logstash-patterns-core 4.1.0 → 4.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/CHANGELOG.md +118 -0
- data/CONTRIBUTORS +1 -0
- data/Gemfile +8 -1
- data/LICENSE +199 -10
- data/README.md +12 -19
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +5 -5
- data/patterns/{haproxy → legacy/haproxy} +1 -1
- data/patterns/{httpd → legacy/httpd} +3 -3
- data/patterns/{java → legacy/java} +1 -3
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +1 -1
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +78 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +271 -6
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +707 -66
- data/spec/patterns/haproxy_spec.rb +253 -28
- data/spec/patterns/httpd_spec.rb +255 -77
- data/spec/patterns/java_spec.rb +375 -0
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +299 -78
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +157 -121
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +83 -5
- metadata +70 -30
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
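--- a/data/spec/patterns/netscreen_spec.rb
+++ b/data/spec/patterns/netscreen_spec.rb
@@ -0,0 +1,123 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe_pattern "NETSCREENSESSIONLOG", ['legacy', 'ecs-v1'] do
+
+  context "traffic denied (Juniper)" do
+
+    let(:message) do
+      'Jun  2 14:53:31 sample-host isg1000-A2: NetScreen device_id=0000011001000011 [Root]system-notification-00257(traffic): ' +
+          'start_time="2015-11-11 10:02:10" duration=0 policy_id=244 service=https proto=6 src zone=Untrust dst zone=Trust ' +
+          'action=Permit sent=0 rcvd=0 src=74.168.138.252 dst=72.72.72.72 src_port=1732 dst_port=443 ' +
+          'src-xlated ip=1.255.20.1 port=22041 dst-xlated ip=1.244.136.50 port=443 session_id=488451 reason=Creation'
+    end
+
+    it 'matches' do
+      if ecs_compatibility?
+        expect(subject).to include("timestamp" => "Jun  2 14:53:31")
+        expect(subject).to include("netscreen"=>{
+            "session"=>{"id"=>"488451", "start_time"=>"2015-11-11 10:02:10", "duration"=>0, "type"=>"traffic", "reason"=>"Creation"},
+            "policy_id"=>"244", "service"=>"https", "protocol_number"=>6, "device_id"=>"0000011001000011"
+        })
+        expect(subject).to include("event"=>{"code"=>"00257", "action"=>"Permit"})
+        # expect(subject).to include("network"=>{"protocol"=>"https"})
+        expect(subject).to include("source"=>{"bytes"=>0, "nat"=>{"port"=>22041, "ip"=>"1.255.20.1"}, "port"=>1732, "address"=>"74.168.138.252"})
+        expect(subject).to include("destination"=>{"bytes"=>0, "nat"=>{"port"=>443, "ip"=>"1.244.136.50"}, "port"=>443, "address"=>"72.72.72.72"})
+        expect(subject).to include("observer"=>{
+            "ingress"=>{"zone"=>"Untrust"}, "hostname"=>"sample-host", "name"=>"isg1000-A2", "product"=>"NetScreen",
+            "egress"=>{"zone"=>"Trust"}
+        })
+      else
+        expect(subject).to include("date" => "Jun  2 14:53:31")
+        expect(subject).to include(
+                   "device"=>"sample-host",
+                   "device_id"=>"0000011001000011",
+                   "start_time"=>"\"2015-11-11 10:02:10\"",
+                   "duration"=>"0",
+                   "policy_id"=>"244",
+                   "service"=>"https",
+                   "proto"=>"6",
+                   "src_zone"=>"Untrust", "dst_zone"=>"Trust",
+                   "action"=>"Permit",
+                   "sent"=>"0", "rcvd"=>"0",
+                   "src_ip"=>"74.168.138.252", "dst_ip"=>"72.72.72.72",
+                   "src_port"=>"1732", "dst_port"=>"443",
+                   "src_xlated_ip"=>"1.255.20.1", "src_xlated_port"=>"22041",
+                   "dst_xlated_ip"=>"1.244.136.50", "dst_xlated_port"=>"443",
+                   "session_id"=>"488451", "reason"=>"Creation",
+                   )
+      end
+    end
+
+  end
+
+  context "traffic denied (without port/xlated/session_id/reason suffix)" do
+
+    let(:message) do
+      'Mar 18 17:56:52 192.168.56.11 lowly_lizard: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): ' +
+          'start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 ' +
+          'src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1'
+    end
+
+    it 'matches in ECS mode' do
+      if ecs_compatibility?
+        expect(subject).to include("timestamp" => "Mar 18 17:56:52")
+        expect(subject).to include("netscreen"=>{
+            "device_id"=>"netscreen2",
+            "policy_id"=>"320001",
+            "service"=>"msrpc Endpoint Mapper(tcp)",
+            "protocol_number"=>6,
+            "session"=>{"start_time"=>"2009-03-18 16:07:06", "type"=>"traffic", "duration"=>0}
+        })
+        expect(subject).to include("source"=>{"address"=>"21.10.90.125", "bytes"=>0})
+        expect(subject).to include("destination"=>{"address"=>"23.16.1.1", "bytes"=>16384})
+      else
+        expect(grok['tags']).to include('_grokparsefailure')
+      end
+    end
+  end
+
+  context "'standard' traffic denied" do
+
+    let(:message) do
+      'Jun  2 14:53:31 fire00 aka1: NetScreen device_id=aka1  [Root]system-notification-00257(traffic): start_time="2006-06-02 14:53:30" ' +
+          'duration=0 policy_id=120 service=udp/port:17210 proto=17 src zone=Trust dst zone=DMZ action=Deny sent=0 rcvd=0 ' +
+          'src=192.168.2.2 dst=1.2.3.4 src_port=53 dst_port=17210'
+    end
+
+    it 'matches (in ECS mode)' do
+      if ecs_compatibility?
+        expect(subject).to include("event"=>{"action"=>"Deny", "code"=>"00257"})
+      else
+        expect(grok['tags']).to include('_grokparsefailure')
+        expect(subject).to_not include("date" => "Jun  2 14:53:31")
+      end
+    end
+
+    context "(with session id)" do
+
+      let(:message) do
+        super() + ' session_id=0 reason=Traffic Denied'
+      end
+
+      it 'matches (in ECS mode)' do
+        if ecs_compatibility?
+          expect(subject).to include("netscreen"=>hash_including("device_id"=>"aka1", "service"=>"udp/port:17210",
+                                     "session"=>hash_including("reason"=>"Traffic Denied")))
+          expect(subject).to include("observer"=>{
+              "ingress"=>{"zone"=>"Trust"},
+              "egress"=>{"zone"=>"DMZ"}, "hostname"=>"fire00", "name"=>"aka1",
+              "product"=>"NetScreen"
+          })
+        else
+          expect(grok['tags']).to include('_grokparsefailure')
+          expect(subject).to_not include("date" => "Jun  2 14:53:31")
+        end
+      end
+
+    end
+
+  end
+
+end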
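Review bot: The first context is labelled `context "traffic denied (Juniper)"` but its sample line carries `action=Permit` and `reason=Creation`, and the ECS branch asserts `"action"=>"Permit"`, so a failing example would be reported under the wrong scenario; rename it to something like `context "traffic permitted / session created (Juniper)"`. The commented-out `# expect(subject).to include("network"=>{"protocol"=>"https"})` inside the same example needs either a one-line reason (whether `service=https` is intentionally not mapped to `network.protocol`) or removal, since a silent commented assertion reads as a forgotten check. In the second and third contexts the legacy branch only asserts `_grokparsefailure`; a short comment above each, e.g. `# the legacy pattern requires the src_port/dst_port suffix`, would record that this is the expected limitation rather than an untested case (that reading is inferred from the assertions, not stated in the spec).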
| @@ -2,55 +2,113 @@ | |
| 2 2 | 
             
            require "spec_helper"
         | 
| 3 3 | 
             
            require "logstash/patterns/core"
         | 
| 4 4 |  | 
| 5 | 
            -
             | 
| 6 | 
            -
              let(:rails3_pattern)  { "RAILS3" }
         | 
| 5 | 
            +
            describe_pattern "RAILS3", ['legacy', 'ecs-v1'] do
         | 
| 7 6 |  | 
| 8 | 
            -
              context " | 
| 7 | 
            +
              context "single-line log" do
         | 
| 9 8 |  | 
| 10 | 
            -
                let(: | 
| 11 | 
            -
             | 
| 12 | 
            -
                subject     { grok_match(rails3_pattern, value) }
         | 
| 9 | 
            +
                let(:message) { 'Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2015-08-05 11:37:01 +0200' }
         | 
| 13 10 |  | 
| 14 11 | 
             
                # Started
         | 
| 15 | 
            -
                it  | 
| 16 | 
            -
             | 
| 12 | 
            +
                it do
         | 
| 13 | 
            +
                  if ecs_compatibility?
         | 
| 14 | 
            +
                    should include("http" => hash_including("request" => { "method" => "POST" }))
         | 
| 15 | 
            +
                  else
         | 
| 16 | 
            +
                    should include("verb" => "POST")
         | 
| 17 | 
            +
                  end
         | 
| 18 | 
            +
                end
         | 
| 19 | 
            +
             | 
| 20 | 
            +
                it do
         | 
| 21 | 
            +
                  if ecs_compatibility?
         | 
| 22 | 
            +
                  else
         | 
| 23 | 
            +
                    should include("request" => "/api/v3/internal/allowed")
         | 
| 24 | 
            +
                  end
         | 
| 25 | 
            +
                end
         | 
| 17 26 | 
             
                # for
         | 
| 18 | 
            -
                it  | 
| 27 | 
            +
                it do
         | 
| 28 | 
            +
                  if ecs_compatibility?
         | 
| 29 | 
            +
                    should include("source" => { "address" => "127.0.0.1" })
         | 
| 30 | 
            +
                  else
         | 
| 31 | 
            +
                    should include("clientip" => "127.0.0.1")
         | 
| 32 | 
            +
                  end
         | 
| 33 | 
            +
                end
         | 
| 19 34 | 
             
                # at
         | 
| 20 35 | 
             
                it { should include("timestamp" => "2015-08-05 11:37:01 +0200" ) }
         | 
| 21 36 | 
             
              end
         | 
| 22 37 |  | 
| 23 | 
            -
              context " | 
| 38 | 
            +
              context "multi-line log" do
         | 
| 24 39 |  | 
| 25 | 
            -
                let(: | 
| 40 | 
            +
                let(:message) { 'Started GET "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" for 127.0.0.1 at 2015-08-05 07:40:22 +0200
         | 
| 26 41 | 
             
            Processing by Projects::NotesController#index as JSON
         | 
| 27 42 | 
             
              Parameters: {"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"}
         | 
| 28 | 
            -
            Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' } | 
| 29 | 
            -
                subject     { grok_match(rails3_pattern, value) }
         | 
| 43 | 
            +
            Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' }
         | 
| 30 44 |  | 
| 31 45 | 
             
                # started
         | 
| 32 | 
            -
                it  | 
| 33 | 
            -
             | 
| 46 | 
            +
                it do
         | 
| 47 | 
            +
                  if ecs_compatibility?
         | 
| 48 | 
            +
                    should include("http" => hash_including("request" => { "method" => "GET" }))
         | 
| 49 | 
            +
                  else
         | 
| 50 | 
            +
                    should include("verb" => "GET")
         | 
| 51 | 
            +
                  end
         | 
| 52 | 
            +
                end
         | 
| 53 | 
            +
             | 
| 54 | 
            +
                it do
         | 
| 55 | 
            +
                  if ecs_compatibility?
         | 
| 56 | 
            +
                    should include("url" => {"original"=>"/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732"})
         | 
| 57 | 
            +
                  else
         | 
| 58 | 
            +
                    should include("request" => "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" )
         | 
| 59 | 
            +
                  end
         | 
| 60 | 
            +
                end
         | 
| 34 61 | 
             
                # for
         | 
| 35 | 
            -
                it  | 
| 62 | 
            +
                it do
         | 
| 63 | 
            +
                  if ecs_compatibility?
         | 
| 64 | 
            +
                    should include("source" => { "address" => "127.0.0.1" })
         | 
| 65 | 
            +
                  else
         | 
| 66 | 
            +
                    should include("clientip" => "127.0.0.1")
         | 
| 67 | 
            +
                  end
         | 
| 68 | 
            +
                end
         | 
| 36 69 | 
             
                # at
         | 
| 37 | 
            -
                it { should include("timestamp" => "2015-08-05 07:40:22 +0200" | 
| 70 | 
            +
                it { should include("timestamp" => "2015-08-05 07:40:22 +0200") }
         | 
| 38 71 | 
             
                # Processing by
         | 
| 39 | 
            -
                it  | 
| 40 | 
            -
             | 
| 72 | 
            +
                it do
         | 
| 73 | 
            +
                  if ecs_compatibility?
         | 
| 74 | 
            +
                    should include("rails" => hash_including("controller" => { "class"=>"Projects::NotesController", "action"=>"index" }))
         | 
| 75 | 
            +
                  else
         | 
| 76 | 
            +
                    should include("controller" => "Projects::NotesController")
         | 
| 77 | 
            +
                    should include("action" => "index")
         | 
| 78 | 
            +
                  end
         | 
| 79 | 
            +
                end
         | 
| 41 80 | 
             
                # as
         | 
| 42 | 
            -
                it  | 
| 81 | 
            +
                it do
         | 
| 82 | 
            +
                  if ecs_compatibility?
         | 
| 83 | 
            +
                    should include("rails" => hash_including("request" => hash_including("format" => 'JSON')))
         | 
| 84 | 
            +
                  else
         | 
| 85 | 
            +
                    should include("format" => "JSON" )
         | 
| 86 | 
            +
                  end
         | 
| 87 | 
            +
                end
         | 
| 43 88 | 
             
                # Parameters
         | 
| 44 | 
            -
                it  | 
| 89 | 
            +
                it do
         | 
| 90 | 
            +
                  params = '"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"'
         | 
| 91 | 
            +
                  if ecs_compatibility?
         | 
| 92 | 
            +
                    should include("rails" => hash_including("request" => hash_including("params" => params)))
         | 
| 93 | 
            +
                  else
         | 
| 94 | 
            +
                    should include("params" => params)
         | 
| 95 | 
            +
                  end
         | 
| 96 | 
            +
                end
         | 
| 45 97 | 
             
                # Completed
         | 
| 46 | 
            -
                it  | 
| 98 | 
            +
                it do
         | 
| 99 | 
            +
                  if ecs_compatibility?
         | 
| 100 | 
            +
                    should include("http" => hash_including("response" => { "status_code" => 200 }))
         | 
| 101 | 
            +
                  else
         | 
| 102 | 
            +
                    should include("response" => "200" )
         | 
| 103 | 
            +
                  end
         | 
| 104 | 
            +
                end
         | 
| 47 105 | 
             
                # in
         | 
| 48 | 
            -
                it  | 
| 49 | 
            -
             | 
| 50 | 
            -
             | 
| 51 | 
            -
             | 
| 52 | 
            -
             | 
| 53 | 
            -
             | 
| 106 | 
            +
                it do
         | 
| 107 | 
            +
                  if ecs_compatibility?
         | 
| 108 | 
            +
                    should include("rails" => hash_including("request" => hash_including("duration" => { "total" => 640.0, "view" => 1.7, "active_record" => 91.0 })))
         | 
| 109 | 
            +
                  else
         | 
| 110 | 
            +
                    should include("totalms" => "640", "viewms" => "1.7", "activerecordms" => "91.0")
         | 
| 111 | 
            +
                  end
         | 
| 112 | 
            +
                end
         | 
| 54 113 | 
             
              end
         | 
| 55 | 
            -
             | 
| 56 114 | 
             
            end
         | 
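Review bot: In the "single-line log" context, the second `it do` example has an empty `if ecs_compatibility?` branch with only `should include("request" => "/api/v3/internal/allowed")` in the `else`, so in ECS mode the example asserts nothing and passes vacuously, whereas the "multi-line log" counterpart checks `should include("url" => {"original"=>...})`. Mirror that here with `should include("url" => { "original" => "/api/v3/internal/allowed" })`, or, if the ECS pattern deliberately does not emit `url.original` for this form, say so in a comment instead of leaving the branch blank. All new examples are anonymous `it do` blocks; a description such as `it 'captures the request method'` would make failures readable, and the legacy-side `# Started` / `# for` comments could then be dropped.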
    
        data/spec/patterns/redis_spec.rb
    CHANGED
    
    | @@ -2,170 +2,206 @@ | |
| 2 2 | 
             
            require "spec_helper"
         | 
| 3 3 | 
             
            require "logstash/patterns/core"
         | 
| 4 4 |  | 
| 5 | 
            -
             | 
| 5 | 
            +
            describe_pattern 'REDISTIMESTAMP', [ 'legacy', 'ecs-v1' ] do
         | 
| 6 6 |  | 
| 7 | 
            -
              let(: | 
| 8 | 
            -
              let(:pattern) { "REDISTIMESTAMP" }
         | 
| 7 | 
            +
              let(:message) { '14 Nov 07:01:22.119'}
         | 
| 9 8 |  | 
| 10 9 | 
             
              it "a pattern pass the grok expression" do
         | 
| 11 | 
            -
                expect(grok_match(pattern,  | 
| 10 | 
            +
                expect(grok_match(pattern, message)).to pass
         | 
| 12 11 | 
             
              end
         | 
| 13 12 |  | 
| 14 13 | 
             
            end
         | 
| 15 14 |  | 
| 16 | 
            -
             | 
| 15 | 
            +
            describe_pattern 'REDISLOG', [ 'legacy', 'ecs-v1' ] do
         | 
| 17 16 |  | 
| 18 | 
            -
              let(: | 
| 19 | 
            -
              let(:pattern) { "REDISLOG" }
         | 
| 20 | 
            -
              let(:grok)    { grok_match(pattern, value) }
         | 
| 17 | 
            +
              let(:message) { "[4018] 14 Nov 07:01:22.119 * Background saving terminated with success" }
         | 
| 21 18 |  | 
| 22 19 | 
             
              it "a pattern pass the grok expression" do
         | 
| 23 20 | 
             
                expect(grok).to pass
         | 
| 24 21 | 
             
              end
         | 
| 25 22 |  | 
| 26 23 | 
             
              it "generates the pid field" do
         | 
| 27 | 
            -
                 | 
| 24 | 
            +
                if ecs_compatibility?
         | 
| 25 | 
            +
                  expect(grok).to include("process" => { 'pid' => 4018 })
         | 
| 26 | 
            +
                else
         | 
| 27 | 
            +
                  expect(grok).to include("pid" => "4018")
         | 
| 28 | 
            +
                end
         | 
| 28 29 | 
             
              end
         | 
| 29 30 |  | 
| 30 31 | 
             
            end
         | 
| 31 32 |  | 
| 33 | 
            +
            describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
         | 
| 34 | 
            +
             | 
| 35 | 
            +
              context "simple command" do
         | 
| 36 | 
            +
             | 
| 37 | 
            +
                let(:message) { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
         | 
| 38 | 
            +
             | 
| 39 | 
            +
                it "a pattern pass the grok expression" do
         | 
| 40 | 
            +
                  expect(grok).to pass
         | 
| 41 | 
            +
                end
         | 
| 42 | 
            +
             | 
| 43 | 
            +
                it "generates the timestamp field" do
         | 
| 44 | 
            +
                  expect(grok).to include("timestamp" => "1470637867.953466")
         | 
| 45 | 
            +
                end
         | 
| 46 | 
            +
             | 
| 47 | 
            +
                it "generates the database field" do
         | 
| 48 | 
            +
                  if ecs_compatibility?
         | 
| 49 | 
            +
                    expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
         | 
| 50 | 
            +
                  else
         | 
| 51 | 
            +
                    expect(grok).to include("database" => "0")
         | 
| 52 | 
            +
                  end
         | 
| 53 | 
            +
                end
         | 
| 54 | 
            +
             | 
| 55 | 
            +
                it "generates the client field" do
         | 
| 56 | 
            +
                  if ecs_compatibility?
         | 
| 57 | 
            +
                    expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
         | 
| 58 | 
            +
                  else
         | 
| 59 | 
            +
                    expect(grok).to include("client" => "195.168.1.1")
         | 
| 60 | 
            +
                  end
         | 
| 61 | 
            +
                end
         | 
| 62 | 
            +
             | 
| 63 | 
            +
                it "generates the port field" do
         | 
| 64 | 
            +
                  if ecs_compatibility?
         | 
| 65 | 
            +
                    expect(grok).to include("client" => hash_including('port' => 52500))
         | 
| 66 | 
            +
                  else
         | 
| 67 | 
            +
                    expect(grok).to include("port" => "52500")
         | 
| 68 | 
            +
                  end
         | 
| 69 | 
            +
                end
         | 
| 70 | 
            +
             | 
| 71 | 
            +
                it "generates the command field" do
         | 
| 72 | 
            +
                  if ecs_compatibility?
         | 
| 73 | 
            +
                    expect(grok).to include("redis" => hash_including('command' => { 'name' => 'info' }))
         | 
| 74 | 
            +
                  else
         | 
| 75 | 
            +
                    expect(grok).to include("command" => "info")
         | 
| 76 | 
            +
                  end
         | 
| 77 | 
            +
                end
         | 
| 78 | 
            +
             | 
| 79 | 
            +
              end
         | 
| 80 | 
            +
             | 
| 81 | 
            +
              context "one param command" do
         | 
| 82 | 
            +
             | 
| 83 | 
            +
                let(:message) { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
         | 
| 84 | 
            +
             | 
| 85 | 
            +
                it "a pattern pass the grok expression" do
         | 
| 86 | 
            +
                  expect(grok).to pass
         | 
| 87 | 
            +
                end
         | 
| 88 | 
            +
             | 
| 89 | 
            +
                it "generates the timestamp field" do
         | 
| 90 | 
            +
                  expect(grok).to include("timestamp" => "1339518083.107412")
         | 
| 91 | 
            +
                end
         | 
| 92 | 
            +
             | 
| 93 | 
            +
                it "generates the database field" do
         | 
| 94 | 
            +
                  if ecs_compatibility?
         | 
| 95 | 
            +
                    expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
         | 
| 96 | 
            +
                  else
         | 
| 97 | 
            +
                    expect(grok).to include("database" => "0")
         | 
| 98 | 
            +
                  end
         | 
| 99 | 
            +
                end
         | 
| 100 | 
            +
             | 
| 101 | 
            +
                it "generates the client field" do
         | 
| 102 | 
            +
                  if ecs_compatibility?
         | 
| 103 | 
            +
                    expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
         | 
| 104 | 
            +
                  else
         | 
| 105 | 
            +
                    expect(grok).to include("client" => "127.0.0.1")
         | 
| 106 | 
            +
                  end
         | 
| 107 | 
            +
                end
         | 
| 108 | 
            +
             | 
| 109 | 
            +
                it "generates the port field" do
         | 
| 110 | 
            +
                  if ecs_compatibility?
         | 
| 111 | 
            +
                    expect(grok).to include("client" => hash_including('port' => 60866))
         | 
| 112 | 
            +
                  else
         | 
| 113 | 
            +
                    expect(grok).to include("port" => "60866")
         | 
| 114 | 
            +
                  end
         | 
| 115 | 
            +
                end
         | 
| 116 | 
            +
             | 
| 117 | 
            +
                it "generates the command field" do
         | 
| 118 | 
            +
                  if ecs_compatibility?
         | 
| 119 | 
            +
                    expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'keys')))
         | 
| 120 | 
            +
                  else
         | 
| 121 | 
            +
                    expect(grok).to include("command" => "keys")
         | 
| 122 | 
            +
                  end
         | 
| 123 | 
            +
                end
         | 
| 124 | 
            +
             | 
| 125 | 
            +
                it "generates the params field" do
         | 
| 126 | 
            +
                  if ecs_compatibility?
         | 
| 127 | 
            +
                    expect(grok).to include("redis" => hash_including('command' => hash_including('args' => '"*"')))
         | 
| 128 | 
            +
                  else
         | 
| 129 | 
            +
                    expect(grok).to include("params" => "\"*\"")
         | 
| 130 | 
            +
                  end
         | 
| 131 | 
            +
                end
         | 
| 32 132 |  | 
| 33 | 
            -
            describe "REDISMONLOG - SIMPLE COMMAND" do
         | 
| 34 | 
            -
             | 
| 35 | 
            -
              let(:value)   { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
         | 
| 36 | 
            -
              let(:pattern) { "REDISMONLOG" }
         | 
| 37 | 
            -
              let(:grok)    { grok_match(pattern, value) }
         | 
| 38 | 
            -
             | 
| 39 | 
            -
              it "a pattern pass the grok expression" do
         | 
| 40 | 
            -
                expect(grok).to pass
         | 
| 41 | 
            -
              end
         | 
| 42 | 
            -
             | 
| 43 | 
            -
              it "generates the timestamp field" do
         | 
| 44 | 
            -
                expect(grok).to include("timestamp" => "1470637867.953466")
         | 
| 45 | 
            -
              end
         | 
| 46 | 
            -
             | 
| 47 | 
            -
              it "generates the database field" do
         | 
| 48 | 
            -
                expect(grok).to include("database" => "0")
         | 
| 49 | 
            -
              end
         | 
| 50 | 
            -
             | 
| 51 | 
            -
              it "generates the client field" do
         | 
| 52 | 
            -
                expect(grok).to include("client" => "195.168.1.1")
         | 
| 53 | 
            -
              end
         | 
| 54 | 
            -
             | 
| 55 | 
            -
              it "generates the port field" do
         | 
| 56 | 
            -
                expect(grok).to include("port" => "52500")
         | 
| 57 | 
            -
              end
         | 
| 58 | 
            -
             | 
| 59 | 
            -
              it "generates the command field" do
         | 
| 60 | 
            -
                expect(grok).to include("command" => "info")
         | 
| 61 133 | 
             
              end
         | 
| 62 134 |  | 
| 63 135 | 
             
            end
         | 
| 64 136 |  | 
| 65 | 
            -
             | 
| 66 | 
            -
             | 
| 67 | 
            -
              let(:value)   { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
         | 
| 68 | 
            -
              let(:pattern) { "REDISMONLOG" }
         | 
| 69 | 
            -
              let(:grok)    { grok_match(pattern, value) }
         | 
| 70 | 
            -
             | 
| 71 | 
            -
              it "a pattern pass the grok expression" do
         | 
| 72 | 
            -
                expect(grok).to pass
         | 
| 73 | 
            -
              end
         | 
| 74 | 
            -
             | 
| 75 | 
            -
              it "generates the timestamp field" do
         | 
| 76 | 
            -
                expect(grok).to include("timestamp" => "1339518083.107412")
         | 
| 77 | 
            -
              end
         | 
| 78 | 
            -
             | 
| 79 | 
            -
              it "generates the database field" do
         | 
| 80 | 
            -
                expect(grok).to include("database" => "0")
         | 
| 81 | 
            -
              end
         | 
| 82 | 
            -
             | 
| 83 | 
            -
              it "generates the client field" do
         | 
| 84 | 
            -
                expect(grok).to include("client" => "127.0.0.1")
         | 
| 85 | 
            -
              end
         | 
| 86 | 
            -
             | 
| 87 | 
            -
              it "generates the port field" do
         | 
| 88 | 
            -
                expect(grok).to include("port" => "60866")
         | 
| 89 | 
            -
              end
         | 
| 137 | 
            +
            describe_pattern "REDISMONLOG" do
         | 
| 90 138 |  | 
| 91 | 
            -
               | 
| 92 | 
            -
                expect(grok).to include("command" => "keys")
         | 
| 93 | 
            -
              end
         | 
| 139 | 
            +
              context 'two param command' do
         | 
| 94 140 |  | 
| 95 | 
            -
             | 
| 96 | 
            -
                expect(grok).to include("params" => "\"*\"")
         | 
| 97 | 
            -
              end
         | 
| 141 | 
            +
                let(:message) { "1470637925.186681 [0 127.0.0.1:39404] \"rpush\" \"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"" }
         | 
| 98 142 |  | 
| 99 | 
            -
             | 
| 143 | 
            +
                it "a pattern pass the grok expression" do
         | 
| 144 | 
            +
                  expect(grok).to pass
         | 
| 145 | 
            +
                end
         | 
| 100 146 |  | 
| 101 | 
            -
             | 
| 147 | 
            +
                it "generates the timestamp field" do
         | 
| 148 | 
            +
                  expect(grok).to include("timestamp" => "1470637925.186681")
         | 
| 149 | 
            +
                end
         | 
| 102 150 |  | 
| 103 | 
            -
             | 
| 104 | 
            -
             | 
| 105 | 
            -
             | 
| 151 | 
            +
                it "generates the database field" do
         | 
| 152 | 
            +
                  expect(grok).to include("database" => "0")
         | 
| 153 | 
            +
                end
         | 
| 106 154 |  | 
| 107 | 
            -
             | 
| 108 | 
            -
             | 
| 109 | 
            -
             | 
| 155 | 
            +
                it "generates the client field" do
         | 
| 156 | 
            +
                  expect(grok).to include("client" => "127.0.0.1")
         | 
| 157 | 
            +
                end
         | 
| 110 158 |  | 
| 111 | 
            -
             | 
| 112 | 
            -
             | 
| 113 | 
            -
             | 
| 159 | 
            +
                it "generates the port field" do
         | 
| 160 | 
            +
                  expect(grok).to include("port" => "39404")
         | 
| 161 | 
            +
                end
         | 
| 114 162 |  | 
| 115 | 
            -
             | 
| 116 | 
            -
             | 
| 117 | 
            -
             | 
| 163 | 
            +
                it "generates the command field" do
         | 
| 164 | 
            +
                  expect(grok).to include("command" => "rpush")
         | 
| 165 | 
            +
                end
         | 
| 118 166 |  | 
| 119 | 
            -
             | 
| 120 | 
            -
             | 
| 121 | 
            -
             | 
| 167 | 
            +
                it "generates the params field" do
         | 
| 168 | 
            +
                  expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
         | 
| 169 | 
            +
                end
         | 
| 122 170 |  | 
| 123 | 
            -
              it "generates the port field" do
         | 
| 124 | 
            -
                expect(grok).to include("port" => "39404")
         | 
| 125 171 | 
             
              end
         | 
| 126 172 |  | 
| 127 | 
            -
               | 
| 128 | 
            -
                expect(grok).to include("command" => "rpush")
         | 
| 129 | 
            -
              end
         | 
| 173 | 
            +
              context "variadic command" do
         | 
| 130 174 |  | 
| 131 | 
            -
             | 
| 132 | 
            -
                expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
         | 
| 133 | 
            -
              end
         | 
| 175 | 
            +
                let(:message) { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
         | 
| 134 176 |  | 
| 135 | 
            -
             | 
| 136 | 
            -
             | 
| 137 | 
            -
             | 
| 138 | 
            -
             | 
| 139 | 
            -
              let(:value)   { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
         | 
| 140 | 
            -
              let(:pattern) { "REDISMONLOG" }
         | 
| 141 | 
            -
              let(:grok)    { grok_match(pattern, value) }
         | 
| 177 | 
            +
                it "a pattern pass the grok expression" do
         | 
| 178 | 
            +
                  expect(grok).to pass
         | 
| 179 | 
            +
                end
         | 
| 142 180 |  | 
| 143 | 
            -
             | 
| 144 | 
            -
             | 
| 145 | 
            -
             | 
| 181 | 
            +
                it "generates the timestamp field" do
         | 
| 182 | 
            +
                  expect(grok).to include("timestamp" => "1470637875.777457")
         | 
| 183 | 
            +
                end
         | 
| 146 184 |  | 
| 147 | 
            -
             | 
| 148 | 
            -
             | 
| 149 | 
            -
             | 
| 185 | 
            +
                it "generates the database field" do
         | 
| 186 | 
            +
                  expect(grok).to include("database" => "15")
         | 
| 187 | 
            +
                end
         | 
| 150 188 |  | 
| 151 | 
            -
             | 
| 152 | 
            -
             | 
| 153 | 
            -
             | 
| 189 | 
            +
                it "generates the client field" do
         | 
| 190 | 
            +
                  expect(grok).to include("client" => "195.168.1.1")
         | 
| 191 | 
            +
                end
         | 
| 154 192 |  | 
| 155 | 
            -
             | 
| 156 | 
            -
             | 
| 157 | 
            -
             | 
| 193 | 
            +
                it "generates the port field" do
         | 
| 194 | 
            +
                  expect(grok).to include("port" => "52500")
         | 
| 195 | 
            +
                end
         | 
| 158 196 |  | 
| 159 | 
            -
             | 
| 160 | 
            -
             | 
| 161 | 
            -
             | 
| 197 | 
            +
                it "generates the command field" do
         | 
| 198 | 
            +
                  expect(grok).to include("command" => "intentionally")
         | 
| 199 | 
            +
                end
         | 
| 162 200 |  | 
| 163 | 
            -
             | 
| 164 | 
            -
             | 
| 165 | 
            -
             | 
| 201 | 
            +
                it "generates the params field" do
         | 
| 202 | 
            +
                  expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
         | 
| 203 | 
            +
                end
         | 
| 166 204 |  | 
| 167 | 
            -
              it "generates the params field" do
         | 
| 168 | 
            -
                expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
         | 
| 169 205 | 
             
              end
         | 
| 170 206 |  | 
| 171 | 
            -
            end
         | 
| 207 | 
            +
            end
         |