logstash-filter-syslog_pri 3.1.1 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/docs/index.asciidoc +2 -0
- data/lib/logstash/filters/syslog_pri.rb +17 -6
- data/logstash-filter-syslog_pri.gemspec +1 -1
- data/spec/filters/syslog_pri_spec.rb +50 -62
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 7d49b0cc07a4a0cbbef1653e471b167f0967529b2a89a7b298de407992660256
|
4
|
+
data.tar.gz: 635cf6c9275c23fa11c2606b5facf55390cd3fcf0126c6df91949162c41b12fb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f2fcc25974dd4ea5e2ac15a06c076eddac4a0794875f210da822431cb7a5003ad42cf7b31d2a33497f1daebc088b5e99eaf518ceedfeb3d68d416ca6e475b192
|
7
|
+
data.tar.gz: 61b1775d1b8c05362265bcd36cbf3c7ee7040266701700c0fec3f0c8be7f97fcf4e2640d16a218eb69d261483eaf6ad200d4da116fd3b949ae21663dda07247d
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,7 @@
|
|
1
|
+
## 3.2.0
|
2
|
+
- Feat: add tagging on unrecognized `facility_label` code [#11](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/11)
|
3
|
+
- Change: refactored test code to be streamlined when checking ECS fields [#14](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/14)
|
4
|
+
|
1
5
|
## 3.1.1
|
2
6
|
- Added preview of ECS-v8 support with existing ECS-v1 implementation [#10](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/10)
|
3
7
|
|
data/docs/index.asciidoc
CHANGED
@@ -68,6 +68,8 @@ The value of this setting affects the _default_ value of <<plugins-{type}s-{plug
|
|
68
68
|
* Default value is `["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]`
|
69
69
|
|
70
70
|
Labels for facility levels. This comes from RFC3164.
|
71
|
+
If an unrecognized facility code is provided and <<plugins-{type}s-{plugin}-use_labels>> is `true` then the event
|
72
|
+
is tagged with `_syslogpriparsefailure`.
|
71
73
|
|
72
74
|
[id="plugins-{type}s-{plugin}-severity_labels"]
|
73
75
|
===== `severity_labels`
|
@@ -84,6 +84,8 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
|
|
84
84
|
|
85
85
|
private
|
86
86
|
|
87
|
+
SYSLOGPRIPARSEFAILURE_TAG = "_syslogpriparsefailure"
|
88
|
+
|
87
89
|
def parse_pri(event)
|
88
90
|
# Per RFC3164, priority = (facility * 8) + severity
|
89
91
|
# = (facility << 3) & (severity)
|
@@ -104,12 +106,21 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
|
|
104
106
|
event.set(@facility_code_key, facility_code)
|
105
107
|
|
106
108
|
# Add human-readable names after parsing severity and facility from PRI
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
event.
|
109
|
+
return unless @use_labels
|
110
|
+
|
111
|
+
# from Syslog PRI RFC 4.1.1 PRI Part, facility_code the maximum possible value is 124, however it defines just 23 values
|
112
|
+
if facility_code > (@facility_labels.size - 1)
|
113
|
+
# if the facility_code overflow the labels array
|
114
|
+
event.tag(SYSLOGPRIPARSEFAILURE_TAG)
|
115
|
+
logger.debug("Invalid facility code for event", :facility => facility_code)
|
116
|
+
return
|
113
117
|
end
|
118
|
+
|
119
|
+
facility_label = @facility_labels[facility_code]
|
120
|
+
event.set(@facility_label_key, facility_label) if facility_label
|
121
|
+
|
122
|
+
# severity code is in range [0..7] by definition, no need to check any bound
|
123
|
+
severity_label = @severity_labels[severity_code]
|
124
|
+
event.set(@severity_label_key, severity_label) if severity_label
|
114
125
|
end # def parse_pri
|
115
126
|
end # class LogStash::Filters::SyslogPRI
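Review bot: The overflow guard `if facility_code > (@facility_labels.size - 1)` ties the `_syslogpriparsefailure` tag to the size of the operator-supplied `facility_labels` table rather than to the protocol bound, and it sits after `return unless @use_labels`, so a PRI above 191 is flagged only when labels are enabled while a shorter custom label list tags well-formed facilities as parse failures. If the intent is to flag malformed PRI values (which is how the docs hunk reads), move the check above the `return unless @use_labels` line and compare against the RFC bound, `if facility_code > 23`, keeping the existing `if facility_label` nil-guard for tables shorter than 24 entries; if the intent is only "no label configured for this code", the docs and changelog should say so and the tag name should not suggest a parse failure. The comment above the check misstates the bound — per RFC 3164 §4.1.1 PRI is 0..191, so the facility code is at most 23 (24 values, matching the 24-entry default table); I would replace it with `# RFC 3164 §4.1.1: PRI is 0..191, so a well-formed facility code is 0..23; the label table may be shorter`. In the earlier hunk of this file, `private` has no effect on the constant `SYSLOGPRIPARSEFAILURE_TAG` (it stays reachable as `LogStash::Filters::Syslog_pri::SYSLOGPRIPARSEFAILURE_TAG`), which is harmless but `private_constant :SYSLOGPRIPARSEFAILURE_TAG` would make the intent explicit. parse_pri begins in the previous hunk, outside this one.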
|
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-filter-syslog_pri'
|
4
|
-
s.version = '3.
|
4
|
+
s.version = '3.2.0'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Parses the `PRI` (priority) field of a `syslog` message"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
@@ -9,6 +9,10 @@ describe LogStash::Filters::Syslog_pri do
|
|
9
9
|
subject { LogStash::Filters::Syslog_pri.new(options) }
|
10
10
|
let(:event_data) { { :name => "foo" } }
|
11
11
|
let(:event) { LogStash::Event.new.tap { |event| event_data.each { |k, v| event.set(k, v) } } }
|
12
|
+
let(:syslog_facility_code_field) { ecs_compatibility? ? "[log][syslog][facility][code]" : "syslog_facility_code" }
|
13
|
+
let(:syslog_facility_name_field) { ecs_compatibility? ? "[log][syslog][facility][name]" : "syslog_facility" }
|
14
|
+
let(:syslog_severity_code_field) { ecs_compatibility? ? "[log][syslog][severity][code]" : "syslog_severity_code" }
|
15
|
+
let(:syslog_severity_name_field) { ecs_compatibility? ? "[log][syslog][severity][name]" : "syslog_severity" }
|
12
16
|
|
13
17
|
it "should register without errors" do
|
14
18
|
plugin = LogStash::Plugin.lookup("filter", "syslog_pri").new( "facility_labels" => ["kernel"] )
|
@@ -31,38 +35,22 @@ describe LogStash::Filters::Syslog_pri do
|
|
31
35
|
|
32
36
|
it "default syslog_facility is user-level" do
|
33
37
|
subject.filter(event)
|
34
|
-
|
35
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("user-level")
|
36
|
-
else
|
37
|
-
expect(event.get("syslog_facility")).to eq("user-level")
|
38
|
-
end
|
38
|
+
expect(event.get(syslog_facility_name_field)).to eq("user-level")
|
39
39
|
end
|
40
40
|
|
41
41
|
it "default syslog severity is notice" do
|
42
42
|
subject.filter(event)
|
43
|
-
|
44
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("notice")
|
45
|
-
else
|
46
|
-
expect(event.get("syslog_severity")).to eq("notice")
|
47
|
-
end
|
43
|
+
expect(event.get(syslog_severity_name_field)).to eq("notice")
|
48
44
|
end
|
49
45
|
|
50
46
|
it "default severity to be 5, out of priority default 13" do
|
51
47
|
subject.filter(event)
|
52
|
-
|
53
|
-
expect(event.get("[log][syslog][severity][code]")).to eq(5)
|
54
|
-
else
|
55
|
-
expect(event.get("syslog_severity_code")).to eq(5)
|
56
|
-
end
|
48
|
+
expect(event.get(syslog_severity_code_field)).to eq(5)
|
57
49
|
end
|
58
50
|
|
59
51
|
it "defaults to facility 1" do
|
60
52
|
subject.filter(event)
|
61
|
-
|
62
|
-
expect(event.get("[log][syslog][facility][code]")).to eq(1)
|
63
|
-
else
|
64
|
-
expect(event.get("syslog_facility_code")).to eq(1)
|
65
|
-
end
|
53
|
+
expect(event.get(syslog_facility_code_field)).to eq(1)
|
66
54
|
end
|
67
55
|
|
68
56
|
end
|
@@ -86,20 +74,12 @@ describe LogStash::Filters::Syslog_pri do
|
|
86
74
|
|
87
75
|
it "syslog severity is critical" do
|
88
76
|
subject.filter(event)
|
89
|
-
|
90
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("critical")
|
91
|
-
else
|
92
|
-
expect(event.get("syslog_severity")).to eq("critical")
|
93
|
-
end
|
77
|
+
expect(event.get(syslog_severity_name_field)).to eq("critical")
|
94
78
|
end
|
95
79
|
|
96
80
|
it "default syslog_facility is user-level" do
|
97
81
|
subject.filter(event)
|
98
|
-
|
99
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("security/authorization")
|
100
|
-
else
|
101
|
-
expect(event.get("syslog_facility")).to eq("security/authorization")
|
102
|
-
end
|
82
|
+
expect(event.get(syslog_facility_name_field)).to eq("security/authorization")
|
103
83
|
end
|
104
84
|
|
105
85
|
end
|
@@ -109,20 +89,12 @@ describe LogStash::Filters::Syslog_pri do
|
|
109
89
|
|
110
90
|
it "syslog severity is notice" do
|
111
91
|
subject.filter(event)
|
112
|
-
|
113
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("notice")
|
114
|
-
else
|
115
|
-
expect(event.get("syslog_severity")).to eq("notice")
|
116
|
-
end
|
92
|
+
expect(event.get(syslog_severity_name_field)).to eq("notice")
|
117
93
|
end
|
118
94
|
|
119
95
|
it "default syslog_facility is user-level" do
|
120
96
|
subject.filter(event)
|
121
|
-
|
122
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("local4")
|
123
|
-
else
|
124
|
-
expect(event.get("syslog_facility")).to eq("local4")
|
125
|
-
end
|
97
|
+
expect(event.get(syslog_facility_name_field)).to eq("local4")
|
126
98
|
end
|
127
99
|
end
|
128
100
|
|
@@ -131,20 +103,12 @@ describe LogStash::Filters::Syslog_pri do
|
|
131
103
|
|
132
104
|
it "syslog severity is notice" do
|
133
105
|
subject.filter(event)
|
134
|
-
|
135
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("debug")
|
136
|
-
else
|
137
|
-
expect(event.get("syslog_severity")).to eq("debug")
|
138
|
-
end
|
106
|
+
expect(event.get(syslog_severity_name_field)).to eq("debug")
|
139
107
|
end
|
140
108
|
|
141
109
|
it "default syslog_facility is user-level" do
|
142
110
|
subject.filter(event)
|
143
|
-
|
144
|
-
expect(event.get("[log][syslog][facility][name]")).to eq("local7")
|
145
|
-
else
|
146
|
-
expect(event.get("syslog_facility")).to eq("local7")
|
147
|
-
end
|
111
|
+
expect(event.get(syslog_facility_name_field)).to eq("local7")
|
148
112
|
end
|
149
113
|
end
|
150
114
|
|
@@ -153,25 +117,49 @@ describe LogStash::Filters::Syslog_pri do
|
|
153
117
|
|
154
118
|
it "syslog severity is notice" do
|
155
119
|
subject.filter(event)
|
156
|
-
|
157
|
-
expect(event.get("[log][syslog][severity][name]")).to eq("alert")
|
158
|
-
else
|
159
|
-
expect(event.get("syslog_severity")).to eq("alert")
|
160
|
-
end
|
120
|
+
expect(event.get(syslog_severity_name_field)).to eq("alert")
|
161
121
|
end
|
162
122
|
|
163
123
|
it "default syslog_facility is user-level" do
|
164
124
|
subject.filter(event)
|
165
|
-
|
166
|
-
|
167
|
-
expect(event.get("[log][syslog][facility][code]")).to eq(17)
|
168
|
-
else
|
169
|
-
expect(event.get("syslog_facility")).to eq("local1")
|
170
|
-
expect(event.get("syslog_facility_code")).to eq(17)
|
171
|
-
end
|
125
|
+
expect(event.get(syslog_facility_name_field)).to eq("local1")
|
126
|
+
expect(event.get(syslog_facility_code_field)).to eq(17)
|
172
127
|
end
|
173
128
|
end
|
174
129
|
|
130
|
+
context "when malformed messages arrive" do
|
131
|
+
context "if syslog priority value is too high" do
|
132
|
+
let(:syslog_pri) { 193 }
|
133
|
+
|
134
|
+
before(:each) { subject.filter(event) }
|
135
|
+
|
136
|
+
context "if use_labels is enabled (default)" do
|
137
|
+
it "the event is tagged" do
|
138
|
+
expect(event.get("tags")).to include("_syslogpriparsefailure")
|
139
|
+
end
|
140
|
+
it "the facility label isn't set" do
|
141
|
+
expect(event.get(syslog_facility_name_field)).to be_nil
|
142
|
+
end
|
143
|
+
it "the severity label isn't set" do
|
144
|
+
expect(event.get(syslog_severity_name_field)).to be_nil
|
145
|
+
end
|
146
|
+
end
|
147
|
+
|
148
|
+
context "if use_labels is disabled" do
|
149
|
+
let(:options) { super().merge("use_labels" => false) }
|
150
|
+
it "the event is not tagged" do
|
151
|
+
expect(event.get("tags")).to be_nil
|
152
|
+
end
|
153
|
+
end
|
154
|
+
|
155
|
+
it "the facility code is still set" do
|
156
|
+
expect(event.get(syslog_facility_code_field)).to eq(24)
|
157
|
+
end
|
158
|
+
it "the severity code is still set" do
|
159
|
+
expect(event.get(syslog_severity_code_field)).to eq(1)
|
160
|
+
end
|
161
|
+
end
|
162
|
+
end
|
175
163
|
end
|
176
164
|
end
|
177
165
|
end
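Review bot: The new "when malformed messages arrive" context pins the first out-of-range value (PRI 193 → facility code 24, severity 1) but nothing asserts that the highest well-formed value is left untagged, so an off-by-one in the guard (`>=` instead of `>`) would still pass the suite. The existing local7 context earlier in this file (severity "debug" plus facility "local7", i.e. PRI 191) is the natural place: add `expect(event.get("tags")).to be_nil` to its facility example. The `let(:syslog_pri) { 193 }` override and the `super().merge("use_labels" => false)` call rely on `syslog_pri` and `options` lets defined above this hunk, which I take to be the ones the existing contexts use, and the `ecs_compatibility?` helper used by the four field `let`s in the first hunk is likewise defined outside it; the enclosing describe block starts and ends outside this hunk.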
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-filter-syslog_pri
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|