logstash-patterns-core 4.0.1 → 4.2.0

data/patterns/haproxy

@@ -31,7 +31,7 @@ HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:captured_response_headers}
 # HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:response_header_content_type}\|%{DATA:response_header_content_encoding}\|%{DATA:response_header_cache_control}\|%{DATA:response_header_last_modified}
 
 # parse a haproxy 'httplog' line
-HAPROXYHTTPBASE %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"
+HAPROXYHTTPBASE %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"?
 
 HAPROXYHTTP (?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}
 

data/patterns/httpd

@@ -0,0 +1,15 @@
+HTTPDUSER %{EMAILADDRESS}|%{USER}
+HTTPDERROR_DATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
+
+# Log formats
+HTTPD_COMMONLOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" (?:-|%{NUMBER:response}) (?:-|%{NUMBER:bytes})
+HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}
+
+# Error logs
+HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:message}
+HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])?( %{DATA:errorcode}:)? %{GREEDYDATA:message}
+HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}
+
+# Deprecated
+COMMONAPACHELOG %{HTTPD_COMMONLOG}
+COMBINEDAPACHELOG %{HTTPD_COMBINEDLOG}

data/patterns/java

@@ -1,15 +1,12 @@
 JAVACLASS (?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*
 #Space is an allowed character to match special cases like 'Native Method' or 'Unknown Source'
-JAVAFILE (?:[A-Za-z0-9_. -]+)
-#Allow special <init> method
-JAVAMETHOD (?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
+JAVAFILE (?:[a-zA-Z$_0-9. -]+)
+#Allow special <init>, <clinit> methods
+JAVAMETHOD (?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
 #Line number is optional in special cases 'Native method' or 'Unknown source'
 JAVASTACKTRACEPART %{SPACE}at %{JAVACLASS:class}\.%{JAVAMETHOD:method}\(%{JAVAFILE:file}(?::%{NUMBER:line})?\)
 # Java Logs
 JAVATHREAD (?:[A-Z]{2}-Processor[\d]+)
-JAVACLASS (?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+
-JAVAFILE (?:[A-Za-z0-9_.-]+)
-JAVASTACKTRACEPART at %{JAVACLASS:class}\.%{WORD:method}\(%{JAVAFILE:file}:%{NUMBER:line}\)
 JAVALOGMESSAGE (.*)
 # MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM
 CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)

data/patterns/linux-syslog

@@ -11,6 +11,6 @@ SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}
 # IETF 5424 syslog(8) format (see http://www.rfc-editor.org/info/rfc5424)
 SYSLOG5424PRI <%{NONNEGINT:syslog5424_pri}>
 SYSLOG5424SD \[%{DATA}\]+
-SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)
+SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)
 
 SYSLOG5424LINE %{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}

data/patterns/maven

@@ -0,0 +1 @@
+MAVEN_VERSION (?:(\d+)\.)?(?:(\d+)\.)?(\*|\d+)(?:[.-](RELEASE|SNAPSHOT))?

data/patterns/nagios

@@ -89,7 +89,7 @@ NAGIOS_PASSIVE_HOST_CHECK %{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:
 NAGIOS_SERVICE_EVENT_HANDLER %{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}
 NAGIOS_HOST_EVENT_HANDLER %{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}
 
-NAGIOS_TIMEPERIOD_TRANSITION %{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}
+NAGIOS_TIMEPERIOD_TRANSITION %{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{NUMBER:nagios_unknown1};%{NUMBER:nagios_unknown2}
 
 ####################
 #### External checks

data/patterns/redis

@@ -1,3 +1,3 @@
 REDISTIMESTAMP %{MONTHDAY} %{MONTH} %{TIME}
 REDISLOG \[%{POSINT:pid}\] %{REDISTIMESTAMP:timestamp} \* 
-
+REDISMONLOG %{NUMBER:timestamp} \[%{INT:database} %{IP:client}:%{NUMBER:port}\] "%{WORD:command}"\s?%{GREEDYDATA:params}

data/patterns/squid

@@ -0,0 +1,4 @@
+# Pattern squid3
+# Documentation of squid3 logs formats can be found at the following link:
+# http://wiki.squid-cache.org/Features/LogFormat
+SQUID3 %{NUMBER:timestamp}\s+%{NUMBER:duration}\s%{IP:client_address}\s%{WORD:cache_result}/%{POSINT:status_code}\s%{NUMBER:bytes}\s%{WORD:request_method}\s%{NOTSPACE:url}\s(%{NOTSPACE:user}|-)\s%{WORD:hierarchy_code}/%{IPORHOST:server}\s%{NOTSPACE:content_type}

data/spec/patterns/core_spec.rb

@@ -20,16 +20,6 @@ describe "SYSLOGLINE" do
 
 end
 
-describe "COMMONAPACHELOG" do
-
-  let(:value) { '83.149.9.216 - - [24/Feb/2015:23:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36'}
-
-  it "generates the clientip field" do
-    expect(grok_match(subject, value)).to include("clientip" => "83.149.9.216")
-  end
-
-end
-
 describe "HTTP DATE parsing" do
 
   context "HTTPDATE", "when having a German month" do
@@ -73,6 +63,19 @@ describe "TOMCATLOG" do
   end
 end
 
+describe 'LOGLEVEL' do
+  it 'matches info label' do
+    expect(grok_match(subject, 'INFO')).to pass
+    expect(grok_match(subject, 'info')).to pass
+  end
+
+  it 'matches information label' do
+    expect(grok_match(subject, 'information')).to pass
+    expect(grok_match(subject, 'Information')).to pass
+    expect(grok_match(subject, 'INFORMATION')).to pass
+  end
+end
+
 describe "IPORHOST" do
 
   let(:pattern)    { "IPORHOST" }
@@ -100,14 +103,224 @@ describe "UNIXPATH" do
   let(:value)   { '/foo/bar' }
 
   it "should match the path" do
-    expect(grok_match(pattern,value)).to pass
+    expect(grok_match(pattern, value, true)).to pass
   end
 
   context "when using comma separators and other regexp" do
 
+    let(:pattern) { '((a=(?<a>%{UNIXPATH})?|b=(?<b>%{UNIXPATH})?)(,\s)?)+' }
+
+    let(:grok) do
+      grok = LogStash::Filters::Grok.new("match" => ["message", pattern])
+      grok.register
+      grok
+    end
+
     let(:value) { 'a=/some/path, b=/some/other/path' }
 
+    it "was expected to extract both but never really did" do # or maybe on JRuby 1.7
+      event = build_event(value)
+      grok.filter(event)
+      expect( event.to_hash['a'] ).to eql '/some/path,'
+      expect( event.to_hash['b'] ).to be nil
+    end
+
+  end
+
+  context 'relative path' do
+
+    let(:path_matcher) do # non-exact matcher
+      grok = LogStash::Filters::Grok.new("match" => ["message", '%{UNIXPATH:path}'])
+      grok.register
+      lambda { |msg| event = build_event(msg); grok.filter(event); event }
+    end
+
+    it "should not match (only partially)" do
+      expect(grok_match(pattern, 'a/./b/c', true)).to_not pass
+      event = path_matcher.('a/./b/c')
+      expect( event.to_hash['path'] ).to eql '/./b/c'
+
+      expect(grok_match(pattern, ',/.', true)).to_not pass
+      event = path_matcher.(',/.')
+      expect( event.to_hash['path'] ).to eql '/.'
+
+      expect(grok_match(pattern, '+/.../', true)).to_not pass
+      event = path_matcher.('+/.../')
+      expect( event.to_hash['path'] ).to eql '/.../'
+
+      expect(grok_match(pattern, '~/b/', true)).to_not pass
+      event = path_matcher.('~/b/')
+      expect( event.to_hash['path'] ).to eql '/b/'
+
+      expect(grok_match(pattern, './b//', true)).to_not pass
+      expect(grok_match(pattern, 'a//b', true)).to_not pass
+    end
+
+    it "should not match paths starting with ." do
+      expect(grok_match(pattern, '../0', true)).to_not pass
+      expect(grok_match(pattern, './~', true)).to_not pass
+      expect(grok_match(pattern, '.../-', true)).to_not pass
+      expect(grok_match(pattern, './', true)).to_not pass
+      expect(grok_match(pattern, './,', true)).to_not pass
+      expect(grok_match(pattern, '../', true)).to_not pass
+      expect(grok_match(pattern, '.a/', true)).to_not pass
+      expect(grok_match(pattern, '.~/', true)).to_not pass
+    end
+
+    it "should not match expression wout separator" do
+      expect(grok_match(pattern, '.')).to_not pass
+      expect(grok_match(pattern, '..')).to_not pass
+      expect(grok_match(pattern, '...')).to_not pass
+      expect(grok_match(pattern, '.,')).to_not pass
+      expect(grok_match(pattern, '.-')).to_not pass
+    end
+
+  end
+
+  context "dotted path" do
+
+    it "should match path containing ." do
+      expect(grok_match(pattern, '/some/./path/', true)).to pass
+      expect(grok_match(pattern, '/some/../path', true)).to pass
+      expect(grok_match(pattern, '/../.', true)).to pass
+      expect(grok_match(pattern, '/.', true)).to pass
+      expect(grok_match(pattern, '/..', true)).to pass
+      expect(grok_match(pattern, '/...', true)).to pass
+    end
+
+  end
+
+  context "separators" do
+
+    it "should match root" do
+      expect(grok_match(pattern, '/', true)).to pass
+    end
+
+    it "should match" do
+      expect(grok_match(pattern, '//', true)).to pass
+      expect(grok_match(pattern, '//00', true)).to pass
+      expect(grok_match(pattern, '///a', true)).to pass
+      expect(grok_match(pattern, '/a//', true)).to pass
+      expect(grok_match(pattern, '///a//b/c///', true)).to pass
+    end
+
+    it "should not match windows separator" do
+      expect(grok_match(pattern, "\\a", true)).to_not pass
+      expect(grok_match(pattern, '/0\\', true)).to_not pass
+      expect(grok_match(pattern, "/a\\b", true)).to_not pass
+    end
+
+  end
+
+  context "long path" do
+
+    let(:grok) do
+      grok = LogStash::Filters::Grok.new("match" => ["message", '%{UNIXPATH:path} '], 'timeout_millis' => 1500)
+      grok.register
+      grok
+    end
+
+    let(:value) { '/opt/abcdef/1/.22/3:3+3/foo@BAR/X-Y+Z/~Sample_l_SUBc b' }
+
     it "should match the path" do
+      event = build_event(value)
+      grok.filter(event)
+      expect( event.to_hash['path'] ).to eql '/opt/abcdef/1/.22/3:3+3/foo@BAR/X-Y+Z/~Sample_l_SUBc'
+    end
+
+    it "should not match with invalid chars (or cause DoS)" do
+      event = build_event(value.sub('SUB', '&^_'))
+      grok.filter(event) # used to call a looong looop (DoS) despite the timeout guard
+      expect( event.to_hash['tags'] ).to include '_grokparsefailure'
+    end
+  end
+
+  it "matches paths with non-ascii characters" do
+    event = build_event path = '/opt/Čierný_Peter/.中'
+    build_grok('UNIXPATH:path').filter event
+    expect( event.get('path') ).to eql path
+  end
+
+end
+
+describe "WINPATH" do
+
+  let(:pattern) { 'WINPATH' }
+  let(:value)   { 'C:\\foo\\bar' }
+
+  it "should match the path" do
+    expect(grok_match(pattern, value, true)).to pass
+  end
+
+  it "should match root path" do
+    expect(grok_match(pattern, 'C:\\', true)).to pass
+    expect(grok_match(pattern, 'C:\\\\', true)).to pass
+    expect(grok_match(pattern, 'a:\\', true)).to pass
+    expect(grok_match(pattern, 'x:\\\\', true)).to pass
+  end
+
+  it "should match paths with spaces" do
+    expect(grok_match(pattern, 'C:\\Documents and Settings\\Public', true)).to pass
+    expect(grok_match(pattern, 'C:\\\\Users\\\\Public\\\\.Mozilla Firefox', true)).to pass
+  end
+
+  it "should not match unix-style paths" do
+    expect(grok_match(pattern, '/foo', true)).to_not pass
+    expect(grok_match(pattern, '//C/path', true)).to_not pass
+    expect(grok_match(pattern, '/', true)).to_not pass
+    expect(grok_match(pattern, '/foo/bar', true)).to_not pass
+    expect(grok_match(pattern, '/..', true)).to_not pass
+    expect(grok_match(pattern, 'C://', true)).to_not pass
+  end
+
+  it "matches paths with non-ascii characters" do
+    expect(grok_match(pattern, 'C:\\Čierný Peter\\.中.exe', true)).to pass
+  end
+
+  context 'relative paths' do
+
+    it "should not match" do
+      expect(grok_match(pattern, 'a\\bar', true)).to_not pass
+      expect(grok_match(pattern, 'foo\\bar', true)).to_not pass
+      expect(grok_match(pattern, 'C\\A\\B', true)).to_not pass
+      expect(grok_match(pattern, 'C\\\\0', true)).to_not pass
+      expect(grok_match(pattern, '.\\0', true)).to_not pass
+      expect(grok_match(pattern, '..\\', true)).to_not pass
+      expect(grok_match(pattern, '...\\-', true)).to_not pass
+      expect(grok_match(pattern, '.\\', true)).to_not pass
+      expect(grok_match(pattern, '.\\,', true)).to_not pass
+      expect(grok_match(pattern, '..\\', true)).to_not pass
+      expect(grok_match(pattern, '.a\\', true)).to_not pass
+    end
+
+    it "should not match expression wout separator" do
+      expect(grok_match(pattern, '.')).to_not pass
+      expect(grok_match(pattern, '..')).to_not pass
+      expect(grok_match(pattern, '...')).to_not pass
+      expect(grok_match(pattern, 'C:')).to_not pass
+      expect(grok_match(pattern, 'C')).to_not pass
+    end
+
+  end
+
+end
+
+
+describe "URIPROTO" do
+  let(:pattern) { 'URIPROTO' }
+
+  context "http is a valid URIPROTO" do
+    let(:value) { 'http' }
+
+    it "should match" do
+      expect(grok_match(pattern,value)).to pass
+    end
+  end
+
+  context "android-app is a valid URIPROTO" do
+    let(:value) { 'android-app' }
+
+    it "should match" do
       expect(grok_match(pattern,value)).to pass
     end
   end
@@ -193,5 +406,92 @@ describe "IPV4" do
       expect(grok_match(pattern,value)).not_to pass
     end
   end
+end
+
+describe "URN" do
+
+  let(:pattern)       { "URN" }
+
+  # Valid URNs
+  # http://tools.ietf.org/html/rfc2141#section-2
+  let(:simple)        { "urn:example:foo" }
+  let(:unreserved)    { "urn:example:" +
+    [*'A'..'Z', *'a'..'z', *'0'..'9', "()+,-.::=@;$_!*'"].join() }
+  let(:reserved)      { "urn:example:/#?" }
+  let(:escaped_upper) { "urn:example:%25foo%2Fbar%3F%23" }
+  let(:escaped_lower) { "urn:example:%25foo%2fbar%3f%23" }
+  let(:only_escaped)  { "urn:example:%00" }
+  let(:long_nid)      { "urn:example-example-example-example-:foo" }
+
+  # Invalid URNs
+  let(:bad_prefix)     { "URN:example:foo" }
+  let(:empty_nid)      { "urn::foo" }
+  let(:leading_hyphen) { "urn:-example:foo" }
+  let(:bad_nid)        { "urn:example.com:foo" }
+  let(:percent_nid)    { "urn:example%41com:foo" }
+  let(:too_long_nid)   { "urn:example-example-example-example-x:foo" }
+  let(:empty_nss)      { "urn:example:" }
+  let(:naked_percent)  { "urn:example:%" }
+  let(:short_percent)  { "urn:example:%a" }
+  let(:nonhex_percent) { "urn:example:%ax" }
+
+  context "when testing a valid URN" do
+    it "should match a simple URN" do
+      expect(grok_match(pattern, simple)).to pass
+    end
+
+    it "should match a complex URN" do
+      expect(grok_match(pattern, unreserved)).to pass
+    end
+
+    it "should allow reserved characters" do
+      expect(grok_match(pattern, reserved)).to pass
+    end
+
+    it "should allow percent-escapes" do
+      expect(grok_match(pattern, escaped_upper)).to pass
+      expect(grok_match(pattern, escaped_lower)).to pass
+      expect(grok_match(pattern, only_escaped)).to pass
+    end
+
+    it "should match a URN with a 32-character NID" do
+      expect(grok_match(pattern, long_nid)).to pass
+    end
+  end
+
+  context "when testing an invalid URN" do
+    it "should reject capitalized 'URN'" do
+      expect(grok_match(pattern, bad_prefix)).not_to pass
+    end
 
+    it "should reject an empty NID" do
+      expect(grok_match(pattern, empty_nid)).not_to pass
+    end
+
+    it "should reject an NID with a leading hyphen" do
+      expect(grok_match(pattern, leading_hyphen)).not_to pass
+    end
+
+    it "should reject an NID with a special character" do
+      expect(grok_match(pattern, bad_nid)).not_to pass
+    end
+
+    it "should reject an NID with a percent sign" do
+      expect(grok_match(pattern, percent_nid)).not_to pass
+    end
+
+    it "should reject an NID longer than 32 characters" do
+      expect(grok_match(pattern, too_long_nid)).not_to pass
+    end
+
+    it "should reject a URN with an empty NSS" do
+      expect(grok_match(pattern, empty_nss)).not_to pass
+    end
+
+    it "should reject non-escape percent signs" do
+      expect(grok_match(pattern, naked_percent)).not_to pass
+      expect(grok_match(pattern, short_percent)).not_to pass
+      expect(grok_match(pattern, nonhex_percent)).not_to pass
+    end
+  end
 end

data/spec/patterns/firewalls_spec.rb

@@ -19,6 +19,21 @@ describe "FIREWALLS" do
       expect(subject["message"]).to include("(Secondary) Switching to ACTIVE - Service card in other unit has failed")
     end
   end
+  
+  let(:pattern106015) { "CISCOFW106015" }
+
+  context "parsing a 106015 message" do
+
+    let(:value) { "Deny TCP (no connection) from 192.168.150.65/2278 to 64.101.128.83/80 flags RST on interface inside" }
+
+    subject     { grok_match(pattern106015, value) }
+
+    it { should include("interface" => "inside") }
+
+    it "generates a message field" do
+      expect(subject["message"]).to include("Deny TCP (no connection) from 192.168.150.65/2278 to 64.101.128.83/80 flags RST on interface inside")
+    end
+  end
 
   let(:pattern106100)    { "CISCOFW106100" }
 
@@ -50,6 +65,22 @@ describe "FIREWALLS" do
     end
   end
 
+  let(:pattern304001)    { "CISCOFW304001" }
+
+  context "parsing a 304001 message" do
+
+    let(:value) { "10.20.30.40(DOMAIN\\login) Accessed URL 10.11.12.13:http://example.org/" }
+
+    subject     { grok_match(pattern304001, value) }
+
+    it 'should break the message up into fields' do
+      expect(subject['src_ip']).to eq('10.20.30.40')
+      expect(subject['src_fwuser']).to eq('DOMAIN\\login')
+      expect(subject['dst_ip']).to eq('10.11.12.13')
+      expect(subject['dst_url']).to eq('http://example.org/')
+    end
+  end
+
   let(:pattern106023) { "CISCOFW106023" }
 
   context "parsing a 106023 message" do