logstash-patterns-core 4.0.1 → 4.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +54 -8
- data/CONTRIBUTORS +2 -0
- data/Gemfile +8 -1
- data/LICENSE +199 -10
- data/README.md +1 -1
- data/logstash-patterns-core.gemspec +2 -2
- data/patterns/aws +3 -0
- data/patterns/bind +3 -0
- data/patterns/firewalls +6 -1
- data/patterns/grok-patterns +8 -14
- data/patterns/haproxy +1 -1
- data/patterns/httpd +15 -0
- data/patterns/java +3 -6
- data/patterns/linux-syslog +1 -1
- data/patterns/maven +1 -0
- data/patterns/nagios +1 -1
- data/patterns/redis +1 -1
- data/patterns/squid +4 -0
- data/spec/patterns/core_spec.rb +311 -11
- data/spec/patterns/firewalls_spec.rb +31 -0
- data/spec/patterns/haproxy_spec.rb +17 -0
- data/spec/patterns/httpd_spec.rb +169 -9
- data/spec/patterns/java_spec.rb +45 -0
- data/spec/patterns/maven_spec.rb +61 -0
- data/spec/patterns/nagios_spec.rb +5 -1
- data/spec/patterns/redis_spec.rb +171 -0
- data/spec/patterns/s3_spec.rb +41 -0
- data/spec/patterns/syslog_spec.rb +14 -0
- data/spec/spec_helper.rb +8 -4
- metadata +26 -8
data/spec/patterns/s3_spec.rb
CHANGED
|
@@ -130,3 +130,44 @@ describe "S3_ACCESS_LOG" do
|
|
|
130
130
|
|
|
131
131
|
end
|
|
132
132
|
end
|
|
133
|
+
|
|
134
|
+
describe "CLOUDFRONT_ACCESS_LOG" do
|
|
135
|
+
|
|
136
|
+
let(:pattern) { "CLOUDFRONT_ACCESS_LOG" }
|
|
137
|
+
|
|
138
|
+
context "parsing a cloudfront access log" do
|
|
139
|
+
|
|
140
|
+
let(:value) { "2016-06-10 18:41:39 IAD53 224281 192.168.1.1 GET d27enomp470abc.cloudfront.net /content/sample/thing.pdf 200 https://example.com/ Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36 - - Miss UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg== host.example.com https 883 0.036 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss" }
|
|
141
|
+
|
|
142
|
+
subject { grok_match(pattern, value) }
|
|
143
|
+
|
|
144
|
+
it { should include("timestamp" => "2016-06-10 18:41:39" ) }
|
|
145
|
+
it { should include("x_edge_location" => "IAD53" ) }
|
|
146
|
+
it { should include("sc_bytes" => 224281 ) }
|
|
147
|
+
it { should include("clientip" => "192.168.1.1" ) }
|
|
148
|
+
it { should include("cs_method" => "GET" ) }
|
|
149
|
+
it { should include("cs_host" => "d27enomp470abc.cloudfront.net" ) }
|
|
150
|
+
it { should include("cs_uri_stem" => "/content/sample/thing.pdf" ) }
|
|
151
|
+
it { should include("sc_status" => 200 ) }
|
|
152
|
+
it { should include("referrer" => "https://example.com/" ) }
|
|
153
|
+
it { should include("agent" => "Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36" ) }
|
|
154
|
+
it { should include("cs_uri_query" => "-" ) }
|
|
155
|
+
it { should include("cookies" => "-" ) }
|
|
156
|
+
it { should include("x_edge_result_type" => "Miss" ) }
|
|
157
|
+
it { should include("x_edge_request_id" => "UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg==" ) }
|
|
158
|
+
it { should include("x_host_header" => "host.example.com" ) }
|
|
159
|
+
it { should include("cs_protocol" => "https" ) }
|
|
160
|
+
it { should include("cs_bytes" => 883 ) }
|
|
161
|
+
it { should include("time_taken" => 0.036 ) }
|
|
162
|
+
it { should include("x_forwarded_for" => "-" ) }
|
|
163
|
+
it { should include("ssl_protocol" => "TLSv1.2" ) }
|
|
164
|
+
it { should include("ssl_cipher" => "ECDHE-RSA-AES128-GCM-SHA256" ) }
|
|
165
|
+
it { should include("x_edge_response_result_type" => "Miss" ) }
|
|
166
|
+
|
|
167
|
+
["tags", "params"].each do |attribute|
|
|
168
|
+
it "have #{attribute} as nil" do
|
|
169
|
+
expect(subject[attribute]).to be_nil
|
|
170
|
+
end
|
|
171
|
+
end
|
|
172
|
+
end
|
|
173
|
+
end
|
|
@@ -4,6 +4,20 @@ require "logstash/patterns/core"
|
|
|
4
4
|
|
|
5
5
|
describe "SYSLOGLINE" do
|
|
6
6
|
|
|
7
|
+
describe "SYSLOG5424BASE" do
|
|
8
|
+
it "matches host names in the syslog base pattern" do
|
|
9
|
+
expect(subject).to match("<174>1 2016-11-14T09:32:44+01:00 resolver.se named 6344 - - info: client 10.23.53.22#63252: query: googlehosted.l.googleusercontent.com IN A + (10.23.16.6)")
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
it "matches ipv4 in the syslog base pattern" do
|
|
13
|
+
expect(subject).to match("<174>1 2016-11-14T09:49:23+01:00 10.23.16.6 named 2255 - - info: client 10.23.56.93#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)")
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
it "matches ipv6 in the syslog base pattern" do
|
|
17
|
+
expect(subject).to match("<174>1 2016-11-14T09:49:23+01:00 2000:6a0:b:315:10:23:4:13 named 2255 - - info: client 10.23.56.9#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)")
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
|
|
7
21
|
it "matches a simple message with pid" do
|
|
8
22
|
expect(subject).to match("May 11 15:17:02 meow.soy.se CRON[10973]: pam_unix(cron:session): session opened for user root by (uid=0)")
|
|
9
23
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -24,15 +24,19 @@ end
|
|
|
24
24
|
require "logstash/filters/grok"
|
|
25
25
|
|
|
26
26
|
module GrokHelpers
|
|
27
|
-
def grok_match(label, message)
|
|
28
|
-
grok = build_grok(label)
|
|
27
|
+
def grok_match(label, message, exact_match = false)
|
|
28
|
+
grok = build_grok(label, exact_match)
|
|
29
29
|
event = build_event(message)
|
|
30
30
|
grok.filter(event)
|
|
31
31
|
event.to_hash
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
-
def build_grok(label)
|
|
35
|
-
|
|
34
|
+
def build_grok(label, exact_match = false)
|
|
35
|
+
if exact_match
|
|
36
|
+
grok = LogStash::Filters::Grok.new("match" => ["message", "^%{#{label}}$"])
|
|
37
|
+
else
|
|
38
|
+
grok = LogStash::Filters::Grok.new("match" => ["message", "%{#{label}}"])
|
|
39
|
+
end
|
|
36
40
|
grok.register
|
|
37
41
|
grok
|
|
38
42
|
end
|
metadata
CHANGED
|
@@ -1,29 +1,35 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-patterns-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0
|
|
4
|
+
version: 4.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-01-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
15
15
|
requirements:
|
|
16
|
-
- - "
|
|
16
|
+
- - ">="
|
|
17
|
+
- !ruby/object:Gem::Version
|
|
18
|
+
version: '1.60'
|
|
19
|
+
- - "<="
|
|
17
20
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: '2.
|
|
21
|
+
version: '2.99'
|
|
19
22
|
name: logstash-core-plugin-api
|
|
20
23
|
prerelease: false
|
|
21
24
|
type: :runtime
|
|
22
25
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
26
|
requirements:
|
|
24
|
-
- - "
|
|
27
|
+
- - ">="
|
|
28
|
+
- !ruby/object:Gem::Version
|
|
29
|
+
version: '1.60'
|
|
30
|
+
- - "<="
|
|
25
31
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: '2.
|
|
32
|
+
version: '2.99'
|
|
27
33
|
- !ruby/object:Gem::Dependency
|
|
28
34
|
requirement: !ruby/object:Gem::Requirement
|
|
29
35
|
requirements:
|
|
@@ -52,7 +58,9 @@ dependencies:
|
|
|
52
58
|
- - ">="
|
|
53
59
|
- !ruby/object:Gem::Version
|
|
54
60
|
version: '0'
|
|
55
|
-
description: This gem is a Logstash plugin required to be installed on top of the
|
|
61
|
+
description: This gem is a Logstash plugin required to be installed on top of the
|
|
62
|
+
Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
|
|
63
|
+
gem is not a stand-alone program
|
|
56
64
|
email: info@elastic.co
|
|
57
65
|
executables: []
|
|
58
66
|
extensions: []
|
|
@@ -68,14 +76,17 @@ files:
|
|
|
68
76
|
- logstash-patterns-core.gemspec
|
|
69
77
|
- patterns/aws
|
|
70
78
|
- patterns/bacula
|
|
79
|
+
- patterns/bind
|
|
71
80
|
- patterns/bro
|
|
72
81
|
- patterns/exim
|
|
73
82
|
- patterns/firewalls
|
|
74
83
|
- patterns/grok-patterns
|
|
75
84
|
- patterns/haproxy
|
|
85
|
+
- patterns/httpd
|
|
76
86
|
- patterns/java
|
|
77
87
|
- patterns/junos
|
|
78
88
|
- patterns/linux-syslog
|
|
89
|
+
- patterns/maven
|
|
79
90
|
- patterns/mcollective
|
|
80
91
|
- patterns/mcollective-patterns
|
|
81
92
|
- patterns/mongodb
|
|
@@ -84,14 +95,18 @@ files:
|
|
|
84
95
|
- patterns/rails
|
|
85
96
|
- patterns/redis
|
|
86
97
|
- patterns/ruby
|
|
98
|
+
- patterns/squid
|
|
87
99
|
- spec/patterns/bro.rb
|
|
88
100
|
- spec/patterns/core_spec.rb
|
|
89
101
|
- spec/patterns/firewalls_spec.rb
|
|
90
102
|
- spec/patterns/haproxy_spec.rb
|
|
91
103
|
- spec/patterns/httpd_spec.rb
|
|
104
|
+
- spec/patterns/java_spec.rb
|
|
105
|
+
- spec/patterns/maven_spec.rb
|
|
92
106
|
- spec/patterns/mongodb_spec.rb
|
|
93
107
|
- spec/patterns/nagios_spec.rb
|
|
94
108
|
- spec/patterns/rails3_spec.rb
|
|
109
|
+
- spec/patterns/redis_spec.rb
|
|
95
110
|
- spec/patterns/s3_spec.rb
|
|
96
111
|
- spec/patterns/shorewall_spec.rb
|
|
97
112
|
- spec/patterns/syslog_spec.rb
|
|
@@ -117,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
117
132
|
version: '0'
|
|
118
133
|
requirements: []
|
|
119
134
|
rubyforge_project:
|
|
120
|
-
rubygems_version: 2.
|
|
135
|
+
rubygems_version: 2.6.13
|
|
121
136
|
signing_key:
|
|
122
137
|
specification_version: 4
|
|
123
138
|
summary: Patterns to be used in logstash
|
|
@@ -127,9 +142,12 @@ test_files:
|
|
|
127
142
|
- spec/patterns/firewalls_spec.rb
|
|
128
143
|
- spec/patterns/haproxy_spec.rb
|
|
129
144
|
- spec/patterns/httpd_spec.rb
|
|
145
|
+
- spec/patterns/java_spec.rb
|
|
146
|
+
- spec/patterns/maven_spec.rb
|
|
130
147
|
- spec/patterns/mongodb_spec.rb
|
|
131
148
|
- spec/patterns/nagios_spec.rb
|
|
132
149
|
- spec/patterns/rails3_spec.rb
|
|
150
|
+
- spec/patterns/redis_spec.rb
|
|
133
151
|
- spec/patterns/s3_spec.rb
|
|
134
152
|
- spec/patterns/shorewall_spec.rb
|
|
135
153
|
- spec/patterns/syslog_spec.rb
|