write_nonblock(@formatted_log)
+    stub(bad_socket).close
+
+    good_socket = Object.new
+    mock(good_socket).write_nonblock(@formatted_log)
+    stub(good_socket).close
+
+    mock(IO).select(nil, [bad_socket], nil, 1)
+    mock(IO).select(nil, [good_socket], nil, 1) { ["not an error"] }
+
+    any_instance_of(Fluent::Plugin::OutSyslogSEKOIA) do |fluent_plugin|
+      mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(bad_socket)
+      mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(good_socket)
+    end
+
+    output_driver.run(shutdown: false, force_flush_retry: true) do
+      output_driver.feed("tag", @time, {"log" => "hi"})
+    end
+  end
+
+  def test_non_tls
+    output_driver = create_driver %(
+      @type sekoia
+      host example.com
+      port 123
+      transport tcp
+    )
+
+    socket = Object.new
+    mock(socket).write_nonblock(@formatted_log)
+    stub(socket).close
+
+    stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
+
+    any_instance_of(Fluent::Plugin::OutSyslogSEKOIA) do |fluent_plugin|
+      mock(fluent_plugin).socket_create(:tcp, "example.com", 123, {}).returns(socket)
+    end
+
+    output_driver.run do
+      output_driver.feed("tag", @time, {"log" => "hi"})
+    end
+  end
+
+  def test_insecure_tls
+    output_driver = create_driver %(
+      @type sekoia
+      host example.com
+      port 123
+      transport tls
+      insecure true
+    )
+
+    socket = Object.new
+    mock(socket).write_nonblock(@formatted_log)
+    stub(socket).close
+
+    stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
+
+    any_instance_of(Fluent::Plugin::OutSyslogSEKOIA) do |fluent_plugin|
+      mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>true, :verify_fqdn=>false, :cert_paths=>nil}).returns(socket)
+    end
+
+    output_driver.run do
+      output_driver.feed("tag", @time, {"log" => "hi"})
+    end
+  end
+
+  def test_secure_tls
+    output_driver = create_driver %(
+      @type sekoia
+      host example.com
+      port 123
+      transport tls
+      trusted_ca_path supertrustworthy
+    )
+
+    socket = Object.new
+    mock(socket).write_nonblock(@formatted_log)
+    stub(socket).close
+
+    stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
+
+    any_instance_of(Fluent::Plugin::OutSyslogSEKOIA) do |fluent_plugin|
+      mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>"supertrustworthy"}).returns(socket)
+    end
+
+    output_driver.run do
+      output_driver.feed("tag", @time, {"log" => "hi"})
+    end
+  end
+
+  def test_close_is_called_on_sockets
+    output_driver = create_driver %(
+      @type sekoia
+      host example.com
+      port 123
+    )
+
+    socket = Object.new
+    stub(socket).write_nonblock(@formatted_log)
+    mock(socket).close
+
+    stub(IO).select(nil, [socket], nil, 1) { ["not an error"] }
+
+    any_instance_of(Fluent::Plugin::OutSyslogSEKOIA) do |fluent_plugin|
+      mock(fluent_plugin).socket_create(:tls, "example.com", 123, {:insecure=>false, :verify_fqdn=>true, :cert_paths=>nil}).returns(socket)
+    end
+
+    output_driver.run do
+      output_driver.feed("tag", @time , {"log" => "hi"})
+    end
+  end
+end

data/test/sekoia/formatter_spec.rb

@@ -0,0 +1,72 @@
+require "test_helper"
+require "sekoia/formatter"
+
+class SEKOIA::FormatterTest < Test::Unit::TestCase
+  def test_only_log
+    log = SEKOIA::Formatter.format(log: "test-log")
+    assert_equal log, "<14>1 - - - - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  # RFC 3339
+  # Adding fractional seconds: https://github.com/fluent/fluentd/issues/1862
+  def test_with_timestamp
+    log = SEKOIA::Formatter.format(timestamp: 0, log: "test-log")
+    assert_equal log, "<14>1 1970-01-01T00:00:00.000000+00:00 - - - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_timestamp_nano
+    log = SEKOIA::Formatter.format(timestamp: Fluent::EventTime.new(0, 123456000), log: "test-log")
+
+    assert_equal log, "<14>1 1970-01-01T00:00:00.123456+00:00 - - - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_priority
+    log = SEKOIA::Formatter.format( priority: 1, log: "test-log")
+    assert_equal log, "<1>1 - - - - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_hostname
+    log = SEKOIA::Formatter.format( hostname: "host", log: "test-log")
+    assert_equal log, "<14>1 - host - - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_overly_long_hostname
+    log = SEKOIA::Formatter.format( hostname: "a"*300, log: "test-log")
+    assert_equal log, "<14>1 - #{"a"*255} - - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_app_name
+    log = SEKOIA::Formatter.format( app_name: "app-name", log: "test-log")
+    assert_equal log, "<14>1 - - app-name - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_overly_long_app_name
+    log = SEKOIA::Formatter.format( app_name: "a"*300, log: "test-log")
+    assert_equal log, "<14>1 - - #{"a"*48} - - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_proc_id
+    log = SEKOIA::Formatter.format( proc_id: "proc-id", log: "test-log")
+    assert_equal log, "<14>1 - - - proc-id - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_overly_long_proc_id
+    log = SEKOIA::Formatter.format( proc_id: "a"*300, log: "test-log")
+    assert_equal log, "<14>1 - - - #{"a"*128} - [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_msg_id
+    log = SEKOIA::Formatter.format( msg_id: "msg-id", log: "test-log")
+    assert_equal log, "<14>1 - - - - msg-id [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_overly_long_msg_id
+    log = SEKOIA::Formatter.format( msg_id: "a"*300, log: "test-log")
+    assert_equal log, "<14>1 - - - - #{"a"*32} [SEKOIA@53288 intake_key=\"\"] test-log"
+  end
+
+  def test_with_intake_key
+    log = SEKOIA::Formatter.format( msg_id: "a"*300, log: "test-log", intake_key: "testIntakeKey")
+    assert_equal log, "<14>1 - - - - #{"a"*32} [SEKOIA@53288 intake_key=\"testIntakeKey\"] test-log"
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,14 @@
+require "bundler/setup"
+require "test/unit"
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+require "fluent/test"
+require "fluent/test/driver/output"
+require "fluent/test/driver/formatter"
+
+require "test/unit/rr"
+require "minitest/mock"
+
+require 'pry'

metadata

@@ -0,0 +1,164 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-sekoia-io
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Pivotal
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-04-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: test-unit-rr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+description: FluentD output plugin to send messages via Syslog rfc5424 for sekoia.
+email:
+- cf-loggregator@pivotal.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".ruby-version"
+- ".travis.yml"
+- Dockerfile
+- Gemfile
+- LICENSE
+- Makefile
+- README.md
+- Rakefile
+- fluent-plugin-sekoia-io.gemspec
+- lib/fluent-plugin-sekoia-io/version.rb
+- lib/fluent/plugin/formatter_sekoia.rb
+- lib/fluent/plugin/out_sekoia.rb
+- lib/sekoia/formatter.rb
+- resources/SEKOIA-IO-intake.pem
+- test/plugin/formatter_sekoia_spec.rb
+- test/plugin/out_sekoia_spec.rb
+- test/sekoia/formatter_spec.rb
+- test/test_helper.rb
+homepage: https://github.com/SekoiaLab/fluent-plugin-sekoia-io
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: FluentD output plugin to send messages via rfc5424 for sekoia
+test_files:
+- test/plugin/formatter_sekoia_spec.rb
+- test/plugin/out_sekoia_spec.rb
+- test/sekoia/formatter_spec.rb
+- test/test_helper.rb