RubyGems - logstash-patterns-core - Versions diffs - 4.1.2 → 4.3.2 - Mend

logstash-patterns-core 4.1.2 → 4.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +119 -0
data/Gemfile +8 -1
data/LICENSE +199 -10
data/README.md +12 -19
data/lib/logstash/patterns/core.rb +11 -3
data/logstash-patterns-core.gemspec +1 -1
data/patterns/ecs-v1/aws +28 -0
data/patterns/ecs-v1/bacula +53 -0
data/patterns/ecs-v1/bind +13 -0
data/patterns/ecs-v1/bro +30 -0
data/patterns/ecs-v1/exim +26 -0
data/patterns/ecs-v1/firewalls +111 -0
data/patterns/ecs-v1/grok-patterns +95 -0
data/patterns/ecs-v1/haproxy +40 -0
data/patterns/ecs-v1/httpd +17 -0
data/patterns/ecs-v1/java +34 -0
data/patterns/ecs-v1/junos +13 -0
data/patterns/ecs-v1/linux-syslog +16 -0
data/patterns/{maven → ecs-v1/maven} +0 -0
data/patterns/ecs-v1/mcollective +4 -0
data/patterns/ecs-v1/mongodb +7 -0
data/patterns/ecs-v1/nagios +124 -0
data/patterns/ecs-v1/postgresql +2 -0
data/patterns/ecs-v1/rails +13 -0
data/patterns/ecs-v1/redis +3 -0
data/patterns/ecs-v1/ruby +2 -0
data/patterns/ecs-v1/squid +6 -0
data/patterns/ecs-v1/zeek +33 -0
data/patterns/{aws → legacy/aws} +1 -1
data/patterns/{bacula → legacy/bacula} +5 -5
data/patterns/legacy/bind +3 -0
data/patterns/{bro → legacy/bro} +0 -0
data/patterns/{exim → legacy/exim} +8 -2
data/patterns/{firewalls → legacy/firewalls} +2 -2
data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
data/patterns/{haproxy → legacy/haproxy} +1 -1
data/patterns/{httpd → legacy/httpd} +2 -2
data/patterns/{java → legacy/java} +1 -3
data/patterns/{junos → legacy/junos} +0 -0
data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
data/patterns/legacy/maven +1 -0
data/patterns/{mcollective → legacy/mcollective} +0 -0
data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
data/patterns/{mongodb → legacy/mongodb} +0 -0
data/patterns/{nagios → legacy/nagios} +1 -1
data/patterns/{postgresql → legacy/postgresql} +0 -0
data/patterns/{rails → legacy/rails} +0 -0
data/patterns/{redis → legacy/redis} +0 -0
data/patterns/{ruby → legacy/ruby} +0 -0
data/patterns/legacy/squid +4 -0
data/spec/patterns/aws_spec.rb +395 -0
data/spec/patterns/bacula_spec.rb +367 -0
data/spec/patterns/bind_spec.rb +92 -0
data/spec/patterns/bro_spec.rb +613 -0
data/spec/patterns/core_spec.rb +260 -15
data/spec/patterns/exim_spec.rb +201 -0
data/spec/patterns/firewalls_spec.rb +707 -66
data/spec/patterns/haproxy_spec.rb +253 -28
data/spec/patterns/httpd_spec.rb +248 -86
data/spec/patterns/java_spec.rb +375 -0
data/spec/patterns/junos_spec.rb +101 -0
data/spec/patterns/mcollective_spec.rb +35 -0
data/spec/patterns/mongodb_spec.rb +170 -33
data/spec/patterns/nagios_spec.rb +299 -78
data/spec/patterns/netscreen_spec.rb +123 -0
data/spec/patterns/rails3_spec.rb +87 -29
data/spec/patterns/redis_spec.rb +216 -140
data/spec/patterns/shorewall_spec.rb +85 -74
data/spec/patterns/squid_spec.rb +139 -0
data/spec/patterns/syslog_spec.rb +266 -22
data/spec/spec_helper.rb +83 -5
metadata +70 -31
data/patterns/bind +0 -3
data/patterns/squid +0 -4
data/spec/patterns/bro.rb +0 -126
data/spec/patterns/s3_spec.rb +0 -173

data/spec/patterns/mongodb_spec.rb CHANGED Viewed

@@ -2,83 +2,220 @@
 require "spec_helper"
 require "logstash/patterns/core"
-describe "MONGO3_LOG" do
-  let(:pattern)    { "MONGO3_LOG" }
+describe_pattern "MONGO3_LOG", ['legacy', 'ecs-v1'] do
   context "parsing an standard/basic message" do
-    let(:value) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
     it { should include("timestamp" => "2014-11-03T18:28:32.450-0500") }
-    it { should include("severity" => "I") }
+    it do
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
+    end
-    it { should include("component" => "NETWORK") }
+    it do
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "NETWORK"))
+      else
+        should include("component" => "NETWORK")
+      end
+    end
-    it { should include("context" => "initandlisten") }
+    it do
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "initandlisten"))
+      else
+        should include("context" => "initandlisten")
+      end
+    end
     it "generates a message field" do
-      expect(subject["message"]).to include("waiting for connections on port 27017")
+      expect(subject["message"]).to eql [ message, "waiting for connections on port 27017" ]
     end
   end
   context "parsing a message with a missing component" do
-    let(:value) { "2015-02-24T18:17:47.148+0000 F -        [conn11] Got signal: 11 (Segmentation fault)." }
+    let(:message) { "2015-02-24T18:17:47.148+0000 F -        [conn11] Got signal: 11 (Segmentation fault)." }
-    subject     { grok_match(pattern, value) }
+    it 'matches' do
+      should include("timestamp" => "2015-02-24T18:17:47.148+0000")
-    it { should include("timestamp" => "2015-02-24T18:17:47.148+0000") }
+      if ecs_compatibility?
+        expect( grok_result['mongodb'].keys ).to_not include("component")
+      else
+        should include("component" => "-")
+      end
-    it { should include("severity" => "F") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "F" })
+      else
+        should include("severity" => "F")
+      end
-    it { should include("component" => "-") }
-    it { should include("context" => "conn11") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "conn11"))
+      else
+        should include("context" => "conn11")
+      end
+    end
     it "generates a message field" do
-      expect(subject["message"]).to include("Got signal: 11 (Segmentation fault).")
+      expect(subject["message"]).to eql [ message, "Got signal: 11 (Segmentation fault)." ]
     end
   end
   context "parsing a message with a multiwords context" do
-    let(:value) { "2015-04-23T06:57:28.256+0200 I JOURNAL  [journal writer] Journal writer thread started" }
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2015-04-23T06:57:28.256+0200 I JOURNAL  [journal writer] Journal writer thread started" }
-    it { should include("timestamp" => "2015-04-23T06:57:28.256+0200") }
+    it 'matches' do
+      should include("timestamp" => "2015-04-23T06:57:28.256+0200")
-    it { should include("severity" => "I") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
-    it { should include("component" => "JOURNAL") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "JOURNAL"))
+      else
+        should include("component" => "JOURNAL")
+      end
-    it { should include("context" => "journal writer") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "journal writer"))
+      else
+        should include("context" => "journal writer")
+      end
+    end
     it "generates a message field" do
       expect(subject["message"]).to include("Journal writer thread started")
     end
+    context '3.6 simple log line' do
+      let(:message) do
+        '2020-08-13T11:58:09.672+0200 I NETWORK  [conn2] end connection 127.0.0.1:41258 (1 connection now open)'
+      end
+      it 'matches' do
+        should include("timestamp" => "2020-08-13T11:58:09.672+0200")
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("component" => "NETWORK"))
+        else
+          should include("component" => "NETWORK")
+        end
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("context" => "conn2"))
+        else
+          should include("context" => "conn2")
+        end
+        expect(subject["message"]).to include("end connection 127.0.0.1:41258 (1 connection now open)")
+      end
+    end
+    context '3.6 long log line' do
+      let(:command) do
+        'command config.$cmd command: createIndexes { createIndexes: "system.sessions", ' +
+            'indexes: [ { key: { lastUse: 1 }, name: "lsidTTLIndex", expireAfterSeconds: 1800 } ], $db: "config" } ' +
+            'numYields:0 reslen:101 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { w: 2 } }, ' +
+            'Collection: { acquireCount: { w: 1 } } } protocol:op_msg 0ms'
+      end
+      let(:message) do
+        '2020-08-13T11:57:45.259+0200 I COMMAND  [LogicalSessionCacheRefresh] ' + command
+      end
+      it 'matches' do
+        should include("timestamp" => "2020-08-13T11:57:45.259+0200")
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("component" => "COMMAND"))
+        else
+          should include("component" => "COMMAND")
+        end
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("context" => "LogicalSessionCacheRefresh"))
+        else
+          should include("context" => "LogicalSessionCacheRefresh")
+        end
+        expect(subject["message"]).to eql [message, command]
+      end
+    end
   end
   context "parsing a message without context" do
-    let(:value) { "2015-04-23T07:00:13.864+0200 I CONTROL  Ctrl-C signal" }
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2015-04-23T07:00:13.864+0200 I CONTROL  Ctrl-C signal" }
-    it { should include("timestamp" => "2015-04-23T07:00:13.864+0200") }
+    it 'matches' do
+      should include("timestamp" => "2015-04-23T07:00:13.864+0200")
-    it { should include("severity" => "I") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
-    it { should include("component" => "CONTROL") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "CONTROL"))
+      else
+        should include("component" => "CONTROL")
+      end
-    it { should_not have_key("context") }
+      if ecs_compatibility?
+        expect( grok_result['mongodb'].keys ).to_not include("context")
+      else
+        should_not have_key("context")
+      end
+    end
     it "generates a message field" do
-      expect(subject["message"]).to include("Ctrl-C signal")
+      expect(subject["message"]).to eql [ message, "Ctrl-C signal" ]
     end
   end
 end
+describe_pattern "MONGO_SLOWQUERY", ['legacy', 'ecs-v1'] do
+  let(:message) do
+    "[conn11485496] query sample.User query: { clientId: 12345 } ntoreturn:0 ntoskip:0 nscanned:287011 keyUpdates:0 numYields: 2 locks(micros) r:4187700 nreturned:18 reslen:14019 2340ms"
+  end
+  it do
+    if ecs_compatibility?
+      should include("mongodb" => {
+          "database" => "sample", "collection" => "User",
+          "query" => { "original"=>"{ clientId: 12345 }" },
+          "profile" => {
+              "op" => "query",
+              "ntoreturn" => 0, "ntoskip" => 0, "nscanned" => 287011, "nreturned" => 18,
+              "duration" => 2340
+          }
+      })
+    else
+      should include("database" => "sample", "collection" => "User")
+      should include("ntoreturn" => '0', "ntoskip" => '0', "nscanned" => "287011", "nreturned" => "18")
+      should include("query" => "{ clientId: 12345 }")
+      should include("duration" => "2340")
+    end
+  end
+end