logstash-patterns-core 4.1.2 → 4.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +119 -0
- data/Gemfile +8 -1
- data/LICENSE +199 -10
- data/README.md +12 -19
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
- data/patterns/{haproxy → legacy/haproxy} +1 -1
- data/patterns/{httpd → legacy/httpd} +2 -2
- data/patterns/{java → legacy/java} +1 -3
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +1 -1
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +92 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +260 -15
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +707 -66
- data/spec/patterns/haproxy_spec.rb +253 -28
- data/spec/patterns/httpd_spec.rb +248 -86
- data/spec/patterns/java_spec.rb +375 -0
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +299 -78
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +216 -140
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +83 -5
- metadata +70 -31
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
@@ -2,83 +2,220 @@
|
|
2
2
|
require "spec_helper"
|
3
3
|
require "logstash/patterns/core"
|
4
4
|
|
5
|
-
|
6
|
-
|
7
|
-
let(:pattern) { "MONGO3_LOG" }
|
5
|
+
describe_pattern "MONGO3_LOG", ['legacy', 'ecs-v1'] do
|
8
6
|
|
9
7
|
context "parsing an standard/basic message" do
|
10
8
|
|
11
|
-
let(:
|
12
|
-
|
13
|
-
subject { grok_match(pattern, value) }
|
9
|
+
let(:message) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
|
14
10
|
|
15
11
|
it { should include("timestamp" => "2014-11-03T18:28:32.450-0500") }
|
16
12
|
|
17
|
-
it
|
13
|
+
it do
|
14
|
+
if ecs_compatibility?
|
15
|
+
should include("log" => { 'level' => "I" })
|
16
|
+
else
|
17
|
+
should include("severity" => "I")
|
18
|
+
end
|
19
|
+
end
|
18
20
|
|
19
|
-
it
|
21
|
+
it do
|
22
|
+
if ecs_compatibility?
|
23
|
+
should include("mongodb" => hash_including("component" => "NETWORK"))
|
24
|
+
else
|
25
|
+
should include("component" => "NETWORK")
|
26
|
+
end
|
27
|
+
end
|
20
28
|
|
21
|
-
it
|
29
|
+
it do
|
30
|
+
if ecs_compatibility?
|
31
|
+
should include("mongodb" => hash_including("context" => "initandlisten"))
|
32
|
+
else
|
33
|
+
should include("context" => "initandlisten")
|
34
|
+
end
|
35
|
+
end
|
22
36
|
|
23
37
|
it "generates a message field" do
|
24
|
-
expect(subject["message"]).to
|
38
|
+
expect(subject["message"]).to eql [ message, "waiting for connections on port 27017" ]
|
25
39
|
end
|
26
40
|
end
|
27
41
|
|
28
42
|
context "parsing a message with a missing component" do
|
29
43
|
|
30
|
-
let(:
|
44
|
+
let(:message) { "2015-02-24T18:17:47.148+0000 F - [conn11] Got signal: 11 (Segmentation fault)." }
|
31
45
|
|
32
|
-
|
46
|
+
it 'matches' do
|
47
|
+
should include("timestamp" => "2015-02-24T18:17:47.148+0000")
|
33
48
|
|
34
|
-
|
49
|
+
if ecs_compatibility?
|
50
|
+
expect( grok_result['mongodb'].keys ).to_not include("component")
|
51
|
+
else
|
52
|
+
should include("component" => "-")
|
53
|
+
end
|
35
54
|
|
36
|
-
|
55
|
+
if ecs_compatibility?
|
56
|
+
should include("log" => { 'level' => "F" })
|
57
|
+
else
|
58
|
+
should include("severity" => "F")
|
59
|
+
end
|
37
60
|
|
38
|
-
|
39
|
-
|
40
|
-
|
61
|
+
if ecs_compatibility?
|
62
|
+
should include("mongodb" => hash_including("context" => "conn11"))
|
63
|
+
else
|
64
|
+
should include("context" => "conn11")
|
65
|
+
end
|
66
|
+
end
|
41
67
|
|
42
68
|
it "generates a message field" do
|
43
|
-
expect(subject["message"]).to
|
69
|
+
expect(subject["message"]).to eql [ message, "Got signal: 11 (Segmentation fault)." ]
|
44
70
|
end
|
45
71
|
end
|
46
72
|
|
47
73
|
context "parsing a message with a multiwords context" do
|
48
74
|
|
49
|
-
let(:
|
50
|
-
|
51
|
-
subject { grok_match(pattern, value) }
|
75
|
+
let(:message) { "2015-04-23T06:57:28.256+0200 I JOURNAL [journal writer] Journal writer thread started" }
|
52
76
|
|
53
|
-
it
|
77
|
+
it 'matches' do
|
78
|
+
should include("timestamp" => "2015-04-23T06:57:28.256+0200")
|
54
79
|
|
55
|
-
|
80
|
+
if ecs_compatibility?
|
81
|
+
should include("log" => { 'level' => "I" })
|
82
|
+
else
|
83
|
+
should include("severity" => "I")
|
84
|
+
end
|
56
85
|
|
57
|
-
|
86
|
+
if ecs_compatibility?
|
87
|
+
should include("mongodb" => hash_including("component" => "JOURNAL"))
|
88
|
+
else
|
89
|
+
should include("component" => "JOURNAL")
|
90
|
+
end
|
58
91
|
|
59
|
-
|
92
|
+
if ecs_compatibility?
|
93
|
+
should include("mongodb" => hash_including("context" => "journal writer"))
|
94
|
+
else
|
95
|
+
should include("context" => "journal writer")
|
96
|
+
end
|
97
|
+
end
|
60
98
|
|
61
99
|
it "generates a message field" do
|
62
100
|
expect(subject["message"]).to include("Journal writer thread started")
|
63
101
|
end
|
102
|
+
|
103
|
+
context '3.6 simple log line' do
|
104
|
+
|
105
|
+
let(:message) do
|
106
|
+
'2020-08-13T11:58:09.672+0200 I NETWORK [conn2] end connection 127.0.0.1:41258 (1 connection now open)'
|
107
|
+
end
|
108
|
+
|
109
|
+
it 'matches' do
|
110
|
+
should include("timestamp" => "2020-08-13T11:58:09.672+0200")
|
111
|
+
|
112
|
+
if ecs_compatibility?
|
113
|
+
should include("mongodb" => hash_including("component" => "NETWORK"))
|
114
|
+
else
|
115
|
+
should include("component" => "NETWORK")
|
116
|
+
end
|
117
|
+
|
118
|
+
if ecs_compatibility?
|
119
|
+
should include("mongodb" => hash_including("context" => "conn2"))
|
120
|
+
else
|
121
|
+
should include("context" => "conn2")
|
122
|
+
end
|
123
|
+
|
124
|
+
expect(subject["message"]).to include("end connection 127.0.0.1:41258 (1 connection now open)")
|
125
|
+
end
|
126
|
+
|
127
|
+
end
|
128
|
+
|
129
|
+
context '3.6 long log line' do
|
130
|
+
|
131
|
+
let(:command) do
|
132
|
+
'command config.$cmd command: createIndexes { createIndexes: "system.sessions", ' +
|
133
|
+
'indexes: [ { key: { lastUse: 1 }, name: "lsidTTLIndex", expireAfterSeconds: 1800 } ], $db: "config" } ' +
|
134
|
+
'numYields:0 reslen:101 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { w: 2 } }, ' +
|
135
|
+
'Collection: { acquireCount: { w: 1 } } } protocol:op_msg 0ms'
|
136
|
+
end
|
137
|
+
|
138
|
+
let(:message) do
|
139
|
+
'2020-08-13T11:57:45.259+0200 I COMMAND [LogicalSessionCacheRefresh] ' + command
|
140
|
+
end
|
141
|
+
|
142
|
+
it 'matches' do
|
143
|
+
should include("timestamp" => "2020-08-13T11:57:45.259+0200")
|
144
|
+
|
145
|
+
if ecs_compatibility?
|
146
|
+
should include("mongodb" => hash_including("component" => "COMMAND"))
|
147
|
+
else
|
148
|
+
should include("component" => "COMMAND")
|
149
|
+
end
|
150
|
+
|
151
|
+
if ecs_compatibility?
|
152
|
+
should include("mongodb" => hash_including("context" => "LogicalSessionCacheRefresh"))
|
153
|
+
else
|
154
|
+
should include("context" => "LogicalSessionCacheRefresh")
|
155
|
+
end
|
156
|
+
|
157
|
+
expect(subject["message"]).to eql [message, command]
|
158
|
+
end
|
159
|
+
|
160
|
+
end
|
161
|
+
|
64
162
|
end
|
65
163
|
|
66
164
|
context "parsing a message without context" do
|
67
165
|
|
68
|
-
let(:
|
69
|
-
|
70
|
-
subject { grok_match(pattern, value) }
|
166
|
+
let(:message) { "2015-04-23T07:00:13.864+0200 I CONTROL Ctrl-C signal" }
|
71
167
|
|
72
|
-
it
|
168
|
+
it 'matches' do
|
169
|
+
should include("timestamp" => "2015-04-23T07:00:13.864+0200")
|
73
170
|
|
74
|
-
|
171
|
+
if ecs_compatibility?
|
172
|
+
should include("log" => { 'level' => "I" })
|
173
|
+
else
|
174
|
+
should include("severity" => "I")
|
175
|
+
end
|
75
176
|
|
76
|
-
|
177
|
+
if ecs_compatibility?
|
178
|
+
should include("mongodb" => hash_including("component" => "CONTROL"))
|
179
|
+
else
|
180
|
+
should include("component" => "CONTROL")
|
181
|
+
end
|
77
182
|
|
78
|
-
|
183
|
+
if ecs_compatibility?
|
184
|
+
expect( grok_result['mongodb'].keys ).to_not include("context")
|
185
|
+
else
|
186
|
+
should_not have_key("context")
|
187
|
+
end
|
188
|
+
end
|
79
189
|
|
80
190
|
it "generates a message field" do
|
81
|
-
expect(subject["message"]).to
|
191
|
+
expect(subject["message"]).to eql [ message, "Ctrl-C signal" ]
|
82
192
|
end
|
83
193
|
end
|
84
194
|
end
|
195
|
+
|
196
|
+
describe_pattern "MONGO_SLOWQUERY", ['legacy', 'ecs-v1'] do
|
197
|
+
|
198
|
+
let(:message) do
|
199
|
+
"[conn11485496] query sample.User query: { clientId: 12345 } ntoreturn:0 ntoskip:0 nscanned:287011 keyUpdates:0 numYields: 2 locks(micros) r:4187700 nreturned:18 reslen:14019 2340ms"
|
200
|
+
end
|
201
|
+
|
202
|
+
it do
|
203
|
+
if ecs_compatibility?
|
204
|
+
should include("mongodb" => {
|
205
|
+
"database" => "sample", "collection" => "User",
|
206
|
+
"query" => { "original"=>"{ clientId: 12345 }" },
|
207
|
+
"profile" => {
|
208
|
+
"op" => "query",
|
209
|
+
"ntoreturn" => 0, "ntoskip" => 0, "nscanned" => 287011, "nreturned" => 18,
|
210
|
+
"duration" => 2340
|
211
|
+
}
|
212
|
+
})
|
213
|
+
else
|
214
|
+
should include("database" => "sample", "collection" => "User")
|
215
|
+
should include("ntoreturn" => '0', "ntoskip" => '0', "nscanned" => "287011", "nreturned" => "18")
|
216
|
+
should include("query" => "{ clientId: 12345 }")
|
217
|
+
should include("duration" => "2340")
|
218
|
+
end
|
219
|
+
end
|
220
|
+
|
221
|
+
end
|