logstash-input-delf 3.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 308100753a50a0d7d3c0a9956ce41ee9c001f62d
+  data.tar.gz: c8c424269c039b12f4195a610753af6c5ef183d6
+SHA512:
+  metadata.gz: 31c2835ee3bc1e0b218e50f2fc103ee9e757dcbcd669cea2a440932805cbb777ffa5ffab2085743d6a767b06c0a06398932758c437906ff49a9f9da29dbbfc5f
+  data.tar.gz: f516dbccce766aed7e57347625ffabd9c1a632f3058d87002f3897494761576259d94118b601bb88b7f6ef1819bc81c83c56261b80ca00567d9651412dc625ef

data/CHANGELOG.md

@@ -0,0 +1,26 @@
+## 3.0.3
+  - Docs: Update doc examples to use new event API syntax 
+
+## 3.0.2
+  - Relax constraint on logstash-core-plugin-api to >= 1.60 <= 2.99
+
+## 3.0.1
+  - Republish all the gems under jruby.
+## 3.0.0
+  - Update the plugin to the version 2.0 of the plugin api, this change is required for Logstash 5.0 compatibility. See https://github.com/elastic/logstash/issues/5141
+## 2.0.8
+  - Make the `Event.from_json` return a single element instead of an array and make this plugin works under 5.0
+## 2.0.7
+  - Fix failing test caused by reverting Java Event back to Ruby Event
+## 2.0.6
+  - Fix plugin crash when Logstash::Json fails to parse a message, https://github.com/logstash-plugins/logstash-input-gelf/pull/27
+## 2.0.5
+  - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
+## 2.0.4
+  - New dependency requirements for logstash-core for the 5.0 release
+## 2.0.3
+ - Fix Timestamp coercion to preserve upto microsecond precision, https://github.com/logstash-plugins/logstash-input-gelf/pull/35
+## 2.0.0
+ - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
+   instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
+ - Dependency on logstash-core update to 2.0

data/CONTRIBUTORS

@@ -0,0 +1,23 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Bernd Ahlers (bernd)
+* Chris McCoy (lofidellity)
+* Colin Surprenant (colinsurprenant)
+* JeremyEinfeld
+* John E. Vincent (lusis)
+* Jordan Sissel (jordansissel)
+* Kurt Hurtado (kurtado)
+* Nick Ethier (nickethier)
+* Pete Fritchman (fetep)
+* Pier-Hugues Pellerin (ph)
+* Richard Pijnenburg (electrical)
+* Suyog Rao (suyograo)
+* joe miller (joemiller)
+* Guy Boertje (guyboertje)
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in logstash-mass_effect.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,104 @@
+# Logstash Plugin - delf
+
+[![Travis Build Status](https://travis-ci.org/wade-r/logstash-input-delf.svg)](https://travis-ci.org/wade-r/logstash-input-delf)
+
+`delf` is a Docker flavored version of `gelf` input plugin, with multi-line support.
+
+# Logstash Plugin
+
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-input-gelf.svg)](https://travis-ci.org/logstash-plugins/logstash-input-gelf)
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/docs/index.asciidoc

@@ -0,0 +1,104 @@
+:plugin: gelf
+:type: input
+
+///////////////////////////////////////////
+START - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+:version: %VERSION%
+:release_date: %RELEASE_DATE%
+:changelog_url: %CHANGELOG_URL%
+:include_path: ../../../logstash/docs/include
+///////////////////////////////////////////
+END - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+
+[id="plugins-{type}-{plugin}"]
+
+=== Gelf
+
+include::{include_path}/plugin_header.asciidoc[]
+
+==== Description
+
+This input will read GELF messages as events over the network,
+making it a good choice if you already use Graylog2 today.
+
+The main use case for this input is to leverage existing GELF
+logging libraries such as the GELF log4j appender. A library used
+by this plugin has a bug which prevents it parsing uncompressed data.
+If you use the log4j appender you need to configure it like this to force
+gzip even for small messages:
+
+  <Socket name="logstash" protocol="udp" host="logstash.example.com" port="5001">
+     <GelfLayout compressionType="GZIP" compressionThreshold="1" />
+  </Socket>
+
+
+
+[id="plugins-{type}s-{plugin}-options"]
+==== Gelf Input Configuration Options
+
+This plugin supports the following configuration options plus the <<plugins-{type}s-common-options>> described later.
+
+[cols="<,<,<",options="header",]
+|=======================================================================
+|Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-port>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-remap>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-strip_leading_underscore>> |<<boolean,boolean>>|No
+|=======================================================================
+
+Also see <<plugins-{type}s-common-options>> for a list of options supported by all
+input plugins.
+
+&nbsp;
+
+[id="plugins-{type}s-{plugin}-host"]
+===== `host` 
+
+  * Value type is <<string,string>>
+  * Default value is `"0.0.0.0"`
+
+The IP address or hostname to listen on.
+
+[id="plugins-{type}s-{plugin}-port"]
+===== `port` 
+
+  * Value type is <<number,number>>
+  * Default value is `12201`
+
+The port to listen on. Remember that ports less than 1024 (privileged
+ports) may require root to use.
+
+[id="plugins-{type}s-{plugin}-remap"]
+===== `remap` 
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `true`
+
+Whether or not to remap the GELF message fields to Logstash event fields or
+leave them intact.
+
+Remapping converts the following GELF fields to Logstash equivalents:
+
+* `full\_message` becomes `event.get("message")`.
+* if there is no `full\_message`, `short\_message` becomes `event.get("message")`.
+
+[id="plugins-{type}s-{plugin}-strip_leading_underscore"]
+===== `strip_leading_underscore` 
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `true`
+
+Whether or not to remove the leading `\_` in GELF fields or leave them
+in place. (Logstash < 1.2 did not remove them by default.). Note that
+GELF version 1.1 format now requires all non-standard fields to be added
+as an "additional" field, beginning with an underscore.
+
+e.g. `\_foo` becomes `foo`
+
+
+
+
+include::{include_path}/{type}.asciidoc[]

data/lib/logstash/inputs/delf.rb

@@ -0,0 +1,241 @@
+# encoding: utf-8
+require "logstash/inputs/base"
+require "logstash/namespace"
+require "logstash/json"
+require "logstash/timestamp"
+require "stud/interval"
+require "date"
+require "socket"
+
+# This input will read GELF messages as events over the network,
+# making it a good choice if you already use Graylog2 today.
+#
+# The main use case for this input is to leverage existing GELF
+# logging libraries such as the GELF log4j appender. A library used
+# by this plugin has a bug which prevents it parsing uncompressed data.
+# If you use the log4j appender you need to configure it like this to force
+# gzip even for small messages:
+#
+#   <Socket name="logstash" protocol="udp" host="logstash.example.com" port="5001">
+#      <GelfLayout compressionType="GZIP" compressionThreshold="1" />
+#   </Socket>
+#
+#
+class LogStash::Inputs::Delf < LogStash::Inputs::Base
+  config_name "delf"
+
+  default :codec, "plain"
+
+  # The IP address or hostname to listen on.
+  config :host, :validate => :string, :default => "0.0.0.0"
+
+  # The port to listen on. Remember that ports less than 1024 (privileged
+  # ports) may require root to use.
+  config :port, :validate => :number, :default => 12201
+
+  # The incomplete mark, line ends with this mark will be considered as a incomplete event
+  config :continue_mark, :validate => :string, :default => "\\"
+
+  # The field to identify different event stream, for Docker events, it's 'container_id'
+  config :track, :validate => :string, :default => 'container_id'
+
+  RECONNECT_BACKOFF_SLEEP = 5
+  TIMESTAMP_GELF_FIELD = "timestamp".freeze
+  SOURCE_HOST_FIELD = "source_host".freeze
+  MESSAGE_FIELD = "message"
+  TAGS_FIELD = "tags"
+  PARSE_FAILURE_TAG = "_jsonparsefailure"
+  PARSE_FAILURE_LOG_MESSAGE = "JSON parse failure. Falling back to plain-text"
+
+  public
+  def initialize(params)
+    super
+    BasicSocket.do_not_reverse_lookup = true
+    @incomplete_events = {}
+  end # def initialize
+
+  public
+  def register
+    require 'gelfd'
+  end # def register
+
+  public
+  def run(output_queue)
+    begin
+      # udp server
+      udp_listener(output_queue)
+    rescue => e
+      unless stop?
+        @logger.warn("delf listener died", :exception => e, :backtrace => e.backtrace)
+        Stud.stoppable_sleep(RECONNECT_BACKOFF_SLEEP) { stop? }
+        retry unless stop?
+      end
+    end # begin
+  end # def run
+
+  public
+  def stop
+    @udp.close
+  rescue IOError # the plugin is currently shutting down, so its safe to ignore theses errors
+  end
+
+  private
+  def udp_listener(output_queue)
+    @logger.info("Starting delf listener", :address => "#{@host}:#{@port}")
+
+    @udp = UDPSocket.new(Socket::AF_INET)
+    @udp.bind(@host, @port)
+
+    while !stop?
+      line, client = @udp.recvfrom(8192)
+
+      begin
+        data = Gelfd::Parser.parse(line)
+      rescue => ex
+        @logger.warn("Gelfd failed to parse a message skipping", :exception => ex, :backtrace => ex.backtrace)
+        next
+      end
+
+      # Gelfd parser outputs null if it received and cached a non-final chunk
+      next if data.nil?
+
+      event = self.class.new_event(data, client[3])
+      next if event.nil?
+
+      remap_gelf(event)
+      strip_leading_underscore(event)
+      decorate(event)
+
+      event = handle_multiline(event)
+      next if event.nil?
+
+      output_queue << event
+    end
+  end # def udp_listener
+
+  # generate a new LogStash::Event from json input and assign host to source_host event field.
+  # @param json_gelf [String] GELF json data
+  # @param host [String] source host of GELF data
+  # @return [LogStash::Event] new event with parsed json gelf, assigned source host and coerced timestamp
+  def self.new_event(json_gelf, host)
+    event = parse(json_gelf)
+    return if event.nil?
+
+    event.set(SOURCE_HOST_FIELD, host)
+
+    if (gelf_timestamp = event.get(TIMESTAMP_GELF_FIELD)).is_a?(Numeric)
+      event.timestamp = self.coerce_timestamp(gelf_timestamp)
+      event.remove(TIMESTAMP_GELF_FIELD)
+    end
+
+    event
+  end
+
+  # transform a given timestamp value into a proper LogStash::Timestamp, preserving microsecond precision
+  # and work around a JRuby issue with Time.at loosing fractional part with BigDecimal.
+  # @param timestamp [Numeric] a Numeric (integer, float or bigdecimal) timestampo representation
+  # @return [LogStash::Timestamp] the proper LogStash::Timestamp representation
+  def self.coerce_timestamp(timestamp)
+    # bug in JRuby prevents correcly parsing a BigDecimal fractional part, see https://github.com/elastic/logstash/issues/4565
+    timestamp.is_a?(BigDecimal) ? LogStash::Timestamp.at(timestamp.to_i, timestamp.frac * 1000000) : LogStash::Timestamp.at(timestamp)
+  end
+
+  # from_json_parse uses the Event#from_json method to deserialize and directly produce events
+  def self.from_json_parse(json)
+    # from_json will always return an array of item.
+    # in the context of gelf, the payload should be an array of 1
+    LogStash::Event.from_json(json).first
+  rescue LogStash::Json::ParserError => e
+    logger.error(PARSE_FAILURE_LOG_MESSAGE, :error => e, :data => json)
+    LogStash::Event.new(MESSAGE_FIELD => json, TAGS_FIELD => [PARSE_FAILURE_TAG, '_fromjsonparser'])
+  end # def self.from_json_parse
+
+  # legacy_parse uses the LogStash::Json class to deserialize json
+  def self.legacy_parse(json)
+    o = LogStash::Json.load(json)
+    LogStash::Event.new(o)
+  rescue LogStash::Json::ParserError => e
+    logger.error(PARSE_FAILURE_LOG_MESSAGE, :error => e, :data => json)
+    LogStash::Event.new(MESSAGE_FIELD => json, TAGS_FIELD => [PARSE_FAILURE_TAG, '_legacyjsonparser'])
+  end # def self.parse
+
+  # keep compatibility with all v2.x distributions. only in 2.3 will the Event#from_json method be introduced
+  # and we need to keep compatibility for all v2 releases.
+  class << self
+    alias_method :parse, LogStash::Event.respond_to?(:from_json) ? :from_json_parse : :legacy_parse
+  end
+
+  private
+  def remap_gelf(event)
+    if event.get("full_message") && !event.get("full_message").empty?
+      event.set("message", event.get("full_message").dup)
+      event.remove("full_message")
+      if event.get("short_message") == event.get("message")
+        event.remove("short_message")
+      end
+    elsif event.get("short_message") && !event.get("short_message").empty?
+      event.set("message", event.get("short_message").dup)
+      event.remove("short_message")
+    end
+  end # def remap_gelf
+
+  private
+  def strip_leading_underscore(event)
+     # Map all '_foo' fields to simply 'foo'
+     event.to_hash.keys.each do |key|
+       next unless key[0,1] == "_"
+       event.set(key[1..-1], event.get(key))
+       event.remove(key)
+     end
+  end # def removing_leading_underscores
+
+  private
+  def handle_multiline(event)
+    # Ignore if no track found
+    track_id = event.get(@track)
+    return event unless track_id.kind_of?(String)
+
+    # Ignore if no message found
+    message = event.get("message")
+    return event unless message.kind_of?(String)
+
+    # Fetch last event
+    last_event = @incomplete_events[track_id]
+
+    if message.end_with?(@continue_mark)
+      # remove the continue_mark
+      message = message.slice(0, message.length - @continue_mark.length)
+      # If it's an incomplete event
+      if last_event.nil?
+        # update the message
+        event.set("message", message)
+        # cache it as a pending event
+        @incomplete_events[track_id] = event
+        return nil
+      else
+        # append content to pending event
+        last_event.set("message", last_event.get("message") + "\n" + message)
+        # limit message length to 5000
+        if last_event.get("message").length > 5000
+          @incomplete_events[track_id] = nil
+          return last_event
+        else
+          return nil
+        end
+      end
+    else
+      # If it's not an incomplete event
+      if last_event.nil?
+        # just return if no pending incomplete event
+        return event
+      else
+        # append content to pending incomplete event and return it
+        last_event.set("message", last_event.get("message") + "\n" + message)
+        # clear the pending incomplete event
+        @incomplete_events[track_id] = nil
+        return last_event
+      end
+    end
+  end #def handle_multiline
+
+end # class LogStash::Inputs::Gelf

data/logstash-input-delf.gemspec

@@ -0,0 +1,32 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-input-delf'
+  s.version         = '3.0.3'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "This input will read GELF messages as events over the network, making it a good choice if you already use Graylog2 today."
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.authors         = ["Elastic"]
+  s.email           = 'info@elastic.co'
+  s.homepage        = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir["lib/**/*","spec/**/*","*.gemspec","*.md","CONTRIBUTORS","Gemfile","LICENSE","NOTICE.TXT", "vendor/jar-dependencies/**/*.jar", "vendor/jar-dependencies/**/*.rb", "VERSION", "docs/**/*"]
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+
+  s.add_runtime_dependency "gelfd", ["0.2.0"]                 #(Apache 2.0 license)
+  s.add_runtime_dependency 'logstash-codec-plain'
+  s.add_runtime_dependency "stud", "~> 0.0.22"
+
+  s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency "gelf", ["1.3.2"]                  #(MIT license)
+  s.add_development_dependency "flores"
+end

data/spec/inputs/delf_spec.rb

@@ -0,0 +1,277 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/inputs/delf"
+require_relative "../support/helpers"
+require "gelf"
+require "flores/random"
+
+describe LogStash::Inputs::Delf do
+  context "when interrupting the plugin" do
+    let(:port) { Flores::Random.integer(1024..65535) }
+    let(:host) { "127.0.0.1" }
+    let(:chunksize) { 1420 }
+    let(:producer) { InfiniteDelfProducer.new(host, port, chunksize) }
+    let(:config) {  { "host" => host, "port" => port } }
+
+    before { producer.run }
+    after { producer.stop }
+
+
+    it_behaves_like "an interruptible input plugin"
+  end
+
+  it "reads chunked gelf messages " do
+    port = 12209
+    host = "127.0.0.1"
+    chunksize = 1420
+    gelfclient = GELF::Notifier.new(host, port, chunksize)
+
+    conf = <<-CONFIG
+      input {
+        delf {
+          port => "#{port}"
+          host => "#{host}"
+        }
+      }
+    CONFIG
+
+    large_random = 2000.times.map{32 + rand(126 - 32)}.join("")
+
+    messages = [
+      "hello",
+      "world",
+      large_random,
+      "we survived delf!"
+    ]
+
+    events = input(conf) do |pipeline, queue|
+      # send a first message until plugin is up and receives it
+      while queue.size <= 0
+        gelfclient.notify!("short_message" => "prime")
+        sleep(0.1)
+      end
+      gelfclient.notify!("short_message" => "start")
+
+      e = queue.pop
+      while (e.get("message") != "start")
+        e = queue.pop
+      end
+
+      messages.each do |m|
+  	    gelfclient.notify!("short_message" => m)
+      end
+
+      messages.map{queue.pop}
+    end
+
+    events.each_with_index do |e, i|
+      insist { e.get("message") } == messages[i]
+      insist { e.get("host") } == Socket.gethostname
+    end
+  end
+
+  it "handles multi-line messages " do
+    port = 12209
+    host = "127.0.0.1"
+    chunksize = 1420
+    gelfclient = GELF::Notifier.new(host, port, chunksize)
+
+    conf = <<-CONFIG
+      input {
+        delf {
+          port => "#{port}"
+          host => "#{host}"
+        }
+      }
+    CONFIG
+
+    messages = [{
+      "_container_id" => "dummy1",
+      "short_message" => "single1"
+    },{
+      "_container_id" => "dummy2",
+      "short_message" => "single2"
+    },{
+      "_container_id" => "dummy1",
+      "short_message" => "multi1\\"
+    },{
+      "_container_id" => "dummy2",
+      "short_message" => "multi2\\"
+    },{
+      "_container_id" => "dummy1",
+      "short_message" => "multi3\\"
+    },{
+      "_container_id" => "dummy2",
+      "short_message" => "multi4\\"
+    },{
+      "_container_id" => "dummy2",
+      "short_message" => "multi5" # dummy2 multi ended first
+    },{
+      "_container_id" => "dummy1",
+      "short_message" => "multi6"
+    },{
+      "_container_id" => "dummy2",
+      "short_message" => "single3"
+    },{
+      "_container_id" => "dummy1",
+      "short_message" => "single4"
+    }]
+
+    events = input(conf) do |pipeline, queue|
+      # send a first message until plugin is up and receives it
+      while queue.size <= 0
+        gelfclient.notify!("short_message" => "prime")
+        sleep(0.1)
+      end
+      gelfclient.notify!("short_message" => "start")
+
+      e = queue.pop
+      while (e.get("message") != "start")
+        e = queue.pop
+      end
+
+      messages.each do |m|
+        gelfclient.notify!(m)
+      end
+
+      results = []
+
+      6.times do
+        results << queue.pop
+      end
+
+      results
+    end
+
+    insist { events.count } == 6
+
+    insist { events[0].get("container_id") } == "dummy1"
+    insist { events[0].get("message") } == "single1"
+    insist { events[1].get("container_id") } == "dummy2"
+    insist { events[1].get("message") } == "single2"
+    insist { events[2].get("container_id") } == "dummy2"
+    insist { events[2].get("message") } == "multi2\nmulti4\nmulti5"
+    insist { events[3].get("container_id") } == "dummy1"
+    insist { events[3].get("message") } == "multi1\nmulti3\nmulti6"
+    insist { events[4].get("container_id") } == "dummy2"
+    insist { events[4].get("message") } == "single3"
+    insist { events[5].get("container_id") } == "dummy1"
+    insist { events[5].get("message") } == "single4"
+  end
+
+  context "timestamp coercion" do
+    # these test private methods, this is advisable for now until we roll out this coercion in the Timestamp class
+    # and remove this
+
+    context "integer numeric values" do
+      it "should coerce" do
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800).to_iso8601).to eq("2000-01-01T05:00:00.000Z")
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800).usec).to eq(0)
+      end
+    end
+
+    context "float numeric values" do
+      # using explicit and certainly useless to_f here just to leave no doubt about the numeric type involved
+
+      it "should coerce and preserve millisec precision in iso8601" do
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.1.to_f).to_iso8601).to eq("2000-01-01T05:00:00.100Z")
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.12.to_f).to_iso8601).to eq("2000-01-01T05:00:00.120Z")
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.123.to_f).to_iso8601).to eq("2000-01-01T05:00:00.123Z")
+      end
+
+      it "should coerce and preserve usec precision" do
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.1.to_f).usec).to eq(100000)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.12.to_f).usec).to eq(120000)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.123.to_f).usec).to eq(123000)
+
+        # since Java Timestamp in 2.3+ relies on JodaTime which supports only millisec precision
+        # the usec method will only be precise up to millisec.
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.1234.to_f).usec).to be_within(1000).of(123400)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.12345.to_f).usec).to be_within(1000).of(123450)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(946702800.123456.to_f).usec).to be_within(1000).of(123456)
+      end
+    end
+
+    context "BigDecimal numeric values" do
+      it "should coerce and preserve millisec precision in iso8601" do
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.1")).to_iso8601).to eq("2000-01-01T05:00:00.100Z")
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.12")).to_iso8601).to eq("2000-01-01T05:00:00.120Z")
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.123")).to_iso8601).to eq("2000-01-01T05:00:00.123Z")
+      end
+
+      it "should coerce and preserve usec precision" do
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.1")).usec).to eq(100000)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.12")).usec).to eq(120000)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.123")).usec).to eq(123000)
+
+        # since Java Timestamp in 2.3+ relies on JodaTime which supports only millisec precision
+        # the usec method will only be precise up to millisec.
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.1234")).usec).to be_within(1000).of(123400)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.12345")).usec).to be_within(1000).of(123450)
+        expect(LogStash::Inputs::Delf.coerce_timestamp(BigDecimal.new("946702800.123456")).usec).to be_within(1000).of(123456)
+      end
+    end
+  end
+
+  context "json timestamp coercion" do
+    # these test private methods, this is advisable for now until we roll out this coercion in the Timestamp class
+    # and remove this
+
+    it "should coerce integer numeric json timestamp input" do
+      event = LogStash::Inputs::Delf.new_event("{\"timestamp\":946702800}", "dummy")
+      expect(event.timestamp.to_iso8601).to eq("2000-01-01T05:00:00.000Z")
+    end
+
+    it "should coerce float numeric value and preserve milliseconds precision in iso8601" do
+      event = LogStash::Inputs::Delf.new_event("{\"timestamp\":946702800.123}", "dummy")
+      expect(event.timestamp.to_iso8601).to eq("2000-01-01T05:00:00.123Z")
+    end
+
+    it "should coerce float numeric value and preserve usec precision" do
+      # since Java Timestamp in 2.3+ relies on JodaTime which supports only millisec precision
+      # the usec method will only be precise up to millisec.
+
+      event = LogStash::Inputs::Delf.new_event("{\"timestamp\":946702800.123456}", "dummy")
+      expect(event.timestamp.usec).to be_within(1000).of(123456)
+    end
+  end
+
+  context "when an invalid JSON is fed to the listener" do
+    subject { LogStash::Inputs::Delf.new_event(message, "host") }
+    let(:message) { "Invalid JSON message" }
+
+    if LogStash::Event.respond_to?(:from_json)
+      context "default :from_json parser output" do
+        it { should be_a(LogStash::Event) }
+
+        it "falls back to plain-text" do
+          expect(subject.get("message")).to eq(message)
+        end
+
+        it "tags message with _jsonparsefailure" do
+          expect(subject.get("tags")).to include("_jsonparsefailure")
+        end
+
+        it "tags message with _fromjsonparser" do
+          expect(subject.get("tags")).to include("_fromjsonparser")
+        end
+      end
+    else
+      context "legacy JSON parser output" do
+        it { should be_a(LogStash::Event) }
+
+        it "falls back to plain-text" do
+          expect(subject.get("message")).to eq(message)
+        end
+
+        it "tags message with _jsonparsefailure" do
+          expect(subject.get("tags")).to include("_jsonparsefailure")
+        end
+
+        it "tags message with _legacyjsonparser" do
+          expect(subject.get("tags")).to include("_legacyjsonparser")
+        end
+      end
+    end
+  end
+end

data/spec/support/helpers.rb

@@ -0,0 +1,18 @@
+# encoding: utf-8
+class InfiniteDelfProducer
+  def initialize(host, port, chunksize)
+    @client = GELF::Notifier.new(host, port, chunksize)
+  end
+
+  def run
+    @producer = Thread.new do
+      while true
+        @client.notify!("short_message" => "hello world")
+      end
+    end
+  end
+
+  def stop
+    @producer.kill
+  end
+end

metadata

@@ -0,0 +1,162 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-delf
+version: !ruby/object:Gem::Version
+  version: 3.0.3
+platform: ruby
+authors:
+- Elastic
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2017-05-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  name: gelfd
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-codec-plain
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+  name: stud
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+  name: gelf
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: flores
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
+email: info@elastic.co
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- docs/index.asciidoc
+- lib/logstash/inputs/delf.rb
+- logstash-input-delf.gemspec
+- spec/inputs/delf_spec.rb
+- spec/support/helpers.rb
+homepage: http://www.elastic.co/guide/en/logstash/current/index.html
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: input
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: This input will read GELF messages as events over the network, making it a good choice if you already use Graylog2 today.
+test_files:
+- spec/inputs/delf_spec.rb
+- spec/support/helpers.rb