logstash-integration-aws 7.1.1-java

data/lib/logstash/outputs/sqs.rb

@@ -0,0 +1,167 @@
+# encoding: utf-8
+
+require 'aws-sdk-sqs'
+require 'logstash/errors'
+require 'logstash/namespace'
+require 'logstash/outputs/base'
+require 'logstash/plugin_mixins/aws_config'
+
+# Push events to an Amazon Web Services (AWS) Simple Queue Service (SQS) queue.
+#
+# SQS is a simple, scalable queue system that is part of the Amazon Web
+# Services suite of tools. Although SQS is similar to other queuing systems
+# such as Advanced Message Queuing Protocol (AMQP), it uses a custom API and
+# requires that you have an AWS account. See http://aws.amazon.com/sqs/ for
+# more details on how SQS works, what the pricing schedule looks like and how
+# to setup a queue.
+#
+# The "consumer" identity must have the following permissions on the queue:
+#
+#   * `sqs:GetQueueUrl`
+#   * `sqs:SendMessage`
+#   * `sqs:SendMessageBatch`
+#
+# Typically, you should setup an IAM policy, create a user and apply the IAM
+# policy to the user. See http://aws.amazon.com/iam/ for more details on
+# setting up AWS identities. A sample policy is as follows:
+#
+# [source,json]
+# {
+#   "Version": "2012-10-17",
+#   "Statement": [
+#     {
+#       "Effect": "Allow",
+#       "Action": [
+#         "sqs:GetQueueUrl",
+#         "sqs:SendMessage",
+#         "sqs:SendMessageBatch"
+#       ],
+#       "Resource": "arn:aws:sqs:us-east-1:123456789012:my-sqs-queue"
+#     }
+#   ]
+# }
+#
+# ==== Batch Publishing
+# This output publishes messages to SQS in batches in order to optimize event
+# throughput and increase performance. This is done using the
+# [`SendMessageBatch`](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessageBatch.html)
+# API. When publishing messages to SQS in batches, the following service limits
+# must be respected (see
+# [Limits in Amazon SQS](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/limits-messages.html)):
+#
+#   * The maximum allowed individual message size is 256KiB.
+#   * The maximum total payload size (i.e. the sum of the sizes of all
+#     individual messages within a batch) is also 256KiB.
+#
+# This plugin will dynamically adjust the size of the batch published to SQS in
+# order to ensure that the total payload size does not exceed 256KiB.
+#
+# WARNING: This output cannot currently handle messages larger than 256KiB. Any
+# single message exceeding this size will be dropped.
+#
+class LogStash::Outputs::SQS < LogStash::Outputs::Base
+  include LogStash::PluginMixins::AwsConfig::V2
+
+  config_name 'sqs'
+  default :codec, 'json'
+
+  concurrency :shared
+
+  # The number of events to be sent in each batch. Set this to `1` to disable
+  # the batch sending of messages.
+  config :batch_events, :validate => :number, :default => 10
+
+  # The maximum number of bytes for any message sent to SQS. Messages exceeding
+  # this size will be dropped. See
+  # http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/limits-messages.html.
+  config :message_max_size, :validate => :bytes, :default => '256KiB'
+
+  # The name of the target SQS queue. Note that this is just the name of the
+  # queue, not the URL or ARN.
+  config :queue, :validate => :string, :required => true
+
+  # Account ID of the AWS account which owns the queue. Note IAM permissions
+  # need to be configured on both accounts to function.
+  config :queue_owner_aws_account_id, :validate => :string, :required => false
+
+  public
+  def register
+    @sqs = Aws::SQS::Client.new(aws_options_hash)
+
+    if @batch_events > 10
+      raise LogStash::ConfigurationError, 'The maximum batch size is 10 events'
+    elsif @batch_events < 1
+      raise LogStash::ConfigurationError, 'The batch size must be greater than 0'
+   end
+
+    begin
+      params = { queue_name: @queue }
+      params[:queue_owner_aws_account_id] = @queue_owner_aws_account_id if @queue_owner_aws_account_id
+
+      @logger.debug('Connecting to SQS queue', params.merge(region: region))
+      @queue_url = @sqs.get_queue_url(params)[:queue_url]
+      @logger.info('Connected to SQS queue successfully', params.merge(region: region))
+    rescue Aws::SQS::Errors::ServiceError => e
+      @logger.error('Failed to connect to SQS', :error => e)
+      raise LogStash::ConfigurationError, 'Verify the SQS queue name and your credentials'
+    end
+  end
+
+  public
+  def multi_receive_encoded(encoded_events)
+    if @batch_events > 1
+      multi_receive_encoded_batch(encoded_events)
+    else
+      multi_receive_encoded_single(encoded_events)
+    end
+  end
+
+  private
+  def multi_receive_encoded_batch(encoded_events)
+    bytes = 0
+    entries = []
+
+    # Split the events into multiple batches to ensure that no single batch
+    # exceeds `@message_max_size` bytes.
+    encoded_events.each_with_index do |encoded_event, index|
+      event, encoded = encoded_event
+
+      if encoded.bytesize > @message_max_size
+        @logger.warn('Message exceeds maximum length and will be dropped', :message_size => encoded.bytesize)
+        next
+      end
+
+      if entries.size >= @batch_events or (bytes + encoded.bytesize) > @message_max_size
+        send_message_batch(entries)
+
+        bytes = 0
+        entries = []
+      end
+
+      bytes += encoded.bytesize
+      entries.push(:id => index.to_s, :message_body => encoded)
+    end
+
+    send_message_batch(entries) unless entries.empty?
+  end
+
+  private
+  def multi_receive_encoded_single(encoded_events)
+    encoded_events.each do |encoded_event|
+      event, encoded = encoded_event
+
+      if encoded.bytesize > @message_max_size
+        @logger.warn('Message exceeds maximum length and will be dropped', :message_size => encoded.bytesize)
+        next
+      end
+
+      @sqs.send_message(:queue_url => @queue_url, :message_body => encoded)
+    end
+  end
+
+  private
+  def send_message_batch(entries)
+    @logger.debug("Publishing #{entries.size} messages to SQS", :queue_url => @queue_url, :entries => entries)
+    @sqs.send_message_batch(:queue_url => @queue_url, :entries => entries)
+  end
+end

data/lib/logstash/plugin_mixins/aws_config/generic.rb

@@ -0,0 +1,54 @@
+module LogStash::PluginMixins::AwsConfig::Generic
+  def self.included(base)
+    base.extend(self)
+    base.generic_aws_config
+  end
+
+  def generic_aws_config
+    # The AWS Region
+    config :region, :validate => :string, :default => LogStash::PluginMixins::AwsConfig::US_EAST_1
+
+    # This plugin uses the AWS SDK and supports several ways to get credentials, which will be tried in this order:
+    #
+    # 1. Static configuration, using `access_key_id` and `secret_access_key` params in the logstash plugin config
+    # 2. External credentials file specified by `aws_credentials_file`
+    # 3. Environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
+    # 4. Environment variables `AMAZON_ACCESS_KEY_ID` and `AMAZON_SECRET_ACCESS_KEY`
+    # 5. IAM Instance Profile (available when running inside EC2)
+    config :access_key_id, :validate => :string
+
+    # The AWS Secret Access Key
+    config :secret_access_key, :validate => :password
+
+    # The AWS Session token for temporary credential
+    config :session_token, :validate => :password
+
+    # URI to proxy server if required
+    config :proxy_uri, :validate => :string
+
+    # Custom endpoint to connect to s3
+    config :endpoint, :validate => :string
+
+    # The AWS IAM Role to assume, if any.
+    # This is used to generate temporary credentials typically for cross-account access.
+    # See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information.
+    # When `role_arn` is set, AWS (`access_key_id`/`secret_access_key`) credentials still get used if they're configured.
+    config :role_arn, :validate => :string
+
+    # Session name to use when assuming an IAM role
+    config :role_session_name, :validate => :string, :default => "logstash"
+
+    # Path to YAML file containing a hash of AWS credentials.
+    # This file will only be loaded if `access_key_id` and
+    # `secret_access_key` aren't set. The contents of the
+    # file should look like this:
+    #
+    # [source,ruby]
+    # ----------------------------------
+    #     :access_key_id: "12345"
+    #     :secret_access_key: "54321"
+    # ----------------------------------
+    #
+    config :aws_credentials_file, :validate => :string
+  end
+end

data/lib/logstash/plugin_mixins/aws_config/v2.rb

@@ -0,0 +1,93 @@
+# encoding: utf-8
+require "logstash/plugin_mixins/aws_config/generic"
+
+module LogStash::PluginMixins::AwsConfig::V2
+  def self.included(base)
+    base.extend(self)
+    base.send(:include, LogStash::PluginMixins::AwsConfig::Generic)
+  end
+
+  public
+  def aws_options_hash
+    opts = {}
+
+    opts[:http_proxy] = @proxy_uri if @proxy_uri
+
+    if @role_arn
+      credentials = assume_role(opts.dup)
+      opts[:credentials] = credentials
+    else
+      credentials = aws_credentials
+      opts[:credentials] = credentials if credentials
+    end
+
+    if self.respond_to?(:aws_service_endpoint)
+      # used by CloudWatch to basically do the same as bellow (returns { region: region })
+      opts.merge!(self.aws_service_endpoint(@region))
+    else
+      # NOTE: setting :region works with the aws sdk (resolves correct endpoint)
+      opts[:region] = @region
+    end
+
+    opts[:endpoint] = @endpoint unless @endpoint.nil?
+
+    if respond_to?(:additional_settings)
+      opts = symbolize_keys_and_cast_true_false(additional_settings).merge(opts)
+    end
+
+    return opts
+  end
+
+  private
+
+  def aws_credentials
+    if @access_key_id && @secret_access_key
+      Aws::Credentials.new(@access_key_id, @secret_access_key.value, @session_token ? @session_token.value : nil)
+    elsif @access_key_id.nil? ^ @secret_access_key.nil?
+      @logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
+      secret_access_key = @secret_access_key ? @secret_access_key.value : nil
+      Aws::Credentials.new(@access_key_id, secret_access_key, @session_token ? @session_token.value : nil)
+    elsif @aws_credentials_file
+      credentials_opts = YAML.load_file(@aws_credentials_file)
+      credentials_opts.default_proc = lambda { |hash, key| hash.fetch(key.to_s, nil) }
+      Aws::Credentials.new(credentials_opts[:access_key_id],
+                           credentials_opts[:secret_access_key],
+                           credentials_opts[:session_token])
+    else
+      nil # AWS client will read ENV or ~/.aws/credentials
+    end
+  end
+  alias credentials aws_credentials
+
+  def assume_role(opts = {})
+    unless opts.key?(:credentials)
+      credentials = aws_credentials
+      opts[:credentials] = credentials if credentials
+    end
+
+    # for a regional endpoint :region is always required by AWS
+    opts[:region] = @region
+
+    Aws::AssumeRoleCredentials.new(
+        :client => Aws::STS::Client.new(opts),
+        :role_arn => @role_arn,
+        :role_session_name => @role_session_name
+    )
+  end
+
+  def symbolize_keys_and_cast_true_false(hash)
+    case hash
+    when Hash
+      symbolized = {}
+      hash.each { |key, value| symbolized[key.to_sym] = symbolize_keys_and_cast_true_false(value) }
+      symbolized
+    when 'true'
+      true
+    when 'false'
+      false
+    else
+      hash
+    end
+  end
+
+end

data/lib/logstash/plugin_mixins/aws_config.rb

@@ -0,0 +1,8 @@
+# encoding: utf-8
+require "logstash/config/mixin"
+
+module LogStash::PluginMixins::AwsConfig
+  require "logstash/plugin_mixins/aws_config/v2"
+
+  US_EAST_1 = "us-east-1"
+end

data/lib/logstash-integration-aws_jars.rb

@@ -0,0 +1,4 @@
+# AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
+
+require 'jar_dependencies'
+require_jar('org.logstash.plugins.integration.aws', 'logstash-integration-aws', '7.1.1')

data/lib/tasks/build.rake

@@ -0,0 +1,15 @@
+# encoding: utf-8
+require "jars/installer"
+require "fileutils"
+
+task :vendor do
+  exit(1) unless system './gradlew vendor'
+  version = File.read("VERSION").strip
+end
+
+desc "clean"
+task :clean do
+  ["build", "vendor/jar-dependencies", "Gemfile.lock"].each do |p|
+    FileUtils.rm_rf(p)
+  end
+end

data/logstash-integration-aws.gemspec

@@ -0,0 +1,55 @@
+INTEGRATION_AWS_VERSION = File.read(File.expand_path(File.join(File.dirname(__FILE__), "VERSION"))).strip unless defined?(INTEGRATION_AWS_VERSION)
+
+Gem::Specification.new do |s|
+  s.name            = "logstash-integration-aws"
+  s.version         = INTEGRATION_AWS_VERSION
+  s.licenses        = ["Apache-2.0"]
+  s.summary         = "Collection of Logstash plugins that integrate with AWS"
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.authors         = ["Elastic"]
+  s.email           = "info@elastic.co"
+  s.homepage        = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  s.platform        = "java"
+  s.metadata        = {
+    "logstash_plugin" => "true",
+    "logstash_group" => "integration",
+    "integration_plugins" => %w(
+      logstash-codec-cloudfront
+      logstash-codec-cloudtrail
+      logstash-input-cloudwatch
+      logstash-input-s3
+      logstash-input-sqs
+      logstash-output-cloudwatch
+      logstash-output-s3
+      logstash-output-sns
+      logstash-output-sqs).join(",")
+  }
+
+
+  s.require_paths   = ["lib", "vendor/jar-dependencies"]
+  s.files           = Dir["lib/**/*","spec/**/*","*.gemspec","*.md","CONTRIBUTORS","Gemfile","LICENSE","NOTICE.TXT", "VERSION", "docs/**/*", "vendor/jar-dependencies/**/*.jar", "vendor/jar-dependencies/**/*.rb"]
+  s.test_files      = s.files.grep(%r{^(test|spec|features)/})
+
+
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 2.1.12", "<= 2.99"
+  s.add_runtime_dependency "concurrent-ruby"
+  s.add_runtime_dependency "logstash-codec-json"
+  s.add_runtime_dependency "logstash-codec-plain"
+  s.add_runtime_dependency "rufus-scheduler", ">= 3.0.9"
+  s.add_runtime_dependency "stud", "~> 0.0.22"
+  s.add_runtime_dependency "aws-sdk-core", "~> 3"
+  s.add_runtime_dependency "aws-sdk-s3"
+  s.add_runtime_dependency "aws-sdk-sqs"
+  s.add_runtime_dependency "aws-sdk-sns"
+  s.add_runtime_dependency "aws-sdk-cloudwatch"
+  s.add_runtime_dependency "aws-sdk-cloudfront"
+  s.add_runtime_dependency "aws-sdk-resourcegroups"
+
+  s.add_development_dependency "logstash-codec-json_lines"
+  s.add_development_dependency "logstash-codec-multiline"
+  s.add_development_dependency "logstash-codec-json"
+  s.add_development_dependency "logstash-codec-line"
+  s.add_development_dependency "logstash-devutils"
+  s.add_development_dependency "logstash-input-generator"
+  s.add_development_dependency "timecop"
+end

data/spec/codecs/cloudfront_spec.rb

@@ -0,0 +1,92 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/codecs/cloudfront"
+require "logstash/errors"
+require "stringio"
+require "zlib"
+
+def compress_with_gzip(io)
+  compressed = StringIO.new('', 'r+b')
+
+  gzip = Zlib::GzipWriter.new(compressed)
+  gzip.write(io.read)
+  gzip.finish
+
+  compressed.rewind
+
+  compressed
+end
+
+describe LogStash::Codecs::Cloudfront do
+  let!(:uncompressed_cloudfront_log) do
+    # Using format from
+    # http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
+    str = StringIO.new
+
+    str << "#Version: 1.0\n"
+    str << "#Fields: date time x-edge-location c-ip x-event sc-bytes x-cf-status x-cf-client-id cs-uri-stem cs-uri-query c-referrer x-page-url​  c-user-agent x-sname x-sname-query x-file-ext x-sid\n"
+    str << "2010-03-12   23:51:20   SEA4   192.0.2.147   connect   2014   OK   bfd8a98bee0840d9b871b7f6ade9908f   rtmp://shqshne4jdp4b6.cloudfront.net/cfx/st​  key=value   http://player.longtailvideo.com/player.swf   http://www.longtailvideo.com/support/jw-player-setup-wizard?example=204   LNX%2010,0,32,18   -   -   -   -\n"
+    str << "2010-03-12   23:51:21   SEA4   192.0.2.222   play   3914   OK   bfd8a98bee0840d9b871b7f6ade9908f   rtmp://shqshne4jdp4b6.cloudfront.net/cfx/st​  key=value   http://player.longtailvideo.com/player.swf   http://www.longtailvideo.com/support/jw-player-setup-wizard?example=204   LNX%2010,0,32,18   myvideo   p=2&q=4   flv   1\n"
+
+    str.rewind
+    str
+  end
+
+  describe "#decode" do
+    it "should create events from a gzip file" do
+      events = []
+
+      subject.decode(compress_with_gzip(uncompressed_cloudfront_log)) do |event|
+        events << event
+      end
+
+      expect(events.size).to eq(2)
+    end
+
+    it 'should extract the metadata of the file' do
+      events = []
+
+      subject.decode(compress_with_gzip(uncompressed_cloudfront_log)) do |event|
+        events << event
+      end
+
+      expect(events.first.get("cloudfront_version")).to eq("1.0")
+      expect(events.first.get("cloudfront_fields")).to eq("date time x-edge-location c-ip x-event sc-bytes x-cf-status x-cf-client-id cs-uri-stem cs-uri-query c-referrer x-page-url​  c-user-agent x-sname x-sname-query x-file-ext x-sid")
+    end
+  end
+
+  describe "#extract_version" do
+    it "returns the version from a matched string" do
+      line = "#Version: 1.0"
+
+      expect(subject.extract_version(line)).to eq("1.0")
+    end
+
+    it "doesn't return anything if version isnt matched" do
+      line = "Bleh my string"
+      expect(subject.extract_version(line)).to eq(nil)
+    end
+
+    it "doesn't match if #Version is not at the beginning of the string" do
+      line = "2010-03-12   23:53:44   SEA4   192.0.2.4   stop   323914   OK   bfd8a98bee0840d9b871b7f6ade9908f #Version: 1.0 Bleh blah"
+      expect(subject.extract_version(line)).to eq(nil)
+    end
+  end
+
+  describe "#extract_fields" do
+    it "return a string with all the fields" do
+      line = "#Fields: date time x-edge-location c-ip x-event sc-bytes x-cf-status x-cf-client-id cs-uri-stem cs-uri-query c-referrer x-page-url​  c-user-agent x-sname x-sname-query x-file-ext x-sid"
+      expect(subject.extract_fields(line)).to eq("date time x-edge-location c-ip x-event sc-bytes x-cf-status x-cf-client-id cs-uri-stem cs-uri-query c-referrer x-page-url​  c-user-agent x-sname x-sname-query x-file-ext x-sid")
+    end
+
+    it "doesn't return anything if we can the fields list" do
+      line = "Bleh my string"
+      expect(subject.extract_fields(line)).to eq(nil)
+    end
+
+    it "doesnt match if #Fields: is not at the beginning of the string" do
+      line = "2010-03-12   23:53:44   SEA4   192.0.2.4   stop   323914   OK   bfd8a98bee0840d9b871b7f6ade9908f #Fields: 1.0 Bleh blah"
+      expect(subject.extract_fields(line)).to eq(nil)
+    end
+  end
+end

data/spec/codecs/cloudtrail_spec.rb

@@ -0,0 +1,56 @@
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/plugin"
+require "logstash/codecs/cloudtrail"
+require 'resolv'
+
+describe LogStash::Codecs::CloudTrail do
+
+  shared_examples_for "it handles valid ip addresses" do
+    it 'should pass through valid ip addresses' do
+      ip_addresses.each do |valid_ip_address|
+        subject.decode("{\"Records\":[{\"sourceIpAddress\":\"#{valid_ip_address}\"}]}") do |event|
+          expect(event.get("sourceIpAddress")).to eq(valid_ip_address)
+          expect(event.get("sourceHost")).to be_nil
+        end
+      end
+    end
+  end
+
+  describe '#decode' do
+    it 'accepts data without a Records property' do
+      expect { |b|
+        subject.decode('{}', &b)
+      }.not_to yield_control
+    end
+
+    it 'accepts records with null requestParameters' do
+      expect { |b|
+        subject.decode('{"Records":[{"requestParameters":null}]}', &b)
+      }.to yield_control
+    end
+
+    context 'with ipv4 sourceIpAddress values' do
+      let(:ip_addresses) { ["127.0.0.1", "8.8.8.8", "10.10.10.10", "100.100.100.100", "1.12.123.234"] }
+      it_behaves_like 'it handles valid ip addresses'
+    end
+
+    context 'with ipv6 sourceIpAddress values' do
+      let(:ip_addresses) { ["2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:db8:85a3::8a2e:370:7334", "::1", "::"] }
+      it_behaves_like 'it handles valid ip addresses'
+    end
+
+    it 'accepts records with an invalid sourceIpAddress' do
+      subject.decode('{"Records":[{"sourceIpAddress":"www.elastic.co"}]}') do |event|
+        expect(event.get("sourceIpAddress")).to be_nil
+        expect(event.get("sourceHost")).to eq("www.elastic.co")
+      end
+    end
+
+    it 'accepts records with a no sourceIpAddress' do
+      subject.decode('{"Records":[{"sourceIpAddress":null}]}') do |event|
+        expect(event.get("sourceIpAddress")).to be_nil
+        expect(event.get("sourceHost")).to be_nil
+      end
+    end
+  end
+end

data/spec/fixtures/aws_credentials_file_sample_test.yml

@@ -0,0 +1,2 @@
+:access_key_id: '1234'
+:secret_access_key: secret

data/spec/fixtures/aws_temporary_credentials_file_sample_test.yml

@@ -0,0 +1,3 @@
+:access_key_id: '1234'
+:secret_access_key: secret
+:session_token: session_token

data/spec/fixtures/cloudfront.log

@@ -0,0 +1,4 @@
+#Version: 1.0
+#Fields: date time x-edge-location c-ip x-event sc-bytes x-cf-status x-cf-client-id cs-uri-stem cs-uri-query c-referrer x-page-url​  c-user-agent x-sname x-sname-query x-file-ext x-sid
+2010-03-12   23:51:20   SEA4   192.0.2.147   connect   2014   OK   bfd8a98bee0840d9b871b7f6ade9908f   rtmp://shqshne4jdp4b6.cloudfront.net/cfx/st​  key=value   http://player.longtailvideo.com/player.swf   http://www.longtailvideo.com/support/jw-player-setup-wizard?example=204   LNX%2010,0,32,18   -   -   -   -
+2010-03-12   23:51:21   SEA4   192.0.2.222   play   3914   OK   bfd8a98bee0840d9b871b7f6ade9908f   rtmp://shqshne4jdp4b6.cloudfront.net/cfx/st​  key=value   http://player.longtailvideo.com/player.swf   http://www.longtailvideo.com/support/jw-player-setup-wizard?example=204   LNX%2010,0,32,18   myvideo   p=2&q=4   flv   1

data/spec/fixtures/invalid_utf8.gbk.log

@@ -0,0 +1,2 @@
+2015-01-01T02:52:45.866722Z no "GET http://www.logstash.com:80/utfmadness/��4od HTTP/1.1"
+

data/spec/fixtures/json.log

@@ -0,0 +1,2 @@
+{ "hello": "world" }
+{ "hello": "awesome world" }

data/spec/fixtures/json_with_message.log

@@ -0,0 +1,2 @@
+{ "message": ["GET", 32, "/health"] }
+{ "message": true }

data/spec/fixtures/multiline.log

@@ -0,0 +1,6 @@
+__SEPARATOR__
+file:1 record:1 line:1
+file:1 record:1 line:2
+__SEPARATOR__
+file:1 record:2 line:1
+file:1 record:2 line:2

data/spec/fixtures/uncompressed.log

@@ -0,0 +1,2 @@
+2010-03-12   23:51:20   SEA4   192.0.2.147   connect   2014   OK   bfd8a98bee0840d9b871b7f6ade9908f   rtmp://shqshne4jdp4b6.cloudfront.net/cfx/st​  key=value   http://player.longtailvideo.com/player.swf   http://www.longtailvideo.com/support/jw-player-setup-wizard?example=204   LNX%2010,0,32,18   -   -   -   -
+2010-03-12   23:51:21   SEA4   192.0.2.222   play   3914   OK   bfd8a98bee0840d9b871b7f6ade9908f   rtmp://shqshne4jdp4b6.cloudfront.net/cfx/st​  key=value   http://player.longtailvideo.com/player.swf   http://www.longtailvideo.com/support/jw-player-setup-wizard?example=204   LNX%2010,0,32,18   myvideo   p=2&q=4   flv   1