logstash-input-syslog 3.3.0 → 3.4.0

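--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: afc32918fa577b058932c4b231b47a8b1f1fe9b568e5126aacf8e9d0224563bb
-data.tar.gz: 5db1690089b6f82efcad455170defb3f1987d9420197817af225ca2480511ffc
+metadata.gz: 30915cac1fcc65f8de106471302441df16c4bc5333243faec47223166be5c96b
+data.tar.gz: ccfa3cf6950b6a4353c6bfcd8ac7073df626b3ed18d0d8cf82e762b80ba9aeb8
 SHA512:
-metadata.gz: 1e25afad30245aa9bb745861f8fef0d474eb8c0de28c1964e71e939aa02aabe55785fc03312d14771c9608378e045168691e284485facea58dfa48d9a660a581
-data.tar.gz: d04b48e1192204d932cdb011dfd79ae310370dacb9fb5120b0c2421cbeb2a7d82119eb8719fc31810646b487699d32b453350654c00ca4aa3b7f3db3abf4e333
+metadata.gz: d515b8ba355a0ad289dc276ca2620a8ebef47304b907abbc003eb975ad5f21f82a63ece8125a30b24ec36dd9077a38675cf34e049d3972d6da0ed4d7dc74565c
+data.tar.gz: '038276f3c5172c192782ba4d60c98a1a407754fc9290266c94e420d98c0fef06de2fe1afbfc9509c5fe269aa0cb9ffb33cfc39f08209abaaf3d3b94e1c42ae77'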
@@ -1,3 +1,7 @@
1
+ ## 3.4.0
2
+ - Allow the syslog field to be a configurable option. This is useful for when codecs change
3
+ the field containing the syslog data (e.g. the CEF codec).
4
+
1
5
  ## 3.3.0
2
6
  - Make the grok pattern a configurable option
3
7
 
@@ -53,6 +53,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
53
53
  | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|No
54
54
  | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
55
55
  | <<plugins-{type}s-{plugin}-severity_labels>> |<<array,array>>|No
56
+ | <<plugins-{type}s-{plugin}-syslog_field>> |<<string,string>>|No
56
57
  | <<plugins-{type}s-{plugin}-timezone>> |<<string,string>>|No
57
58
  | <<plugins-{type}s-{plugin}-use_labels>> |<<boolean,boolean>>|No
58
59
  |=======================================================================
@@ -136,6 +137,29 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
136
137
 
137
138
  Labels for severity levels. These are defined in RFC3164.
138
139
 
140
+ [id="plugins-{type}s-{plugin}-syslog_field"]
141
+ ===== `syslog_field`
142
+
143
+ * Value type is <<string,string>>
144
+ * Default value is `"message"`
145
+
146
+ Codecs process the data before the rest of the data is parsed. Some codecs,
147
+ like CEF, put the syslog data into another field after pre-processing the
148
+ data. Use this option in conjunction with the `grok_pattern` configuration
149
+ to allow the syslog input plugin to fully parse the syslog data in this case.
150
+
151
+ [source,sh]
152
+ -------
153
+ input {
154
+ syslog {
155
+ port => 12345
156
+ codec => cef
157
+ syslog_field => "syslog"
158
+ grok_pattern => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} CUSTOM GROK HERE"
159
+ }
160
+ }
161
+ -------
162
+
139
163
  [id="plugins-{type}s-{plugin}-timezone"]
140
164
  ===== `timezone`
141
165
 
@@ -36,6 +36,10 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
36
36
  # ports) may require root to use.
37
37
  config :port, :validate => :number, :default => 514
38
38
 
39
+ # Use custom post-codec processing field (e.g. syslog, after cef codec
40
+ # processing) instead of the default `message` field
41
+ config :syslog_field, :validate => :string, :default => "message"
42
+
39
43
  # Set custom grok pattern to parse the syslog, in case the format differs
40
44
  # from the defined standard. This is common in security and other appliances
41
45
  config :grok_pattern, :validate => :string, :default => "<%{POSINT:priority}>%{SYSLOGLINE}"
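Review bot: The comment above the new `config :syslog_field` says which field to use but not what the plugin does with it; since the value is both the grok match source and the overwrite target, that contract belongs next to the option. Suggested replacement for the two comment lines: `# Field holding the raw syslog line. Codecs such as cef move the syslog header out of "message"` / `# (the docs example uses "syslog"); grok_pattern is matched against, and overwrites, this field.` Note that `:validate => :string` still accepts an empty string, which would make grok match against a field named `""`; a register-time guard such as `raise LogStash::ConfigurationError, "syslog_field must not be empty" if @syslog_field.to_s.empty?` would surface the misconfiguration early, although `register` lies outside this hunk.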
@@ -82,8 +86,8 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
82
86
  @metric_errors = metric.namespace(:errors)
83
87
  require "thread_safe"
84
88
  @grok_filter = LogStash::Filters::Grok.new(
85
- "overwrite" => "message",
86
- "match" => { "message" => @grok_pattern },
89
+ "overwrite" => @syslog_field,
90
+ "match" => { @syslog_field => @grok_pattern },
87
91
  "tag_on_failure" => ["_grokparsefailure_sysloginput"],
88
92
  )
89
93
 
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-input-syslog'
4
- s.version = '3.3.0'
4
+ s.version = '3.4.0'
5
5
  s.licenses = ['Apache License (2.0)']
6
6
  s.summary = "Reads syslog messages as events"
7
7
  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -31,5 +31,6 @@ Gem::Specification.new do |s|
31
31
  s.add_runtime_dependency 'logstash-filter-date'
32
32
 
33
33
  s.add_development_dependency 'logstash-devutils'
34
+ s.add_development_dependency 'logstash-codec-cef'
34
35
  end
35
36
 
@@ -22,6 +22,7 @@ module LogStash::Environment
22
22
  end
23
23
 
24
24
  require "logstash/inputs/syslog"
25
+ require "logstash/codecs/cef"
25
26
  require "logstash/event"
26
27
  require "stud/try"
27
28
  require "socket"
@@ -248,4 +249,43 @@ describe LogStash::Inputs::Syslog do
248
249
  insist { event.get("timestamp") } == timestamp
249
250
  end
250
251
  end
252
+
253
+ it "should properly handle the cef codec with a custom grok_pattern" do
254
+ port = 5511
255
+ event_count = 1
256
+ custom_grok = "<%{POSINT:priority}>%{TIMESTAMP_ISO8601:timestamp} atypical"
257
+ message_field = "Description Omitted"
258
+ timestamp = "2018-02-07T12:40:00.000Z"
259
+ custom_line = "<134>#{timestamp} atypical CEF:0|Company Name|Application Name|Application Version Number|632|Syslog Configuration Updated|3|src=192.168.0.1 suser=user@example.com target=TARGET msg=#{message_field} KeyValueOne=kv1 KeyValueTwo=12345 "
260
+
261
+ conf = <<-CONFIG
262
+ input {
263
+ syslog {
264
+ port => #{port}
265
+ syslog_field => "syslog"
266
+ grok_pattern => "#{custom_grok}"
267
+ codec => cef
268
+ }
269
+ }
270
+ CONFIG
271
+
272
+ events = input(conf) do |pipeline, queue|
273
+ socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
274
+ event_count.times do |i|
275
+ socket.puts(custom_line)
276
+ end
277
+ socket.close
278
+
279
+ event_count.times.collect { queue.pop }
280
+ end
281
+
282
+ insist { events.length } == event_count
283
+ events.each do |event|
284
+ insist { event.get("priority") } == 134
285
+ insist { event.get("severity") } == 6
286
+ insist { event.get("facility") } == 16
287
+ insist { event.get("message") } == message_field
288
+ insist { event.get("timestamp") } == timestamp
289
+ end
290
+ end
251
291
  end
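Review bot: In the new spec, the block parameter `i` in `event_count.times do |i|` is unused and `collect` is the less idiomatic alias; `event_count.times { socket.puts(custom_line) }` and `event_count.times.map { queue.pop }` read cleaner. The assertions cover priority/severity/facility and the codec-provided `message`, but nothing states explicitly that grok succeeded on the configured field rather than falling through; adding `insist { event.get("tags").to_a.include?("_grokparsefailure_sysloginput") } == false` inside the `events.each` block makes that expectation visible. The enclosing `describe` block starts outside this hunk.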
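--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-syslog
 version: !ruby/object:Gem::Version
-version: 3.3.0
+version: 3.4.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-06 00:00:00.000000000 Z
+date: 2018-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -134,6 +134,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+name: logstash-codec-cef
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 description: This gem is a Logstash plugin required to be installed on top of the
 Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
 gem is not a stand-alone program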