logstash-patterns-core 4.1.2 → 4.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (77)
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +119 -0
  3. data/Gemfile +8 -1
  4. data/LICENSE +199 -10
  5. data/README.md +12 -19
  6. data/lib/logstash/patterns/core.rb +11 -3
  7. data/logstash-patterns-core.gemspec +1 -1
  8. data/patterns/ecs-v1/aws +28 -0
  9. data/patterns/ecs-v1/bacula +53 -0
  10. data/patterns/ecs-v1/bind +13 -0
  11. data/patterns/ecs-v1/bro +30 -0
  12. data/patterns/ecs-v1/exim +26 -0
  13. data/patterns/ecs-v1/firewalls +111 -0
  14. data/patterns/ecs-v1/grok-patterns +95 -0
  15. data/patterns/ecs-v1/haproxy +40 -0
  16. data/patterns/ecs-v1/httpd +17 -0
  17. data/patterns/ecs-v1/java +34 -0
  18. data/patterns/ecs-v1/junos +13 -0
  19. data/patterns/ecs-v1/linux-syslog +16 -0
  20. data/patterns/{maven → ecs-v1/maven} +0 -0
  21. data/patterns/ecs-v1/mcollective +4 -0
  22. data/patterns/ecs-v1/mongodb +7 -0
  23. data/patterns/ecs-v1/nagios +124 -0
  24. data/patterns/ecs-v1/postgresql +2 -0
  25. data/patterns/ecs-v1/rails +13 -0
  26. data/patterns/ecs-v1/redis +3 -0
  27. data/patterns/ecs-v1/ruby +2 -0
  28. data/patterns/ecs-v1/squid +6 -0
  29. data/patterns/ecs-v1/zeek +33 -0
  30. data/patterns/{aws → legacy/aws} +1 -1
  31. data/patterns/{bacula → legacy/bacula} +5 -5
  32. data/patterns/legacy/bind +3 -0
  33. data/patterns/{bro → legacy/bro} +0 -0
  34. data/patterns/{exim → legacy/exim} +8 -2
  35. data/patterns/{firewalls → legacy/firewalls} +2 -2
  36. data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
  37. data/patterns/{haproxy → legacy/haproxy} +1 -1
  38. data/patterns/{httpd → legacy/httpd} +2 -2
  39. data/patterns/{java → legacy/java} +1 -3
  40. data/patterns/{junos → legacy/junos} +0 -0
  41. data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
  42. data/patterns/legacy/maven +1 -0
  43. data/patterns/{mcollective → legacy/mcollective} +0 -0
  44. data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
  45. data/patterns/{mongodb → legacy/mongodb} +0 -0
  46. data/patterns/{nagios → legacy/nagios} +1 -1
  47. data/patterns/{postgresql → legacy/postgresql} +0 -0
  48. data/patterns/{rails → legacy/rails} +0 -0
  49. data/patterns/{redis → legacy/redis} +0 -0
  50. data/patterns/{ruby → legacy/ruby} +0 -0
  51. data/patterns/legacy/squid +4 -0
  52. data/spec/patterns/aws_spec.rb +395 -0
  53. data/spec/patterns/bacula_spec.rb +367 -0
  54. data/spec/patterns/bind_spec.rb +92 -0
  55. data/spec/patterns/bro_spec.rb +613 -0
  56. data/spec/patterns/core_spec.rb +260 -15
  57. data/spec/patterns/exim_spec.rb +201 -0
  58. data/spec/patterns/firewalls_spec.rb +707 -66
  59. data/spec/patterns/haproxy_spec.rb +253 -28
  60. data/spec/patterns/httpd_spec.rb +248 -86
  61. data/spec/patterns/java_spec.rb +375 -0
  62. data/spec/patterns/junos_spec.rb +101 -0
  63. data/spec/patterns/mcollective_spec.rb +35 -0
  64. data/spec/patterns/mongodb_spec.rb +170 -33
  65. data/spec/patterns/nagios_spec.rb +299 -78
  66. data/spec/patterns/netscreen_spec.rb +123 -0
  67. data/spec/patterns/rails3_spec.rb +87 -29
  68. data/spec/patterns/redis_spec.rb +216 -140
  69. data/spec/patterns/shorewall_spec.rb +85 -74
  70. data/spec/patterns/squid_spec.rb +139 -0
  71. data/spec/patterns/syslog_spec.rb +266 -22
  72. data/spec/spec_helper.rb +83 -5
  73. metadata +70 -31
  74. data/patterns/bind +0 -3
  75. data/patterns/squid +0 -4
  76. data/spec/patterns/bro.rb +0 -126
  77. data/spec/patterns/s3_spec.rb +0 -173
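--- a/data/spec/patterns/mongodb_spec.rb
+++ b/data/spec/patterns/mongodb_spec.rb
@@ -2,83 +2,220 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "MONGO3_LOG" do
-
-let(:pattern) { "MONGO3_LOG" }
+describe_pattern "MONGO3_LOG", ['legacy', 'ecs-v1'] do
 
 context "parsing an standard/basic message" do
 
-let(:value) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
-
-subject { grok_match(pattern, value) }
+let(:message) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
 
 it { should include("timestamp" => "2014-11-03T18:28:32.450-0500") }
 
-it { should include("severity" => "I") }
+it do
+if ecs_compatibility?
+should include("log" => { 'level' => "I" })
+else
+should include("severity" => "I")
+end
+end
 
-it { should include("component" => "NETWORK") }
+it do
+if ecs_compatibility?
+should include("mongodb" => hash_including("component" => "NETWORK"))
+else
+should include("component" => "NETWORK")
+end
+end
 
-it { should include("context" => "initandlisten") }
+it do
+if ecs_compatibility?
+should include("mongodb" => hash_including("context" => "initandlisten"))
+else
+should include("context" => "initandlisten")
+end
+end
 
 it "generates a message field" do
-expect(subject["message"]).to include("waiting for connections on port 27017")
+expect(subject["message"]).to eql [ message, "waiting for connections on port 27017" ]
 end
 end
 
 context "parsing a message with a missing component" do
 
-let(:value) { "2015-02-24T18:17:47.148+0000 F - [conn11] Got signal: 11 (Segmentation fault)." }
+let(:message) { "2015-02-24T18:17:47.148+0000 F - [conn11] Got signal: 11 (Segmentation fault)." }
 
-subject { grok_match(pattern, value) }
+it 'matches' do
+should include("timestamp" => "2015-02-24T18:17:47.148+0000")
 
-it { should include("timestamp" => "2015-02-24T18:17:47.148+0000") }
+if ecs_compatibility?
+expect( grok_result['mongodb'].keys ).to_not include("component")
+else
+should include("component" => "-")
+end
 
-it { should include("severity" => "F") }
+if ecs_compatibility?
+should include("log" => { 'level' => "F" })
+else
+should include("severity" => "F")
+end
 
-it { should include("component" => "-") }
-
-it { should include("context" => "conn11") }
+if ecs_compatibility?
+should include("mongodb" => hash_including("context" => "conn11"))
+else
+should include("context" => "conn11")
+end
+end
 
 it "generates a message field" do
-expect(subject["message"]).to include("Got signal: 11 (Segmentation fault).")
+expect(subject["message"]).to eql [ message, "Got signal: 11 (Segmentation fault)." ]
 end
 end
 
 context "parsing a message with a multiwords context" do
 
-let(:value) { "2015-04-23T06:57:28.256+0200 I JOURNAL [journal writer] Journal writer thread started" }
-
-subject { grok_match(pattern, value) }
+let(:message) { "2015-04-23T06:57:28.256+0200 I JOURNAL [journal writer] Journal writer thread started" }
 
-it { should include("timestamp" => "2015-04-23T06:57:28.256+0200") }
+it 'matches' do
+should include("timestamp" => "2015-04-23T06:57:28.256+0200")
 
-it { should include("severity" => "I") }
+if ecs_compatibility?
+should include("log" => { 'level' => "I" })
+else
+should include("severity" => "I")
+end
 
-it { should include("component" => "JOURNAL") }
+if ecs_compatibility?
+should include("mongodb" => hash_including("component" => "JOURNAL"))
+else
+should include("component" => "JOURNAL")
+end
 
-it { should include("context" => "journal writer") }
+if ecs_compatibility?
+should include("mongodb" => hash_including("context" => "journal writer"))
+else
+should include("context" => "journal writer")
+end
+end
 
 it "generates a message field" do
 expect(subject["message"]).to include("Journal writer thread started")
 end
+
+context '3.6 simple log line' do
+
+let(:message) do
+'2020-08-13T11:58:09.672+0200 I NETWORK [conn2] end connection 127.0.0.1:41258 (1 connection now open)'
+end
+
+it 'matches' do
+should include("timestamp" => "2020-08-13T11:58:09.672+0200")
+
+if ecs_compatibility?
+should include("mongodb" => hash_including("component" => "NETWORK"))
+else
+should include("component" => "NETWORK")
+end
+
+if ecs_compatibility?
+should include("mongodb" => hash_including("context" => "conn2"))
+else
+should include("context" => "conn2")
+end
+
+expect(subject["message"]).to include("end connection 127.0.0.1:41258 (1 connection now open)")
+end
+
+end
+
+context '3.6 long log line' do
+
+let(:command) do
+'command config.$cmd command: createIndexes { createIndexes: "system.sessions", ' +
+'indexes: [ { key: { lastUse: 1 }, name: "lsidTTLIndex", expireAfterSeconds: 1800 } ], $db: "config" } ' +
+'numYields:0 reslen:101 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { w: 2 } }, ' +
+'Collection: { acquireCount: { w: 1 } } } protocol:op_msg 0ms'
+end
+
+let(:message) do
+'2020-08-13T11:57:45.259+0200 I COMMAND [LogicalSessionCacheRefresh] ' + command
+end
+
+it 'matches' do
+should include("timestamp" => "2020-08-13T11:57:45.259+0200")
+
+if ecs_compatibility?
+should include("mongodb" => hash_including("component" => "COMMAND"))
+else
+should include("component" => "COMMAND")
+end
+
+if ecs_compatibility?
+should include("mongodb" => hash_including("context" => "LogicalSessionCacheRefresh"))
+else
+should include("context" => "LogicalSessionCacheRefresh")
+end
+
+expect(subject["message"]).to eql [message, command]
+end
+
+end
+
 end
 
 context "parsing a message without context" do
 
-let(:value) { "2015-04-23T07:00:13.864+0200 I CONTROL Ctrl-C signal" }
-
-subject { grok_match(pattern, value) }
+let(:message) { "2015-04-23T07:00:13.864+0200 I CONTROL Ctrl-C signal" }
 
-it { should include("timestamp" => "2015-04-23T07:00:13.864+0200") }
+it 'matches' do
+should include("timestamp" => "2015-04-23T07:00:13.864+0200")
 
-it { should include("severity" => "I") }
+if ecs_compatibility?
+should include("log" => { 'level' => "I" })
+else
+should include("severity" => "I")
+end
 
-it { should include("component" => "CONTROL") }
+if ecs_compatibility?
+should include("mongodb" => hash_including("component" => "CONTROL"))
+else
+should include("component" => "CONTROL")
+end
 
-it { should_not have_key("context") }
+if ecs_compatibility?
+expect( grok_result['mongodb'].keys ).to_not include("context")
+else
+should_not have_key("context")
+end
+end
 
 it "generates a message field" do
-expect(subject["message"]).to include("Ctrl-C signal")
+expect(subject["message"]).to eql [ message, "Ctrl-C signal" ]
 end
 end
 end
+
+describe_pattern "MONGO_SLOWQUERY", ['legacy', 'ecs-v1'] do
+
+let(:message) do
+"[conn11485496] query sample.User query: { clientId: 12345 } ntoreturn:0 ntoskip:0 nscanned:287011 keyUpdates:0 numYields: 2 locks(micros) r:4187700 nreturned:18 reslen:14019 2340ms"
+end
+
+it do
+if ecs_compatibility?
+should include("mongodb" => {
+"database" => "sample", "collection" => "User",
+"query" => { "original"=>"{ clientId: 12345 }" },
+"profile" => {
+"op" => "query",
+"ntoreturn" => 0, "ntoskip" => 0, "nscanned" => 287011, "nreturned" => 18,
+"duration" => 2340
+}
+})
+else
+should include("database" => "sample", "collection" => "User")
+should include("ntoreturn" => '0', "ntoskip" => '0', "nscanned" => "287011", "nreturned" => "18")
+should include("query" => "{ clientId: 12345 }")
+should include("duration" => "2340")
+end
+end
+
+end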
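Review bot: The two new contexts `'3.6 simple log line'` and `'3.6 long log line'` (new lines 103–160) are inserted before the `end` on new line 162 that closes `context "parsing a message with a multiwords context"`, so they run nested under that context and report as "…multiwords context 3.6 simple log line" even though neither sample has a multi-word context; moving both blocks after that `end`, as siblings of the other top-level contexts, gives them an accurate description. The message assertion in the simple-line test is also looser than every other one this hunk tightened: `expect(subject["message"]).to include("end connection 127.0.0.1:41258 (1 connection now open)")` only checks membership, whereas `expect(subject["message"]).to eql [ message, "end connection 127.0.0.1:41258 (1 connection now open)" ]` would match the sibling tests and pin that the pattern captures exactly the remainder of the line and nothing else. A smaller point: `expect( grok_result['mongodb'].keys ).to_not include("component")` (new lines 50 and 184) will raise NoMethodError rather than produce a readable expectation failure if the `mongodb` namespace is ever absent; `expect( grok_result['mongodb'] ).to_not have_key("component")` reads the same and fails more clearly, assuming `grok_result` returns a plain Hash as the other matchers here imply.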