RubyGems - logstash-patterns-core - Versions diffs - 4.0.2 → 4.3.0 - Mend

logstash-patterns-core 4.0.2 → 4.3.0

Files changed (79) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +149 -8
data/CONTRIBUTORS +1 -0
data/Gemfile +11 -1
data/LICENSE +199 -10
data/README.md +12 -19
data/lib/logstash/patterns/core.rb +11 -3
data/logstash-patterns-core.gemspec +1 -1
data/patterns/ecs-v1/aws +28 -0
data/patterns/ecs-v1/bacula +53 -0
data/patterns/ecs-v1/bind +13 -0
data/patterns/ecs-v1/bro +30 -0
data/patterns/ecs-v1/exim +26 -0
data/patterns/ecs-v1/firewalls +111 -0
data/patterns/ecs-v1/grok-patterns +95 -0
data/patterns/ecs-v1/haproxy +40 -0
data/patterns/ecs-v1/httpd +17 -0
data/patterns/ecs-v1/java +34 -0
data/patterns/ecs-v1/junos +13 -0
data/patterns/ecs-v1/linux-syslog +16 -0
data/patterns/ecs-v1/maven +1 -0
data/patterns/ecs-v1/mcollective +4 -0
data/patterns/ecs-v1/mongodb +7 -0
data/patterns/ecs-v1/nagios +124 -0
data/patterns/ecs-v1/postgresql +2 -0
data/patterns/ecs-v1/rails +13 -0
data/patterns/ecs-v1/redis +3 -0
data/patterns/ecs-v1/ruby +2 -0
data/patterns/ecs-v1/squid +6 -0
data/patterns/ecs-v1/zeek +33 -0
data/patterns/legacy/aws +14 -0
data/patterns/{bacula → legacy/bacula} +5 -5
data/patterns/legacy/bind +3 -0
data/patterns/{bro → legacy/bro} +0 -0
data/patterns/{exim → legacy/exim} +8 -2
data/patterns/{firewalls → legacy/firewalls} +7 -2
data/patterns/{grok-patterns → legacy/grok-patterns} +5 -13
data/patterns/{haproxy → legacy/haproxy} +1 -1
data/patterns/legacy/httpd +15 -0
data/patterns/{java → legacy/java} +1 -4
data/patterns/{junos → legacy/junos} +0 -0
data/patterns/{linux-syslog → legacy/linux-syslog} +1 -1
data/patterns/legacy/maven +1 -0
data/patterns/{mcollective → legacy/mcollective} +0 -0
data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
data/patterns/{mongodb → legacy/mongodb} +0 -0
data/patterns/{nagios → legacy/nagios} +1 -1
data/patterns/{postgresql → legacy/postgresql} +0 -0
data/patterns/{rails → legacy/rails} +0 -0
data/patterns/legacy/redis +3 -0
data/patterns/{ruby → legacy/ruby} +0 -0
data/patterns/legacy/squid +4 -0
data/spec/patterns/aws_spec.rb +395 -0
data/spec/patterns/bacula_spec.rb +367 -0
data/spec/patterns/bind_spec.rb +78 -0
data/spec/patterns/bro_spec.rb +613 -0
data/spec/patterns/core_spec.rb +271 -16
data/spec/patterns/exim_spec.rb +201 -0
data/spec/patterns/firewalls_spec.rb +683 -49
data/spec/patterns/haproxy_spec.rb +253 -28
data/spec/patterns/httpd_spec.rb +291 -10
data/spec/patterns/java_spec.rb +375 -0
data/spec/patterns/junos_spec.rb +101 -0
data/spec/patterns/maven_spec.rb +61 -0
data/spec/patterns/mcollective_spec.rb +35 -0
data/spec/patterns/mongodb_spec.rb +170 -33
data/spec/patterns/nagios_spec.rb +299 -78
data/spec/patterns/netscreen_spec.rb +123 -0
data/spec/patterns/rails3_spec.rb +87 -29
data/spec/patterns/redis_spec.rb +207 -0
data/spec/patterns/shorewall_spec.rb +85 -74
data/spec/patterns/squid_spec.rb +139 -0
data/spec/patterns/syslog_spec.rb +266 -8
data/spec/spec_helper.rb +83 -5
metadata +74 -26
data/patterns/aws +0 -11
data/patterns/redis +0 -3
data/spec/patterns/bro.rb +0 -126
data/spec/patterns/s3_spec.rb +0 -132

data/spec/spec_helper.rb CHANGED Viewed

@@ -24,15 +24,55 @@ end
 require "logstash/filters/grok"
 module GrokHelpers
-  def grok_match(label, message)
-    grok  = build_grok(label)
+  module PatternModeSupport
+    @@pattern_mode = nil
+    def pattern_mode
+      @@pattern_mode
+    end
+    module_function :pattern_mode
+    def pattern_mode=(mode)
+      @@pattern_mode = mode
+    end
+  end
+  def ecs_compatibility?
+    case ecs_compatibility
+    when :disabled then false
+    when nil then nil
+    else true
+    end
+  end
+  def ecs_compatibility
+    case mode = PatternModeSupport.pattern_mode
+    when 'legacy' then :disabled
+    when 'ecs-v1' then :v1
+    when nil then nil
+    else fail "pattern_mode: #{mode.inspect}"
+    end
+  end
+  def grok_match(label, message, exact_match = false)
+    grok_match_event(label, message, exact_match).to_hash
+  end
+  def grok_match_event(label, message, exact_match = false)
+    grok  = build_grok(label, exact_match)
     event = build_event(message)
     grok.filter(event)
-    event.to_hash
+    event
   end
-  def build_grok(label)
-    grok = LogStash::Filters::Grok.new("match" => ["message", "%{#{label}}"])
+  def grok_exact_match(label, message)
+    grok_match(label, message, true)
+  end
+  def build_grok(label, exact_match = false)
+    grok_opts = { "match" => [ "message", exact_match ? "^%{#{label}}$" : "%{#{label}}" ] }
+    ecs_compat = ecs_compatibility # if not set use the plugin default
+    grok_opts["ecs_compatibility"] = ecs_compat unless ecs_compat.nil?
+    grok = LogStash::Filters::Grok.new(grok_opts)
     grok.register
     grok
   end
@@ -44,6 +84,31 @@ end
 RSpec.configure do |c|
   c.include GrokHelpers
+  c.include GrokHelpers::PatternModeSupport
+  c.extend GrokHelpers::PatternModeSupport
+end
+def describe_pattern(name, pattern_modes = [ nil ], &block)
+  pattern_modes.each do |mode|
+    RSpec.describe "#{name}#{mode ? " (#{mode})" : nil}" do
+      before(:each) do
+        @restore_pattern_mode = pattern_mode
+        self.pattern_mode = mode
+      end
+      after(:each) do
+        self.pattern_mode = @restore_pattern_mode
+      end
+      let(:pattern) { name }
+      let(:message) { raise 'let(:message) { ... } is missing' }
+      let(:event) { grok_match_event(pattern, message) }
+      let(:grok) { event.to_hash }
+      subject(:grok_result) { grok }
+      instance_eval(&block)
+    end
+  end
 end
 RSpec::Matchers.define :pass do |expected|
@@ -61,3 +126,16 @@ RSpec::Matchers.define :match do |value|
   end
 end
+RSpec.shared_examples_for 'top-level namespaces' do |namespaces, opts|
+  let(:internal_keys) { ['@timestamp', '@version'] }
+  let(:allowed_keys) { namespaces }
+  it "event is expected to only use namespaces: #{namespaces.inspect}" do
+    if instance_exec &(opts[:if] || -> { true })
+      event_hash = subject.to_hash
+      (event_hash.keys - (internal_keys + ['message'])).each do |top_level_key|
+        fail_msg = "found event.get('#{top_level_key}') : #{event_hash[top_level_key].inspect}"
+        expect(allowed_keys).to include(top_level_key), fail_msg
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 4.3.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-07-14 00:00:00.000000000 Z
+date: 2021-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -58,7 +58,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
@@ -72,34 +74,70 @@ files:
 - README.md
 - lib/logstash/patterns/core.rb
 - logstash-patterns-core.gemspec
-- patterns/aws
-- patterns/bacula
-- patterns/bro
-- patterns/exim
-- patterns/firewalls
-- patterns/grok-patterns
-- patterns/haproxy
-- patterns/java
-- patterns/junos
-- patterns/linux-syslog
-- patterns/mcollective
-- patterns/mcollective-patterns
-- patterns/mongodb
-- patterns/nagios
-- patterns/postgresql
-- patterns/rails
-- patterns/redis
-- patterns/ruby
-- spec/patterns/bro.rb
+- patterns/ecs-v1/aws
+- patterns/ecs-v1/bacula
+- patterns/ecs-v1/bind
+- patterns/ecs-v1/bro
+- patterns/ecs-v1/exim
+- patterns/ecs-v1/firewalls
+- patterns/ecs-v1/grok-patterns
+- patterns/ecs-v1/haproxy
+- patterns/ecs-v1/httpd
+- patterns/ecs-v1/java
+- patterns/ecs-v1/junos
+- patterns/ecs-v1/linux-syslog
+- patterns/ecs-v1/maven
+- patterns/ecs-v1/mcollective
+- patterns/ecs-v1/mongodb
+- patterns/ecs-v1/nagios
+- patterns/ecs-v1/postgresql
+- patterns/ecs-v1/rails
+- patterns/ecs-v1/redis
+- patterns/ecs-v1/ruby
+- patterns/ecs-v1/squid
+- patterns/ecs-v1/zeek
+- patterns/legacy/aws
+- patterns/legacy/bacula
+- patterns/legacy/bind
+- patterns/legacy/bro
+- patterns/legacy/exim
+- patterns/legacy/firewalls
+- patterns/legacy/grok-patterns
+- patterns/legacy/haproxy
+- patterns/legacy/httpd
+- patterns/legacy/java
+- patterns/legacy/junos
+- patterns/legacy/linux-syslog
+- patterns/legacy/maven
+- patterns/legacy/mcollective
+- patterns/legacy/mcollective-patterns
+- patterns/legacy/mongodb
+- patterns/legacy/nagios
+- patterns/legacy/postgresql
+- patterns/legacy/rails
+- patterns/legacy/redis
+- patterns/legacy/ruby
+- patterns/legacy/squid
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
+- spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
+- spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
-- spec/patterns/s3_spec.rb
+- spec/patterns/redis_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
@@ -123,20 +161,30 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.3
+rubygems_version: 2.6.13
 signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash
 test_files:
-- spec/patterns/bro.rb
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
+- spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
+- spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
-- spec/patterns/s3_spec.rb
+- spec/patterns/redis_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb

data/patterns/aws DELETED Viewed

@@ -1,11 +0,0 @@
-S3_REQUEST_LINE (?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
-S3_ACCESS_LOG %{WORD:owner} %{NOTSPACE:bucket} \[%{HTTPDATE:timestamp}\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:"%{S3_REQUEST_LINE}"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:"?%{QS:agent}"?|-) (?:-|%{NOTSPACE:version_id})
-ELB_URIPATHPARAM %{URIPATH:path}(?:%{URIPARAM:params})?
-ELB_URI %{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?
-ELB_REQUEST_LINE (?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
-ELB_ACCESS_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} "%{ELB_REQUEST_LINE}"

data/patterns/redis DELETED Viewed

@@ -1,3 +0,0 @@
-REDISTIMESTAMP %{MONTHDAY} %{MONTH} %{TIME}
-REDISLOG \[%{POSINT:pid}\] %{REDISTIMESTAMP:timestamp} \*

data/spec/patterns/bro.rb DELETED Viewed

@@ -1,126 +0,0 @@
-# encoding: utf-8
-require "spec_helper"
-require "logstash/patterns/core"
-describe "HTTP" do
-  let(:value)   { "1432555199.633017	COpk6E3vkURP8QQNKl	192.168.9.35	55281	178.236.7.146	80	4	POST	www.amazon.it	/xa/dealcontent/v2/GetDeals?nocache=1432555199326	http://www.amazon.it/	Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36	223	1859	200	OK	-	-	-	(empty)	-	-	-	FrLEcY3AUPKdcYGf29	text/plain	FOJpbGzIMh9syPxH8	text/plain" }
-  let(:grok)    { grok_match(subject, value) }
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-  it "matches a simple message" do
-    expect(subject).to match(value)
-  end
-  it "generates the ts field" do
-    expect(grok).to include("ts" => "1432555199.633017")
-  end
-  it "generates the uid field" do
-    expect(grok).to include("uid" => "COpk6E3vkURP8QQNKl")
-  end
-  it "generates the orig_h field" do
-    expect(grok).to include("orig_h" => "192.168.9.35")
-  end
-  it "generates the orig_p field" do
-    expect(grok).to include("orig_p" => "55281")
-  end
-  it "generates the resp_h field" do
-    expect(grok).to include("resp_h" => "178.236.7.146")
-  end
-  it "generates the resp_p field" do
-    expect(grok).to include("resp_p" => "80")
-  end
-  it "generates the trans_depth field" do
-    expect(grok).to include("trans_depth" => "4")
-  end
-  it "generates the method field" do
-    expect(grok).to include("method" => "POST")
-  end
-  it "generates the domain field" do
-    expect(grok).to include("domain" => "www.amazon.it")
-  end
-  it "generates the uri field" do
-    expect(grok).to include("uri" => "/xa/dealcontent/v2/GetDeals?nocache=1432555199326")
-  end
-  it "generates the referrer field" do
-    expect(grok).to include("referrer" => "http://www.amazon.it/")
-  end
-  it "generates the user_agent field" do
-    expect(grok).to include("user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36")
-  end
-  it "generates the request_body_len field" do
-    expect(grok).to include("request_body_len" => "223")
-  end
-  it "generates the response_body_len field" do
-    expect(grok).to include("response_body_len" => "1859")
-  end
-  it "generates the status_code field" do
-    expect(grok).to include("status_code" => "200")
-  end
-  it "generates the status_msg field" do
-    expect(grok).to include("status_msg" => "OK")
-  end
-  it "generates the info_code field" do
-    expect(grok).to include("info_code" => "-")
-  end
-  it "generates the info_msg field" do
-    expect(grok).to include("info_msg" => "-")
-  end
-  it "generates the filename field" do
-    expect(grok).to include("filename" => "-")
-  end
-  it "generates the bro_tags field" do
-    expect(grok).to include("bro_tags" => "(empty)")
-  end
-  it "generates the username field" do
-    expect(grok).to include("username" => "-")
-  end
-  it "generates the password field" do
-    expect(grok).to include("password" => "-")
-  end
-  it "generates the proxied field" do
-    expect(grok).to include("proxied" => "-")
-  end
-  it "generates the orig_fuids field" do
-    expect(grok).to include("orig_fuids" => "FrLEcY3AUPKdcYGf29")
-  end
-  it "generates the orig_mime_types field" do
-    expect(grok).to include("orig_mime_types" => "text/plain")
-  end
-  it "generates the resp_fuids field" do
-    expect(grok).to include("resp_fuids" => "FOJpbGzIMh9syPxH8")
-  end
-  it "generates the resp_mime_types field" do
-    expect(grok).to include("resp_mime_types" => "text/plain")
-  end
-end

data/spec/patterns/s3_spec.rb DELETED Viewed

@@ -1,132 +0,0 @@
-# encoding: utf-8
-require "spec_helper"
-require "logstash/patterns/core"
-describe "ELB_ACCESS_LOG" do
-  let(:pattern) { "ELB_ACCESS_LOG" }
-  context "parsing an access log" do
-    let(:value) { "2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\"" }
-    subject { grok_match(pattern, value) }
-    it { should include("timestamp" => "2014-02-15T23:39:43.945958Z" ) }
-    it { should include("elb" => "my-test-loadbalancer" ) }
-    it { should include("clientip" => "192.168.131.39" ) }
-    it { should include("clientport" => 2817 ) }
-    it { should include("backendip" => "10.0.0.1" ) }
-    it { should include("backendport" => 80 ) }
-    it { should include("request_processing_time" => 0.000073 ) }
-    it { should include("backend_processing_time" => 0.001048 ) }
-    it { should include("response_processing_time" => 0.000057 ) }
-    it { should include("response" => 200 ) }
-    it { should include("backend_response" => 200 ) }
-    it { should include("received_bytes" => 0 ) }
-    it { should include("bytes" => 29 ) }
-    it { should include("verb" => "GET" ) }
-    it { should include("request" => "http://www.example.com:80/" ) }
-    it { should include("proto" => "http" ) }
-    it { should include("httpversion" => "1.1" ) }
-    it { should include("urihost" => "www.example.com:80" ) }
-    it { should include("path" => "/" ) }
-    ["tags", "params"].each do |attribute|
-      it "have #{attribute} as nil" do
-        expect(subject[attribute]).to be_nil
-      end
-    end
-  end
-  context "parsing a PUT request access log with missing backend info" do
-    let(:value) { '2015-04-10T08:11:09.865823Z us-west-1-production-media 49.150.87.133:55128 - -1 -1 -1 408 0 1294336 0 "PUT https://media.xxxyyyzzz.com:443/videos/F4_M-T4X0MM6Hvy1PFHesw HTTP/1.1"' }
-    subject { grok_match(pattern, value) }
-    it "a pattern pass the grok expression" do
-      expect(subject).to pass
-    end
-    ["backendip", "backendport"].each do |attribute|
-      it "have #{attribute} as nil" do
-        expect(subject[attribute]).to be_nil
-      end
-    end
-  end
-end
-describe "S3_ACCESS_LOG" do
-  let(:pattern)    { "S3_ACCESS_LOG" }
-  context "parsing GET.VERSIONING message" do
-    let(:value) { "79a5 mybucket [06/Feb/2014:00:00:38 +0000] 192.0.2.3 79a5 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /mybucket?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" -" }
-    subject { grok_match(pattern, value) }
-    it { should include("owner" => "79a5" ) }
-    it { should include("bucket" => "mybucket" ) }
-    it { should include("timestamp" => "06/Feb/2014:00:00:38 +0000" ) }
-    it { should include("clientip" => "192.0.2.3" ) }
-    it { should include("requester" => "79a5" ) }
-    it { should include("request_id" => "3E57427F3EXAMPLE" ) }
-    it { should include("operation" => "REST.GET.VERSIONING" ) }
-    it { should include("key" => "-" ) }
-    it { should include("verb" => "GET" ) }
-    it { should include("request" => "/mybucket?versioning" ) }
-    it { should include("httpversion" => "1.1" ) }
-    it { should include("response" => 200 ) }
-    it { should include("bytes" => 113 ) }
-    it { should include("request_time_ms" => 7 ) }
-    it { should include("referrer" => "\"-\"" ) }
-    it { should include("agent" => "\"S3Console/0.4\"" ) }
-    ["tags", "error_code", "object_size", "turnaround_time_ms", "version_id"].each do |attribute|
-      it "have #{attribute} as nil" do
-        expect(subject[attribute]).to be_nil
-      end
-    end
-  end
-  context "parsing a GET.OBJECT message" do
-    let(:value) { "79a5 mybucket [12/May/2014:07:54:01 +0000] 10.0.1.2 - 7ACC4BE89EXAMPLE REST.GET.OBJECT foo/bar.html \"GET /foo/bar.html HTTP/1.1\" 304 - - 1718 10 - \"-\" \"Mozilla/5.0\" -" }
-    subject { grok_match(pattern, value) }
-    it { should include("owner" => "79a5" ) }
-    it { should include("bucket" => "mybucket" ) }
-    it { should include("timestamp" => "12/May/2014:07:54:01 +0000" ) }
-    it { should include("clientip" => "10.0.1.2" ) }
-    it { should include("requester" => "-" ) }
-    it { should include("request_id" => "7ACC4BE89EXAMPLE" ) }
-    it { should include("operation" => "REST.GET.OBJECT" ) }
-    it { should include("key" => "foo/bar.html" ) }
-    it { should include("verb" => "GET" ) }
-    it { should include("request" => "/foo/bar.html" ) }
-    it { should include("httpversion" => "1.1" ) }
-    it { should include("response" => 304 ) }
-    it { should include("object_size" => 1718 ) }
-    it { should include("request_time_ms" => 10 ) }
-    it { should include("referrer" => "\"-\"" ) }
-    it { should include("agent" => "\"Mozilla/5.0\"" ) }
-    ["tags", "error_code", "turnaround_time_ms", "version_id", "bytes"].each do |attribute|
-      it "have #{attribute} as nil" do
-        expect(subject[attribute]).to be_nil
-      end
-    end
-  end
-end