logstash-input-syslog 3.5.0 → 3.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f54c37d7c50508f001a49df641a45df74cf61cf4c4a4fcebafef442e380df68
-  data.tar.gz: 8c269bbad63b3ee0b022e7e206fc0884ed213b38380b15bdda9ee421e7f8ebeb
+  metadata.gz: 0c25de14662bbd82e873e09199f770ae115e73ab837d78300ad23d2f1a5f8617
+  data.tar.gz: ce332bc77901424f297d992d43c08999fbc30cc69547af624ead0d3aef2486f7
 SHA512:
-  metadata.gz: 8c886952d2095e9cefddeaaebbefa8495b78732b74350a6579849dd22da8f85f3065a35b411ce8952cd2cb12a80d49468cb44eeabfac4d93d8610663f7536366
-  data.tar.gz: a254785ecca431fc409bd2ebd031a14b2901295f2293913c6d7f92629327e8694e1ee2e13e7e04898cdc7c1939f29b1a6bb674e5dbc183b7c5c1487146d47284
+  metadata.gz: 5a1cf93965af7f77e9f543d339567c0cba16e481d325c345fea9fcd945a85f032ab87ff4f135c4ebff82c44f14365e650e9e6fe08ef546efab42c8ba56cd273e
+  data.tar.gz: b6c4d596cac63c5432717086040ba6fb03cb2f7ae17b813f7414facef60c33cd3f3ea3239e5933768e2ca03721e596744d3301126087bc224db1c8abb09e4d72

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 3.7.0
+  - Changed the TCP reading mode to use the non-blocking method [#75](https://github.com/logstash-plugins/logstash-input-syslog/pull/75)
+    It fixes the high CPU usage when TCP clients do not properly disconnect/send EOF.
+  - Fixed broken tests
+
+## 3.6.0
+  - Add support for ECS v8 as alias to v1 implementation [#68](https://github.com/logstash-plugins/logstash-input-syslog/pull/68)
+
 ## 3.5.0
   - Feat: ECS compatibility support [#63](https://github.com/logstash-plugins/logstash-input-syslog/pull/63)
 

data/docs/index.asciidoc

@@ -71,7 +71,7 @@ input plugins.
   * Value type is <<string,string>>
   * Supported values are:
     ** `disabled`: does not use ECS-compatible field names (for example, `priority` for syslog priority)
-    ** `v1`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
+    ** `v1`,`v8`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
   * Default value depends on which version of Logstash is running:
     ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
     ** Otherwise, the default value is `disabled`.

data/lib/logstash/inputs/syslog.rb

@@ -26,7 +26,7 @@ require "stud/interval"
 # Note: This input will start listeners on both TCP and UDP.
 #
 class LogStash::Inputs::Syslog < LogStash::Inputs::Base
-  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
 
   config_name "syslog"
 
@@ -221,6 +221,21 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
     close_tcp
   end # def tcp_listener
 
+  def tcp_read_lines(socket)
+    buffer = String.new
+    loop do
+      begin
+        buffer << socket.read_nonblock(1024)
+        while (newline = buffer.index("\n"))
+          yield buffer.slice!(0..newline)
+        end
+      rescue IO::WaitReadable
+        IO.select([socket], nil)
+        retry
+      end
+    end
+  end
+
   # tcp_receiver is executed in a thread, any uncatched exception will be bubbled up to the
   # tcp server thread and all tcp connections will be closed and the listener restarted.
   def tcp_receiver(output_queue, socket)
@@ -232,7 +247,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
 
     first_read = true
 
-    socket.each do |line|
+    tcp_read_lines(socket) do |line|
       metric.increment(:messages_received)
       if @proxy_protocol && first_read
         first_read = false
@@ -253,7 +268,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
   rescue Errno::ECONNRESET
     # swallow connection reset exceptions to avoid bubling up the tcp_listener & server
     logger.info("connection reset", :client => "#{ip}:#{port}")
-  rescue Errno::EBADF
+  rescue Errno::EBADF, EOFError
     # swallow connection closed exceptions to avoid bubling up the tcp_listener & server
     logger.info("connection closed", :client => "#{ip}:#{port}")
   rescue IOError => e

data/logstash-input-syslog.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-input-syslog'
-  s.version         = '3.5.0'
+  s.version         = '3.7.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads syslog messages as events"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -21,16 +21,16 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.1'
+  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.2'
 
   s.add_runtime_dependency 'concurrent-ruby'
   s.add_runtime_dependency 'stud', '>= 0.0.22', '< 0.1.0'
 
   s.add_runtime_dependency 'logstash-codec-plain'
-  s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.0'
+  s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.1'
   s.add_runtime_dependency 'logstash-filter-date'
 
-  s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'logstash-devutils', '~> 2.3'
   s.add_development_dependency 'logstash-codec-cef'
 end
 

data/spec/inputs/syslog_spec.rb

@@ -33,80 +33,18 @@ require "socket"
 describe LogStash::Inputs::Syslog do
   SYSLOG_LINE = "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]"
 
-  it "should properly handle priority, severity and facilities" do
-    skip_if_stack_known_issue
-    port = 5511
-    event_count = 10
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-        }
-      }
-    CONFIG
-
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(SYSLOG_LINE)
-      end
-      socket.close
-
-      event_count.times.collect { queue.pop }
-    end
-
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-    end
-  end
-
-  it "should properly PROXY protocol v1" do
-    skip_if_stack_known_issue
-    port = 5511
-    event_count = 10
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-          proxy_protocol => true
-        }
-      }
-    CONFIG
-
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      socket.puts("PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r");
-      socket.flush
-      event_count.times do |i|
-        socket.puts(SYSLOG_LINE)
-      end
-      socket.close
-
-      event_count.times.collect { queue.pop }
-    end
-
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-      expect( event.get("host") ).to eql "1.2.3.4"
-    end
-  end
-
-  context 'tag', :ecs_compatibility_support do
-    ecs_compatibility_matrix(:disabled, :v1) do
+  context 'ECS common behavior', :ecs_compatibility_support do
+    ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
+      let(:priority_key) { ecs_select[disabled:'priority', v1:'[log][syslog][priority]'] }
+      let(:facility_key) { ecs_select[disabled:'facility', v1:'[log][syslog][facility][code]'] }
+      let(:severity_key) { ecs_select[disabled:'severity', v1:'[log][syslog][severity][code]'] }
+      let(:host_key) { ecs_select[disabled:'host', v1:'[host][ip]'] }
 
       before(:each) do
         allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
       end
 
-      it "should add unique tag when grok parsing fails with live syslog input" do
+      it "should properly handle priority, severity and facilities" do
         skip_if_stack_known_issue
         port = 5511
         event_count = 10
@@ -122,7 +60,7 @@ describe LogStash::Inputs::Syslog do
         events = input(conf) do |pipeline, queue|
           socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
           event_count.times do |i|
-            socket.puts("message which causes the a grok parse failure")
+            socket.puts(SYSLOG_LINE)
           end
           socket.close
 
@@ -130,38 +68,31 @@ describe LogStash::Inputs::Syslog do
         end
 
         expect( events.length ).to eql event_count
-        event_count.times do |i|
-          expect( events[i].get("tags") ).to eql ["_grokparsefailure_sysloginput"]
+        events.each do |event|
+          expect( event.get(priority_key) ).to eql 164
+          expect( event.get(severity_key) ).to eql 4
+          expect( event.get(facility_key) ).to eql 20
         end
       end
 
-    end
-  end
-
-  context 'timestamp', :ecs_compatibility_support do
-    ecs_compatibility_matrix(:disabled, :v1) do
-
-      before(:each) do
-        allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
-      end
-
-      it "should properly handle locale and timezone" do
+      it "should properly PROXY protocol v1" do
+        skip_if_stack_known_issue
         port = 5511
         event_count = 10
-
         conf = <<-CONFIG
           input {
             syslog {
               type => "blah"
               port => #{port}
-              locale => "en"
-              timezone => "UTC"
+              proxy_protocol => true
             }
           }
         CONFIG
 
         events = input(conf) do |pipeline, queue|
           socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+          socket.puts("PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r\n")
+          socket.flush
           event_count.times do |i|
             socket.puts(SYSLOG_LINE)
           end
@@ -172,52 +103,217 @@ describe LogStash::Inputs::Syslog do
 
         expect( events.length ).to eql event_count
         events.each do |event|
-          expect( event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T15:19:25.000Z"
+          expect( event.get(priority_key) ).to eql 164
+          expect( event.get(severity_key) ).to eql 4
+          expect( event.get(facility_key) ).to eql 20
+          expect( event.get(host_key) ).to eql "1.2.3.4"
         end
       end
 
-      it "should properly handle no locale and no timezone" do
-        port = 5511
+      context 'grok' do
+        it "should add unique tag when grok parsing fails with live syslog input" do
+          skip_if_stack_known_issue
+          port = 5511
+          event_count = 10
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+              }
+            }
+          CONFIG
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts("message which causes the a grok parse failure")
+            end
+            socket.close
+            event_count.times.collect { queue.pop }
+          end
+          expect( events.length ).to eql event_count
+          event_count.times do |i|
+            expect( events[i].get("tags") ).to eql ["_grokparsefailure_sysloginput"]
+          end
+        end
 
-        conf = <<-CONFIG
-          input {
-            syslog {
-              type => "blah"
-              port => #{port}
+        it "should add unique tag when grok parsing fails" do
+          input = LogStash::Inputs::Syslog.new({})
+          input.register
+
+          # event which is not syslog should have a new tag
+          event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
+          input.syslog_relay(event)
+          expect( event.get("tags") ).to eql  ["_grokparsefailure_sysloginput"]
+
+          syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+          input.syslog_relay(syslog_event)
+          expect( syslog_event.get(priority_key) ).to eql 164
+          expect( syslog_event.get(severity_key) ).to eql 4
+          expect( syslog_event.get("tags") ).to be nil
+
+          input.close
+        end
+
+        it "should properly handle a custom grok_pattern" do
+          port = 5511
+          event_count = 1
+          custom_grok = "<%{POSINT:#{priority_key}}>%{SYSLOGTIMESTAMP:timestamp} atypical %{GREEDYDATA:message}"
+          message_field = "This part constitutes the message field"
+          timestamp = "Oct 26 15:19:25"
+          custom_line = "<164>#{timestamp} atypical #{message_field}"
+
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+                grok_pattern => "#{custom_grok}"
+              }
             }
-          }
-        CONFIG
+          CONFIG
 
-        event = input(conf) do |pipeline, queue|
-          socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-          socket.puts(SYSLOG_LINE)
-          socket.close
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(custom_line)
+            end
+            socket.close
+
+            event_count.times.collect { queue.pop }
+          end
 
-          queue.pop
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get(priority_key) ).to eql 164
+            expect( event.get(severity_key) ).to eql 4
+            expect( event.get(facility_key) ).to eql 20
+            expect( event.get("message") ).to eql "#{message_field}\n"
+            expect( event.get('timestamp') ).to eql timestamp if ecs_compatibility == :disabled
+            expect( event.include?('timestamp') ).to be false if ecs_compatibility != :disabled
+          end
         end
 
-        # chances platform timezone is not UTC so ignore the hours
-        expect( event.get("@timestamp").to_iso8601 ).to match /#{Time.now.year}-10-26T\d\d:19:25.000Z/
+        it "should properly handle the cef codec with a custom grok_pattern" do
+          port = 5511
+          event_count = 1
+
+          custom_grok = "<%{POSINT:#{priority_key}}>%{TIMESTAMP_ISO8601:timestamp} atypical %{GREEDYDATA:syslog_message}"
+          timestamp = "2018-02-07T12:40:00.000Z"
+          cef_message = "Description Omitted"
+          syslog_message = "foo bar"
+          syslog_message_envelope = "<134>#{timestamp} atypical #{syslog_message}"
+          custom_line = "CEF:0|Company Name|Application Name|Application Version Number|632|Syslog Configuration Updated|3|src=192.168.0.1 suser=user@example.com target=TARGET msg=#{cef_message} syslog=#{syslog_message_envelope} KeyValueOne=kv1 KeyValueTwo=12345 "
+
+          conf = <<-CONFIG
+            input {
+              syslog {
+                port => #{port}
+                syslog_field => "syslog"
+                grok_pattern => "#{custom_grok}"
+                codec => cef { ecs_compatibility => #{ ecs_compatibility } }
+              }
+            }
+          CONFIG
+
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(custom_line)
+            end
+            socket.close
+
+            event_count.times.collect { queue.pop }
+          end
+
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get(priority_key) ).to eql 134
+            expect( event.get(severity_key) ).to eql 6
+            expect( event.get(facility_key) ).to eql 16
+            expect( event.get("message") ).to eql cef_message
+            expect( event.get("syslog_message") ).to eql syslog_message
+            expect( event.get('timestamp') ).to eql timestamp if ecs_compatibility == :disabled
+            expect( event.include?('timestamp') ).to be false if ecs_compatibility != :disabled
+          end
+        end
       end
 
-      it "should support non UTC timezone" do
-        input = LogStash::Inputs::Syslog.new({"timezone" => "-05:00"})
-        input.register
+      context 'timestamp' do
+        it "should properly handle locale and timezone" do
+          port = 5511
+          event_count = 10
+
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+                locale => "en"
+                timezone => "UTC"
+              }
+            }
+          CONFIG
+
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(SYSLOG_LINE)
+            end
+            socket.close
 
-        # event which is not syslog should have a new tag
+            event_count.times.collect { queue.pop }
+          end
 
-        syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
-        input.syslog_relay(syslog_event)
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T15:19:25Z")
+          end
+        end
 
-        expect( syslog_event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T20:19:25.000Z"
+        it "should properly handle no locale and no timezone" do
+          port = 5511
 
-        input.close
-      end
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+              }
+            }
+          CONFIG
+
+          event = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            socket.puts(SYSLOG_LINE)
+            socket.close
+
+            queue.pop
+          end
 
+          # chances platform timezone is not UTC, so parse without offset to create expectation
+          equivalent_time = Time.parse("#{Time.now.year}-10-26T15:19:25")
+          expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to(equivalent_time)
+        end
+
+        it "should support non UTC timezone" do
+          input = LogStash::Inputs::Syslog.new({"timezone" => "-05:00"})
+          input.register
+
+          # event which is not syslog should have a new tag
+
+          syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+          input.syslog_relay(syslog_event)
+
+          expect( syslog_event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T20:19:25Z")
+
+          input.close
+        end
+      end
     end
   end
 
-  context 'ECS behavior', :ecs_compatibility_support do
+  context 'ECS :v1 behavior', :ecs_compatibility_support do
 
     ecs_compatibility_matrix(:v1) do
 
@@ -269,7 +365,7 @@ describe LogStash::Inputs::Syslog do
 
       let(:socket) do
         server = double('tcp-server')
-        allow( server ).to receive(:each).and_yield "<133>Mar 11 08:44:43 precision kernel: [765135.424096] mce: CPU6: Package temperature/speed normal\n"
+        allow( subject ).to receive(:tcp_read_lines).and_yield("<133>Mar 11 08:44:43 precision kernel: [765135.424096] mce: CPU6: Package temperature/speed normal\n")
         allow( server ).to receive(:close)
         server
       end
@@ -285,103 +381,51 @@ describe LogStash::Inputs::Syslog do
     end
   end
 
-  it "should add unique tag when grok parsing fails" do
-    input = LogStash::Inputs::Syslog.new({})
-    input.register
+  context 'tcp receiver' do
+    subject(:plugin) { LogStash::Inputs::Syslog.new }
+    before { plugin.register }
+    after { plugin.close }
 
-    # event which is not syslog should have a new tag
-    event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
-    input.syslog_relay(event)
-    expect( event.get("tags") ).to eql  ["_grokparsefailure_sysloginput"]
+    let(:queue) { Queue.new }
+    let(:socket) do
+      socket = double('tcp-socket')
+      expect( socket ).to receive(:peeraddr).and_return(["AF_INET", 514, "192.168.0.10", "192.168.0.10"])
+      socket
+    end
 
-    syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
-    input.syslog_relay(syslog_event)
-    expect( syslog_event.get("priority") ).to eql 164
-    expect( syslog_event.get("severity") ).to eql 4
-    expect( syslog_event.get("tags") ).to be nil
+    it 'should close connection when client sends EOF' do
+      expect( socket ).to receive(:read_nonblock).and_raise(EOFError)
+      expect( socket ).to receive(:close)
+      allow( plugin.logger ).to receive(:info)
 
-    input.close
-  end
+      plugin.send :tcp_receiver, queue, socket
 
-  it_behaves_like 'an interruptible input plugin' do
-    let(:config) { { "port" => 5511 } }
-  end
+      expect( plugin.logger ).to have_received(:info).with(/connection closed/, anything)
+      expect( queue.size ).to eql 0
+    end
 
-  it "should properly handle a custom grok_pattern" do
-    port = 5511
-    event_count = 1
-    custom_grok = "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} atypical %{GREEDYDATA:message}"
-    message_field = "This part constitutes the message field"
-    timestamp = "Oct 26 15:19:25"
-    custom_line = "<164>#{timestamp} atypical #{message_field}"
-
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-          grok_pattern => "#{custom_grok}"
-        }
-      }
-    CONFIG
-
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(custom_line)
+    it 'should properly read partially received messages' do
+      expect( socket ).to receive(:close)
+      allow( plugin.codec ).to receive(:decode).and_call_original
+
+      messages = ["<133>Mar 11 08:44:43 localhost message 2\n", "message 1\n", "<133>Mar 11 08:44:43 localhost ", ]
+      allow( socket ).to receive(:read_nonblock).at_least(messages.size).times do
+        msg = messages.pop
+        raise EOFError unless msg
+        msg
       end
-      socket.close
 
-      event_count.times.collect { queue.pop }
-    end
+      plugin.send :tcp_receiver, queue, socket
 
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-      expect( event.get("message") ).to eql "#{message_field}\n"
-      expect( event.get("timestamp") ).to eql timestamp
+      expect( queue.size ).to eql 2
+      expect( plugin.codec ).to have_received(:decode).with("<133>Mar 11 08:44:43 localhost message 1\n")
+      expect( plugin.codec ).to have_received(:decode).with("<133>Mar 11 08:44:43 localhost message 2\n")
     end
   end
 
-  it "should properly handle the cef codec with a custom grok_pattern" do
-    port = 5511
-    event_count = 1
-    custom_grok = "<%{POSINT:priority}>%{TIMESTAMP_ISO8601:timestamp} atypical"
-    message_field = "Description Omitted"
-    timestamp = "2018-02-07T12:40:00.000Z"
-    custom_line = "<134>#{timestamp} atypical CEF:0|Company Name|Application Name|Application Version Number|632|Syslog Configuration Updated|3|src=192.168.0.1 suser=user@example.com target=TARGET msg=#{message_field} KeyValueOne=kv1 KeyValueTwo=12345 "
-
-    conf = <<-CONFIG
-      input {
-        syslog {
-          port => #{port}
-          syslog_field => "syslog"
-          grok_pattern => "#{custom_grok}"
-          codec => cef
-        }
-      }
-    CONFIG
-
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(custom_line)
-      end
-      socket.close
 
-      event_count.times.collect { queue.pop }
-    end
-
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 134
-      expect( event.get("severity") ).to eql 6
-      expect( event.get("facility") ).to eql 16
-      expect( event.get("message") ).to eql message_field
-      expect( event.get("timestamp") ).to eql timestamp
-    end
+  it_behaves_like 'an interruptible input plugin' do
+    let(:config) { { "port" => 5511 } }
   end
 
   private

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-syslog
 version: !ruby/object:Gem::Version
-  version: 3.5.0
+  version: 3.7.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-22 00:00:00.000000000 Z
+date: 2023-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
   name: logstash-mixin-ecs_compatibility_support
   prerelease: false
   type: :runtime
@@ -43,7 +43,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -97,7 +97,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.4.0
+        version: 4.4.1
   name: logstash-filter-grok
   prerelease: false
   type: :runtime
@@ -105,7 +105,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.4.0
+        version: 4.4.1
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -123,17 +123,17 @@ dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.3'
   name: logstash-devutils
   prerelease: false
   type: :development
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -187,8 +187,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Reads syslog messages as events