RubyGems - logstash-input-syslog - Versions diffs - 3.6.0 → 3.7.1 - Mend

logstash-input-syslog 3.6.0 → 3.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +8 -0
data/lib/logstash/inputs/syslog.rb +26 -5
data/logstash-input-syslog.gemspec +1 -1
data/spec/inputs/syslog_spec.rb +244 -200
metadata +12 -12

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef06714d6d1b2383646d6ec53550171592e1dbcd97e3e7b1e847edcceba41d4a
-  data.tar.gz: acd1005f0b2db5ad66ff95c7d74027ead6841d97b4805c05ed19225fa5af3cf5
+  metadata.gz: 630e8328b3161d33d8d34489893a654e8310aa871a827bceb3911454f149bd34
+  data.tar.gz: 8e7c5b275c4169a83a20cd0a2a41b4d3b746d9b4a7e5aedc6360f917cd9660cc
 SHA512:
-  metadata.gz: ea924072e2e8904864649a6be3706523dca20a01c1c7aef441fea1c643f93e78dcb12d869ffb1f4d16ee2ebbdcdf4a396f45d6b3fc77909ad247941a849f9e6d
-  data.tar.gz: d3d658703fa56537a9818f65b92ddba37e8f56e760beda02698b1782c5f89eb9dc6c279c18a0611ecf653f3c9b07894549edf5b750855fc0f42500862f7d6f4a
+  metadata.gz: 69270b0499c4768ec2bbacff35dd35aacdd8e24944ad24d873291c4e83ce780eecba5afeff97b10d360daaf14d0601c473f631b6af6f27a0b33d239c22ca93db
+  data.tar.gz: 361942102a239e8797c2364942659c31245ffcf5149203530d2e47834ff2d5b04c834bd2001aa07cfd363afe40918a5923b5da61b886d207aee251c70e0b57ff

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,11 @@
+## 3.7.1
+  - Fix issue where the priority field was not being set correctly when grok failed [#76](https://github.com/logstash-plugins/logstash-input-syslog/pull/78)
+## 3.7.0
+  - Changed the TCP reading mode to use the non-blocking method [#75](https://github.com/logstash-plugins/logstash-input-syslog/pull/75)
+    It fixes the high CPU usage when TCP clients do not properly disconnect/send EOF.
+  - Fixed broken tests
 ## 3.6.0
   - Add support for ECS v8 as alias to v1 implementation [#68](https://github.com/logstash-plugins/logstash-input-syslog/pull/68)

data/lib/logstash/inputs/syslog.rb CHANGED Viewed

@@ -83,6 +83,8 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
   # assuming users would want that (they have specific use-case for LS as syslog server).
   config :service_type, :validate => :string, :default => 'system'
+  GROK_FAILURE_TAG = "_grokparsefailure_sysloginput"
   def initialize(*params)
     super
@@ -103,7 +105,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
     @grok_filter = LogStash::Filters::Grok.new(
         "overwrite" => @syslog_field,
         "match" => { @syslog_field => @grok_pattern },
-        "tag_on_failure" => ["_grokparsefailure_sysloginput"],
+        "tag_on_failure" => [GROK_FAILURE_TAG],
         "ecs_compatibility" => ecs_compatibility # use ecs-compliant patterns
     )
@@ -221,6 +223,21 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
     close_tcp
   end # def tcp_listener
+  def tcp_read_lines(socket)
+    buffer = String.new
+    loop do
+      begin
+        buffer << socket.read_nonblock(1024)
+        while (newline = buffer.index("\n"))
+          yield buffer.slice!(0..newline)
+        end
+      rescue IO::WaitReadable
+        IO.select([socket], nil)
+        retry
+      end
+    end
+  end
   # tcp_receiver is executed in a thread, any uncatched exception will be bubbled up to the
   # tcp server thread and all tcp connections will be closed and the listener restarted.
   def tcp_receiver(output_queue, socket)
@@ -232,7 +249,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
     first_read = true
-    socket.each do |line|
+    tcp_read_lines(socket) do |line|
       metric.increment(:messages_received)
       if @proxy_protocol && first_read
         first_read = false
@@ -253,7 +270,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
   rescue Errno::ECONNRESET
     # swallow connection reset exceptions to avoid bubling up the tcp_listener & server
     logger.info("connection reset", :client => "#{ip}:#{port}")
-  rescue Errno::EBADF
+  rescue Errno::EBADF, EOFError
     # swallow connection closed exceptions to avoid bubling up the tcp_listener & server
     logger.info("connection closed", :client => "#{ip}:#{port}")
   rescue IOError => e
@@ -326,10 +343,14 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
   def syslog_relay(event)
     @grok_filter_exec.(event)
-    if event.get("tags").nil? || !event.get("tags").include?(@grok_filter.tag_on_failure)
+    if event.get("tags").nil? || !event.get("tags").include?(GROK_FAILURE_TAG)
       # Per RFC3164, priority = (facility * 8) + severity
       #                       = (facility << 3) & (severity)
-      priority = event.get(@priority_key).to_i rescue 13
+      priority = if event.include?(@priority_key)
+                   event.get(@priority_key).to_i rescue 13
+                 else
+                   13
+                 end
       set_priority event, priority
       @date_filter_exec.(event)

data/logstash-input-syslog.gemspec CHANGED Viewed

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-input-syslog'
-  s.version         = '3.6.0'
+  s.version         = '3.7.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads syslog messages as events"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/spec/inputs/syslog_spec.rb CHANGED Viewed

@@ -33,80 +33,18 @@ require "socket"
 describe LogStash::Inputs::Syslog do
   SYSLOG_LINE = "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]"
-  it "should properly handle priority, severity and facilities" do
-    skip_if_stack_known_issue
-    port = 5511
-    event_count = 10
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(SYSLOG_LINE)
-      end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-    end
-  end
-  it "should properly PROXY protocol v1" do
-    skip_if_stack_known_issue
-    port = 5511
-    event_count = 10
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-          proxy_protocol => true
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      socket.puts("PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r");
-      socket.flush
-      event_count.times do |i|
-        socket.puts(SYSLOG_LINE)
-      end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-      expect( event.get("host") ).to eql "1.2.3.4"
-    end
-  end
-  context 'tag', :ecs_compatibility_support do
-    ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do
+  context 'ECS common behavior', :ecs_compatibility_support do
+    ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do |ecs_select|
+      let(:priority_key) { ecs_select[disabled:'priority', v1:'[log][syslog][priority]'] }
+      let(:facility_key) { ecs_select[disabled:'facility', v1:'[log][syslog][facility][code]'] }
+      let(:severity_key) { ecs_select[disabled:'severity', v1:'[log][syslog][severity][code]'] }
+      let(:host_key) { ecs_select[disabled:'host', v1:'[host][ip]'] }
       before(:each) do
         allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
       end
-      it "should add unique tag when grok parsing fails with live syslog input" do
+      it "should properly handle priority, severity and facilities" do
         skip_if_stack_known_issue
         port = 5511
         event_count = 10
@@ -122,7 +60,7 @@ describe LogStash::Inputs::Syslog do
         events = input(conf) do |pipeline, queue|
           socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
           event_count.times do |i|
-            socket.puts("message which causes the a grok parse failure")
+            socket.puts(SYSLOG_LINE)
           end
           socket.close
@@ -130,38 +68,31 @@ describe LogStash::Inputs::Syslog do
         end
         expect( events.length ).to eql event_count
-        event_count.times do |i|
-          expect( events[i].get("tags") ).to eql ["_grokparsefailure_sysloginput"]
+        events.each do |event|
+          expect( event.get(priority_key) ).to eql 164
+          expect( event.get(severity_key) ).to eql 4
+          expect( event.get(facility_key) ).to eql 20
         end
       end
-    end
-  end
-  context 'timestamp', :ecs_compatibility_support do
-    ecs_compatibility_matrix(:disabled, :v1) do
-      before(:each) do
-        allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
-      end
-      it "should properly handle locale and timezone" do
+      it "should properly PROXY protocol v1" do
+        skip_if_stack_known_issue
         port = 5511
         event_count = 10
         conf = <<-CONFIG
           input {
             syslog {
               type => "blah"
               port => #{port}
-              locale => "en"
-              timezone => "UTC"
+              proxy_protocol => true
             }
           }
         CONFIG
         events = input(conf) do |pipeline, queue|
           socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+          socket.puts("PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r\n")
+          socket.flush
           event_count.times do |i|
             socket.puts(SYSLOG_LINE)
           end
@@ -172,53 +103,218 @@ describe LogStash::Inputs::Syslog do
         expect( events.length ).to eql event_count
         events.each do |event|
-          expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T15:19:25Z")
+          expect( event.get(priority_key) ).to eql 164
+          expect( event.get(severity_key) ).to eql 4
+          expect( event.get(facility_key) ).to eql 20
+          expect( event.get(host_key) ).to eql "1.2.3.4"
         end
       end
-      it "should properly handle no locale and no timezone" do
-        port = 5511
+      context 'grok' do
+        it "should add unique tag when grok parsing fails with live syslog input" do
+          skip_if_stack_known_issue
+          port = 5511
+          event_count = 10
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+              }
+            }
+          CONFIG
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts("message which causes the a grok parse failure")
+            end
+            socket.close
+            event_count.times.collect { queue.pop }
+          end
+          expect( events.length ).to eql event_count
+          event_count.times do |i|
+            expect( events[i].get("tags") ).to eql ["_grokparsefailure_sysloginput"]
+          end
+        end
-        conf = <<-CONFIG
-          input {
-            syslog {
-              type => "blah"
-              port => #{port}
+        it "should add unique tag when grok parsing fails" do
+          input = LogStash::Inputs::Syslog.new({})
+          input.register
+          # event which is not syslog should have a new tag
+          event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
+          input.syslog_relay(event)
+          expect( event.get("tags") ).to eql  ["_grokparsefailure_sysloginput"]
+          expect( event.get(priority_key) ).to eql 13
+          syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+          input.syslog_relay(syslog_event)
+          expect( syslog_event.get(priority_key) ).to eql 164
+          expect( syslog_event.get(severity_key) ).to eql 4
+          expect( syslog_event.get("tags") ).to be nil
+          input.close
+        end
+        it "should properly handle a custom grok_pattern" do
+          port = 5511
+          event_count = 1
+          custom_grok = "<%{POSINT:#{priority_key}}>%{SYSLOGTIMESTAMP:timestamp} atypical %{GREEDYDATA:message}"
+          message_field = "This part constitutes the message field"
+          timestamp = "Oct 26 15:19:25"
+          custom_line = "<164>#{timestamp} atypical #{message_field}"
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+                grok_pattern => "#{custom_grok}"
+              }
             }
-          }
-        CONFIG
+          CONFIG
-        event = input(conf) do |pipeline, queue|
-          socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-          socket.puts(SYSLOG_LINE)
-          socket.close
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(custom_line)
+            end
+            socket.close
+            event_count.times.collect { queue.pop }
+          end
-          queue.pop
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get(priority_key) ).to eql 164
+            expect( event.get(severity_key) ).to eql 4
+            expect( event.get(facility_key) ).to eql 20
+            expect( event.get("message") ).to eql "#{message_field}\n"
+            expect( event.get('timestamp') ).to eql timestamp if ecs_compatibility == :disabled
+            expect( event.include?('timestamp') ).to be false if ecs_compatibility != :disabled
+          end
         end
-        # chances platform timezone is not UTC, so parse without offset to create expectation
-        equivalent_time = Time.parse("#{Time.now.year}-10-26T15:19:25")
-        expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to(equivalent_time)
+        it "should properly handle the cef codec with a custom grok_pattern" do
+          port = 5511
+          event_count = 1
+          custom_grok = "<%{POSINT:#{priority_key}}>%{TIMESTAMP_ISO8601:timestamp} atypical %{GREEDYDATA:syslog_message}"
+          timestamp = "2018-02-07T12:40:00.000Z"
+          cef_message = "Description Omitted"
+          syslog_message = "foo bar"
+          syslog_message_envelope = "<134>#{timestamp} atypical #{syslog_message}"
+          custom_line = "CEF:0|Company Name|Application Name|Application Version Number|632|Syslog Configuration Updated|3|src=192.168.0.1 suser=user@example.com target=TARGET msg=#{cef_message} syslog=#{syslog_message_envelope} KeyValueOne=kv1 KeyValueTwo=12345 "
+          conf = <<-CONFIG
+            input {
+              syslog {
+                port => #{port}
+                syslog_field => "syslog"
+                grok_pattern => "#{custom_grok}"
+                codec => cef { ecs_compatibility => #{ ecs_compatibility } }
+              }
+            }
+          CONFIG
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(custom_line)
+            end
+            socket.close
+            event_count.times.collect { queue.pop }
+          end
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get(priority_key) ).to eql 134
+            expect( event.get(severity_key) ).to eql 6
+            expect( event.get(facility_key) ).to eql 16
+            expect( event.get("message") ).to eql cef_message
+            expect( event.get("syslog_message") ).to eql syslog_message
+            expect( event.get('timestamp') ).to eql timestamp if ecs_compatibility == :disabled
+            expect( event.include?('timestamp') ).to be false if ecs_compatibility != :disabled
+          end
+        end
       end
-      it "should support non UTC timezone" do
-        input = LogStash::Inputs::Syslog.new({"timezone" => "-05:00"})
-        input.register
+      context 'timestamp' do
+        it "should properly handle locale and timezone" do
+          port = 5511
+          event_count = 10
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+                locale => "en"
+                timezone => "UTC"
+              }
+            }
+          CONFIG
+          events = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            event_count.times do |i|
+              socket.puts(SYSLOG_LINE)
+            end
+            socket.close
-        # event which is not syslog should have a new tag
+            event_count.times.collect { queue.pop }
+          end
-        syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
-        input.syslog_relay(syslog_event)
+          expect( events.length ).to eql event_count
+          events.each do |event|
+            expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T15:19:25Z")
+          end
+        end
-        expect( syslog_event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T20:19:25Z")
+        it "should properly handle no locale and no timezone" do
+          port = 5511
-        input.close
-      end
+          conf = <<-CONFIG
+            input {
+              syslog {
+                type => "blah"
+                port => #{port}
+              }
+            }
+          CONFIG
+          event = input(conf) do |pipeline, queue|
+            socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+            socket.puts(SYSLOG_LINE)
+            socket.close
+            queue.pop
+          end
+          # chances platform timezone is not UTC, so parse without offset to create expectation
+          equivalent_time = Time.parse("#{Time.now.year}-10-26T15:19:25")
+          expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to(equivalent_time)
+        end
+        it "should support non UTC timezone" do
+          input = LogStash::Inputs::Syslog.new({"timezone" => "-05:00"})
+          input.register
+          # event which is not syslog should have a new tag
+          syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+          input.syslog_relay(syslog_event)
+          expect( syslog_event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T20:19:25Z")
+          input.close
+        end
+      end
     end
   end
-  context 'ECS behavior', :ecs_compatibility_support do
+  context 'ECS :v1 behavior', :ecs_compatibility_support do
     ecs_compatibility_matrix(:v1) do
@@ -270,7 +366,7 @@ describe LogStash::Inputs::Syslog do
       let(:socket) do
         server = double('tcp-server')
-        allow( server ).to receive(:each).and_yield "<133>Mar 11 08:44:43 precision kernel: [765135.424096] mce: CPU6: Package temperature/speed normal\n"
+        allow( subject ).to receive(:tcp_read_lines).and_yield("<133>Mar 11 08:44:43 precision kernel: [765135.424096] mce: CPU6: Package temperature/speed normal\n")
         allow( server ).to receive(:close)
         server
       end
@@ -286,103 +382,51 @@ describe LogStash::Inputs::Syslog do
     end
   end
-  it "should add unique tag when grok parsing fails" do
-    input = LogStash::Inputs::Syslog.new({})
-    input.register
+  context 'tcp receiver' do
+    subject(:plugin) { LogStash::Inputs::Syslog.new }
+    before { plugin.register }
+    after { plugin.close }
-    # event which is not syslog should have a new tag
-    event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
-    input.syslog_relay(event)
-    expect( event.get("tags") ).to eql  ["_grokparsefailure_sysloginput"]
+    let(:queue) { Queue.new }
+    let(:socket) do
+      socket = double('tcp-socket')
+      expect( socket ).to receive(:peeraddr).and_return(["AF_INET", 514, "192.168.0.10", "192.168.0.10"])
+      socket
+    end
-    syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
-    input.syslog_relay(syslog_event)
-    expect( syslog_event.get("priority") ).to eql 164
-    expect( syslog_event.get("severity") ).to eql 4
-    expect( syslog_event.get("tags") ).to be nil
+    it 'should close connection when client sends EOF' do
+      expect( socket ).to receive(:read_nonblock).and_raise(EOFError)
+      expect( socket ).to receive(:close)
+      allow( plugin.logger ).to receive(:info)
-    input.close
-  end
+      plugin.send :tcp_receiver, queue, socket
-  it_behaves_like 'an interruptible input plugin' do
-    let(:config) { { "port" => 5511 } }
-  end
+      expect( plugin.logger ).to have_received(:info).with(/connection closed/, anything)
+      expect( queue.size ).to eql 0
+    end
-  it "should properly handle a custom grok_pattern" do
-    port = 5511
-    event_count = 1
-    custom_grok = "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} atypical %{GREEDYDATA:message}"
-    message_field = "This part constitutes the message field"
-    timestamp = "Oct 26 15:19:25"
-    custom_line = "<164>#{timestamp} atypical #{message_field}"
-    conf = <<-CONFIG
-      input {
-        syslog {
-          type => "blah"
-          port => #{port}
-          grok_pattern => "#{custom_grok}"
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(custom_line)
+    it 'should properly read partially received messages' do
+      expect( socket ).to receive(:close)
+      allow( plugin.codec ).to receive(:decode).and_call_original
+      messages = ["<133>Mar 11 08:44:43 localhost message 2\n", "message 1\n", "<133>Mar 11 08:44:43 localhost ", ]
+      allow( socket ).to receive(:read_nonblock).at_least(messages.size).times do
+        msg = messages.pop
+        raise EOFError unless msg
+        msg
       end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
+      plugin.send :tcp_receiver, queue, socket
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 164
-      expect( event.get("severity") ).to eql 4
-      expect( event.get("facility") ).to eql 20
-      expect( event.get("message") ).to eql "#{message_field}\n"
-      expect( event.get("timestamp") ).to eql timestamp
+      expect( queue.size ).to eql 2
+      expect( plugin.codec ).to have_received(:decode).with("<133>Mar 11 08:44:43 localhost message 1\n")
+      expect( plugin.codec ).to have_received(:decode).with("<133>Mar 11 08:44:43 localhost message 2\n")
     end
   end
-  it "should properly handle the cef codec with a custom grok_pattern" do
-    port = 5511
-    event_count = 1
-    custom_grok = "<%{POSINT:priority}>%{TIMESTAMP_ISO8601:timestamp} atypical"
-    message_field = "Description Omitted"
-    timestamp = "2018-02-07T12:40:00.000Z"
-    custom_line = "<134>#{timestamp} atypical CEF:0|Company Name|Application Name|Application Version Number|632|Syslog Configuration Updated|3|src=192.168.0.1 suser=user@example.com target=TARGET msg=#{message_field} KeyValueOne=kv1 KeyValueTwo=12345 "
-    conf = <<-CONFIG
-      input {
-        syslog {
-          port => #{port}
-          syslog_field => "syslog"
-          grok_pattern => "#{custom_grok}"
-          codec => cef
-        }
-      }
-    CONFIG
-    events = input(conf) do |pipeline, queue|
-      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
-      event_count.times do |i|
-        socket.puts(custom_line)
-      end
-      socket.close
-      event_count.times.collect { queue.pop }
-    end
-    expect( events.length ).to eql event_count
-    events.each do |event|
-      expect( event.get("priority") ).to eql 134
-      expect( event.get("severity") ).to eql 6
-      expect( event.get("facility") ).to eql 16
-      expect( event.get("message") ).to eql message_field
-      expect( event.get("timestamp") ).to eql timestamp
-    end
+  it_behaves_like 'an interruptible input plugin' do
+    let(:config) { { "port" => 5511 } }
   end
   private

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-syslog
 version: !ruby/object:Gem::Version
-  version: 3.6.0
+  version: 3.7.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-11-11 00:00:00.000000000 Z
+date: 2025-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -20,8 +20,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.99'
   name: logstash-core-plugin-api
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -37,8 +37,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.2'
   name: logstash-mixin-ecs_compatibility_support
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -51,8 +51,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
   name: concurrent-ruby
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -68,8 +68,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.1.0
   name: stud
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -85,8 +85,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
   name: logstash-codec-plain
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -99,8 +99,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 4.4.1
   name: logstash-filter-grok
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -113,8 +113,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
   name: logstash-filter-date
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -127,8 +127,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.3'
   name: logstash-devutils
-  prerelease: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -141,8 +141,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
   name: logstash-codec-cef
-  prerelease: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -187,7 +187,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: Reads syslog messages as events