logstash-filter-syslog_pri 3.1.0 → 3.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/docs/index.asciidoc +3 -1
- data/lib/logstash/filters/syslog_pri.rb +18 -7
- data/logstash-filter-syslog_pri.gemspec +2 -2
- data/spec/filters/syslog_pri_spec.rb +51 -63
- metadata +5 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 7d49b0cc07a4a0cbbef1653e471b167f0967529b2a89a7b298de407992660256
|
4
|
+
data.tar.gz: 635cf6c9275c23fa11c2606b5facf55390cd3fcf0126c6df91949162c41b12fb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f2fcc25974dd4ea5e2ac15a06c076eddac4a0794875f210da822431cb7a5003ad42cf7b31d2a33497f1daebc088b5e99eaf518ceedfeb3d68d416ca6e475b192
|
7
|
+
data.tar.gz: 61b1775d1b8c05362265bcd36cbf3c7ee7040266701700c0fec3f0c8be7f97fcf4e2640d16a218eb69d261483eaf6ad200d4da116fd3b949ae21663dda07247d
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,10 @@
|
|
1
|
+
## 3.2.0
|
2
|
+
- Feat: add tagging on unrecognized `facility_label` code [#11](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/11)
|
3
|
+
- Change: refactored test code to be streamlined when checking ECS fields [#14](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/14)
|
4
|
+
|
5
|
+
## 3.1.1
|
6
|
+
- Added preview of ECS-v8 support with existing ECS-v1 implementation [#10](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/10)
|
7
|
+
|
1
8
|
## 3.1.0
|
2
9
|
- Feat: ECS compatibility [#9](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/9)
|
3
10
|
|
data/docs/index.asciidoc
CHANGED
@@ -53,7 +53,7 @@ filter plugins.
|
|
53
53
|
* Value type is <<string,string>>
|
54
54
|
* Supported values are:
|
55
55
|
** `disabled`: does not use ECS-compatible field names (for example, `syslog_severity_code` for syslog severity)
|
56
|
-
** `v1`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][severity][code]`)
|
56
|
+
** `v1`, `v8`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][severity][code]`)
|
57
57
|
* Default value depends on which version of Logstash is running:
|
58
58
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
59
59
|
** Otherwise, the default value is `disabled`.
|
@@ -68,6 +68,8 @@ The value of this setting affects the _default_ value of <<plugins-{type}s-{plug
|
|
68
68
|
* Default value is `["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]`
|
69
69
|
|
70
70
|
Labels for facility levels. This comes from RFC3164.
|
71
|
+
If an unrecognized facility code is provided and <<plugins-{type}s-{plugin}-use_labels>> is `true` then the event
|
72
|
+
is tagged with `_syslogpriparsefailure`.
|
71
73
|
|
72
74
|
[id="plugins-{type}s-{plugin}-severity_labels"]
|
73
75
|
===== `severity_labels`
|
@@ -7,7 +7,7 @@ require "logstash/namespace"
|
|
7
7
|
# default to 13 (per RFC).
|
8
8
|
class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
|
9
9
|
|
10
|
-
include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
|
10
|
+
include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
|
11
11
|
|
12
12
|
config_name "syslog_pri"
|
13
13
|
|
@@ -84,6 +84,8 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
|
|
84
84
|
|
85
85
|
private
|
86
86
|
|
87
|
+
SYSLOGPRIPARSEFAILURE_TAG = "_syslogpriparsefailure"
|
88
|
+
|
87
89
|
def parse_pri(event)
|
88
90
|
# Per RFC3164, priority = (facility * 8) + severity
|
89
91
|
# = (facility << 3) & (severity)
|
@@ -104,12 +106,21 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
|
|
104
106
|
event.set(@facility_code_key, facility_code)
|
105
107
|
|
106
108
|
# Add human-readable names after parsing severity and facility from PRI
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
event.
|
109
|
+
return unless @use_labels
|
110
|
+
|
111
|
+
# from Syslog PRI RFC 4.1.1 PRI Part, facility_code the maximum possible value is 124, however it defines just 23 values
|
112
|
+
if facility_code > (@facility_labels.size - 1)
|
113
|
+
# if the facility_code overflow the labels array
|
114
|
+
event.tag(SYSLOGPRIPARSEFAILURE_TAG)
|
115
|
+
logger.debug("Invalid facility code for event", :facility => facility_code)
|
116
|
+
return
|
113
117
|
end
|
118
|
+
|
119
|
+
facility_label = @facility_labels[facility_code]
|
120
|
+
event.set(@facility_label_key, facility_label) if facility_label
|
121
|
+
|
122
|
+
# severity code is in range [0..7] by definition, no need to check any bound
|
123
|
+
severity_label = @severity_labels[severity_code]
|
124
|
+
event.set(@severity_label_key, severity_label) if severity_label
|
114
125
|
end # def parse_pri
|
115
126
|
end # class LogStash::Filters::SyslogPRI
|
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-filter-syslog_pri'
|
4
|
-
s.version = '3.
|
4
|
+
s.version = '3.2.0'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Parses the `PRI` (priority) field of a `syslog` message"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
|
|
21
21
|
|
22
22
|
# Gem dependencies
|
23
23
|
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
|
24
|
-
s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.
|
24
|
+
s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.3'
|
25
25
|
s.add_development_dependency 'logstash-devutils'
|
26
26
|
|
27
27
|
end
|
@@ -9,6 +9,10 @@ describe LogStash::Filters::Syslog_pri do
|
|
9
9
|
subject { LogStash::Filters::Syslog_pri.new(options) }
|
10
10
|
let(:event_data) { { :name => "foo" } }
|
11
11
|
let(:event) { LogStash::Event.new.tap { |event| event_data.each { |k, v| event.set(k, v) } } }
|
12
|
+
let(:syslog_facility_code_field) { ecs_compatibility? ? "[log][syslog][facility][code]" : "syslog_facility_code" }
|
13
|
+
let(:syslog_facility_name_field) { ecs_compatibility? ? "[log][syslog][facility][name]" : "syslog_facility" }
|
14
|
+
let(:syslog_severity_code_field) { ecs_compatibility? ? "[log][syslog][severity][code]" : "syslog_severity_code" }
|
15
|
+
let(:syslog_severity_name_field) { ecs_compatibility? ? "[log][syslog][severity][name]" : "syslog_severity" }
|
12
16
|
|
13
17
|
it "should register without errors" do
|
14
18
|
plugin = LogStash::Plugin.lookup("filter", "syslog_pri").new( "facility_labels" => ["kernel"] )
|
@@ -16,7 +20,7 @@ describe LogStash::Filters::Syslog_pri do
|
|
16
20
|
end
|
17
21
|
|
18
22
|
context 'defaults', :ecs_compatibility_support do
|
19
|
-
ecs_compatibility_matrix(:disabled, :v1) do |ecs_select|
|
23
|
+
ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
|
20
24
|
|
21
25
|
let(:ecs_compatibility?) { ecs_select.active_mode != :disabled }
|
22
26
|
|
@@ -31,38 +35,22 @@ describe LogStash::Filters::Syslog_pri do
|
|
31
35
|
|
32
36
|
it "default syslog_facility is user-level" do
|
33
37
|
subject.filter(event)
|
34
|
-
|
35
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("user-level")
|
36
|
-
else
|
37
|
-
expect(event.get("syslog_facility")).to eq("user-level")
|
38
|
-
end
|
38
|
+
expect(event.get(syslog_facility_name_field)).to eq("user-level")
|
39
39
|
end
|
40
40
|
|
41
41
|
it "default syslog severity is notice" do
|
42
42
|
subject.filter(event)
|
43
|
-
|
44
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("notice")
|
45
|
-
else
|
46
|
-
expect(event.get("syslog_severity")).to eq("notice")
|
47
|
-
end
|
43
|
+
expect(event.get(syslog_severity_name_field)).to eq("notice")
|
48
44
|
end
|
49
45
|
|
50
46
|
it "default severity to be 5, out of priority default 13" do
|
51
47
|
subject.filter(event)
|
52
|
-
|
53
|
-
expect(event.get("[log][syslog][severity][code]")).to eq(5)
|
54
|
-
else
|
55
|
-
expect(event.get("syslog_severity_code")).to eq(5)
|
56
|
-
end
|
48
|
+
expect(event.get(syslog_severity_code_field)).to eq(5)
|
57
49
|
end
|
58
50
|
|
59
51
|
it "defaults to facility 1" do
|
60
52
|
subject.filter(event)
|
61
|
-
|
62
|
-
expect(event.get("[log][syslog][facility][code]")).to eq(1)
|
63
|
-
else
|
64
|
-
expect(event.get("syslog_facility_code")).to eq(1)
|
65
|
-
end
|
53
|
+
expect(event.get(syslog_facility_code_field)).to eq(1)
|
66
54
|
end
|
67
55
|
|
68
56
|
end
|
@@ -86,20 +74,12 @@ describe LogStash::Filters::Syslog_pri do
|
|
86
74
|
|
87
75
|
it "syslog severity is critical" do
|
88
76
|
subject.filter(event)
|
89
|
-
|
90
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("critical")
|
91
|
-
else
|
92
|
-
expect(event.get("syslog_severity")).to eq("critical")
|
93
|
-
end
|
77
|
+
expect(event.get(syslog_severity_name_field)).to eq("critical")
|
94
78
|
end
|
95
79
|
|
96
80
|
it "default syslog_facility is user-level" do
|
97
81
|
subject.filter(event)
|
98
|
-
|
99
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("security/authorization")
|
100
|
-
else
|
101
|
-
expect(event.get("syslog_facility")).to eq("security/authorization")
|
102
|
-
end
|
82
|
+
expect(event.get(syslog_facility_name_field)).to eq("security/authorization")
|
103
83
|
end
|
104
84
|
|
105
85
|
end
|
@@ -109,20 +89,12 @@ describe LogStash::Filters::Syslog_pri do
|
|
109
89
|
|
110
90
|
it "syslog severity is notice" do
|
111
91
|
subject.filter(event)
|
112
|
-
|
113
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("notice")
|
114
|
-
else
|
115
|
-
expect(event.get("syslog_severity")).to eq("notice")
|
116
|
-
end
|
92
|
+
expect(event.get(syslog_severity_name_field)).to eq("notice")
|
117
93
|
end
|
118
94
|
|
119
95
|
it "default syslog_facility is user-level" do
|
120
96
|
subject.filter(event)
|
121
|
-
|
122
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("local4")
|
123
|
-
else
|
124
|
-
expect(event.get("syslog_facility")).to eq("local4")
|
125
|
-
end
|
97
|
+
expect(event.get(syslog_facility_name_field)).to eq("local4")
|
126
98
|
end
|
127
99
|
end
|
128
100
|
|
@@ -131,20 +103,12 @@ describe LogStash::Filters::Syslog_pri do
|
|
131
103
|
|
132
104
|
it "syslog severity is notice" do
|
133
105
|
subject.filter(event)
|
134
|
-
|
135
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("debug")
|
136
|
-
else
|
137
|
-
expect(event.get("syslog_severity")).to eq("debug")
|
138
|
-
end
|
106
|
+
expect(event.get(syslog_severity_name_field)).to eq("debug")
|
139
107
|
end
|
140
108
|
|
141
109
|
it "default syslog_facility is user-level" do
|
142
110
|
subject.filter(event)
|
143
|
-
|
144
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("local7")
|
145
|
-
else
|
146
|
-
expect(event.get("syslog_facility")).to eq("local7")
|
147
|
-
end
|
111
|
+
expect(event.get(syslog_facility_name_field)).to eq("local7")
|
148
112
|
end
|
149
113
|
end
|
150
114
|
|
@@ -153,25 +117,49 @@ describe LogStash::Filters::Syslog_pri do
|
|
153
117
|
|
154
118
|
it "syslog severity is notice" do
|
155
119
|
subject.filter(event)
|
156
|
-
|
157
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("alert")
|
158
|
-
else
|
159
|
-
expect(event.get("syslog_severity")).to eq("alert")
|
160
|
-
end
|
120
|
+
expect(event.get(syslog_severity_name_field)).to eq("alert")
|
161
121
|
end
|
162
122
|
|
163
123
|
it "default syslog_facility is user-level" do
|
164
124
|
subject.filter(event)
|
165
|
-
|
166
|
-
|
167
|
-
expect(event.get("[log][syslog][facility][code]")).to eq(17)
|
168
|
-
else
|
169
|
-
expect(event.get("syslog_facility")).to eq("local1")
|
170
|
-
expect(event.get("syslog_facility_code")).to eq(17)
|
171
|
-
end
|
125
|
+
expect(event.get(syslog_facility_name_field)).to eq("local1")
|
126
|
+
expect(event.get(syslog_facility_code_field)).to eq(17)
|
172
127
|
end
|
173
128
|
end
|
174
129
|
|
130
|
+
context "when malformed messages arrive" do
|
131
|
+
context "if syslog priority value is too high" do
|
132
|
+
let(:syslog_pri) { 193 }
|
133
|
+
|
134
|
+
before(:each) { subject.filter(event) }
|
135
|
+
|
136
|
+
context "if use_labels is enabled (default)" do
|
137
|
+
it "the event is tagged" do
|
138
|
+
expect(event.get("tags")).to include("_syslogpriparsefailure")
|
139
|
+
end
|
140
|
+
it "the facility label isn't set" do
|
141
|
+
expect(event.get(syslog_facility_name_field)).to be_nil
|
142
|
+
end
|
143
|
+
it "the severity label isn't set" do
|
144
|
+
expect(event.get(syslog_severity_name_field)).to be_nil
|
145
|
+
end
|
146
|
+
end
|
147
|
+
|
148
|
+
context "if use_labels is disabled" do
|
149
|
+
let(:options) { super().merge("use_labels" => false) }
|
150
|
+
it "the event is not tagged" do
|
151
|
+
expect(event.get("tags")).to be_nil
|
152
|
+
end
|
153
|
+
end
|
154
|
+
|
155
|
+
it "the facility code is still set" do
|
156
|
+
expect(event.get(syslog_facility_code_field)).to eq(24)
|
157
|
+
end
|
158
|
+
it "the severity code is still set" do
|
159
|
+
expect(event.get(syslog_severity_code_field)).to eq(1)
|
160
|
+
end
|
161
|
+
end
|
162
|
+
end
|
175
163
|
end
|
176
164
|
end
|
177
165
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-filter-syslog_pri
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -35,7 +35,7 @@ dependencies:
|
|
35
35
|
requirements:
|
36
36
|
- - "~>"
|
37
37
|
- !ruby/object:Gem::Version
|
38
|
-
version: '1.
|
38
|
+
version: '1.3'
|
39
39
|
name: logstash-mixin-ecs_compatibility_support
|
40
40
|
prerelease: false
|
41
41
|
type: :runtime
|
@@ -43,7 +43,7 @@ dependencies:
|
|
43
43
|
requirements:
|
44
44
|
- - "~>"
|
45
45
|
- !ruby/object:Gem::Version
|
46
|
-
version: '1.
|
46
|
+
version: '1.3'
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
48
|
requirement: !ruby/object:Gem::Requirement
|
49
49
|
requirements:
|
@@ -98,8 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
98
98
|
- !ruby/object:Gem::Version
|
99
99
|
version: '0'
|
100
100
|
requirements: []
|
101
|
-
|
102
|
-
rubygems_version: 2.6.13
|
101
|
+
rubygems_version: 3.1.6
|
103
102
|
signing_key:
|
104
103
|
specification_version: 4
|
105
104
|
summary: Parses the `PRI` (priority) field of a `syslog` message
|