logstash-patterns-core 4.1.2 → 4.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/CHANGELOG.md +119 -0
- data/Gemfile +8 -1
- data/LICENSE +199 -10
- data/README.md +12 -19
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
- data/patterns/{haproxy → legacy/haproxy} +1 -1
- data/patterns/{httpd → legacy/httpd} +2 -2
- data/patterns/{java → legacy/java} +1 -3
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +1 -1
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +92 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +260 -15
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +707 -66
- data/spec/patterns/haproxy_spec.rb +253 -28
- data/spec/patterns/httpd_spec.rb +248 -86
- data/spec/patterns/java_spec.rb +375 -0
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +299 -78
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +216 -140
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +83 -5
- metadata +70 -31
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
@@ -2,83 +2,220 @@
|
|
2
2
|
require "spec_helper"
|
3
3
|
require "logstash/patterns/core"
|
4
4
|
|
5
|
-
|
6
|
-
|
7
|
-
let(:pattern) { "MONGO3_LOG" }
|
5
|
+
describe_pattern "MONGO3_LOG", ['legacy', 'ecs-v1'] do
|
8
6
|
|
9
7
|
context "parsing an standard/basic message" do
|
10
8
|
|
11
|
-
let(:
|
12
|
-
|
13
|
-
subject { grok_match(pattern, value) }
|
9
|
+
let(:message) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
|
14
10
|
|
15
11
|
it { should include("timestamp" => "2014-11-03T18:28:32.450-0500") }
|
16
12
|
|
17
|
-
it
|
13
|
+
it do
|
14
|
+
if ecs_compatibility?
|
15
|
+
should include("log" => { 'level' => "I" })
|
16
|
+
else
|
17
|
+
should include("severity" => "I")
|
18
|
+
end
|
19
|
+
end
|
18
20
|
|
19
|
-
it
|
21
|
+
it do
|
22
|
+
if ecs_compatibility?
|
23
|
+
should include("mongodb" => hash_including("component" => "NETWORK"))
|
24
|
+
else
|
25
|
+
should include("component" => "NETWORK")
|
26
|
+
end
|
27
|
+
end
|
20
28
|
|
21
|
-
it
|
29
|
+
it do
|
30
|
+
if ecs_compatibility?
|
31
|
+
should include("mongodb" => hash_including("context" => "initandlisten"))
|
32
|
+
else
|
33
|
+
should include("context" => "initandlisten")
|
34
|
+
end
|
35
|
+
end
|
22
36
|
|
23
37
|
it "generates a message field" do
|
24
|
-
expect(subject["message"]).to
|
38
|
+
expect(subject["message"]).to eql [ message, "waiting for connections on port 27017" ]
|
25
39
|
end
|
26
40
|
end
|
27
41
|
|
28
42
|
context "parsing a message with a missing component" do
|
29
43
|
|
30
|
-
let(:
|
44
|
+
let(:message) { "2015-02-24T18:17:47.148+0000 F - [conn11] Got signal: 11 (Segmentation fault)." }
|
31
45
|
|
32
|
-
|
46
|
+
it 'matches' do
|
47
|
+
should include("timestamp" => "2015-02-24T18:17:47.148+0000")
|
33
48
|
|
34
|
-
|
49
|
+
if ecs_compatibility?
|
50
|
+
expect( grok_result['mongodb'].keys ).to_not include("component")
|
51
|
+
else
|
52
|
+
should include("component" => "-")
|
53
|
+
end
|
35
54
|
|
36
|
-
|
55
|
+
if ecs_compatibility?
|
56
|
+
should include("log" => { 'level' => "F" })
|
57
|
+
else
|
58
|
+
should include("severity" => "F")
|
59
|
+
end
|
37
60
|
|
38
|
-
|
39
|
-
|
40
|
-
|
61
|
+
if ecs_compatibility?
|
62
|
+
should include("mongodb" => hash_including("context" => "conn11"))
|
63
|
+
else
|
64
|
+
should include("context" => "conn11")
|
65
|
+
end
|
66
|
+
end
|
41
67
|
|
42
68
|
it "generates a message field" do
|
43
|
-
expect(subject["message"]).to
|
69
|
+
expect(subject["message"]).to eql [ message, "Got signal: 11 (Segmentation fault)." ]
|
44
70
|
end
|
45
71
|
end
|
46
72
|
|
47
73
|
context "parsing a message with a multiwords context" do
|
48
74
|
|
49
|
-
let(:
|
50
|
-
|
51
|
-
subject { grok_match(pattern, value) }
|
75
|
+
let(:message) { "2015-04-23T06:57:28.256+0200 I JOURNAL [journal writer] Journal writer thread started" }
|
52
76
|
|
53
|
-
it
|
77
|
+
it 'matches' do
|
78
|
+
should include("timestamp" => "2015-04-23T06:57:28.256+0200")
|
54
79
|
|
55
|
-
|
80
|
+
if ecs_compatibility?
|
81
|
+
should include("log" => { 'level' => "I" })
|
82
|
+
else
|
83
|
+
should include("severity" => "I")
|
84
|
+
end
|
56
85
|
|
57
|
-
|
86
|
+
if ecs_compatibility?
|
87
|
+
should include("mongodb" => hash_including("component" => "JOURNAL"))
|
88
|
+
else
|
89
|
+
should include("component" => "JOURNAL")
|
90
|
+
end
|
58
91
|
|
59
|
-
|
92
|
+
if ecs_compatibility?
|
93
|
+
should include("mongodb" => hash_including("context" => "journal writer"))
|
94
|
+
else
|
95
|
+
should include("context" => "journal writer")
|
96
|
+
end
|
97
|
+
end
|
60
98
|
|
61
99
|
it "generates a message field" do
|
62
100
|
expect(subject["message"]).to include("Journal writer thread started")
|
63
101
|
end
|
102
|
+
|
103
|
+
context '3.6 simple log line' do
|
104
|
+
|
105
|
+
let(:message) do
|
106
|
+
'2020-08-13T11:58:09.672+0200 I NETWORK [conn2] end connection 127.0.0.1:41258 (1 connection now open)'
|
107
|
+
end
|
108
|
+
|
109
|
+
it 'matches' do
|
110
|
+
should include("timestamp" => "2020-08-13T11:58:09.672+0200")
|
111
|
+
|
112
|
+
if ecs_compatibility?
|
113
|
+
should include("mongodb" => hash_including("component" => "NETWORK"))
|
114
|
+
else
|
115
|
+
should include("component" => "NETWORK")
|
116
|
+
end
|
117
|
+
|
118
|
+
if ecs_compatibility?
|
119
|
+
should include("mongodb" => hash_including("context" => "conn2"))
|
120
|
+
else
|
121
|
+
should include("context" => "conn2")
|
122
|
+
end
|
123
|
+
|
124
|
+
expect(subject["message"]).to include("end connection 127.0.0.1:41258 (1 connection now open)")
|
125
|
+
end
|
126
|
+
|
127
|
+
end
|
128
|
+
|
129
|
+
context '3.6 long log line' do
|
130
|
+
|
131
|
+
let(:command) do
|
132
|
+
'command config.$cmd command: createIndexes { createIndexes: "system.sessions", ' +
|
133
|
+
'indexes: [ { key: { lastUse: 1 }, name: "lsidTTLIndex", expireAfterSeconds: 1800 } ], $db: "config" } ' +
|
134
|
+
'numYields:0 reslen:101 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { w: 2 } }, ' +
|
135
|
+
'Collection: { acquireCount: { w: 1 } } } protocol:op_msg 0ms'
|
136
|
+
end
|
137
|
+
|
138
|
+
let(:message) do
|
139
|
+
'2020-08-13T11:57:45.259+0200 I COMMAND [LogicalSessionCacheRefresh] ' + command
|
140
|
+
end
|
141
|
+
|
142
|
+
it 'matches' do
|
143
|
+
should include("timestamp" => "2020-08-13T11:57:45.259+0200")
|
144
|
+
|
145
|
+
if ecs_compatibility?
|
146
|
+
should include("mongodb" => hash_including("component" => "COMMAND"))
|
147
|
+
else
|
148
|
+
should include("component" => "COMMAND")
|
149
|
+
end
|
150
|
+
|
151
|
+
if ecs_compatibility?
|
152
|
+
should include("mongodb" => hash_including("context" => "LogicalSessionCacheRefresh"))
|
153
|
+
else
|
154
|
+
should include("context" => "LogicalSessionCacheRefresh")
|
155
|
+
end
|
156
|
+
|
157
|
+
expect(subject["message"]).to eql [message, command]
|
158
|
+
end
|
159
|
+
|
160
|
+
end
|
161
|
+
|
64
162
|
end
|
65
163
|
|
66
164
|
context "parsing a message without context" do
|
67
165
|
|
68
|
-
let(:
|
69
|
-
|
70
|
-
subject { grok_match(pattern, value) }
|
166
|
+
let(:message) { "2015-04-23T07:00:13.864+0200 I CONTROL Ctrl-C signal" }
|
71
167
|
|
72
|
-
it
|
168
|
+
it 'matches' do
|
169
|
+
should include("timestamp" => "2015-04-23T07:00:13.864+0200")
|
73
170
|
|
74
|
-
|
171
|
+
if ecs_compatibility?
|
172
|
+
should include("log" => { 'level' => "I" })
|
173
|
+
else
|
174
|
+
should include("severity" => "I")
|
175
|
+
end
|
75
176
|
|
76
|
-
|
177
|
+
if ecs_compatibility?
|
178
|
+
should include("mongodb" => hash_including("component" => "CONTROL"))
|
179
|
+
else
|
180
|
+
should include("component" => "CONTROL")
|
181
|
+
end
|
77
182
|
|
78
|
-
|
183
|
+
if ecs_compatibility?
|
184
|
+
expect( grok_result['mongodb'].keys ).to_not include("context")
|
185
|
+
else
|
186
|
+
should_not have_key("context")
|
187
|
+
end
|
188
|
+
end
|
79
189
|
|
80
190
|
it "generates a message field" do
|
81
|
-
expect(subject["message"]).to
|
191
|
+
expect(subject["message"]).to eql [ message, "Ctrl-C signal" ]
|
82
192
|
end
|
83
193
|
end
|
84
194
|
end
|
195
|
+
|
196
|
+
describe_pattern "MONGO_SLOWQUERY", ['legacy', 'ecs-v1'] do
|
197
|
+
|
198
|
+
let(:message) do
|
199
|
+
"[conn11485496] query sample.User query: { clientId: 12345 } ntoreturn:0 ntoskip:0 nscanned:287011 keyUpdates:0 numYields: 2 locks(micros) r:4187700 nreturned:18 reslen:14019 2340ms"
|
200
|
+
end
|
201
|
+
|
202
|
+
it do
|
203
|
+
if ecs_compatibility?
|
204
|
+
should include("mongodb" => {
|
205
|
+
"database" => "sample", "collection" => "User",
|
206
|
+
"query" => { "original"=>"{ clientId: 12345 }" },
|
207
|
+
"profile" => {
|
208
|
+
"op" => "query",
|
209
|
+
"ntoreturn" => 0, "ntoskip" => 0, "nscanned" => 287011, "nreturned" => 18,
|
210
|
+
"duration" => 2340
|
211
|
+
}
|
212
|
+
})
|
213
|
+
else
|
214
|
+
should include("database" => "sample", "collection" => "User")
|
215
|
+
should include("ntoreturn" => '0', "ntoskip" => '0', "nscanned" => "287011", "nreturned" => "18")
|
216
|
+
should include("query" => "{ clientId: 12345 }")
|
217
|
+
should include("duration" => "2340")
|
218
|
+
end
|
219
|
+
end
|
220
|
+
|
221
|
+
end
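Review bot: The ECS branches at new lines 50 and 184 call `grok_result['mongodb'].keys`, which raises NoMethodError on nil instead of producing a readable expectation failure should the `mongodb` sub-hash ever be absent (a pattern regression that drops both component and context would surface as a crash inside the 'matches' example rather than a diff of expected vs actual). The rspec-mocks argument matchers, the same family as the `hash_including` already used throughout this hunk, express the intent and fail cleanly: `should include("mongodb" => hash_excluding("component"))` and `should include("mongodb" => hash_excluding("context"))`. Separately, the 'multiwords context' example still checks the message field with `include("Journal writer thread started")` while every sibling context pins the exact `[message, captured]` pair with `eql`; tightening it to `expect(subject["message"]).to eql [ message, "Journal writer thread started" ]` keeps the array-shaped `message` behaviour (a frequent surprise for downstream consumers that expect a string) pinned consistently across all contexts. `grok_result`, `subject` and `ecs_compatibility?` appear to come from `spec_helper` / `describe_pattern`, which is outside this hunk, so their nil behaviour on a non-match cannot be confirmed here.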
|