RubyGems - logstash-lib - Versions diffs - 1.3.2 - Mend

logstash-lib 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (419) hide show

data/.gitignore +24 -0
data/.tailor +8 -0
data/.travis.yml +12 -0
data/CHANGELOG +1185 -0
data/CONTRIBUTING.md +61 -0
data/CONTRIBUTORS +79 -0
data/LICENSE +14 -0
data/Makefile +460 -0
data/README.md +120 -0
data/STYLE.md +96 -0
data/bin/logstash +37 -0
data/bin/logstash-test +4 -0
data/bin/logstash-web +4 -0
data/bin/logstash.lib.sh +78 -0
data/bot/check_pull_changelog.rb +89 -0
data/docs/configuration.md +260 -0
data/docs/docgen.rb +242 -0
data/docs/extending/example-add-a-new-filter.md +121 -0
data/docs/extending/index.md +91 -0
data/docs/flags.md +43 -0
data/docs/generate_index.rb +28 -0
data/docs/index.html.erb +56 -0
data/docs/learn.md +46 -0
data/docs/life-of-an-event.md +109 -0
data/docs/logging-tool-comparisons.md +60 -0
data/docs/plugin-doc.html.erb +91 -0
data/docs/plugin-milestones.md +41 -0
data/docs/plugin-synopsis.html.erb +24 -0
data/docs/release-engineering.md +46 -0
data/docs/release-test-results.md +14 -0
data/docs/repositories.md +35 -0
data/docs/tutorials/10-minute-walkthrough/apache-elasticsearch.conf +35 -0
data/docs/tutorials/10-minute-walkthrough/apache-parse.conf +33 -0
data/docs/tutorials/10-minute-walkthrough/apache_log.1 +1 -0
data/docs/tutorials/10-minute-walkthrough/apache_log.2.bz2 +0 -0
data/docs/tutorials/10-minute-walkthrough/hello-search.conf +25 -0
data/docs/tutorials/10-minute-walkthrough/hello.conf +16 -0
data/docs/tutorials/10-minute-walkthrough/index.md +124 -0
data/docs/tutorials/10-minute-walkthrough/step-5-output.txt +17 -0
data/docs/tutorials/getting-started-centralized-overview-diagram.png +0 -0
data/docs/tutorials/getting-started-centralized-overview-diagram.xml +1 -0
data/docs/tutorials/getting-started-centralized.md +217 -0
data/docs/tutorials/getting-started-simple.md +200 -0
data/docs/tutorials/just-enough-rabbitmq-for-logstash.md +201 -0
data/docs/tutorials/media/frontend-response-codes.png +0 -0
data/docs/tutorials/metrics-from-logs.md +84 -0
data/docs/tutorials/zeromq.md +118 -0
data/extract_services.rb +29 -0
data/gembag.rb +64 -0
data/lib/logstash-event.rb +2 -0
data/lib/logstash.rb +4 -0
data/lib/logstash/JRUBY-6970-openssl.rb +22 -0
data/lib/logstash/JRUBY-6970.rb +102 -0
data/lib/logstash/agent.rb +305 -0
data/lib/logstash/certs/cacert.pem +3895 -0
data/lib/logstash/codecs/base.rb +49 -0
data/lib/logstash/codecs/compress_spooler.rb +50 -0
data/lib/logstash/codecs/dots.rb +18 -0
data/lib/logstash/codecs/edn.rb +28 -0
data/lib/logstash/codecs/edn_lines.rb +36 -0
data/lib/logstash/codecs/fluent.rb +55 -0
data/lib/logstash/codecs/graphite.rb +114 -0
data/lib/logstash/codecs/json.rb +41 -0
data/lib/logstash/codecs/json_lines.rb +52 -0
data/lib/logstash/codecs/json_spooler.rb +22 -0
data/lib/logstash/codecs/line.rb +58 -0
data/lib/logstash/codecs/msgpack.rb +43 -0
data/lib/logstash/codecs/multiline.rb +189 -0
data/lib/logstash/codecs/netflow.rb +342 -0
data/lib/logstash/codecs/netflow/util.rb +212 -0
data/lib/logstash/codecs/noop.rb +19 -0
data/lib/logstash/codecs/oldlogstashjson.rb +56 -0
data/lib/logstash/codecs/plain.rb +48 -0
data/lib/logstash/codecs/rubydebug.rb +22 -0
data/lib/logstash/codecs/spool.rb +38 -0
data/lib/logstash/config/Makefile +4 -0
data/lib/logstash/config/config_ast.rb +380 -0
data/lib/logstash/config/file.rb +39 -0
data/lib/logstash/config/grammar.rb +3504 -0
data/lib/logstash/config/grammar.treetop +241 -0
data/lib/logstash/config/mixin.rb +464 -0
data/lib/logstash/config/registry.rb +13 -0
data/lib/logstash/config/test.conf +18 -0
data/lib/logstash/errors.rb +10 -0
data/lib/logstash/event.rb +262 -0
data/lib/logstash/filters/advisor.rb +178 -0
data/lib/logstash/filters/alter.rb +173 -0
data/lib/logstash/filters/anonymize.rb +93 -0
data/lib/logstash/filters/base.rb +190 -0
data/lib/logstash/filters/checksum.rb +50 -0
data/lib/logstash/filters/cidr.rb +76 -0
data/lib/logstash/filters/cipher.rb +145 -0
data/lib/logstash/filters/clone.rb +35 -0
data/lib/logstash/filters/collate.rb +114 -0
data/lib/logstash/filters/csv.rb +94 -0
data/lib/logstash/filters/date.rb +244 -0
data/lib/logstash/filters/dns.rb +201 -0
data/lib/logstash/filters/drop.rb +32 -0
data/lib/logstash/filters/elapsed.rb +256 -0
data/lib/logstash/filters/elasticsearch.rb +73 -0
data/lib/logstash/filters/environment.rb +27 -0
data/lib/logstash/filters/extractnumbers.rb +84 -0
data/lib/logstash/filters/gelfify.rb +52 -0
data/lib/logstash/filters/geoip.rb +145 -0
data/lib/logstash/filters/grep.rb +153 -0
data/lib/logstash/filters/grok.rb +425 -0
data/lib/logstash/filters/grokdiscovery.rb +75 -0
data/lib/logstash/filters/i18n.rb +51 -0
data/lib/logstash/filters/json.rb +90 -0
data/lib/logstash/filters/json_encode.rb +52 -0
data/lib/logstash/filters/kv.rb +232 -0
data/lib/logstash/filters/metaevent.rb +68 -0
data/lib/logstash/filters/metrics.rb +237 -0
data/lib/logstash/filters/multiline.rb +241 -0
data/lib/logstash/filters/mutate.rb +399 -0
data/lib/logstash/filters/noop.rb +21 -0
data/lib/logstash/filters/prune.rb +149 -0
data/lib/logstash/filters/punct.rb +32 -0
data/lib/logstash/filters/railsparallelrequest.rb +86 -0
data/lib/logstash/filters/range.rb +142 -0
data/lib/logstash/filters/ruby.rb +42 -0
data/lib/logstash/filters/sleep.rb +111 -0
data/lib/logstash/filters/split.rb +64 -0
data/lib/logstash/filters/sumnumbers.rb +73 -0
data/lib/logstash/filters/syslog_pri.rb +107 -0
data/lib/logstash/filters/translate.rb +121 -0
data/lib/logstash/filters/unique.rb +29 -0
data/lib/logstash/filters/urldecode.rb +57 -0
data/lib/logstash/filters/useragent.rb +112 -0
data/lib/logstash/filters/uuid.rb +58 -0
data/lib/logstash/filters/xml.rb +139 -0
data/lib/logstash/filters/zeromq.rb +123 -0
data/lib/logstash/filterworker.rb +122 -0
data/lib/logstash/inputs/base.rb +125 -0
data/lib/logstash/inputs/collectd.rb +306 -0
data/lib/logstash/inputs/drupal_dblog.rb +323 -0
data/lib/logstash/inputs/drupal_dblog/jdbcconnection.rb +66 -0
data/lib/logstash/inputs/elasticsearch.rb +140 -0
data/lib/logstash/inputs/eventlog.rb +129 -0
data/lib/logstash/inputs/eventlog/racob_fix.rb +44 -0
data/lib/logstash/inputs/exec.rb +69 -0
data/lib/logstash/inputs/file.rb +146 -0
data/lib/logstash/inputs/ganglia.rb +127 -0
data/lib/logstash/inputs/ganglia/gmondpacket.rb +146 -0
data/lib/logstash/inputs/ganglia/xdr.rb +327 -0
data/lib/logstash/inputs/gelf.rb +138 -0
data/lib/logstash/inputs/gemfire.rb +222 -0
data/lib/logstash/inputs/generator.rb +97 -0
data/lib/logstash/inputs/graphite.rb +41 -0
data/lib/logstash/inputs/heroku.rb +51 -0
data/lib/logstash/inputs/imap.rb +136 -0
data/lib/logstash/inputs/irc.rb +84 -0
data/lib/logstash/inputs/log4j.rb +136 -0
data/lib/logstash/inputs/lumberjack.rb +53 -0
data/lib/logstash/inputs/pipe.rb +57 -0
data/lib/logstash/inputs/rabbitmq.rb +126 -0
data/lib/logstash/inputs/rabbitmq/bunny.rb +118 -0
data/lib/logstash/inputs/rabbitmq/hot_bunnies.rb +1 -0
data/lib/logstash/inputs/rabbitmq/march_hare.rb +129 -0
data/lib/logstash/inputs/redis.rb +263 -0
data/lib/logstash/inputs/relp.rb +106 -0
data/lib/logstash/inputs/s3.rb +279 -0
data/lib/logstash/inputs/snmptrap.rb +87 -0
data/lib/logstash/inputs/sqlite.rb +185 -0
data/lib/logstash/inputs/sqs.rb +172 -0
data/lib/logstash/inputs/stdin.rb +46 -0
data/lib/logstash/inputs/stomp.rb +84 -0
data/lib/logstash/inputs/syslog.rb +237 -0
data/lib/logstash/inputs/tcp.rb +231 -0
data/lib/logstash/inputs/threadable.rb +18 -0
data/lib/logstash/inputs/twitter.rb +82 -0
data/lib/logstash/inputs/udp.rb +81 -0
data/lib/logstash/inputs/unix.rb +163 -0
data/lib/logstash/inputs/varnishlog.rb +48 -0
data/lib/logstash/inputs/websocket.rb +50 -0
data/lib/logstash/inputs/wmi.rb +72 -0
data/lib/logstash/inputs/xmpp.rb +81 -0
data/lib/logstash/inputs/zenoss.rb +143 -0
data/lib/logstash/inputs/zeromq.rb +165 -0
data/lib/logstash/kibana.rb +113 -0
data/lib/logstash/loadlibs.rb +9 -0
data/lib/logstash/logging.rb +89 -0
data/lib/logstash/monkeypatches-for-bugs.rb +2 -0
data/lib/logstash/monkeypatches-for-debugging.rb +47 -0
data/lib/logstash/monkeypatches-for-performance.rb +66 -0
data/lib/logstash/multiqueue.rb +53 -0
data/lib/logstash/namespace.rb +16 -0
data/lib/logstash/outputs/base.rb +120 -0
data/lib/logstash/outputs/boundary.rb +116 -0
data/lib/logstash/outputs/circonus.rb +78 -0
data/lib/logstash/outputs/cloudwatch.rb +351 -0
data/lib/logstash/outputs/csv.rb +55 -0
data/lib/logstash/outputs/datadog.rb +93 -0
data/lib/logstash/outputs/datadog_metrics.rb +123 -0
data/lib/logstash/outputs/elasticsearch.rb +332 -0
data/lib/logstash/outputs/elasticsearch/elasticsearch-template.json +44 -0
data/lib/logstash/outputs/elasticsearch_http.rb +256 -0
data/lib/logstash/outputs/elasticsearch_river.rb +214 -0
data/lib/logstash/outputs/email.rb +299 -0
data/lib/logstash/outputs/exec.rb +40 -0
data/lib/logstash/outputs/file.rb +180 -0
data/lib/logstash/outputs/ganglia.rb +75 -0
data/lib/logstash/outputs/gelf.rb +208 -0
data/lib/logstash/outputs/gemfire.rb +103 -0
data/lib/logstash/outputs/google_bigquery.rb +570 -0
data/lib/logstash/outputs/google_cloud_storage.rb +431 -0
data/lib/logstash/outputs/graphite.rb +143 -0
data/lib/logstash/outputs/graphtastic.rb +185 -0
data/lib/logstash/outputs/hipchat.rb +80 -0
data/lib/logstash/outputs/http.rb +142 -0
data/lib/logstash/outputs/irc.rb +80 -0
data/lib/logstash/outputs/jira.rb +109 -0
data/lib/logstash/outputs/juggernaut.rb +105 -0
data/lib/logstash/outputs/librato.rb +146 -0
data/lib/logstash/outputs/loggly.rb +93 -0
data/lib/logstash/outputs/lumberjack.rb +51 -0
data/lib/logstash/outputs/metriccatcher.rb +103 -0
data/lib/logstash/outputs/mongodb.rb +81 -0
data/lib/logstash/outputs/nagios.rb +119 -0
data/lib/logstash/outputs/nagios_nsca.rb +123 -0
data/lib/logstash/outputs/null.rb +18 -0
data/lib/logstash/outputs/opentsdb.rb +101 -0
data/lib/logstash/outputs/pagerduty.rb +79 -0
data/lib/logstash/outputs/pipe.rb +132 -0
data/lib/logstash/outputs/rabbitmq.rb +96 -0
data/lib/logstash/outputs/rabbitmq/bunny.rb +135 -0
data/lib/logstash/outputs/rabbitmq/hot_bunnies.rb +1 -0
data/lib/logstash/outputs/rabbitmq/march_hare.rb +143 -0
data/lib/logstash/outputs/redis.rb +245 -0
data/lib/logstash/outputs/riak.rb +152 -0
data/lib/logstash/outputs/riemann.rb +109 -0
data/lib/logstash/outputs/s3.rb +356 -0
data/lib/logstash/outputs/sns.rb +124 -0
data/lib/logstash/outputs/solr_http.rb +78 -0
data/lib/logstash/outputs/sqs.rb +141 -0
data/lib/logstash/outputs/statsd.rb +116 -0
data/lib/logstash/outputs/stdout.rb +53 -0
data/lib/logstash/outputs/stomp.rb +67 -0
data/lib/logstash/outputs/syslog.rb +145 -0
data/lib/logstash/outputs/tcp.rb +145 -0
data/lib/logstash/outputs/udp.rb +38 -0
data/lib/logstash/outputs/websocket.rb +46 -0
data/lib/logstash/outputs/websocket/app.rb +29 -0
data/lib/logstash/outputs/websocket/pubsub.rb +45 -0
data/lib/logstash/outputs/xmpp.rb +78 -0
data/lib/logstash/outputs/zabbix.rb +108 -0
data/lib/logstash/outputs/zeromq.rb +125 -0
data/lib/logstash/pipeline.rb +286 -0
data/lib/logstash/plugin.rb +150 -0
data/lib/logstash/plugin_mixins/aws_config.rb +93 -0
data/lib/logstash/program.rb +15 -0
data/lib/logstash/runner.rb +238 -0
data/lib/logstash/sized_queue.rb +8 -0
data/lib/logstash/test.rb +183 -0
data/lib/logstash/threadwatchdog.rb +37 -0
data/lib/logstash/time_addon.rb +33 -0
data/lib/logstash/util.rb +106 -0
data/lib/logstash/util/buftok.rb +139 -0
data/lib/logstash/util/charset.rb +39 -0
data/lib/logstash/util/fieldreference.rb +50 -0
data/lib/logstash/util/password.rb +25 -0
data/lib/logstash/util/prctl.rb +11 -0
data/lib/logstash/util/relp.rb +326 -0
data/lib/logstash/util/require-helper.rb +18 -0
data/lib/logstash/util/socket_peer.rb +7 -0
data/lib/logstash/util/zenoss.rb +566 -0
data/lib/logstash/util/zeromq.rb +47 -0
data/lib/logstash/version.rb +6 -0
data/locales/en.yml +170 -0
data/logstash-event.gemspec +29 -0
data/logstash.gemspec +128 -0
data/patterns/firewalls +60 -0
data/patterns/grok-patterns +91 -0
data/patterns/haproxy +37 -0
data/patterns/java +3 -0
data/patterns/linux-syslog +14 -0
data/patterns/mcollective +1 -0
data/patterns/mcollective-patterns +4 -0
data/patterns/nagios +108 -0
data/patterns/postgresql +3 -0
data/patterns/redis +3 -0
data/patterns/ruby +2 -0
data/pkg/build.sh +135 -0
data/pkg/centos/after-install.sh +1 -0
data/pkg/centos/before-install.sh +10 -0
data/pkg/centos/before-remove.sh +11 -0
data/pkg/centos/sysconfig +15 -0
data/pkg/debian/after-install.sh +5 -0
data/pkg/debian/before-install.sh +13 -0
data/pkg/debian/before-remove.sh +13 -0
data/pkg/debian/build.sh +34 -0
data/pkg/debian/debian/README +6 -0
data/pkg/debian/debian/changelog +17 -0
data/pkg/debian/debian/compat +1 -0
data/pkg/debian/debian/control +16 -0
data/pkg/debian/debian/copyright +27 -0
data/pkg/debian/debian/dirs +19 -0
data/pkg/debian/debian/docs +0 -0
data/pkg/debian/debian/logstash.default +39 -0
data/pkg/debian/debian/logstash.init +201 -0
data/pkg/debian/debian/logstash.install +1 -0
data/pkg/debian/debian/logstash.logrotate +9 -0
data/pkg/debian/debian/logstash.postinst +68 -0
data/pkg/debian/debian/logstash.postrm +23 -0
data/pkg/debian/debian/manpage.1.ex +59 -0
data/pkg/debian/debian/preinst.ex +37 -0
data/pkg/debian/debian/prerm.ex +40 -0
data/pkg/debian/debian/release.conf +5 -0
data/pkg/debian/debian/rules +80 -0
data/pkg/debian/debian/watch.ex +22 -0
data/pkg/logrotate.conf +8 -0
data/pkg/logstash-web.default +41 -0
data/pkg/logstash-web.sysv.debian +201 -0
data/pkg/logstash-web.upstart.ubuntu +18 -0
data/pkg/logstash.default +45 -0
data/pkg/logstash.sysv.debian +202 -0
data/pkg/logstash.sysv.redhat +158 -0
data/pkg/logstash.upstart.ubuntu +20 -0
data/pkg/rpm/SOURCES/logstash.conf +26 -0
data/pkg/rpm/SOURCES/logstash.init +80 -0
data/pkg/rpm/SOURCES/logstash.logrotate +8 -0
data/pkg/rpm/SOURCES/logstash.sysconfig +3 -0
data/pkg/rpm/SOURCES/logstash.wrapper +105 -0
data/pkg/rpm/SPECS/logstash.spec +180 -0
data/pkg/rpm/readme.md +4 -0
data/pkg/ubuntu/after-install.sh +7 -0
data/pkg/ubuntu/before-install.sh +12 -0
data/pkg/ubuntu/before-remove.sh +13 -0
data/pull_release_note.rb +25 -0
data/require-analyze.rb +22 -0
data/spec/README.md +14 -0
data/spec/codecs/edn.rb +40 -0
data/spec/codecs/edn_lines.rb +53 -0
data/spec/codecs/graphite.rb +96 -0
data/spec/codecs/json.rb +57 -0
data/spec/codecs/json_lines.rb +51 -0
data/spec/codecs/json_spooler.rb +43 -0
data/spec/codecs/msgpack.rb +39 -0
data/spec/codecs/multiline.rb +60 -0
data/spec/codecs/oldlogstashjson.rb +55 -0
data/spec/codecs/plain.rb +35 -0
data/spec/codecs/spool.rb +35 -0
data/spec/conditionals/test.rb +323 -0
data/spec/config.rb +31 -0
data/spec/event.rb +165 -0
data/spec/examples/fail2ban.rb +28 -0
data/spec/examples/graphite-input.rb +41 -0
data/spec/examples/mysql-slow-query.rb +70 -0
data/spec/examples/parse-apache-logs.rb +66 -0
data/spec/examples/parse-haproxy-logs.rb +115 -0
data/spec/examples/syslog.rb +48 -0
data/spec/filters/alter.rb +96 -0
data/spec/filters/anonymize.rb +189 -0
data/spec/filters/checksum.rb +41 -0
data/spec/filters/clone.rb +67 -0
data/spec/filters/collate.rb +122 -0
data/spec/filters/csv.rb +174 -0
data/spec/filters/date.rb +285 -0
data/spec/filters/date_performance.rb +31 -0
data/spec/filters/dns.rb +159 -0
data/spec/filters/drop.rb +19 -0
data/spec/filters/elapsed.rb +294 -0
data/spec/filters/environment.rb +43 -0
data/spec/filters/geoip.rb +62 -0
data/spec/filters/grep.rb +342 -0
data/spec/filters/grok.rb +473 -0
data/spec/filters/grok/timeout2.rb +56 -0
data/spec/filters/grok/timeouts.rb +39 -0
data/spec/filters/i18n.rb +25 -0
data/spec/filters/json.rb +72 -0
data/spec/filters/json_encode.rb +37 -0
data/spec/filters/kv.rb +403 -0
data/spec/filters/metrics.rb +212 -0
data/spec/filters/multiline.rb +119 -0
data/spec/filters/mutate.rb +180 -0
data/spec/filters/noop.rb +221 -0
data/spec/filters/prune.rb +441 -0
data/spec/filters/punct.rb +18 -0
data/spec/filters/railsparallelrequest.rb +112 -0
data/spec/filters/range.rb +169 -0
data/spec/filters/split.rb +58 -0
data/spec/filters/translate.rb +70 -0
data/spec/filters/unique.rb +25 -0
data/spec/filters/useragent.rb +42 -0
data/spec/filters/xml.rb +157 -0
data/spec/inputs/file.rb +107 -0
data/spec/inputs/gelf.rb +52 -0
data/spec/inputs/generator.rb +30 -0
data/spec/inputs/imap.rb +60 -0
data/spec/inputs/redis.rb +63 -0
data/spec/inputs/relp.rb +70 -0
data/spec/inputs/tcp.rb +101 -0
data/spec/jar.rb +21 -0
data/spec/outputs/csv.rb +266 -0
data/spec/outputs/elasticsearch.rb +161 -0
data/spec/outputs/elasticsearch_http.rb +240 -0
data/spec/outputs/email.rb +173 -0
data/spec/outputs/file.rb +82 -0
data/spec/outputs/graphite.rb +236 -0
data/spec/outputs/redis.rb +127 -0
data/spec/speed.rb +20 -0
data/spec/sqlite-test.rb +81 -0
data/spec/support/LOGSTASH-733.rb +21 -0
data/spec/support/LOGSTASH-820.rb +25 -0
data/spec/support/akamai-grok.rb +26 -0
data/spec/support/date-http.rb +17 -0
data/spec/support/postwait1.rb +26 -0
data/spec/support/pull375.rb +21 -0
data/spec/test_utils.rb +125 -0
data/spec/util/fieldeval_spec.rb +44 -0
data/test/jenkins/config.xml.erb +74 -0
data/test/jenkins/create-jobs.rb +23 -0
data/test/jenkins/generatorjob.config.xml +66 -0
data/tools/Gemfile +14 -0
data/tools/Gemfile.jruby-1.9.lock +322 -0
data/tools/Gemfile.rbx-2.1.lock +516 -0
data/tools/Gemfile.ruby-1.9.1.lock +310 -0
data/tools/Gemfile.ruby-2.0.0.lock +310 -0
metadata +629 -0

data/lib/logstash/codecs/json_spooler.rb ADDED

@@ -0,0 +1,22 @@
+# encoding: utf-8
+require "logstash/codecs/base"
+require "logstash/codecs/spool"
+# This is the base class for logstash codecs.
+class LogStash::Codecs::JsonSpooler < LogStash::Codecs::Spool
+  config_name "json_spooler"
+  milestone 1
+  public
+  def decode(data)
+    super(JSON.parse(data.force_encoding("UTF-8"))) do |event|
+      yield event
+    end
+  end # def decode
+  public
+  def encode(data)
+    super(data)
+  end # def encode
+end # class LogStash::Codecs::Json

data/lib/logstash/codecs/line.rb ADDED

@@ -0,0 +1,58 @@
+# encoding: utf-8
+require "logstash/codecs/base"
+require "logstash/util/charset"
+# Line-oriented text data.
+#
+# Decoding behavior: Only whole line events will be emitted.
+#
+# Encoding behavior: Each event will be emitted with a trailing newline.
+class LogStash::Codecs::Line < LogStash::Codecs::Base
+  config_name "line"
+  milestone 3
+  # Set the desired text format for encoding.
+  config :format, :validate => :string
+  # The character encoding used in this input. Examples include "UTF-8"
+  # and "cp1252"
+  #
+  # This setting is useful if your log files are in Latin-1 (aka cp1252)
+  # or in another character set other than UTF-8.
+  #
+  # This only affects "plain" format logs since json is UTF-8 already.
+  config :charset, :validate => ::Encoding.name_list, :default => "UTF-8"
+  public
+  def register
+    require "logstash/util/buftok"
+    @buffer = FileWatch::BufferedTokenizer.new
+    @converter = LogStash::Util::Charset.new(@charset)
+    @converter.logger = @logger
+  end
+  public
+  def decode(data)
+    @buffer.extract(data).each do |line|
+      yield LogStash::Event.new("message" => @converter.convert(line))
+    end
+  end # def decode
+  public
+  def flush(&block)
+    remainder = @buffer.flush
+    if !remainder.empty?
+      block.call(LogStash::Event.new({"message" => remainder}))
+    end
+  end
+  public
+  def encode(data)
+    if data.is_a? LogStash::Event and @format
+      @on_event.call(data.sprintf(@format) + "\n")
+    else
+      @on_event.call(data.to_s + "\n")
+    end
+  end # def encode
+end # class LogStash::Codecs::Plain

data/lib/logstash/codecs/msgpack.rb ADDED

@@ -0,0 +1,43 @@
+# encoding: utf-8
+require "logstash/codecs/base"
+class LogStash::Codecs::Msgpack < LogStash::Codecs::Base
+  config_name "msgpack"
+  milestone 1
+  config :format, :validate => :string, :default => nil
+  public
+  def register
+    require "msgpack"
+  end
+  public
+  def decode(data)
+    begin
+      # Msgpack does not care about UTF-8
+      event = LogStash::Event.new(MessagePack.unpack(data))
+      event["@timestamp"] = Time.at(event["@timestamp"]).utc if event["@timestamp"].is_a? Float
+      event["tags"] ||= []
+      if @format
+        event["message"] ||= event.sprintf(@format)
+      end
+    rescue => e
+      # Treat as plain text and try to do the best we can with it?
+      @logger.warn("Trouble parsing msgpack input, falling back to plain text",
+                   :input => data, :exception => e)
+      event["message"] = data
+      event["tags"] ||= []
+      event["tags"] << "_msgpackparsefailure"
+    end
+    yield event
+  end # def decode
+  public
+  def encode(event)
+    event["@timestamp"] = event["@timestamp"].to_f
+    @on_event.call event.to_hash.to_msgpack
+  end # def encode
+end # class LogStash::Codecs::Msgpack

data/lib/logstash/codecs/multiline.rb ADDED

@@ -0,0 +1,189 @@
+# encoding: utf-8
+require "logstash/codecs/base"
+# The multiline codec is for taking line-oriented text and merging them into a
+# single event.
+#
+# The original goal of this codec was to allow joining of multi-line messages
+# from files into a single event. For example - joining java exception and
+# stacktrace messages into a single event.
+#
+# The config looks like this:
+#
+#     input {
+#       stdin {
+#         codec => multiline {
+#           pattern => "pattern, a regexp"
+#           negate => true or false
+#           what => "previous" or "next"
+#         }
+#       }
+#     }
+#
+# The 'pattern' should match what you believe to be an indicator that the field
+# is part of a multi-line event.
+#
+# The 'what' must be "previous" or "next" and indicates the relation
+# to the multi-line event.
+#
+# The 'negate' can be "true" or "false" (defaults false). If true, a
+# message not matching the pattern will constitute a match of the multiline
+# filter and the what will be applied. (vice-versa is also true)
+#
+# For example, java stack traces are multiline and usually have the message
+# starting at the far-left, then each subsequent line indented. Do this:
+#
+#     input {
+#       stdin {
+#         codec => multiline {
+#           pattern => "^\s"
+#           what => "previous"
+#         }
+#       }
+#     }
+#
+# This says that any line starting with whitespace belongs to the previous line.
+#
+# Another example is to merge lines not starting with a date up to the previous
+# line..
+#
+#     input {
+#       file {
+#         path => "/var/log/someapp.log"
+#         codec => multiline {
+#           # Grok pattern names are valid! :)
+#           pattern => "^%{TIMESTAMP_ISO8601} "
+#           negate => true
+#           what => previous
+#         }
+#       }
+#     }
+#
+# This is the base class for logstash codecs.
+class LogStash::Codecs::Multiline < LogStash::Codecs::Base
+  config_name "multiline"
+  milestone 3
+  # The regular expression to match
+  config :pattern, :validate => :string, :required => true
+  # If the pattern matched, does event belong to the next or previous event?
+  config :what, :validate => ["previous", "next"], :required => true
+  # Negate the regexp pattern ('if not matched')
+  config :negate, :validate => :boolean, :default => false
+  # logstash ships by default with a bunch of patterns, so you don't
+  # necessarily need to define this yourself unless you are adding additional
+  # patterns.
+  #
+  # Pattern files are plain text with format:
+  #
+  #     NAME PATTERN
+  #
+  # For example:
+  #
+  #     NUMBER \d+
+  config :patterns_dir, :validate => :array, :default => []
+  # The character encoding used in this input. Examples include "UTF-8"
+  # and "cp1252"
+  #
+  # This setting is useful if your log files are in Latin-1 (aka cp1252)
+  # or in another character set other than UTF-8.
+  #
+  # This only affects "plain" format logs since json is UTF-8 already.
+  config :charset, :validate => ::Encoding.name_list, :default => "UTF-8"
+  # Tag multiline events with a given tag. This tag will only be added
+  # to events that actually have multiple lines in them.
+  config :multiline_tag, :validate => :string, :default => "multiline"
+  public
+  def register
+    require "grok-pure" # rubygem 'jls-grok'
+    # Detect if we are running from a jarfile, pick the right path.
+    patterns_path = []
+    if __FILE__ =~ /file:\/.*\.jar!.*/
+      patterns_path += ["#{File.dirname(__FILE__)}/../../patterns/*"]
+    else
+      patterns_path += ["#{File.dirname(__FILE__)}/../../../patterns/*"]
+    end
+    @grok = Grok.new
+    @patterns_dir = patterns_path.to_a + @patterns_dir
+    @patterns_dir.each do |path|
+      # Can't read relative paths from jars, try to normalize away '../'
+      while path =~ /file:\/.*\.jar!.*\/\.\.\//
+        # replace /foo/bar/../baz => /foo/baz
+        path = path.gsub(/[^\/]+\/\.\.\//, "")
+      end
+      if File.directory?(path)
+        path = File.join(path, "*")
+      end
+      Dir.glob(path).each do |file|
+        @logger.info("Grok loading patterns from file", :path => file)
+        @grok.add_patterns_from_file(file)
+      end
+    end
+    @grok.compile(@pattern)
+    @logger.debug("Registered multiline plugin", :type => @type, :config => @config)
+    @buffer = []
+    @handler = method("do_#{@what}".to_sym)
+  end # def register
+  public
+  def decode(text, &block)
+    text.force_encoding(@charset)
+    if @charset != "UTF-8"
+      # Convert to UTF-8 if not in that character set.
+      text = text.encode("UTF-8", :invalid => :replace, :undef => :replace)
+    end
+    match = @grok.match(text)
+    @logger.debug("Multiline", :pattern => @pattern, :text => text,
+                  :match => !match.nil?, :negate => @negate)
+    # Add negate option
+    match = (match and !@negate) || (!match and @negate)
+    @handler.call(text, match, &block)
+  end # def decode
+  def buffer(text)
+    @time = Time.now.utc if @buffer.empty?
+    @buffer << text
+  end
+  def flush(&block)
+    if @buffer.any?
+      event = LogStash::Event.new("@timestamp" => @time, "message" => @buffer.join("\n"))
+      # Tag multiline events
+      event.tag @multiline_tag if @multiline_tag && @buffer.size > 1
+      yield event
+      @buffer = []
+    end
+  end
+  def do_next(text, matched, &block)
+    buffer(text)
+    flush(&block) if !matched
+  end
+  def do_previous(text, matched, &block)
+    flush(&block) if !matched
+    buffer(text)
+  end
+  public
+  def encode(data)
+    # Nothing to do.
+    @on_event.call(data)
+  end # def encode
+end # class LogStash::Codecs::Plain

data/lib/logstash/codecs/netflow.rb ADDED

@@ -0,0 +1,342 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+# The "netflow" codec is for decoding Netflow v5/v9 flows.
+class LogStash::Codecs::Netflow < LogStash::Codecs::Base
+  config_name "netflow"
+  milestone 1
+  # Netflow v9 template cache TTL (minutes)
+  config :cache_ttl, :validate => :number, :default => 4000
+  # Specify into what field you want the Netflow data.
+  config :target, :validate => :string, :default => "netflow"
+  # Specify which Netflow versions you will accept.
+  config :versions, :validate => :array, :default => [5, 9]
+  public
+  def initialize(params={})
+    super(params)
+    @threadsafe = false
+  end
+  public
+  def register
+    require "logstash/codecs/netflow/util"
+    @templates = Vash.new()
+  end # def register
+  public
+  def decode(payload, &block)
+    header = Header.read(payload)
+    unless @versions.include?(header.version)
+      @logger.warn("Ignoring Netflow version v#{header.version}")
+      return
+    end
+    if header.version == 5
+      flowset = Netflow5PDU.read(payload)
+    elsif header.version == 9
+      flowset = Netflow9PDU.read(payload)
+    else
+      @logger.warn("Unsupported Netflow version v#{header.version}")
+      return
+    end
+    flowset.records.each do |record|
+      if flowset.version == 5
+        event = LogStash::Event.new
+        # FIXME Probably not doing this right WRT JRuby?
+        #
+        # The flowset header gives us the UTC epoch seconds along with
+        # residual nanoseconds so we can set @timestamp to that easily
+        event["@timestamp"] = Time.at(flowset.unix_sec, flowset.unix_nsec / 1000).utc
+        event[@target] = {}
+        # Copy some of the pertinent fields in the header to the event
+        ['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records'].each do |f|
+          event[@target][f] = flowset[f]
+        end
+        # Create fields in the event from each field in the flow record
+        record.each_pair do |k,v|
+          case k.to_s
+          when /_switched$/
+            # The flow record sets the first and last times to the device
+            # uptime in milliseconds. Given the actual uptime is provided
+            # in the flowset header along with the epoch seconds we can
+            # convert these into absolute times
+            millis = flowset.uptime - v
+            seconds = flowset.unix_sec - (millis / 1000)
+            micros = (flowset.unix_nsec / 1000) - (millis % 1000)
+            if micros < 0
+              seconds--
+              micros += 1000000
+            end
+            # FIXME Again, probably doing this wrong WRT JRuby?
+            event[@target][k.to_s] = Time.at(seconds, micros).utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
+          else
+            event[@target][k.to_s] = v
+          end
+        end
+        yield event
+      elsif flowset.version == 9
+        case record.flowset_id
+        when 0
+          # Template flowset
+          record.flowset_data.templates.each do |template|
+            catch (:field) do
+              fields = []
+              template.fields.each do |field|
+                entry = netflow_field_for(field.field_type, field.field_length)
+                if ! entry
+                  throw :field
+                end
+                fields += entry
+              end
+              # We get this far, we have a list of fields
+              #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
+              key = "#{flowset.source_id}|#{template.template_id}"
+              @templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+              # Purge any expired templates
+              @templates.cleanup!
+            end
+          end
+        when 1
+          # Options template flowset
+          record.flowset_data.templates.each do |template|
+            catch (:field) do
+              fields = []
+              template.option_fields.each do |field|
+                entry = netflow_field_for(field.field_type, field.field_length)
+                if ! entry
+                  throw :field
+                end
+                fields += entry
+              end
+              # We get this far, we have a list of fields
+              #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
+              key = "#{flowset.source_id}|#{template.template_id}"
+              @templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+              # Purge any expired templates
+              @templates.cleanup!
+            end
+          end
+        when 256..65535
+          # Data flowset
+          #key = "#{flowset.source_id}|#{event["source"]}|#{record.flowset_id}"
+          key = "#{flowset.source_id}|#{record.flowset_id}"
+          template = @templates[key]
+          if ! template
+            #@logger.warn("No matching template for flow id #{record.flowset_id} from #{event["source"]}")
+            @logger.warn("No matching template for flow id #{record.flowset_id}")
+            next
+          end
+          length = record.flowset_length - 4
+          # Template shouldn't be longer than the record and there should
+          # be at most 3 padding bytes
+          if template.num_bytes > length or ! (length % template.num_bytes).between?(0, 3)
+            @logger.warn("Template length doesn't fit cleanly into flowset", :template_id => record.flowset_id, :template_length => template.num_bytes, :record_length => length)
+            next
+          end
+          array = BinData::Array.new(:type => template, :initial_length => length / template.num_bytes)
+          records = array.read(record.flowset_data)
+          records.each do |r|
+            event = LogStash::Event.new(
+              "@timestamp" => Time.at(flowset.unix_sec).utc,
+              @target => {}
+            )
+            # Fewer fields in the v9 header
+            ['version', 'flow_seq_num'].each do |f|
+              event[@target][f] = flowset[f]
+            end
+            event[@target]['flowset_id'] = record.flowset_id
+            r.each_pair do |k,v|
+              case k.to_s
+              when /_switched$/
+                millis = flowset.uptime - v
+                seconds = flowset.unix_sec - (millis / 1000)
+                # v9 did away with the nanosecs field
+                micros = 1000000 - (millis % 1000)
+                event[@target][k.to_s] = Time.at(seconds, micros).utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
+              else
+                event[@target][k.to_s] = v
+              end
+            end
+            yield event
+          end
+        else
+          @logger.warn("Unsupported flowset id #{record.flowset_id}")
+        end
+      end
+    end
+  end # def filter
+  private
+  def uint_field(length, default)
+    # If length is 4, return :uint32, etc. and use default if length is 0
+    ("uint" + (((length > 0) ? length : default) * 8).to_s).to_sym
+  end # def uint_field
+  private
+  def netflow_field_for(type, length)
+    case type
+    when 1
+      [[uint_field(length, 4), :in_bytes]]
+    when 2
+      [[uint_field(length, 4), :in_pkts]]
+    when 3
+      [[uint_field(length, 4), :flows]]
+    when 4
+      [[:uint8, :protocol]]
+    when 5
+      [[:uint8, :src_tos]]
+    when 6
+      [[:uint8, :tcp_flags]]
+    when 7
+      [[:uint16, :l4_src_port]]
+    when 8
+      [[:ip4_addr, :ipv4_src_addr]]
+    when 9
+      [[:uint8, :src_mask]]
+    when 10
+      [[uint_field(length, 2), :input_snmp]]
+    when 11
+      [[:uint16, :l4_dst_port]]
+    when 12
+      [[:ip4_addr, :ipv4_dst_addr]]
+    when 13
+      [[:uint8, :dst_mask]]
+    when 14
+      [[uint_field(length, 2), :output_snmp]]
+    when 15
+      [[:ip4_addr, :ipv4_next_hop]]
+    when 16
+      [[uint_field(length, 2), :src_as]]
+    when 17
+      [[uint_field(length, 2), :dst_as]]
+    when 18
+      [[:ip4_addr, :bgp_ipv4_next_hop]]
+    when 19
+      [[uint_field(length, 4), :mul_dst_pkts]]
+    when 20
+      [[uint_field(length, 4), :mul_dst_bytes]]
+    when 21
+      [[:uint32, :last_switched]]
+    when 22
+      [[:uint32, :first_switched]]
+    when 23
+      [[uint_field(length, 4), :out_bytes]]
+    when 24
+      [[uint_field(length, 4), :out_pkts]]
+    when 25
+      [[:uint16, :min_pkt_length]]
+    when 26
+      [[:uint16, :max_pkg_length]]
+    when 27
+      [[:ip6_addr, :ipv6_src_addr]]
+    when 28
+      [[:ip6_addr, :ipv6_dst_addr]]
+    when 29
+      [[:uint8, :ipv6_src_mask]]
+    when 30
+      [[:uint8, :ipv6_dst_mask]]
+    when 31
+      [[:uint24, :ipv6_flow_label]]
+    when 32
+      [[:uint16, :icmp_type]]
+    when 33
+      [[:uint8, :mul_igmp_type]]
+    when 34
+      [[:uint32, :sampling_interval]]
+    when 35
+      [[:uint8, :sampling_algorithm]]
+    when 36
+      [[:uint16, :flow_active_timeout]]
+    when 37
+      [[:uint16, :flow_inactive_timeout]]
+    when 38
+      [[:uint8, :engine_type]]
+    when 39
+      [[:uint8, :engine_id]]
+    when 40
+      [[uint_field(length, 4), :total_bytes_exp]]
+    when 41
+      [[uint_field(length, 4), :total_pkts_exp]]
+    when 42
+      [[uint_field(length, 4), :total_flows_exp]]
+    when 43 # Vendor specific field
+      [[:skip, nil, {:length => length}]]
+    when 44
+      [[:ip4_addr, :ipv4_src_prefix]]
+    when 45
+      [[:ip4_addr, :ipv4_dst_prefix]]
+    when 46
+      [[:uint8, :mpls_top_label_type]]
+    when 47
+      [[:uint32, :mpls_top_label_ip_addr]]
+    when 48
+      [[uint_field(length, 4), :flow_sampler_id]]
+    when 49
+      [[:uint8, :flow_sampler_mode]]
+    when 50
+      [[:uint32, :flow_sampler_random_interval]]
+    when 51 # Vendor specific field
+      [[:skip, nil, {:length => length}]]
+    when 52
+      [[:uint8, :min_ttl]]
+    when 53
+      [[:uint8, :max_ttl]]
+    when 54
+      [[:uint16, :ipv4_ident]]
+    when 55
+      [[:uint8, :dst_tos]]
+    when 56
+      [[:mac_addr, :in_src_mac]]
+    when 57
+      [[:mac_addr, :out_dst_mac]]
+    when 58
+      [[:uint16, :src_vlan]]
+    when 59
+      [[:uint16, :dst_vlan]]
+    when 60
+      [[:uint8, :ip_protocol_version]]
+    when 61
+      [[:uint8, :direction]]
+    when 62
+      [[:ip6_addr, :ipv6_next_hop]]
+    when 63
+      [[:ip6_addr, :bgp_ipv6_next_hop]]
+    when 64
+      [[:uint32, :ipv6_option_headers]]
+    when 65..69 # Vendor specific fields
+      [[:skip, nil, {:length => length}]]
+    when 80
+      [[:mac_addr, :in_dst_mac]]
+    when 81
+      [[:mac_addr, :out_src_mac]]
+    when 82
+      [[:string, :if_name, {:length => length, :trim_padding => true}]]
+    when 83
+      [[:string, :if_desc, {:length => length, :trim_padding => true}]]
+    else
+      @logger.warn("Unsupported field", :type => type, :length => length)
+      nil
+    end
+  end # def netflow_field_for
+end # class LogStash::Filters::Netflow