logstash-patterns-core 4.1.2 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 22859cd7eb657e34fd50382564d8278cb6c51267
-  data.tar.gz: d2a3a2d31d9fc671e8f91b2150ded01d0f4b62df
+SHA256:
+  metadata.gz: 2dedffff182dadbed4b39e8e721d412b0d2d1f6f57798dd37dcd034b12c64588
+  data.tar.gz: ae6ea53743eb51e7e5d5d7a8951f6628bf9996dae0ccc41b6016c792819835dd
 SHA512:
-  metadata.gz: 5fbcaa7f6debbf1a1449d592c1dc2ef2129f0091b7d4918da66c062bc7e779a549863705c9d5854b1ee6403a982a5dfbd58f284d241833a7d89cda0ce701be9a
-  data.tar.gz: 27af30d700ec261798dd43ab86e0a1ab09075d017d572a11022f28f5ea964cf795d21375badb4cf0c91db176ae26e2296c8d1e3385063f2e6abc28f8e8ac1463
+  metadata.gz: 3673dcbada411244ed620b7827fe85bcfa74fcbea74b6668139242c9ab1f24c2cf44a1f780ccd4fb49ea94b8289b72a761b6996bc739406d87ebbef10a5a66ce
+  data.tar.gz: 5052131a60ae6ac99d169ca0564882a052569e6ff704ff6972c5ab9ab6356c98ac5cb6bf09f6b3a9560bce6bad6b62d6321835cf2b0c606125f197e60123da7f

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 4.2.0
+  - Fix: Java stack trace's JAVAFILE to better match generated names
+  - Fix: match Information/INFORMATION in LOGLEVEL [#274](https://github.com/logstash-plugins/logstash-patterns-core/pull/274)
+  - Fix: NAGIOS TIMEPERIOD unknown (from/to) field matching [#275](https://github.com/logstash-plugins/logstash-patterns-core/pull/275)
+  - Fix: HTTPD access log parse failure on missing response [#282](https://github.com/logstash-plugins/logstash-patterns-core/pull/282)
+  - Fix: UNIXPATH to avoid DoS on long paths with unmatching chars [#292](https://github.com/logstash-plugins/logstash-patterns-core/pull/292)
+
+    For longer paths, a non matching character towards the end of the path would cause the RegExp engine a long time to abort.
+    With this change we're also explicit about not supporting relative paths (using the `PATH` pattern), these won't be properly matched.
+ 
+  - Feat: allow UNIXPATH to match non-ascii chars [#291](https://github.com/logstash-plugins/logstash-patterns-core/pull/291)
+
 ## 4.1.2
   - Fix some documentation issues
 

data/Gemfile

@@ -1,4 +1,11 @@
 source 'https://rubygems.org'
 
-# Specify your gem's dependencies in logstash-mass_effect.gemspec
 gemspec
+
+logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
+use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
+
+if Dir.exist?(logstash_path) && use_logstash_source
+  gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
+  gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
+end

data/LICENSE

@@ -1,13 +1,202 @@
-Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-    http://www.apache.org/licenses/LICENSE-2.0
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2020 Elastic and contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -1,6 +1,6 @@
 # Logstash Plugin
 
-[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-patterns-core.svg)](https://travis-ci.org/logstash-plugins/logstash-patterns-core)
+[![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-patterns-core.svg)](https://travis-ci.com/logstash-plugins/logstash-patterns-core)
 
 This is a plugin for [Logstash](https://github.com/elastic/logstash).
 

data/logstash-patterns-core.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-patterns-core'
-  s.version         = '4.1.2'
+  s.version         = '4.2.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Patterns to be used in logstash"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/patterns/grok-patterns

@@ -32,9 +32,9 @@ HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62
 IPORHOST (?:%{IP}|%{HOSTNAME})
 HOSTPORT %{IPORHOST}:%{POSINT}
 
-# paths
+# paths (only absolute paths are matched)
 PATH (?:%{UNIXPATH}|%{WINPATH})
-UNIXPATH (/([\w_%!$@:.,+~-]+|\\.)*)+
+UNIXPATH (/[[[:alnum:]]_%!$@:.,+~-]*)+
 TTY (?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))
 WINPATH (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
 URIPROTO [A-Za-z]([A-Za-z0-9+\-.]+)+
@@ -48,7 +48,7 @@ URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
 URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
 
 # Months: January, Feb, 3, 03, 12, December
-MONTH \b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b
+MONTH \b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y|i)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b
 MONTHNUM (?:0?[1-9]|1[0-2])
 MONTHNUM2 (?:0[1-9]|1[0-2])
 MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
@@ -92,4 +92,4 @@ QS %{QUOTEDSTRING}
 SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
 
 # Log Levels
-LOGLEVEL ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
+LOGLEVEL ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo?(?:rmation)?|INFO?(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)

data/patterns/haproxy

@@ -31,7 +31,7 @@ HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:captured_response_headers}
 # HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:response_header_content_type}\|%{DATA:response_header_content_encoding}\|%{DATA:response_header_cache_control}\|%{DATA:response_header_last_modified}
 
 # parse a haproxy 'httplog' line
-HAPROXYHTTPBASE %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"
+HAPROXYHTTPBASE %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"?
 
 HAPROXYHTTP (?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}
 

data/patterns/httpd

@@ -2,7 +2,7 @@ HTTPDUSER %{EMAILADDRESS}|%{USER}
 HTTPDERROR_DATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
 
 # Log formats
-HTTPD_COMMONLOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
+HTTPD_COMMONLOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" (?:-|%{NUMBER:response}) (?:-|%{NUMBER:bytes})
 HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}
 
 # Error logs

data/patterns/java

@@ -1,14 +1,12 @@
 JAVACLASS (?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*
 #Space is an allowed character to match special cases like 'Native Method' or 'Unknown Source'
-JAVAFILE (?:[A-Za-z0-9_. -]+)
+JAVAFILE (?:[a-zA-Z$_0-9. -]+)
 #Allow special <init>, <clinit> methods
 JAVAMETHOD (?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
 #Line number is optional in special cases 'Native method' or 'Unknown source'
 JAVASTACKTRACEPART %{SPACE}at %{JAVACLASS:class}\.%{JAVAMETHOD:method}\(%{JAVAFILE:file}(?::%{NUMBER:line})?\)
 # Java Logs
 JAVATHREAD (?:[A-Z]{2}-Processor[\d]+)
-JAVACLASS (?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+
-JAVAFILE (?:[A-Za-z0-9_.-]+)
 JAVALOGMESSAGE (.*)
 # MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM
 CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)

data/patterns/nagios

@@ -89,7 +89,7 @@ NAGIOS_PASSIVE_HOST_CHECK %{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:
 NAGIOS_SERVICE_EVENT_HANDLER %{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}
 NAGIOS_HOST_EVENT_HANDLER %{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}
 
-NAGIOS_TIMEPERIOD_TRANSITION %{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}
+NAGIOS_TIMEPERIOD_TRANSITION %{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{NUMBER:nagios_unknown1};%{NUMBER:nagios_unknown2}
 
 ####################
 #### External checks

data/spec/patterns/core_spec.rb

@@ -63,6 +63,19 @@ describe "TOMCATLOG" do
   end
 end
 
+describe 'LOGLEVEL' do
+  it 'matches info label' do
+    expect(grok_match(subject, 'INFO')).to pass
+    expect(grok_match(subject, 'info')).to pass
+  end
+
+  it 'matches information label' do
+    expect(grok_match(subject, 'information')).to pass
+    expect(grok_match(subject, 'Information')).to pass
+    expect(grok_match(subject, 'INFORMATION')).to pass
+  end
+end
+
 describe "IPORHOST" do
 
   let(:pattern)    { "IPORHOST" }
@@ -90,19 +103,209 @@ describe "UNIXPATH" do
   let(:value)   { '/foo/bar' }
 
   it "should match the path" do
-    expect(grok_match(pattern,value)).to pass
+    expect(grok_match(pattern, value, true)).to pass
   end
 
   context "when using comma separators and other regexp" do
 
+    let(:pattern) { '((a=(?<a>%{UNIXPATH})?|b=(?<b>%{UNIXPATH})?)(,\s)?)+' }
+
+    let(:grok) do
+      grok = LogStash::Filters::Grok.new("match" => ["message", pattern])
+      grok.register
+      grok
+    end
+
     let(:value) { 'a=/some/path, b=/some/other/path' }
 
+    it "was expected to extract both but never really did" do # or maybe on JRuby 1.7
+      event = build_event(value)
+      grok.filter(event)
+      expect( event.to_hash['a'] ).to eql '/some/path,'
+      expect( event.to_hash['b'] ).to be nil
+    end
+
+  end
+
+  context 'relative path' do
+
+    let(:path_matcher) do # non-exact matcher
+      grok = LogStash::Filters::Grok.new("match" => ["message", '%{UNIXPATH:path}'])
+      grok.register
+      lambda { |msg| event = build_event(msg); grok.filter(event); event }
+    end
+
+    it "should not match (only partially)" do
+      expect(grok_match(pattern, 'a/./b/c', true)).to_not pass
+      event = path_matcher.('a/./b/c')
+      expect( event.to_hash['path'] ).to eql '/./b/c'
+
+      expect(grok_match(pattern, ',/.', true)).to_not pass
+      event = path_matcher.(',/.')
+      expect( event.to_hash['path'] ).to eql '/.'
+
+      expect(grok_match(pattern, '+/.../', true)).to_not pass
+      event = path_matcher.('+/.../')
+      expect( event.to_hash['path'] ).to eql '/.../'
+
+      expect(grok_match(pattern, '~/b/', true)).to_not pass
+      event = path_matcher.('~/b/')
+      expect( event.to_hash['path'] ).to eql '/b/'
+
+      expect(grok_match(pattern, './b//', true)).to_not pass
+      expect(grok_match(pattern, 'a//b', true)).to_not pass
+    end
+
+    it "should not match paths starting with ." do
+      expect(grok_match(pattern, '../0', true)).to_not pass
+      expect(grok_match(pattern, './~', true)).to_not pass
+      expect(grok_match(pattern, '.../-', true)).to_not pass
+      expect(grok_match(pattern, './', true)).to_not pass
+      expect(grok_match(pattern, './,', true)).to_not pass
+      expect(grok_match(pattern, '../', true)).to_not pass
+      expect(grok_match(pattern, '.a/', true)).to_not pass
+      expect(grok_match(pattern, '.~/', true)).to_not pass
+    end
+
+    it "should not match expression wout separator" do
+      expect(grok_match(pattern, '.')).to_not pass
+      expect(grok_match(pattern, '..')).to_not pass
+      expect(grok_match(pattern, '...')).to_not pass
+      expect(grok_match(pattern, '.,')).to_not pass
+      expect(grok_match(pattern, '.-')).to_not pass
+    end
+
+  end
+
+  context "dotted path" do
+
+    it "should match path containing ." do
+      expect(grok_match(pattern, '/some/./path/', true)).to pass
+      expect(grok_match(pattern, '/some/../path', true)).to pass
+      expect(grok_match(pattern, '/../.', true)).to pass
+      expect(grok_match(pattern, '/.', true)).to pass
+      expect(grok_match(pattern, '/..', true)).to pass
+      expect(grok_match(pattern, '/...', true)).to pass
+    end
+
+  end
+
+  context "separators" do
+
+    it "should match root" do
+      expect(grok_match(pattern, '/', true)).to pass
+    end
+
+    it "should match" do
+      expect(grok_match(pattern, '//', true)).to pass
+      expect(grok_match(pattern, '//00', true)).to pass
+      expect(grok_match(pattern, '///a', true)).to pass
+      expect(grok_match(pattern, '/a//', true)).to pass
+      expect(grok_match(pattern, '///a//b/c///', true)).to pass
+    end
+
+    it "should not match windows separator" do
+      expect(grok_match(pattern, "\\a", true)).to_not pass
+      expect(grok_match(pattern, '/0\\', true)).to_not pass
+      expect(grok_match(pattern, "/a\\b", true)).to_not pass
+    end
+
+  end
+
+  context "long path" do
+
+    let(:grok) do
+      grok = LogStash::Filters::Grok.new("match" => ["message", '%{UNIXPATH:path} '], 'timeout_millis' => 1500)
+      grok.register
+      grok
+    end
+
+    let(:value) { '/opt/abcdef/1/.22/3:3+3/foo@BAR/X-Y+Z/~Sample_l_SUBc b' }
+
     it "should match the path" do
-      expect(grok_match(pattern,value)).to pass
+      event = build_event(value)
+      grok.filter(event)
+      expect( event.to_hash['path'] ).to eql '/opt/abcdef/1/.22/3:3+3/foo@BAR/X-Y+Z/~Sample_l_SUBc'
+    end
+
+    it "should not match with invalid chars (or cause DoS)" do
+      event = build_event(value.sub('SUB', '&^_'))
+      grok.filter(event) # used to call a looong looop (DoS) despite the timeout guard
+      expect( event.to_hash['tags'] ).to include '_grokparsefailure'
     end
   end
+
+  it "matches paths with non-ascii characters" do
+    event = build_event path = '/opt/Čierný_Peter/.中'
+    build_grok('UNIXPATH:path').filter event
+    expect( event.get('path') ).to eql path
+  end
+
 end
 
+describe "WINPATH" do
+
+  let(:pattern) { 'WINPATH' }
+  let(:value)   { 'C:\\foo\\bar' }
+
+  it "should match the path" do
+    expect(grok_match(pattern, value, true)).to pass
+  end
+
+  it "should match root path" do
+    expect(grok_match(pattern, 'C:\\', true)).to pass
+    expect(grok_match(pattern, 'C:\\\\', true)).to pass
+    expect(grok_match(pattern, 'a:\\', true)).to pass
+    expect(grok_match(pattern, 'x:\\\\', true)).to pass
+  end
+
+  it "should match paths with spaces" do
+    expect(grok_match(pattern, 'C:\\Documents and Settings\\Public', true)).to pass
+    expect(grok_match(pattern, 'C:\\\\Users\\\\Public\\\\.Mozilla Firefox', true)).to pass
+  end
+
+  it "should not match unix-style paths" do
+    expect(grok_match(pattern, '/foo', true)).to_not pass
+    expect(grok_match(pattern, '//C/path', true)).to_not pass
+    expect(grok_match(pattern, '/', true)).to_not pass
+    expect(grok_match(pattern, '/foo/bar', true)).to_not pass
+    expect(grok_match(pattern, '/..', true)).to_not pass
+    expect(grok_match(pattern, 'C://', true)).to_not pass
+  end
+
+  it "matches paths with non-ascii characters" do
+    expect(grok_match(pattern, 'C:\\Čierný Peter\\.中.exe', true)).to pass
+  end
+
+  context 'relative paths' do
+
+    it "should not match" do
+      expect(grok_match(pattern, 'a\\bar', true)).to_not pass
+      expect(grok_match(pattern, 'foo\\bar', true)).to_not pass
+      expect(grok_match(pattern, 'C\\A\\B', true)).to_not pass
+      expect(grok_match(pattern, 'C\\\\0', true)).to_not pass
+      expect(grok_match(pattern, '.\\0', true)).to_not pass
+      expect(grok_match(pattern, '..\\', true)).to_not pass
+      expect(grok_match(pattern, '...\\-', true)).to_not pass
+      expect(grok_match(pattern, '.\\', true)).to_not pass
+      expect(grok_match(pattern, '.\\,', true)).to_not pass
+      expect(grok_match(pattern, '..\\', true)).to_not pass
+      expect(grok_match(pattern, '.a\\', true)).to_not pass
+    end
+
+    it "should not match expression wout separator" do
+      expect(grok_match(pattern, '.')).to_not pass
+      expect(grok_match(pattern, '..')).to_not pass
+      expect(grok_match(pattern, '...')).to_not pass
+      expect(grok_match(pattern, 'C:')).to_not pass
+      expect(grok_match(pattern, 'C')).to_not pass
+    end
+
+  end
+
+end
+
+
 describe "URIPROTO" do
   let(:pattern) { 'URIPROTO' }
 

data/spec/patterns/haproxy_spec.rb

@@ -56,4 +56,21 @@ describe "HAPROXY" do
 
   end
 
+  context "Parsing HAPROXY log line that is truncated and thus not ending with a double quote or HTTP version." do
+
+    let(:value) { 'Jul 31 22:20:22 loadbalancer haproxy[1190]: 203.0.113.54:59968 [31/Jul/2017:22:20:22.447] loadbalancer default/instance8 135/0/1/19/156 200 1015 - - --VR 8/8/0/0/0 0/0 "GET /path/to/request/that/exceeds/more/than/1024/characterssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss'}
+    subject     { grok_match(haproxyhttpbase_pattern, value)}
+
+    it { should include("client_ip" => "203.0.113.54") }
+    it { should include("http_verb" => "GET") }
+    it { should include("server_name" => "instance8") }
+    it { should include("http_request" => "/path/to/request/that/exceeds/more/than/1024/characterssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss") }
+    it { should_not have_key("http_version") }
+
+    it "generates a message field" do
+      expect(subject["message"]).to include("loadbalancer default/instance8")
+    end
+
+  end
+
 end

data/spec/patterns/httpd_spec.rb

@@ -4,12 +4,15 @@ require "logstash/patterns/core"
 
 describe "HTTPD_COMBINEDLOG" do
 
-  context "HTTPD_COMBINEDLOG", "Typical test case" do
+  let(:pattern) { 'HTTPD_COMBINEDLOG' }
+  let(:grok) { grok_match(pattern, message) }
 
-    let(:value) { '83.149.9.216 - - [24/Feb/2015:23:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"'}
+  context "typical test case" do
 
-    it "generates the clientip field" do
-      expect(grok_match(subject, value)).to include(
+    let(:message) { '83.149.9.216 - - [24/Feb/2015:23:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"'}
+
+    it "matches" do
+      expect(grok).to include(
         'clientip' => '83.149.9.216',
         'verb' => 'GET',
         'request' => '/presentations/logstash-monitorama-2013/images/kibana-search.png',
@@ -21,14 +24,32 @@ describe "HTTPD_COMBINEDLOG" do
       )
     end
 
+    it "does not capture 'null' fields" do
+      expect(grok).to include('auth' => '-', 'ident' => '-')
+    end
+
+  end
+
+  context "email address in auth field" do
+
+    let(:message) { '10.0.0.1 - username@example.com [07/Apr/2016:18:42:24 +0000] "GET /bar/foo/users/1/username%40example.com/authenticate?token=blargh&client_id=15 HTTP/1.1" 400 75 "" "Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"'}
+
+    it "gets captured" do
+      expect(grok).to include("auth" => "username@example.com")
+    end
+
   end
 
-  context "HTTPD_COMBINEDLOG", "Email address in auth field" do
+  context 'sample OPTIONS line' do
+
+    let(:message) { '83.149.9.216 - a.user [11/Jan/2020:23:05:27 +0100] "OPTIONS /remote.php/ HTTP/1.1" - 7908 "-" "monitoring-client (v2.2)"' }
 
-    let(:value) { '10.0.0.1 - username@example.com [07/Apr/2016:18:42:24 +0000] "GET /bar/foo/users/1/username%40example.com/authenticate?token=blargh&client_id=15 HTTP/1.1" 400 75 "" "Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"'}
+    it 'matches' do
+      expect(grok).to include("verb" => "OPTIONS", 'request' => '/remote.php/', 'httpversion' => '1.1', "bytes" => '7908')
+    end
 
-    it "generates the clientip field" do
-      expect(grok_match(subject, value)).to include("auth" => "username@example.com")
+    it 'does not capture optional response code' do
+      expect(grok.keys).to_not include("response")
     end
 
   end
@@ -37,13 +58,16 @@ end
 
 describe "HTTPD_ERRORLOG" do
 
-  context "HTTPD_ERRORLOG", "matches a full httpd 2.4 message" do
-    let(:value) {
+  let(:pattern) { 'HTTPD_ERRORLOG' }
+  let(:grok) { grok_match(pattern, message) }
+
+  context "matches a full httpd 2.4 message" do
+    let(:message) do
       "[Mon Aug 31 09:30:48.958285 2015] [proxy_fcgi:error] [pid 28787:tid 140169587934976] (70008)Partial results are valid but processing is incomplete: [client 58.13.45.166:59307] AH01075: Error dispatching request to : (reading input brigade), referer: http://example.com/index.php?id_product=11&controller=product"
-    }
+    end
     it "generates the fields" do
 
-      expect(grok_match(subject, value)).to include(
+      expect(grok).to include(
         'timestamp' => 'Mon Aug 31 09:30:48.958285 2015',
         'module' => 'proxy_fcgi',
         'loglevel' => 'error',
@@ -54,26 +78,26 @@ describe "HTTPD_ERRORLOG" do
         'clientip' => '58.13.45.166',
         'clientport' => '59307',
         'errorcode' => 'AH01075',
-        'message' => [ value, 'Error dispatching request to : (reading input brigade), referer: http://example.com/index.php?id_product=11&controller=product' ],
+        'message' => [ message, 'Error dispatching request to : (reading input brigade), referer: http://example.com/index.php?id_product=11&controller=product' ],
       )
     end
   end
 
   context "HTTPD_ERRORLOG", "matches a httpd 2.2 log message" do
-    let(:value) {
+    let(:message) do
       "[Mon Aug 31 16:27:04 2015] [error] [client 10.17.42.3] Premature end of script headers: example.com"
-    }
+    end
     it "generates the fields" do
-      expect(grok_match(subject, value)).to include(
+      expect(grok).to include(
         'timestamp' => 'Mon Aug 31 16:27:04 2015',
         'loglevel' => 'error',
         'clientip' => '10.17.42.3',
-        'message' => [ value, 'Premature end of script headers: example.com' ]
+        'message' => [ message, 'Premature end of script headers: example.com' ]
       )
     end
   end
 
-  context "HTTPD_ERRORLOG", "matches a short httpd 2.4 message" do
+  context "HTTPD_ERRORLOG", "a short httpd 2.4 message" do
     let(:value1) {
       "[Mon Aug 31 07:15:38.664897 2015] [proxy_fcgi:error] [pid 28786:tid 140169629898496] [client 81.139.1.34:52042] AH01071: Got error 'Primary script unknown\n'"
     }
@@ -107,7 +131,7 @@ describe "HTTPD_ERRORLOG" do
     end
   end
 
-  context "HTTPD_ERRORLOG", "matches an httpd 2.4 restart" do
+  context "HTTPD_ERRORLOG", "a httpd 2.4 restart message" do
     let(:value1) {
       "[Mon Aug 31 06:29:47.406518 2015] [mpm_event:notice] [pid 24968:tid 140169861986176] AH00489: Apache/2.4.16 (Ubuntu) configured -- resuming normal operations"
     }
@@ -139,5 +163,22 @@ describe "HTTPD_ERRORLOG" do
     end
   end
 
+  context 'a debug message' do
+    let(:message) do
+      '[Fri Feb 01 22:03:08.319124 2019] [authz_core:debug] [pid 9:tid 140597881775872] mod_authz_core.c(820): [client 172.17.0.1:50752] AH01626: authorization result of <RequireAny>: granted'
+    end
+
+    it 'matches imperfectly (legacy)' do
+      expect(grok).to include({
+                                  "timestamp"=>"Fri Feb 01 22:03:08.319124 2019",
+                                  "module"=>"authz_core",
+                                  "loglevel"=>"debug",
+                                  "pid"=>"9",
+                                  "tid"=>"140597881775872",
+                                  "errorcode"=>"mod_authz_core.c(820)",
+                                  "message"=>[message, "[client 172.17.0.1:50752] AH01626: authorization result of <RequireAny>: granted"]
+                              })
+    end
+  end
   
 end

data/spec/patterns/java_spec.rb

@@ -0,0 +1,45 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "JAVA" do
+  describe "JAVACLASS" do
+    let(:example) { 'hudson.node_monitors.AbstractAsyncNodeMonitorDescriptor' }
+    it "matches a java class with underscores" do
+      expect(grok_match(subject, example, true)['tags']).to be_nil
+    end
+  end
+  describe "JAVAFILE" do
+    let(:example) { 'Native Method' }
+    it "matches a java file name with spaces" do
+      expect(grok_match(subject, example, true)['tags']).to be_nil
+    end
+  end
+end
+
+describe "JAVASTACKTRACEPART" do
+  let(:pattern) { 'JAVASTACKTRACEPART' }
+  let(:message) { '  at com.sample.stacktrace.StackTraceExample.aMethod(StackTraceExample.java:42)' }
+  it "matches" do
+    grok = grok_match(pattern, message, true)
+    expect(grok).to include({
+                                "message"=>"  at com.sample.stacktrace.StackTraceExample.aMethod(StackTraceExample.java:42)",
+                                "method"=>"aMethod",
+                                "class"=>"com.sample.stacktrace.StackTraceExample",
+                                "file"=>"StackTraceExample.java",
+                                "line"=>"42"
+                            })
+  end
+
+  context 'generated file' do
+    let(:message) { '  at org.jruby.RubyMethod$INVOKER$i$call.call(RubyMethod$INVOKER$i$call.gen)' }
+    it "matches" do
+      grok = grok_match(pattern, message, true)
+      expect(grok).to include({
+                                  "method"=>"call",
+                                  "class"=>"org.jruby.RubyMethod$INVOKER$i$call",
+                                  "file"=>"RubyMethod$INVOKER$i$call.gen",
+                              })
+    end
+  end
+end

data/spec/patterns/nagios_spec.rb

@@ -82,7 +82,7 @@ end
 
 describe "NAGIOSLOGLINE - TIMEPERIOD TRANSITION" do
 
-  let(:value)   { "[1427925600] TIMEPERIOD TRANSITION: 24X7;1;1" }
+  let(:value)   { "[1427925600] TIMEPERIOD TRANSITION: 24X7;-1;1" }
   let(:grok)    { grok_match(subject, value) }
 
   it "a pattern pass the grok expression" do
@@ -105,6 +105,10 @@ describe "NAGIOSLOGLINE - TIMEPERIOD TRANSITION" do
     expect(grok).to include("nagios_service" => "24X7")
   end
 
+  it "generates the period from/to fields" do
+    expect(grok).to include("nagios_unknown1" => "-1", "nagios_unknown2" => "1")
+  end
+
   # Regression test for but fixed in Nagios patterns #30
   it "doesn't end in a semi-colon" do
     expect(grok['message']).to_not end_with(";")

data/spec/spec_helper.rb

@@ -24,15 +24,19 @@ end
 require "logstash/filters/grok"
 
 module GrokHelpers
-  def grok_match(label, message)
-    grok  = build_grok(label)
+  def grok_match(label, message, exact_match = false)
+    grok  = build_grok(label, exact_match)
     event = build_event(message)
     grok.filter(event)
     event.to_hash
   end
 
-  def build_grok(label)
-    grok = LogStash::Filters::Grok.new("match" => ["message", "%{#{label}}"])
+  def build_grok(label, exact_match = false)
+    if exact_match
+      grok = LogStash::Filters::Grok.new("match" => ["message", "^%{#{label}}$"])
+    else
+      grok = LogStash::Filters::Grok.new("match" => ["message", "%{#{label}}"])
+    end
     grok.register
     grok
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-  version: 4.1.2
+  version: 4.2.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-16 00:00:00.000000000 Z
+date: 2021-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -58,7 +58,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
@@ -99,6 +101,7 @@ files:
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
+- spec/patterns/java_spec.rb
 - spec/patterns/maven_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
@@ -129,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.6.13
 signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash
@@ -139,6 +142,7 @@ test_files:
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
+- spec/patterns/java_spec.rb
 - spec/patterns/maven_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb