RubyGems - logstash-patterns-core - Versions diffs - 4.1.2 → 4.3.2 - Mend

logstash-patterns-core 4.1.2 → 4.3.2

Files changed (77) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +119 -0
data/Gemfile +8 -1
data/LICENSE +199 -10
data/README.md +12 -19
data/lib/logstash/patterns/core.rb +11 -3
data/logstash-patterns-core.gemspec +1 -1
data/patterns/ecs-v1/aws +28 -0
data/patterns/ecs-v1/bacula +53 -0
data/patterns/ecs-v1/bind +13 -0
data/patterns/ecs-v1/bro +30 -0
data/patterns/ecs-v1/exim +26 -0
data/patterns/ecs-v1/firewalls +111 -0
data/patterns/ecs-v1/grok-patterns +95 -0
data/patterns/ecs-v1/haproxy +40 -0
data/patterns/ecs-v1/httpd +17 -0
data/patterns/ecs-v1/java +34 -0
data/patterns/ecs-v1/junos +13 -0
data/patterns/ecs-v1/linux-syslog +16 -0
data/patterns/{maven → ecs-v1/maven} +0 -0
data/patterns/ecs-v1/mcollective +4 -0
data/patterns/ecs-v1/mongodb +7 -0
data/patterns/ecs-v1/nagios +124 -0
data/patterns/ecs-v1/postgresql +2 -0
data/patterns/ecs-v1/rails +13 -0
data/patterns/ecs-v1/redis +3 -0
data/patterns/ecs-v1/ruby +2 -0
data/patterns/ecs-v1/squid +6 -0
data/patterns/ecs-v1/zeek +33 -0
data/patterns/{aws → legacy/aws} +1 -1
data/patterns/{bacula → legacy/bacula} +5 -5
data/patterns/legacy/bind +3 -0
data/patterns/{bro → legacy/bro} +0 -0
data/patterns/{exim → legacy/exim} +8 -2
data/patterns/{firewalls → legacy/firewalls} +2 -2
data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
data/patterns/{haproxy → legacy/haproxy} +1 -1
data/patterns/{httpd → legacy/httpd} +2 -2
data/patterns/{java → legacy/java} +1 -3
data/patterns/{junos → legacy/junos} +0 -0
data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
data/patterns/legacy/maven +1 -0
data/patterns/{mcollective → legacy/mcollective} +0 -0
data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
data/patterns/{mongodb → legacy/mongodb} +0 -0
data/patterns/{nagios → legacy/nagios} +1 -1
data/patterns/{postgresql → legacy/postgresql} +0 -0
data/patterns/{rails → legacy/rails} +0 -0
data/patterns/{redis → legacy/redis} +0 -0
data/patterns/{ruby → legacy/ruby} +0 -0
data/patterns/legacy/squid +4 -0
data/spec/patterns/aws_spec.rb +395 -0
data/spec/patterns/bacula_spec.rb +367 -0
data/spec/patterns/bind_spec.rb +92 -0
data/spec/patterns/bro_spec.rb +613 -0
data/spec/patterns/core_spec.rb +260 -15
data/spec/patterns/exim_spec.rb +201 -0
data/spec/patterns/firewalls_spec.rb +707 -66
data/spec/patterns/haproxy_spec.rb +253 -28
data/spec/patterns/httpd_spec.rb +248 -86
data/spec/patterns/java_spec.rb +375 -0
data/spec/patterns/junos_spec.rb +101 -0
data/spec/patterns/mcollective_spec.rb +35 -0
data/spec/patterns/mongodb_spec.rb +170 -33
data/spec/patterns/nagios_spec.rb +299 -78
data/spec/patterns/netscreen_spec.rb +123 -0
data/spec/patterns/rails3_spec.rb +87 -29
data/spec/patterns/redis_spec.rb +216 -140
data/spec/patterns/shorewall_spec.rb +85 -74
data/spec/patterns/squid_spec.rb +139 -0
data/spec/patterns/syslog_spec.rb +266 -22
data/spec/spec_helper.rb +83 -5
metadata +70 -31
data/patterns/bind +0 -3
data/patterns/squid +0 -4
data/spec/patterns/bro.rb +0 -126
data/spec/patterns/s3_spec.rb +0 -173

data/spec/patterns/mongodb_spec.rb CHANGED Viewed

@@ -2,83 +2,220 @@
 require "spec_helper"
 require "logstash/patterns/core"
-describe "MONGO3_LOG" do
-  let(:pattern)    { "MONGO3_LOG" }
+describe_pattern "MONGO3_LOG", ['legacy', 'ecs-v1'] do
   context "parsing an standard/basic message" do
-    let(:value) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
     it { should include("timestamp" => "2014-11-03T18:28:32.450-0500") }
-    it { should include("severity" => "I") }
+    it do
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
+    end
-    it { should include("component" => "NETWORK") }
+    it do
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "NETWORK"))
+      else
+        should include("component" => "NETWORK")
+      end
+    end
-    it { should include("context" => "initandlisten") }
+    it do
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "initandlisten"))
+      else
+        should include("context" => "initandlisten")
+      end
+    end
     it "generates a message field" do
-      expect(subject["message"]).to include("waiting for connections on port 27017")
+      expect(subject["message"]).to eql [ message, "waiting for connections on port 27017" ]
     end
   end
   context "parsing a message with a missing component" do
-    let(:value) { "2015-02-24T18:17:47.148+0000 F -        [conn11] Got signal: 11 (Segmentation fault)." }
+    let(:message) { "2015-02-24T18:17:47.148+0000 F -        [conn11] Got signal: 11 (Segmentation fault)." }
-    subject     { grok_match(pattern, value) }
+    it 'matches' do
+      should include("timestamp" => "2015-02-24T18:17:47.148+0000")
-    it { should include("timestamp" => "2015-02-24T18:17:47.148+0000") }
+      if ecs_compatibility?
+        expect( grok_result['mongodb'].keys ).to_not include("component")
+      else
+        should include("component" => "-")
+      end
-    it { should include("severity" => "F") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "F" })
+      else
+        should include("severity" => "F")
+      end
-    it { should include("component" => "-") }
-    it { should include("context" => "conn11") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "conn11"))
+      else
+        should include("context" => "conn11")
+      end
+    end
     it "generates a message field" do
-      expect(subject["message"]).to include("Got signal: 11 (Segmentation fault).")
+      expect(subject["message"]).to eql [ message, "Got signal: 11 (Segmentation fault)." ]
     end
   end
   context "parsing a message with a multiwords context" do
-    let(:value) { "2015-04-23T06:57:28.256+0200 I JOURNAL  [journal writer] Journal writer thread started" }
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2015-04-23T06:57:28.256+0200 I JOURNAL  [journal writer] Journal writer thread started" }
-    it { should include("timestamp" => "2015-04-23T06:57:28.256+0200") }
+    it 'matches' do
+      should include("timestamp" => "2015-04-23T06:57:28.256+0200")
-    it { should include("severity" => "I") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
-    it { should include("component" => "JOURNAL") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "JOURNAL"))
+      else
+        should include("component" => "JOURNAL")
+      end
-    it { should include("context" => "journal writer") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "journal writer"))
+      else
+        should include("context" => "journal writer")
+      end
+    end
     it "generates a message field" do
       expect(subject["message"]).to include("Journal writer thread started")
     end
+    context '3.6 simple log line' do
+      let(:message) do
+        '2020-08-13T11:58:09.672+0200 I NETWORK  [conn2] end connection 127.0.0.1:41258 (1 connection now open)'
+      end
+      it 'matches' do
+        should include("timestamp" => "2020-08-13T11:58:09.672+0200")
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("component" => "NETWORK"))
+        else
+          should include("component" => "NETWORK")
+        end
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("context" => "conn2"))
+        else
+          should include("context" => "conn2")
+        end
+        expect(subject["message"]).to include("end connection 127.0.0.1:41258 (1 connection now open)")
+      end
+    end
+    context '3.6 long log line' do
+      let(:command) do
+        'command config.$cmd command: createIndexes { createIndexes: "system.sessions", ' +
+            'indexes: [ { key: { lastUse: 1 }, name: "lsidTTLIndex", expireAfterSeconds: 1800 } ], $db: "config" } ' +
+            'numYields:0 reslen:101 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { w: 2 } }, ' +
+            'Collection: { acquireCount: { w: 1 } } } protocol:op_msg 0ms'
+      end
+      let(:message) do
+        '2020-08-13T11:57:45.259+0200 I COMMAND  [LogicalSessionCacheRefresh] ' + command
+      end
+      it 'matches' do
+        should include("timestamp" => "2020-08-13T11:57:45.259+0200")
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("component" => "COMMAND"))
+        else
+          should include("component" => "COMMAND")
+        end
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("context" => "LogicalSessionCacheRefresh"))
+        else
+          should include("context" => "LogicalSessionCacheRefresh")
+        end
+        expect(subject["message"]).to eql [message, command]
+      end
+    end
   end
   context "parsing a message without context" do
-    let(:value) { "2015-04-23T07:00:13.864+0200 I CONTROL  Ctrl-C signal" }
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2015-04-23T07:00:13.864+0200 I CONTROL  Ctrl-C signal" }
-    it { should include("timestamp" => "2015-04-23T07:00:13.864+0200") }
+    it 'matches' do
+      should include("timestamp" => "2015-04-23T07:00:13.864+0200")
-    it { should include("severity" => "I") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
-    it { should include("component" => "CONTROL") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "CONTROL"))
+      else
+        should include("component" => "CONTROL")
+      end
-    it { should_not have_key("context") }
+      if ecs_compatibility?
+        expect( grok_result['mongodb'].keys ).to_not include("context")
+      else
+        should_not have_key("context")
+      end
+    end
     it "generates a message field" do
-      expect(subject["message"]).to include("Ctrl-C signal")
+      expect(subject["message"]).to eql [ message, "Ctrl-C signal" ]
     end
   end
 end
+describe_pattern "MONGO_SLOWQUERY", ['legacy', 'ecs-v1'] do
+  let(:message) do
+    "[conn11485496] query sample.User query: { clientId: 12345 } ntoreturn:0 ntoskip:0 nscanned:287011 keyUpdates:0 numYields: 2 locks(micros) r:4187700 nreturned:18 reslen:14019 2340ms"
+  end
+  it do
+    if ecs_compatibility?
+      should include("mongodb" => {
+          "database" => "sample", "collection" => "User",
+          "query" => { "original"=>"{ clientId: 12345 }" },
+          "profile" => {
+              "op" => "query",
+              "ntoreturn" => 0, "ntoskip" => 0, "nscanned" => 287011, "nreturned" => 18,
+              "duration" => 2340
+          }
+      })
+    else
+      should include("database" => "sample", "collection" => "User")
+      should include("ntoreturn" => '0', "ntoskip" => '0', "nscanned" => "287011", "nreturned" => "18")
+      should include("query" => "{ clientId: 12345 }")
+      should include("duration" => "2340")
+    end
+  end
+end