logstash-patterns-core 4.0.1 → 4.2.0

@@ -130,3 +130,44 @@ describe "S3_ACCESS_LOG" do
130
130
 
131
131
  end
132
132
  end
133
+
134
+ describe "CLOUDFRONT_ACCESS_LOG" do
135
+
136
+ let(:pattern) { "CLOUDFRONT_ACCESS_LOG" }
137
+
138
+ context "parsing a cloudfront access log" do
139
+
140
+ let(:value) { "2016-06-10 18:41:39 IAD53 224281 192.168.1.1 GET d27enomp470abc.cloudfront.net /content/sample/thing.pdf 200 https://example.com/ Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36 - - Miss UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg== host.example.com https 883 0.036 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss" }
141
+
142
+ subject { grok_match(pattern, value) }
143
+
144
+ it { should include("timestamp" => "2016-06-10 18:41:39" ) }
145
+ it { should include("x_edge_location" => "IAD53" ) }
146
+ it { should include("sc_bytes" => 224281 ) }
147
+ it { should include("clientip" => "192.168.1.1" ) }
148
+ it { should include("cs_method" => "GET" ) }
149
+ it { should include("cs_host" => "d27enomp470abc.cloudfront.net" ) }
150
+ it { should include("cs_uri_stem" => "/content/sample/thing.pdf" ) }
151
+ it { should include("sc_status" => 200 ) }
152
+ it { should include("referrer" => "https://example.com/" ) }
153
+ it { should include("agent" => "Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36" ) }
154
+ it { should include("cs_uri_query" => "-" ) }
155
+ it { should include("cookies" => "-" ) }
156
+ it { should include("x_edge_result_type" => "Miss" ) }
157
+ it { should include("x_edge_request_id" => "UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg==" ) }
158
+ it { should include("x_host_header" => "host.example.com" ) }
159
+ it { should include("cs_protocol" => "https" ) }
160
+ it { should include("cs_bytes" => 883 ) }
161
+ it { should include("time_taken" => 0.036 ) }
162
+ it { should include("x_forwarded_for" => "-" ) }
163
+ it { should include("ssl_protocol" => "TLSv1.2" ) }
164
+ it { should include("ssl_cipher" => "ECDHE-RSA-AES128-GCM-SHA256" ) }
165
+ it { should include("x_edge_response_result_type" => "Miss" ) }
166
+
167
+ ["tags", "params"].each do |attribute|
168
+ it "have #{attribute} as nil" do
169
+ expect(subject[attribute]).to be_nil
170
+ end
171
+ end
172
+ end
173
+ end
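Review bot: The single sample in this context has `cs_uri_query`, `cookies` and `x_forwarded_for` all set to the `-` placeholder (the `let(:value)` line), so the spec never exercises the populated forms of the three fields most likely to break a grok pattern — a real query string, a cookie header, or a comma-separated X-Forwarded-For list — and a pattern that only matches the dash placeholders would still pass. A second `context` with those fields populated, asserting the same keys, would pin that; and because `grok_match` is called here in its default unanchored form, the examples also do not prove the whole line was consumed rather than a prefix of it. The spec pins `agent` in CloudFront's URL-encoded form (`%2520` for a space), which is correct for the raw log but worth a one-line comment so consumers know to urldecode before matching on it, e.g. `# CloudFront URL-encodes user-agent, query and cookie fields; the pattern keeps them encoded`. The CLOUDFRONT_ACCESS_LOG pattern definition itself is outside this hunk.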
@@ -4,6 +4,20 @@ require "logstash/patterns/core"
4
4
 
5
5
  describe "SYSLOGLINE" do
6
6
 
7
+ describe "SYSLOG5424BASE" do
8
+ it "matches host names in the syslog base pattern" do
9
+ expect(subject).to match("<174>1 2016-11-14T09:32:44+01:00 resolver.se named 6344 - - info: client 10.23.53.22#63252: query: googlehosted.l.googleusercontent.com IN A + (10.23.16.6)")
10
+ end
11
+
12
+ it "matches ipv4 in the syslog base pattern" do
13
+ expect(subject).to match("<174>1 2016-11-14T09:49:23+01:00 10.23.16.6 named 2255 - - info: client 10.23.56.93#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)")
14
+ end
15
+
16
+ it "matches ipv6 in the syslog base pattern" do
17
+ expect(subject).to match("<174>1 2016-11-14T09:49:23+01:00 2000:6a0:b:315:10:23:4:13 named 2255 - - info: client 10.23.56.9#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)")
18
+ end
19
+ end
20
+
7
21
  it "matches a simple message with pid" do
8
22
  expect(subject).to match("May 11 15:17:02 meow.soy.se CRON[10973]: pam_unix(cron:session): session opened for user root by (uid=0)")
9
23
  end
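Review bot: The three new examples only assert that the line matches (`expect(subject).to match(...)`), so they do not verify that the host token landed in the host field — a pattern that swallowed `2000:6a0:b:315:10:23:4:13` into the application-name or message capture would still pass, which is exactly the regression these tests exist to catch. Asserting the captured value, e.g. `expect(grok_match("SYSLOG5424BASE", line)).to include("syslog5424_host" => "2000:6a0:b:315:10:23:4:13")` (field name presumed from the pattern's usual capture name; confirm against patterns/linux-syslog), would pin it for the hostname, IPv4 and IPv6 cases alike. The new `describe "SYSLOG5424BASE"` is also nested inside `describe "SYSLOGLINE"`, so unless `subject` is derived from the innermost description these examples may be running against SYSLOGLINE rather than SYSLOG5424BASE; the `subject` definition is outside this hunk.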
@@ -24,15 +24,19 @@ end
24
24
  require "logstash/filters/grok"
25
25
 
26
26
  module GrokHelpers
27
- def grok_match(label, message)
28
- grok = build_grok(label)
27
+ def grok_match(label, message, exact_match = false)
28
+ grok = build_grok(label, exact_match)
29
29
  event = build_event(message)
30
30
  grok.filter(event)
31
31
  event.to_hash
32
32
  end
33
33
 
34
- def build_grok(label)
35
- grok = LogStash::Filters::Grok.new("match" => ["message", "%{#{label}}"])
34
+ def build_grok(label, exact_match = false)
35
+ if exact_match
36
+ grok = LogStash::Filters::Grok.new("match" => ["message", "^%{#{label}}$"])
37
+ else
38
+ grok = LogStash::Filters::Grok.new("match" => ["message", "%{#{label}}"])
39
+ end
36
40
  grok.register
37
41
  grok
38
42
  end
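Review bot: The exact-match branch in `build_grok` anchors with `^%{...}$`, but in the Oniguruma-style engine grok uses (Joni, Ruby syntax) `^` and `$` are line anchors, not string anchors, so a multi-line message still "exactly" matches when any one line matches the pattern; `\A` and `\z` anchor the whole string: `grok = LogStash::Filters::Grok.new("match" => ["message", "\\A%{#{label}}\\z"])`. A boolean positional (`exact_match = false`) also reads poorly at call sites (`grok_match(pattern, value, true)`); a keyword argument `exact_match: false` on both helpers would be clearer. A short comment on `build_grok` saying what exact matching guards against (a pattern silently matching only a substring of the message) would help future spec authors choose the right mode.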
metadata CHANGED
@@ -1,29 +1,35 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-patterns-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.0.1
4
+ version: 4.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-05-09 00:00:00.000000000 Z
11
+ date: 2021-01-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement
15
15
  requirements:
16
- - - "~>"
16
+ - - ">="
17
+ - !ruby/object:Gem::Version
18
+ version: '1.60'
19
+ - - "<="
17
20
  - !ruby/object:Gem::Version
18
- version: '2.0'
21
+ version: '2.99'
19
22
  name: logstash-core-plugin-api
20
23
  prerelease: false
21
24
  type: :runtime
22
25
  version_requirements: !ruby/object:Gem::Requirement
23
26
  requirements:
24
- - - "~>"
27
+ - - ">="
28
+ - !ruby/object:Gem::Version
29
+ version: '1.60'
30
+ - - "<="
25
31
  - !ruby/object:Gem::Version
26
- version: '2.0'
32
+ version: '2.99'
27
33
  - !ruby/object:Gem::Dependency
28
34
  requirement: !ruby/object:Gem::Requirement
29
35
  requirements:
@@ -52,7 +58,9 @@ dependencies:
52
58
  - - ">="
53
59
  - !ruby/object:Gem::Version
54
60
  version: '0'
55
- description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
61
+ description: This gem is a Logstash plugin required to be installed on top of the
62
+ Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
63
+ gem is not a stand-alone program
56
64
  email: info@elastic.co
57
65
  executables: []
58
66
  extensions: []
@@ -68,14 +76,17 @@ files:
68
76
  - logstash-patterns-core.gemspec
69
77
  - patterns/aws
70
78
  - patterns/bacula
79
+ - patterns/bind
71
80
  - patterns/bro
72
81
  - patterns/exim
73
82
  - patterns/firewalls
74
83
  - patterns/grok-patterns
75
84
  - patterns/haproxy
85
+ - patterns/httpd
76
86
  - patterns/java
77
87
  - patterns/junos
78
88
  - patterns/linux-syslog
89
+ - patterns/maven
79
90
  - patterns/mcollective
80
91
  - patterns/mcollective-patterns
81
92
  - patterns/mongodb
@@ -84,14 +95,18 @@ files:
84
95
  - patterns/rails
85
96
  - patterns/redis
86
97
  - patterns/ruby
98
+ - patterns/squid
87
99
  - spec/patterns/bro.rb
88
100
  - spec/patterns/core_spec.rb
89
101
  - spec/patterns/firewalls_spec.rb
90
102
  - spec/patterns/haproxy_spec.rb
91
103
  - spec/patterns/httpd_spec.rb
104
+ - spec/patterns/java_spec.rb
105
+ - spec/patterns/maven_spec.rb
92
106
  - spec/patterns/mongodb_spec.rb
93
107
  - spec/patterns/nagios_spec.rb
94
108
  - spec/patterns/rails3_spec.rb
109
+ - spec/patterns/redis_spec.rb
95
110
  - spec/patterns/s3_spec.rb
96
111
  - spec/patterns/shorewall_spec.rb
97
112
  - spec/patterns/syslog_spec.rb
@@ -117,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
117
132
  version: '0'
118
133
  requirements: []
119
134
  rubyforge_project:
120
- rubygems_version: 2.4.8
135
+ rubygems_version: 2.6.13
121
136
  signing_key:
122
137
  specification_version: 4
123
138
  summary: Patterns to be used in logstash
@@ -127,9 +142,12 @@ test_files:
127
142
  - spec/patterns/firewalls_spec.rb
128
143
  - spec/patterns/haproxy_spec.rb
129
144
  - spec/patterns/httpd_spec.rb
145
+ - spec/patterns/java_spec.rb
146
+ - spec/patterns/maven_spec.rb
130
147
  - spec/patterns/mongodb_spec.rb
131
148
  - spec/patterns/nagios_spec.rb
132
149
  - spec/patterns/rails3_spec.rb
150
+ - spec/patterns/redis_spec.rb
133
151
  - spec/patterns/s3_spec.rb
134
152
  - spec/patterns/shorewall_spec.rb
135
153
  - spec/patterns/syslog_spec.rb