logstash-filter-syslog_pri 3.1.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df1a5a0efc75ab1d50dc78903d358f09e6dcaa4f397a7181fa34e07d357a9bdf
-  data.tar.gz: 61263bc2b1a7744f84b2cd7e35b4c92f4cf97177791b1be93276a038f977b50a
+  metadata.gz: 7d49b0cc07a4a0cbbef1653e471b167f0967529b2a89a7b298de407992660256
+  data.tar.gz: 635cf6c9275c23fa11c2606b5facf55390cd3fcf0126c6df91949162c41b12fb
 SHA512:
-  metadata.gz: 14b276385f32db19d5cbf913ca01758f9e3dc8f2a2ddfa742fa87b5a237d574a931055a12d418407a711cbe97575a3f68ba9ae231d6e4edfc4234b58e28bd35f
-  data.tar.gz: 467f740f2f1d65ee8b0ac6ec3e98207520ae5cfe0601f5f71644f225763256a17f35e1edf1579be6099d54597e2d3847675456444fd9f058bfd664c328ac25f3
+  metadata.gz: f2fcc25974dd4ea5e2ac15a06c076eddac4a0794875f210da822431cb7a5003ad42cf7b31d2a33497f1daebc088b5e99eaf518ceedfeb3d68d416ca6e475b192
+  data.tar.gz: 61b1775d1b8c05362265bcd36cbf3c7ee7040266701700c0fec3f0c8be7f97fcf4e2640d16a218eb69d261483eaf6ad200d4da116fd3b949ae21663dda07247d

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 3.2.0
+  - Feat: add tagging on unrecognized `facility_label` code [#11](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/11)
+  - Change: refactored test code to be streamlined when checking ECS fields [#14](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/14)
+
+## 3.1.1
+  - Added preview of ECS-v8 support with existing ECS-v1 implementation [#10](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/10)
+
 ## 3.1.0
   - Feat: ECS compatibility [#9](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/9) 
 

data/docs/index.asciidoc

@@ -53,7 +53,7 @@ filter plugins.
 * Value type is <<string,string>>
 * Supported values are:
 ** `disabled`: does not use ECS-compatible field names (for example, `syslog_severity_code` for syslog severity)
-** `v1`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][severity][code]`)
+** `v1`, `v8`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][severity][code]`)
 * Default value depends on which version of Logstash is running:
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.
@@ -68,6 +68,8 @@ The value of this setting affects the _default_ value of <<plugins-{type}s-{plug
   * Default value is `["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]`
 
 Labels for facility levels. This comes from RFC3164.
+If an unrecognized facility code is provided and <<plugins-{type}s-{plugin}-use_labels>> is `true` then the event
+is tagged with `_syslogpriparsefailure`.
 
 [id="plugins-{type}s-{plugin}-severity_labels"]
 ===== `severity_labels` 

data/lib/logstash/filters/syslog_pri.rb

@@ -7,7 +7,7 @@ require "logstash/namespace"
 # default to 13 (per RFC).
 class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
 
-  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
 
   config_name "syslog_pri"
 
@@ -84,6 +84,8 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
 
   private
 
+  SYSLOGPRIPARSEFAILURE_TAG = "_syslogpriparsefailure"
+
   def parse_pri(event)
     # Per RFC3164, priority = (facility * 8) + severity
     # = (facility << 3) & (severity)
@@ -104,12 +106,21 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
     event.set(@facility_code_key, facility_code)
 
     # Add human-readable names after parsing severity and facility from PRI
-    if @use_labels
-      facility_label = @facility_labels[facility_code]
-      event.set(@facility_label_key, facility_label) if facility_label
-
-      severity_label = @severity_labels[severity_code]
-      event.set(@severity_label_key, severity_label) if severity_label
+    return unless @use_labels
+
+    # from Syslog PRI RFC 4.1.1 PRI Part, facility_code the maximum possible value is 124, however it defines just 23 values
+    if facility_code > (@facility_labels.size - 1)
+      # if the facility_code overflow the labels array
+      event.tag(SYSLOGPRIPARSEFAILURE_TAG)
+      logger.debug("Invalid facility code for event", :facility => facility_code)
+      return
     end
+
+    facility_label = @facility_labels[facility_code]
+    event.set(@facility_label_key, facility_label) if facility_label
+
+    # severity code is in range [0..7] by definition, no need to check any bound
+    severity_label = @severity_labels[severity_code]
+    event.set(@severity_label_key, severity_label) if severity_label
   end # def parse_pri
 end # class LogStash::Filters::SyslogPRI

data/logstash-filter-syslog_pri.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-filter-syslog_pri'
-  s.version         = '3.1.0'
+  s.version         = '3.2.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Parses the `PRI` (priority) field of a `syslog` message"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.1'
+  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.3'
   s.add_development_dependency 'logstash-devutils'
 
 end

data/spec/filters/syslog_pri_spec.rb

@@ -9,6 +9,10 @@ describe LogStash::Filters::Syslog_pri do
   subject          { LogStash::Filters::Syslog_pri.new(options) }
   let(:event_data) { { :name => "foo" } }
   let(:event)      { LogStash::Event.new.tap { |event| event_data.each { |k, v| event.set(k, v) } } }
+  let(:syslog_facility_code_field) { ecs_compatibility? ? "[log][syslog][facility][code]" : "syslog_facility_code" }
+  let(:syslog_facility_name_field) { ecs_compatibility? ? "[log][syslog][facility][name]" : "syslog_facility" }
+  let(:syslog_severity_code_field) { ecs_compatibility? ? "[log][syslog][severity][code]" : "syslog_severity_code" }
+  let(:syslog_severity_name_field) { ecs_compatibility? ? "[log][syslog][severity][name]" : "syslog_severity" }
 
   it "should register without errors" do
     plugin = LogStash::Plugin.lookup("filter", "syslog_pri").new( "facility_labels" => ["kernel"] )
@@ -16,7 +20,7 @@ describe LogStash::Filters::Syslog_pri do
   end
 
   context 'defaults', :ecs_compatibility_support do
-    ecs_compatibility_matrix(:disabled, :v1) do |ecs_select|
+    ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
 
       let(:ecs_compatibility?) { ecs_select.active_mode != :disabled }
 
@@ -31,38 +35,22 @@ describe LogStash::Filters::Syslog_pri do
 
       it "default syslog_facility is user-level" do
         subject.filter(event)
-        if ecs_compatibility?
-          expect(event.get("[log][syslog][facility][name]")).to eq("user-level")
-        else
-          expect(event.get("syslog_facility")).to eq("user-level")
-        end
+        expect(event.get(syslog_facility_name_field)).to eq("user-level")
       end
 
       it "default syslog severity is notice" do
         subject.filter(event)
-        if ecs_compatibility?
-          expect(event.get("[log][syslog][severity][name]")).to eq("notice")
-        else
-          expect(event.get("syslog_severity")).to eq("notice")
-        end
+        expect(event.get(syslog_severity_name_field)).to eq("notice")
       end
 
       it "default severity to be 5, out of priority default 13" do
         subject.filter(event)
-        if ecs_compatibility?
-          expect(event.get("[log][syslog][severity][code]")).to eq(5)
-        else
-          expect(event.get("syslog_severity_code")).to eq(5)
-        end
+        expect(event.get(syslog_severity_code_field)).to eq(5)
       end
 
       it "defaults to facility 1" do
         subject.filter(event)
-        if ecs_compatibility?
-          expect(event.get("[log][syslog][facility][code]")).to eq(1)
-        else
-          expect(event.get("syslog_facility_code")).to eq(1)
-        end
+        expect(event.get(syslog_facility_code_field)).to eq(1)
       end
 
     end
@@ -86,20 +74,12 @@ describe LogStash::Filters::Syslog_pri do
 
         it "syslog severity is critical" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][severity][name]")).to eq("critical")
-          else
-            expect(event.get("syslog_severity")).to eq("critical")
-          end
+          expect(event.get(syslog_severity_name_field)).to eq("critical")
         end
 
         it "default syslog_facility is user-level" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][facility][name]")).to eq("security/authorization")
-          else
-            expect(event.get("syslog_facility")).to eq("security/authorization")
-          end
+          expect(event.get(syslog_facility_name_field)).to eq("security/authorization")
         end
 
       end
@@ -109,20 +89,12 @@ describe LogStash::Filters::Syslog_pri do
 
         it "syslog severity is notice" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][severity][name]")).to eq("notice")
-          else
-            expect(event.get("syslog_severity")).to eq("notice")
-          end
+          expect(event.get(syslog_severity_name_field)).to eq("notice")
         end
 
         it "default syslog_facility is user-level" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][facility][name]")).to eq("local4")
-          else
-            expect(event.get("syslog_facility")).to eq("local4")
-          end
+          expect(event.get(syslog_facility_name_field)).to eq("local4")
         end
       end
 
@@ -131,20 +103,12 @@ describe LogStash::Filters::Syslog_pri do
 
         it "syslog severity is notice" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][severity][name]")).to eq("debug")
-          else
-            expect(event.get("syslog_severity")).to eq("debug")
-          end
+          expect(event.get(syslog_severity_name_field)).to eq("debug")
         end
 
         it "default syslog_facility is user-level" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][facility][name]")).to eq("local7")
-          else
-            expect(event.get("syslog_facility")).to eq("local7")
-          end
+          expect(event.get(syslog_facility_name_field)).to eq("local7")
         end
       end
 
@@ -153,25 +117,49 @@ describe LogStash::Filters::Syslog_pri do
 
         it "syslog severity is notice" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][severity][name]")).to eq("alert")
-          else
-            expect(event.get("syslog_severity")).to eq("alert")
-          end
+          expect(event.get(syslog_severity_name_field)).to eq("alert")
         end
 
         it "default syslog_facility is user-level" do
           subject.filter(event)
-          if ecs_compatibility?
-            expect(event.get("[log][syslog][facility][name]")).to eq("local1")
-            expect(event.get("[log][syslog][facility][code]")).to eq(17)
-          else
-            expect(event.get("syslog_facility")).to eq("local1")
-            expect(event.get("syslog_facility_code")).to eq(17)
-          end
+          expect(event.get(syslog_facility_name_field)).to eq("local1")
+          expect(event.get(syslog_facility_code_field)).to eq(17)
         end
       end
 
+      context "when malformed messages arrive" do
+        context "if syslog priority value is too high" do
+          let(:syslog_pri) { 193 }
+
+          before(:each) { subject.filter(event) }
+
+          context "if use_labels is enabled (default)" do
+            it "the event is tagged" do
+              expect(event.get("tags")).to include("_syslogpriparsefailure")
+            end
+            it "the facility label isn't set" do
+              expect(event.get(syslog_facility_name_field)).to be_nil
+            end
+            it "the severity label isn't set" do
+              expect(event.get(syslog_severity_name_field)).to be_nil
+            end
+          end
+
+          context "if use_labels is disabled" do
+            let(:options) { super().merge("use_labels" => false) }
+            it "the event is not tagged" do
+              expect(event.get("tags")).to be_nil
+            end
+          end
+
+          it "the facility code is still set" do
+            expect(event.get(syslog_facility_code_field)).to eq(24)
+          end
+          it "the severity code is still set" do
+            expect(event.get(syslog_severity_code_field)).to eq(1)
+          end
+        end
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-syslog_pri
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-16 00:00:00.000000000 Z
+date: 2023-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
   name: logstash-mixin-ecs_compatibility_support
   prerelease: false
   type: :runtime
@@ -43,7 +43,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -98,8 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Parses the `PRI` (priority) field of a `syslog` message