logstash-filter-syslog_pri 3.1.1 → 3.2.1

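--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: c3e7172aa14a0a1ac779c183aadb366d15d30e027c7f266aa6ca2dd228aab38e
-data.tar.gz: 3e3274f72b800eb2096d0ba879c4fc17ea42dcee9bdf8de42d646b5de01f9071
+metadata.gz: 15045cf32219a84e310c2f9ec1446484c1e5f8e09a4b17c3c8bb0fcdf209b6ce
+data.tar.gz: 01d2bcfe07f470e70f897c5903b72965502d935da9dfe4a8724d7510eccc9c83
 SHA512:
-metadata.gz: 3ed38b2e8905864b009f31d9c7482b0316c88e83cf0704015af1af15c2d4c0f39525b7f500c99ad6f8d69464df77753356fdc36680b48b99284e4a0d761309d1
-data.tar.gz: a78e217a3defc39b436297e37446754ce024685a83bab05e85c3e382e6b1c7901aeb2bb6ae5e945963519793ad81ae391087cb718cacaaf4a2c2f324c5b124f4
+metadata.gz: 032a33ff35de0d43b33f3e58634d433ae98a70ae380a3fcd6a95ecdfe9d454f96803dcc542f9f9b09f20881072ce3cd1c925dba5463935dfdee24a8ecc2824be
+data.tar.gz: 670f30eb6740c06ac9264472fca2ac015ff462b23ed0ee9143ba3b4a8781a28947f8ada2e6d3966ba126aa75f6905c5ae33e1f8e18c335942095f34d34721949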
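--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 3.2.1
+- Remove spurious leftover text from "use_labels" docs [#15](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/15)
+
+## 3.2.0
+- Feat: add tagging on unrecognized `facility_label` code [#11](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/11)
+- Change: refactored test code to be streamlined when checking ECS fields [#14](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/14)
+
 ## 3.1.1
 - Added preview of ECS-v8 support with existing ECS-v1 implementation [#10](https://github.com/logstash-plugins/logstash-filter-syslog_pri/pull/10)
 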
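--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -68,6 +68,8 @@ The value of this setting affects the _default_ value of <<plugins-{type}s-{plug
 * Default value is `["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]`
 
 Labels for facility levels. This comes from RFC3164.
+If an unrecognized facility code is provided and <<plugins-{type}s-{plugin}-use_labels>> is `true` then the event
+is tagged with `_syslogpriparsefailure`.
 
 [id="plugins-{type}s-{plugin}-severity_labels"]
 ===== `severity_labels`
@@ -93,10 +95,9 @@ Name of field which passes in the extracted PRI part of the syslog message
 * Value type is <<boolean,boolean>>
 * Default value is `true`
 
-set the status to experimental/beta/stable
 Add human-readable names after parsing severity and facility from PRI
 
 
 
 [id="plugins-{type}s-{plugin}-common-options"]
-include::{include_path}/{type}.asciidoc[]
+include::{include_path}/{type}.asciidoc[]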
@@ -11,8 +11,6 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
11
11
 
12
12
  config_name "syslog_pri"
13
13
 
14
- # set the status to experimental/beta/stable
15
-
16
14
  # Add human-readable names after parsing severity and facility from PRI
17
15
  config :use_labels, :validate => :boolean, :default => true
18
16
 
@@ -84,6 +82,8 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
84
82
 
85
83
  private
86
84
 
85
+ SYSLOGPRIPARSEFAILURE_TAG = "_syslogpriparsefailure"
86
+
87
87
  def parse_pri(event)
88
88
  # Per RFC3164, priority = (facility * 8) + severity
89
89
  # = (facility << 3) & (severity)
@@ -104,12 +104,21 @@ class LogStash::Filters::Syslog_pri < LogStash::Filters::Base
104
104
  event.set(@facility_code_key, facility_code)
105
105
 
106
106
  # Add human-readable names after parsing severity and facility from PRI
107
- if @use_labels
108
- facility_label = @facility_labels[facility_code]
109
- event.set(@facility_label_key, facility_label) if facility_label
110
-
111
- severity_label = @severity_labels[severity_code]
112
- event.set(@severity_label_key, severity_label) if severity_label
107
+ return unless @use_labels
108
+
109
+ # from Syslog PRI RFC 4.1.1 PRI Part, facility_code the maximum possible value is 124, however it defines just 23 values
110
+ if facility_code > (@facility_labels.size - 1)
111
+ # if the facility_code overflow the labels array
112
+ event.tag(SYSLOGPRIPARSEFAILURE_TAG)
113
+ logger.debug("Invalid facility code for event", :facility => facility_code)
114
+ return
113
115
  end
116
+
117
+ facility_label = @facility_labels[facility_code]
118
+ event.set(@facility_label_key, facility_label) if facility_label
119
+
120
+ # severity code is in range [0..7] by definition, no need to check any bound
121
+ severity_label = @severity_labels[severity_code]
122
+ event.set(@severity_label_key, severity_label) if severity_label
114
123
  end # def parse_pri
115
124
  end # class LogStash::Filters::SyslogPRI
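Review bot: The new guard `if facility_code > (@facility_labels.size - 1)` bounds the code by the length of the user-configured `facility_labels` array rather than by the 24 facilities of RFC 3164, so a deployment that configures a shorter list (as this commit's own spec does with `"facility_labels" => ["kernel"]`) will tag every event with facility ≥ 1 as `_syslogpriparsefailure`; if that is the intent, the comment should say so, otherwise compare against the protocol maximum. The comment above it cites "Syslog PRI RFC 4.1.1" and a maximum of 124 without naming RFC 3164 or explaining that 124 is what a three-digit PRI yields after `>> 3`, and the guard reads more plainly as `if facility_code >= @facility_labels.size`. The same configured-length caveat applies to `severity_labels` (documented as a configurable option under the `severity_labels` heading in docs/index.asciidoc), which the new comment says needs no bound check: a shorter list there silently yields a nil label with no tag, unlike the facility path. `SYSLOGPRIPARSEFAILURE_TAG` is declared after `private`, which has no effect on constants, so placing it beside `config_name` would avoid suggesting otherwise. parse_pri begins in the previous hunk and the `config :facility_labels` declaration is outside these hunks.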
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-filter-syslog_pri'
4
- s.version = '3.1.1'
4
+ s.version = '3.2.1'
5
5
  s.licenses = ['Apache License (2.0)']
6
6
  s.summary = "Parses the `PRI` (priority) field of a `syslog` message"
7
7
  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -9,6 +9,10 @@ describe LogStash::Filters::Syslog_pri do
9
9
  subject { LogStash::Filters::Syslog_pri.new(options) }
10
10
  let(:event_data) { { :name => "foo" } }
11
11
  let(:event) { LogStash::Event.new.tap { |event| event_data.each { |k, v| event.set(k, v) } } }
12
+ let(:syslog_facility_code_field) { ecs_compatibility? ? "[log][syslog][facility][code]" : "syslog_facility_code" }
13
+ let(:syslog_facility_name_field) { ecs_compatibility? ? "[log][syslog][facility][name]" : "syslog_facility" }
14
+ let(:syslog_severity_code_field) { ecs_compatibility? ? "[log][syslog][severity][code]" : "syslog_severity_code" }
15
+ let(:syslog_severity_name_field) { ecs_compatibility? ? "[log][syslog][severity][name]" : "syslog_severity" }
12
16
 
13
17
  it "should register without errors" do
14
18
  plugin = LogStash::Plugin.lookup("filter", "syslog_pri").new( "facility_labels" => ["kernel"] )
@@ -31,38 +35,22 @@ describe LogStash::Filters::Syslog_pri do
31
35
 
32
36
  it "default syslog_facility is user-level" do
33
37
  subject.filter(event)
34
- if ecs_compatibility?
35
- expect(event.get("[log][syslog][facility][name]")).to eq("user-level")
36
- else
37
- expect(event.get("syslog_facility")).to eq("user-level")
38
- end
38
+ expect(event.get(syslog_facility_name_field)).to eq("user-level")
39
39
  end
40
40
 
41
41
  it "default syslog severity is notice" do
42
42
  subject.filter(event)
43
- if ecs_compatibility?
44
- expect(event.get("[log][syslog][severity][name]")).to eq("notice")
45
- else
46
- expect(event.get("syslog_severity")).to eq("notice")
47
- end
43
+ expect(event.get(syslog_severity_name_field)).to eq("notice")
48
44
  end
49
45
 
50
46
  it "default severity to be 5, out of priority default 13" do
51
47
  subject.filter(event)
52
- if ecs_compatibility?
53
- expect(event.get("[log][syslog][severity][code]")).to eq(5)
54
- else
55
- expect(event.get("syslog_severity_code")).to eq(5)
56
- end
48
+ expect(event.get(syslog_severity_code_field)).to eq(5)
57
49
  end
58
50
 
59
51
  it "defaults to facility 1" do
60
52
  subject.filter(event)
61
- if ecs_compatibility?
62
- expect(event.get("[log][syslog][facility][code]")).to eq(1)
63
- else
64
- expect(event.get("syslog_facility_code")).to eq(1)
65
- end
53
+ expect(event.get(syslog_facility_code_field)).to eq(1)
66
54
  end
67
55
 
68
56
  end
@@ -86,20 +74,12 @@ describe LogStash::Filters::Syslog_pri do
86
74
 
87
75
  it "syslog severity is critical" do
88
76
  subject.filter(event)
89
- if ecs_compatibility?
90
- expect(event.get("[log][syslog][severity][name]")).to eq("critical")
91
- else
92
- expect(event.get("syslog_severity")).to eq("critical")
93
- end
77
+ expect(event.get(syslog_severity_name_field)).to eq("critical")
94
78
  end
95
79
 
96
80
  it "default syslog_facility is user-level" do
97
81
  subject.filter(event)
98
- if ecs_compatibility?
99
- expect(event.get("[log][syslog][facility][name]")).to eq("security/authorization")
100
- else
101
- expect(event.get("syslog_facility")).to eq("security/authorization")
102
- end
82
+ expect(event.get(syslog_facility_name_field)).to eq("security/authorization")
103
83
  end
104
84
 
105
85
  end
@@ -109,20 +89,12 @@ describe LogStash::Filters::Syslog_pri do
109
89
 
110
90
  it "syslog severity is notice" do
111
91
  subject.filter(event)
112
- if ecs_compatibility?
113
- expect(event.get("[log][syslog][severity][name]")).to eq("notice")
114
- else
115
- expect(event.get("syslog_severity")).to eq("notice")
116
- end
92
+ expect(event.get(syslog_severity_name_field)).to eq("notice")
117
93
  end
118
94
 
119
95
  it "default syslog_facility is user-level" do
120
96
  subject.filter(event)
121
- if ecs_compatibility?
122
- expect(event.get("[log][syslog][facility][name]")).to eq("local4")
123
- else
124
- expect(event.get("syslog_facility")).to eq("local4")
125
- end
97
+ expect(event.get(syslog_facility_name_field)).to eq("local4")
126
98
  end
127
99
  end
128
100
 
@@ -131,20 +103,12 @@ describe LogStash::Filters::Syslog_pri do
131
103
 
132
104
  it "syslog severity is notice" do
133
105
  subject.filter(event)
134
- if ecs_compatibility?
135
- expect(event.get("[log][syslog][severity][name]")).to eq("debug")
136
- else
137
- expect(event.get("syslog_severity")).to eq("debug")
138
- end
106
+ expect(event.get(syslog_severity_name_field)).to eq("debug")
139
107
  end
140
108
 
141
109
  it "default syslog_facility is user-level" do
142
110
  subject.filter(event)
143
- if ecs_compatibility?
144
- expect(event.get("[log][syslog][facility][name]")).to eq("local7")
145
- else
146
- expect(event.get("syslog_facility")).to eq("local7")
147
- end
111
+ expect(event.get(syslog_facility_name_field)).to eq("local7")
148
112
  end
149
113
  end
150
114
 
@@ -153,25 +117,49 @@ describe LogStash::Filters::Syslog_pri do
153
117
 
154
118
  it "syslog severity is notice" do
155
119
  subject.filter(event)
156
- if ecs_compatibility?
157
- expect(event.get("[log][syslog][severity][name]")).to eq("alert")
158
- else
159
- expect(event.get("syslog_severity")).to eq("alert")
160
- end
120
+ expect(event.get(syslog_severity_name_field)).to eq("alert")
161
121
  end
162
122
 
163
123
  it "default syslog_facility is user-level" do
164
124
  subject.filter(event)
165
- if ecs_compatibility?
166
- expect(event.get("[log][syslog][facility][name]")).to eq("local1")
167
- expect(event.get("[log][syslog][facility][code]")).to eq(17)
168
- else
169
- expect(event.get("syslog_facility")).to eq("local1")
170
- expect(event.get("syslog_facility_code")).to eq(17)
171
- end
125
+ expect(event.get(syslog_facility_name_field)).to eq("local1")
126
+ expect(event.get(syslog_facility_code_field)).to eq(17)
172
127
  end
173
128
  end
174
129
 
130
+ context "when malformed messages arrive" do
131
+ context "if syslog priority value is too high" do
132
+ let(:syslog_pri) { 193 }
133
+
134
+ before(:each) { subject.filter(event) }
135
+
136
+ context "if use_labels is enabled (default)" do
137
+ it "the event is tagged" do
138
+ expect(event.get("tags")).to include("_syslogpriparsefailure")
139
+ end
140
+ it "the facility label isn't set" do
141
+ expect(event.get(syslog_facility_name_field)).to be_nil
142
+ end
143
+ it "the severity label isn't set" do
144
+ expect(event.get(syslog_severity_name_field)).to be_nil
145
+ end
146
+ end
147
+
148
+ context "if use_labels is disabled" do
149
+ let(:options) { super().merge("use_labels" => false) }
150
+ it "the event is not tagged" do
151
+ expect(event.get("tags")).to be_nil
152
+ end
153
+ end
154
+
155
+ it "the facility code is still set" do
156
+ expect(event.get(syslog_facility_code_field)).to eq(24)
157
+ end
158
+ it "the severity code is still set" do
159
+ expect(event.get(syslog_severity_code_field)).to eq(1)
160
+ end
161
+ end
162
+ end
175
163
  end
176
164
  end
177
165
  end
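Review bot: Several example descriptions no longer match what they assert: `it "default syslog_facility is user-level"` now expects `"security/authorization"`, `"local4"`, `"local7"` and `"local1"`, and `it "syslog severity is notice"` expects `"debug"` and `"alert"`; since the commit rewrites exactly those expectation lines, renaming the examples (e.g. `it "sets syslog_facility to local4"`) would keep the spec output truthful. The new `context "if syslog priority value is too high"` drives PRI 193 (facility 24), one past the RFC 3164 limit, but nothing pins the boundary itself; a companion example at PRI 191 (facility 23, `local7`) would catch an off-by-one in the `facility_code > (@facility_labels.size - 1)` guard. `expect(event.get("tags")).to be_nil` in the `use_labels` disabled case also asserts that no other code path adds tags, which is fine today but will fail if a different tag is ever introduced; `not_to include("_syslogpriparsefailure")` states the intent more narrowly. How `let(:syslog_pri)` reaches the filter is defined outside these hunks, so I am assuming it sets the PRI field the filter reads.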
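--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-syslog_pri
 version: !ruby/object:Gem::Version
-version: 3.1.1
+version: 3.2.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-11-10 00:00:00.000000000 Z
+date: 2024-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -98,7 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Parses the `PRI` (priority) field of a `syslog` message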