RubyGems - logstash-input-syslog - Versions diffs - 3.5.0 → 3.7.0 - Mend

logstash-input-syslog 3.5.0 → 3.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -0
data/docs/index.asciidoc +1 -1
data/lib/logstash/inputs/syslog.rb +18 -3
data/logstash-input-syslog.gemspec +4 -4
data/spec/inputs/syslog_spec.rb +243 -199
metadata +11 -12

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f54c37d7c50508f001a49df641a45df74cf61cf4c4a4fcebafef442e380df68
-  data.tar.gz: 8c269bbad63b3ee0b022e7e206fc0884ed213b38380b15bdda9ee421e7f8ebeb
+  metadata.gz: 0c25de14662bbd82e873e09199f770ae115e73ab837d78300ad23d2f1a5f8617
+  data.tar.gz: ce332bc77901424f297d992d43c08999fbc30cc69547af624ead0d3aef2486f7
 SHA512:
-  metadata.gz: 8c886952d2095e9cefddeaaebbefa8495b78732b74350a6579849dd22da8f85f3065a35b411ce8952cd2cb12a80d49468cb44eeabfac4d93d8610663f7536366
-  data.tar.gz: a254785ecca431fc409bd2ebd031a14b2901295f2293913c6d7f92629327e8694e1ee2e13e7e04898cdc7c1939f29b1a6bb674e5dbc183b7c5c1487146d47284
+  metadata.gz: 5a1cf93965af7f77e9f543d339567c0cba16e481d325c345fea9fcd945a85f032ab87ff4f135c4ebff82c44f14365e650e9e6fe08ef546efab42c8ba56cd273e
+  data.tar.gz: b6c4d596cac63c5432717086040ba6fb03cb2f7ae17b813f7414facef60c33cd3f3ea3239e5933768e2ca03721e596744d3301126087bc224db1c8abb09e4d72

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,11 @@
+## 3.7.0
+  - Changed the TCP reading mode to use the non-blocking method [#75](https://github.com/logstash-plugins/logstash-input-syslog/pull/75)
+    It fixes the high CPU usage when TCP clients do not properly disconnect/send EOF.
+  - Fixed broken tests
+## 3.6.0
+  - Add support for ECS v8 as alias to v1 implementation [#68](https://github.com/logstash-plugins/logstash-input-syslog/pull/68)
 ## 3.5.0
   - Feat: ECS compatibility support [#63](https://github.com/logstash-plugins/logstash-input-syslog/pull/63)

data/docs/index.asciidoc CHANGED Viewed

@@ -71,7 +71,7 @@ input plugins.
   * Value type is <<string,string>>
   * Supported values are:
     ** `disabled`: does not use ECS-compatible field names (for example, `priority` for syslog priority)
-    ** `v1`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
+    ** `v1`,`v8`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
   * Default value depends on which version of Logstash is running:
     ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
     ** Otherwise, the default value is `disabled`.

data/lib/logstash/inputs/syslog.rb CHANGED Viewed

@@ -26,7 +26,7 @@ require "stud/interval"
 # Note: This input will start listeners on both TCP and UDP.
 #
 class LogStash::Inputs::Syslog < LogStash::Inputs::Base
-  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
   config_name "syslog"
@@ -221,6 +221,21 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
     close_tcp
   end # def tcp_listener
+  def tcp_read_lines(socket)
+    buffer = String.new
+    loop do
+      begin
+        buffer << socket.read_nonblock(1024)
+        while (newline = buffer.index("\n"))
+          yield buffer.slice!(0..newline)
+        end
+      rescue IO::WaitReadable
+        IO.select([socket], nil)
+        retry
+      end
+    end
+  end
   # tcp_receiver is executed in a thread, any uncatched exception will be bubbled up to the
   # tcp server thread and all tcp connections will be closed and the listener restarted.
   def tcp_receiver(output_queue, socket)
@@ -232,7 +247,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
     first_read = true
-    socket.each do |line|
+    tcp_read_lines(socket) do |line|
       metric.increment(:messages_received)
       if @proxy_protocol && first_read
         first_read = false
@@ -253,7 +268,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
   rescue Errno::ECONNRESET
     # swallow connection reset exceptions to avoid bubling up the tcp_listener & server
     logger.info("connection reset", :client => "#{ip}:#{port}")
-  rescue Errno::EBADF
+  rescue Errno::EBADF, EOFError
     # swallow connection closed exceptions to avoid bubling up the tcp_listener & server
     logger.info("connection closed", :client => "#{ip}:#{port}")
   rescue IOError => e

data/logstash-input-syslog.gemspec CHANGED Viewed

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-input-syslog'
-  s.version         = '3.5.0'
+  s.version         = '3.7.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads syslog messages as events"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -21,16 +21,16 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.1'
+  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.2'
   s.add_runtime_dependency 'concurrent-ruby'
   s.add_runtime_dependency 'stud', '>= 0.0.22', '< 0.1.0'
   s.add_runtime_dependency 'logstash-codec-plain'
-  s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.0'
+  s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.1'
   s.add_runtime_dependency 'logstash-filter-date'
-  s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'logstash-devutils', '~> 2.3'
   s.add_development_dependency 'logstash-codec-cef'
 end

data/spec/inputs/syslog_spec.rb CHANGED Viewed

@@ -33,80 +33,18 @@ require "socket"
 describe LogStash::Inputs::Syslog do
   SYSLOG_LINE = "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]"
-  it "should properly handle priority, severity and facilities" do
-    skip_if_stack_known_issue
-    port = 5511
-    event_count = 10
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(SYSLOG_LINE)
-      end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-    end
-  end
-  it "should properly PROXY protocol v1" do
-    skip_if_stack_known_issue
-    port = 5511
-    event_count = 10
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-          proxy_protocol => true
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      socket.puts("PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r");
-      socket.flush
-      event_count.times do |i|
-        socket.puts(SYSLOG_LINE)
-      end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-      expect( event.get("host") ).to eql "1.2.3.4"
-    end
-  end
-  context 'tag', :ecs_compatibility_support do
-    ecs_compatibility_matrix(:disabled, :v1) do
+  context 'ECS common behavior', :ecs_compatibility_support do
+    ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
+      let(:priority_key) { ecs_select[disabled:'priority', v1:'[log][syslog][priority]'] }
+      let(:facility_key) { ecs_select[disabled:'facility', v1:'[log][syslog][facility][code]'] }
+      let(:severity_key) { ecs_select[disabled:'severity', v1:'[log][syslog][severity][code]'] }
+      let(:host_key) { ecs_select[disabled:'host', v1:'[host][ip]'] }
       before(:each) do
         allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
       end
-      it "should add unique tag when grok parsing fails with live syslog input" do
+      it "should properly handle priority, severity and facilities" do
         skip_if_stack_known_issue
         port = 5511
         event_count = 10
@@ -122,7 +60,7 @@ describe LogStash::Inputs::Syslog do
         events = input(conf) do |pipeline, queue|
           socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
           event_count.times do |i|
-            socket.puts("message which causes the a grok parse failure")
+            socket.puts(SYSLOG_LINE)
           end
           socket.close
@@ -130,38 +68,31 @@ describe LogStash::Inputs::Syslog do
         end
         expect( events.length ).to eql event_count
-        event_count.times do |i|
-          expect( events[i].get("tags") ).to eql ["_grokparsefailure_sysloginput"]
+        events.each do |event|
+          expect( event.get(priority_key) ).to eql 164
+          expect( event.get(severity_key) ).to eql 4
+          expect( event.get(facility_key) ).to eql 20
         end
       end
-    end
-  end
-  context 'timestamp', :ecs_compatibility_support do
-    ecs_compatibility_matrix(:disabled, :v1) do
-      before(:each) do
-        allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
-      end
-      it "should properly handle locale and timezone" do
+      it "should properly PROXY protocol v1" do
+        skip_if_stack_known_issue
         port = 5511
         event_count = 10
         conf = <<-CONFIG
           input {
             syslog {
               type => "blah"
               port => #{port}
-              locale => "en"
-              timezone => "UTC"
+              proxy_protocol => true
             }
           }
         CONFIG
         events = input(conf) do |pipeline, queue|
           socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+          socket.puts("PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r\n")
+          socket.flush
           event_count.times do |i|
             socket.puts(SYSLOG_LINE)
           end
@@ -172,52 +103,217 @@ describe LogStash::Inputs::Syslog do
         expect( events.length ).to eql event_count
         events.each do |event|
-          expect( event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T15:19:25.000Z"
+          expect( event.get(priority_key) ).to eql 164
+          expect( event.get(severity_key) ).to eql 4
+          expect( event.get(facility_key) ).to eql 20
+          expect( event.get(host_key) ).to eql "1.2.3.4"
         end
       end
-      it "should properly handle no locale and no timezone" do
-        port = 5511
+      context 'grok' do
+        it "should add unique tag when grok parsing fails with live syslog input" do
+          skip_if_stack_known_issue
+          port = 5511
+          event_count = 10
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+              }
+            }
+          CONFIG
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts("message which causes the a grok parse failure")
+            end
+            socket.close
+            event_count.times.collect { queue.pop }
+          end
+          expect( events.length ).to eql event_count
+          event_count.times do |i|
+            expect( events[i].get("tags") ).to eql ["_grokparsefailure_sysloginput"]
+          end
+        end
-        conf = <<-CONFIG
-          input {
-            syslog {
-              type => "blah"
-              port => #{port}
+        it "should add unique tag when grok parsing fails" do
+          input = LogStash::Inputs::Syslog.new({})
+          input.register
+          # event which is not syslog should have a new tag
+          event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
+          input.syslog_relay(event)
+          expect( event.get("tags") ).to eql  ["_grokparsefailure_sysloginput"]
+          syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+          input.syslog_relay(syslog_event)
+          expect( syslog_event.get(priority_key) ).to eql 164
+          expect( syslog_event.get(severity_key) ).to eql 4
+          expect( syslog_event.get("tags") ).to be nil
+          input.close
+        end
+        it "should properly handle a custom grok_pattern" do
+          port = 5511
+          event_count = 1
+          custom_grok = "<%{POSINT:#{priority_key}}>%{SYSLOGTIMESTAMP:timestamp} atypical %{GREEDYDATA:message}"
+          message_field = "This part constitutes the message field"
+          timestamp = "Oct 26 15:19:25"
+          custom_line = "<164>#{timestamp} atypical #{message_field}"
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+                grok_pattern => "#{custom_grok}"
+              }
             }
-          }
-        CONFIG
+          CONFIG
-        event = input(conf) do |pipeline, queue|
-          socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-          socket.puts(SYSLOG_LINE)
-          socket.close
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(custom_line)
+            end
+            socket.close
+            event_count.times.collect { queue.pop }
+          end
-          queue.pop
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get(priority_key) ).to eql 164
+            expect( event.get(severity_key) ).to eql 4
+            expect( event.get(facility_key) ).to eql 20
+            expect( event.get("message") ).to eql "#{message_field}\n"
+            expect( event.get('timestamp') ).to eql timestamp if ecs_compatibility == :disabled
+            expect( event.include?('timestamp') ).to be false if ecs_compatibility != :disabled
+          end
         end
-        # chances platform timezone is not UTC so ignore the hours
-        expect( event.get("@timestamp").to_iso8601 ).to match /#{Time.now.year}-10-26T\d\d:19:25.000Z/
+        it "should properly handle the cef codec with a custom grok_pattern" do
+          port = 5511
+          event_count = 1
+          custom_grok = "<%{POSINT:#{priority_key}}>%{TIMESTAMP_ISO8601:timestamp} atypical %{GREEDYDATA:syslog_message}"
+          timestamp = "2018-02-07T12:40:00.000Z"
+          cef_message = "Description Omitted"
+          syslog_message = "foo bar"
+          syslog_message_envelope = "<134>#{timestamp} atypical #{syslog_message}"
+          custom_line = "CEF:0|Company Name|Application Name|Application Version Number|632|Syslog Configuration Updated|3|src=192.168.0.1 suser=user@example.com target=TARGET msg=#{cef_message} syslog=#{syslog_message_envelope} KeyValueOne=kv1 KeyValueTwo=12345 "
+          conf = <<-CONFIG
+            input {
+              syslog {
+                port => #{port}
+                syslog_field => "syslog"
+                grok_pattern => "#{custom_grok}"
+                codec => cef { ecs_compatibility => #{ ecs_compatibility } }
+              }
+            }
+          CONFIG
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(custom_line)
+            end
+            socket.close
+            event_count.times.collect { queue.pop }
+          end
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get(priority_key) ).to eql 134
+            expect( event.get(severity_key) ).to eql 6
+            expect( event.get(facility_key) ).to eql 16
+            expect( event.get("message") ).to eql cef_message
+            expect( event.get("syslog_message") ).to eql syslog_message
+            expect( event.get('timestamp') ).to eql timestamp if ecs_compatibility == :disabled
+            expect( event.include?('timestamp') ).to be false if ecs_compatibility != :disabled
+          end
+        end
       end
-      it "should support non UTC timezone" do
-        input = LogStash::Inputs::Syslog.new({"timezone" => "-05:00"})
-        input.register
+      context 'timestamp' do
+        it "should properly handle locale and timezone" do
+          port = 5511
+          event_count = 10
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+                locale => "en"
+                timezone => "UTC"
+              }
+            }
+          CONFIG
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(SYSLOG_LINE)
+            end
+            socket.close
-        # event which is not syslog should have a new tag
+            event_count.times.collect { queue.pop }
+          end
-        syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
-        input.syslog_relay(syslog_event)
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T15:19:25Z")
+          end
+        end
-        expect( syslog_event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T20:19:25.000Z"
+        it "should properly handle no locale and no timezone" do
+          port = 5511
-        input.close
-      end
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+              }
+            }
+          CONFIG
+          event = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            socket.puts(SYSLOG_LINE)
+            socket.close
+            queue.pop
+          end
+          # chances platform timezone is not UTC, so parse without offset to create expectation
+          equivalent_time = Time.parse("#{Time.now.year}-10-26T15:19:25")
+          expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to(equivalent_time)
+        end
+        it "should support non UTC timezone" do
+          input = LogStash::Inputs::Syslog.new({"timezone" => "-05:00"})
+          input.register
+          # event which is not syslog should have a new tag
+          syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+          input.syslog_relay(syslog_event)
+          expect( syslog_event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T20:19:25Z")
+          input.close
+        end
+      end
     end
   end
-  context 'ECS behavior', :ecs_compatibility_support do
+  context 'ECS :v1 behavior', :ecs_compatibility_support do
     ecs_compatibility_matrix(:v1) do
@@ -269,7 +365,7 @@ describe LogStash::Inputs::Syslog do
       let(:socket) do
         server = double('tcp-server')
-        allow( server ).to receive(:each).and_yield "<133>Mar 11 08:44:43 precision kernel: [765135.424096] mce: CPU6: Package temperature/speed normal\n"
+        allow( subject ).to receive(:tcp_read_lines).and_yield("<133>Mar 11 08:44:43 precision kernel: [765135.424096] mce: CPU6: Package temperature/speed normal\n")
         allow( server ).to receive(:close)
         server
       end
@@ -285,103 +381,51 @@ describe LogStash::Inputs::Syslog do
     end
   end
-  it "should add unique tag when grok parsing fails" do
-    input = LogStash::Inputs::Syslog.new({})
-    input.register
+  context 'tcp receiver' do
+    subject(:plugin) { LogStash::Inputs::Syslog.new }
+    before { plugin.register }
+    after { plugin.close }
-    # event which is not syslog should have a new tag
-    event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
-    input.syslog_relay(event)
-    expect( event.get("tags") ).to eql  ["_grokparsefailure_sysloginput"]
+    let(:queue) { Queue.new }
+    let(:socket) do
+      socket = double('tcp-socket')
+      expect( socket ).to receive(:peeraddr).and_return(["AF_INET", 514, "192.168.0.10", "192.168.0.10"])
+      socket
+    end
-    syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
-    input.syslog_relay(syslog_event)
-    expect( syslog_event.get("priority") ).to eql 164
-    expect( syslog_event.get("severity") ).to eql 4
-    expect( syslog_event.get("tags") ).to be nil
+    it 'should close connection when client sends EOF' do
+      expect( socket ).to receive(:read_nonblock).and_raise(EOFError)
+      expect( socket ).to receive(:close)
+      allow( plugin.logger ).to receive(:info)
-    input.close
-  end
+      plugin.send :tcp_receiver, queue, socket
-  it_behaves_like 'an interruptible input plugin' do
-    let(:config) { { "port" => 5511 } }
-  end
+      expect( plugin.logger ).to have_received(:info).with(/connection closed/, anything)
+      expect( queue.size ).to eql 0
+    end
-  it "should properly handle a custom grok_pattern" do
-    port = 5511
-    event_count = 1
-    custom_grok = "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} atypical %{GREEDYDATA:message}"
-    message_field = "This part constitutes the message field"
-    timestamp = "Oct 26 15:19:25"
-    custom_line = "<164>#{timestamp} atypical #{message_field}"
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-          grok_pattern => "#{custom_grok}"
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(custom_line)
+    it 'should properly read partially received messages' do
+      expect( socket ).to receive(:close)
+      allow( plugin.codec ).to receive(:decode).and_call_original
+      messages = ["<133>Mar 11 08:44:43 localhost message 2\n", "message 1\n", "<133>Mar 11 08:44:43 localhost ", ]
+      allow( socket ).to receive(:read_nonblock).at_least(messages.size).times do
+        msg = messages.pop
+        raise EOFError unless msg
+        msg
       end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
+      plugin.send :tcp_receiver, queue, socket
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-      expect( event.get("message") ).to eql "#{message_field}\n"
-      expect( event.get("timestamp") ).to eql timestamp
+      expect( queue.size ).to eql 2
+      expect( plugin.codec ).to have_received(:decode).with("<133>Mar 11 08:44:43 localhost message 1\n")
+      expect( plugin.codec ).to have_received(:decode).with("<133>Mar 11 08:44:43 localhost message 2\n")
     end
   end
-  it "should properly handle the cef codec with a custom grok_pattern" do
-    port = 5511
-    event_count = 1
-    custom_grok = "<%{POSINT:priority}>%{TIMESTAMP_ISO8601:timestamp} atypical"
-    message_field = "Description Omitted"
-    timestamp = "2018-02-07T12:40:00.000Z"
-    custom_line = "<134>#{timestamp} atypical CEF:0|Company Name|Application Name|Application Version Number|632|Syslog Configuration Updated|3|src=192.168.0.1 suser=user@example.com target=TARGET msg=#{message_field} KeyValueOne=kv1 KeyValueTwo=12345 "
-    conf = <<-CONFIG
-      input {
-        syslog {
-          port => #{port}
-          syslog_field => "syslog"
-          grok_pattern => "#{custom_grok}"
-          codec => cef
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(custom_line)
-      end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 134
-      expect( event.get("severity") ).to eql 6
-      expect( event.get("facility") ).to eql 16
-      expect( event.get("message") ).to eql message_field
-      expect( event.get("timestamp") ).to eql timestamp
-    end
+  it_behaves_like 'an interruptible input plugin' do
+    let(:config) { { "port" => 5511 } }
   end
   private

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-syslog
 version: !ruby/object:Gem::Version
-  version: 3.5.0
+  version: 3.7.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-22 00:00:00.000000000 Z
+date: 2023-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
   name: logstash-mixin-ecs_compatibility_support
   prerelease: false
   type: :runtime
@@ -43,7 +43,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -97,7 +97,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.4.0
+        version: 4.4.1
   name: logstash-filter-grok
   prerelease: false
   type: :runtime
@@ -105,7 +105,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.4.0
+        version: 4.4.1
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -123,17 +123,17 @@ dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.3'
   name: logstash-devutils
   prerelease: false
   type: :development
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -187,8 +187,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Reads syslog messages as events