logstash-patterns-core 4.1.2 → 4.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +119 -0
- data/Gemfile +8 -1
- data/LICENSE +199 -10
- data/README.md +12 -19
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
- data/patterns/{haproxy → legacy/haproxy} +1 -1
- data/patterns/{httpd → legacy/httpd} +2 -2
- data/patterns/{java → legacy/java} +1 -3
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +1 -1
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +92 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +260 -15
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +707 -66
- data/spec/patterns/haproxy_spec.rb +253 -28
- data/spec/patterns/httpd_spec.rb +248 -86
- data/spec/patterns/java_spec.rb +375 -0
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +299 -78
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +216 -140
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +83 -5
- metadata +70 -31
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
@@ -2,242 +2,463 @@
|
|
2
2
|
require "spec_helper"
|
3
3
|
require "logstash/patterns/core"
|
4
4
|
|
5
|
-
|
5
|
+
describe_pattern "NAGIOSLOGLINE - CURRENT HOST STATE", [ 'legacy', 'ecs-v1' ] do
|
6
6
|
|
7
|
-
let(:
|
8
|
-
let(:grok) { grok_match(subject, value) }
|
7
|
+
let(:message) { "[1427925600] CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 2.24 ms" }
|
9
8
|
|
10
9
|
it "a pattern pass the grok expression" do
|
11
10
|
expect(grok).to pass
|
12
11
|
end
|
13
12
|
|
14
13
|
it "matches a simple message" do
|
15
|
-
expect(
|
14
|
+
expect(pattern).to match(message)
|
16
15
|
end
|
17
16
|
|
18
17
|
it "generates the nagios_epoch field" do
|
19
|
-
|
18
|
+
if ecs_compatibility?
|
19
|
+
expect(grok).to include("timestamp" => "1427925600")
|
20
|
+
else
|
21
|
+
expect(grok).to include("nagios_epoch" => "1427925600")
|
22
|
+
end
|
20
23
|
end
|
21
24
|
|
22
25
|
it "generates the nagios_message field" do
|
23
|
-
|
26
|
+
if ecs_compatibility?
|
27
|
+
expect(grok).to include("message" => [message, "PING OK - Packet loss = 0%, RTA = 2.24 ms"])
|
28
|
+
else
|
29
|
+
expect(grok).to include("nagios_message" => "PING OK - Packet loss = 0%, RTA = 2.24 ms")
|
30
|
+
end
|
24
31
|
end
|
25
32
|
|
26
33
|
it "generates the nagios_hostname field" do
|
27
|
-
|
34
|
+
if ecs_compatibility?
|
35
|
+
expect(grok).to include("host" => { "hostname" => "nagioshost" })
|
36
|
+
else
|
37
|
+
expect(grok).to include("nagios_hostname" => "nagioshost")
|
38
|
+
end
|
28
39
|
end
|
29
40
|
|
30
41
|
it "generates the nagios_state field" do
|
31
|
-
|
42
|
+
if ecs_compatibility?
|
43
|
+
expect(grok).to include("service" => hash_including("state" => "UP"))
|
44
|
+
else
|
45
|
+
expect(grok).to include("nagios_state" => "UP")
|
46
|
+
end
|
32
47
|
end
|
33
48
|
|
34
49
|
it "generates the nagios_statetype field" do
|
35
|
-
|
50
|
+
if ecs_compatibility?
|
51
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "HARD")))
|
52
|
+
else
|
53
|
+
expect(grok).to include("nagios_statetype" => "HARD")
|
54
|
+
end
|
36
55
|
end
|
37
56
|
|
38
57
|
end
|
39
58
|
|
40
|
-
|
59
|
+
describe_pattern "NAGIOSLOGLINE - CURRENT SERVICE STATE", [ 'legacy', 'ecs-v1' ] do
|
41
60
|
|
42
|
-
let(:
|
43
|
-
let(:grok) { grok_match(subject, value) }
|
61
|
+
let(:message) { "[1427925600] CURRENT SERVICE STATE: nagioshost;SSH;OK;HARD;1;nagiosmessage" }
|
44
62
|
|
45
63
|
it "a pattern pass the grok expression" do
|
46
64
|
expect(grok).to pass
|
47
65
|
end
|
48
66
|
|
49
67
|
it "matches a simple message" do
|
50
|
-
expect(
|
68
|
+
expect(pattern).to match(message)
|
51
69
|
end
|
52
70
|
|
53
71
|
it "generates the nagios_type field" do
|
54
|
-
|
72
|
+
if ecs_compatibility?
|
73
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => "CURRENT SERVICE STATE")))
|
74
|
+
else
|
75
|
+
expect(grok).to include("nagios_type" => "CURRENT SERVICE STATE")
|
76
|
+
end
|
55
77
|
end
|
56
78
|
|
57
79
|
it "generates the nagios_epoch field" do
|
58
|
-
|
80
|
+
if ecs_compatibility?
|
81
|
+
expect(grok).to include("timestamp" => "1427925600")
|
82
|
+
else
|
83
|
+
expect(grok).to include("nagios_epoch" => "1427925600")
|
84
|
+
end
|
59
85
|
end
|
60
86
|
|
61
87
|
it "generates the nagios_message field" do
|
62
|
-
|
88
|
+
if ecs_compatibility?
|
89
|
+
expect(grok).to include("message" => [message, "nagiosmessage"])
|
90
|
+
else
|
91
|
+
expect(grok).to include("nagios_message" => "nagiosmessage")
|
92
|
+
end
|
63
93
|
end
|
64
94
|
|
65
|
-
it "generates the
|
66
|
-
|
95
|
+
it "generates the hostname field" do
|
96
|
+
if ecs_compatibility?
|
97
|
+
expect(grok).to include("host" => { "hostname" => "nagioshost" })
|
98
|
+
else
|
99
|
+
expect(grok).to include("nagios_hostname" => "nagioshost")
|
100
|
+
end
|
67
101
|
end
|
68
102
|
|
69
|
-
it "generates the
|
70
|
-
|
103
|
+
it "generates the service field" do
|
104
|
+
if ecs_compatibility?
|
105
|
+
expect(grok).to include("service" => hash_including("name" => "SSH"))
|
106
|
+
else
|
107
|
+
expect(grok).to include("nagios_service" => "SSH")
|
108
|
+
end
|
71
109
|
end
|
72
110
|
|
73
111
|
it "generates the nagios_state field" do
|
74
|
-
|
112
|
+
if ecs_compatibility?
|
113
|
+
expect(grok).to include("service" => hash_including("state" => "OK"))
|
114
|
+
else
|
115
|
+
expect(grok).to include("nagios_state" => "OK")
|
116
|
+
end
|
75
117
|
end
|
76
118
|
|
77
119
|
it "generates the nagios_statetype field" do
|
78
|
-
|
79
|
-
|
120
|
+
if ecs_compatibility?
|
121
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "HARD")))
|
122
|
+
else
|
123
|
+
expect(grok).to include("nagios_statetype" => "HARD")
|
124
|
+
end
|
125
|
+
end
|
126
|
+
|
127
|
+
it "generates the nagios_statecode field" do
|
128
|
+
if ecs_compatibility?
|
129
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("attempt" => 1)))
|
130
|
+
else
|
131
|
+
# NOTE: (legacy) nagios_statecode corresponds to current_attempt (according to Nagios' source)
|
132
|
+
expect(grok).to include("nagios_statecode" => "1")
|
133
|
+
end
|
134
|
+
end
|
135
|
+
|
136
|
+
context 'real-world example' do
|
137
|
+
|
138
|
+
let(:message) do
|
139
|
+
'[1427956600] CURRENT SERVICE STATE: prod-virtual-ESz06;check_vmfs_prod-PvDC2;CRITICAL;HARD;3;CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)'
|
140
|
+
end
|
141
|
+
|
142
|
+
it 'matches' do
|
143
|
+
if ecs_compatibility?
|
144
|
+
expect(grok).to include(
|
145
|
+
"host" => { "hostname" => "prod-virtual-ESz06" },
|
146
|
+
"service" => { "name" => "check_vmfs_prod-PvDC2", "state" => 'CRITICAL' },
|
147
|
+
"nagios" => { "log" => {
|
148
|
+
"type" => "CURRENT SERVICE STATE",
|
149
|
+
"state_type" => "HARD",
|
150
|
+
"attempt" => 3
|
151
|
+
}},
|
152
|
+
"message" => [message, "CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)"]
|
153
|
+
)
|
154
|
+
else
|
155
|
+
expect(grok).to include(
|
156
|
+
"nagios_type"=>"CURRENT SERVICE STATE",
|
157
|
+
"nagios_state"=>"CRITICAL",
|
158
|
+
"nagios_statetype"=>"HARD",
|
159
|
+
"nagios_hostname"=>"prod-virtual-ESz06",
|
160
|
+
"nagios_statecode"=>"3", # NOTE: "incorrect" - corresponds to current_attempt (according to Nagios' source)
|
161
|
+
"nagios_message"=>"CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)"
|
162
|
+
)
|
163
|
+
end
|
164
|
+
end
|
80
165
|
|
166
|
+
end
|
81
167
|
end
|
82
168
|
|
83
|
-
|
169
|
+
describe_pattern "NAGIOSLOGLINE - TIMEPERIOD TRANSITION", [ 'legacy', 'ecs-v1' ] do
|
84
170
|
|
85
|
-
let(:
|
86
|
-
let(:grok) { grok_match(subject, value) }
|
171
|
+
let(:message) { "[1427925600] TIMEPERIOD TRANSITION: 24X7;-1;1" }
|
87
172
|
|
88
|
-
it "
|
89
|
-
expect(
|
90
|
-
end
|
91
|
-
|
92
|
-
it "matches a simple message" do
|
93
|
-
expect(subject).to match(value)
|
173
|
+
it "matches the message" do
|
174
|
+
expect(pattern).to match(message)
|
94
175
|
end
|
95
176
|
|
96
177
|
it "generates the nagios_type field" do
|
97
|
-
|
178
|
+
if ecs_compatibility?
|
179
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'TIMEPERIOD TRANSITION')))
|
180
|
+
else
|
181
|
+
expect(grok).to include("nagios_type" => "TIMEPERIOD TRANSITION")
|
182
|
+
end
|
98
183
|
end
|
99
184
|
|
100
185
|
it "generates the nagios_epoch field" do
|
101
|
-
expect(grok).to include("nagios_epoch" => "1427925600")
|
186
|
+
expect(grok).to include("nagios_epoch" => "1427925600") unless ecs_compatibility?
|
102
187
|
end
|
103
188
|
|
104
|
-
it "generates the
|
105
|
-
|
189
|
+
it "generates the service field" do
|
190
|
+
if ecs_compatibility?
|
191
|
+
expect(grok).to include("service" => hash_including("name" => '24X7'))
|
192
|
+
else
|
193
|
+
expect(grok).to include("nagios_service" => "24X7")
|
194
|
+
end
|
195
|
+
end
|
196
|
+
|
197
|
+
it "generates the period from/to fields" do
|
198
|
+
if ecs_compatibility?
|
199
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("period_from" => -1, "period_to" => 1)))
|
200
|
+
else
|
201
|
+
expect(grok).to include("nagios_unknown1" => "-1", "nagios_unknown2" => "1")
|
202
|
+
end
|
106
203
|
end
|
107
204
|
|
108
205
|
# Regression test for but fixed in Nagios patterns #30
|
109
206
|
it "doesn't end in a semi-colon" do
|
110
|
-
|
207
|
+
message = grok['message']
|
208
|
+
message = message.last if message.is_a?(Array)
|
209
|
+
expect(message).to_not end_with(";")
|
111
210
|
end
|
112
211
|
|
113
212
|
end
|
114
213
|
|
115
|
-
|
214
|
+
describe_pattern "NAGIOSLOGLINE - SERVICE ALERT", [ 'legacy', 'ecs-v1' ] do
|
116
215
|
|
117
|
-
let(:
|
118
|
-
let(:grok) { grok_match(subject, value) }
|
216
|
+
let(:message) { "[1427925689] SERVICE ALERT: varnish;Varnish Backend Connections;CRITICAL;SOFT;1;Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0" }
|
119
217
|
|
120
218
|
it "a pattern pass the grok expression" do
|
121
219
|
expect(grok).to pass
|
122
220
|
end
|
123
221
|
|
124
222
|
it "matches a simple message" do
|
125
|
-
expect(
|
223
|
+
expect(pattern).to match(message)
|
126
224
|
end
|
127
225
|
|
128
226
|
it "generates the nagios_type field" do
|
129
|
-
|
227
|
+
if ecs_compatibility?
|
228
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'SERVICE ALERT')))
|
229
|
+
else
|
230
|
+
expect(grok).to include("nagios_type" => "SERVICE ALERT")
|
231
|
+
end
|
130
232
|
end
|
131
233
|
|
132
234
|
it "generates the nagios_epoch field" do
|
133
|
-
|
235
|
+
if ecs_compatibility?
|
236
|
+
expect(grok).to include("timestamp" => "1427925689")
|
237
|
+
else
|
238
|
+
expect(grok).to include("nagios_epoch" => "1427925689")
|
239
|
+
end
|
134
240
|
end
|
135
241
|
|
136
|
-
it "generates the
|
137
|
-
|
242
|
+
it "generates the hostname field" do
|
243
|
+
if ecs_compatibility?
|
244
|
+
expect(grok).to include("host" => { "hostname" => "varnish" })
|
245
|
+
else
|
246
|
+
expect(grok).to include("nagios_hostname" => "varnish")
|
247
|
+
end
|
138
248
|
end
|
139
249
|
|
140
|
-
it "generates the
|
141
|
-
|
250
|
+
it "generates the service field" do
|
251
|
+
if ecs_compatibility?
|
252
|
+
expect(grok).to include("service" => hash_including("name" => 'Varnish Backend Connections'))
|
253
|
+
else
|
254
|
+
expect(grok).to include("nagios_service" => "Varnish Backend Connections")
|
255
|
+
end
|
142
256
|
end
|
143
257
|
|
144
258
|
it "generates the nagios_state field" do
|
145
|
-
|
259
|
+
if ecs_compatibility?
|
260
|
+
expect(grok).to include("service" => hash_including("state" => "CRITICAL"))
|
261
|
+
else
|
262
|
+
expect(grok).to include("nagios_state" => "CRITICAL")
|
263
|
+
end
|
146
264
|
end
|
147
265
|
|
148
266
|
it "generates the nagios_statelevel field" do
|
149
|
-
|
267
|
+
if ecs_compatibility?
|
268
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "SOFT")))
|
269
|
+
else
|
270
|
+
expect(grok).to include("nagios_statelevel" => "SOFT")
|
271
|
+
end
|
272
|
+
end
|
273
|
+
|
274
|
+
it "generates the nagios_attempt field" do
|
275
|
+
if ecs_compatibility?
|
276
|
+
pending "TODO: are we hitting a grok bug here ?!?"
|
277
|
+
# [nagios][log][attempt]:int is clearly there (changing to :float gets this passing)
|
278
|
+
# ... but in this particular case we still get the raw "1" string back
|
279
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("attempt" => 1)))
|
280
|
+
else
|
281
|
+
expect(grok).to include("nagios_attempt" => "1")
|
282
|
+
end
|
150
283
|
end
|
151
284
|
|
152
285
|
it "generates the nagios_message field" do
|
153
|
-
|
286
|
+
if ecs_compatibility?
|
287
|
+
expect(grok['message'].last).to eql "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0"
|
288
|
+
else
|
289
|
+
expect(grok).to include("nagios_message" => "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0")
|
290
|
+
end
|
154
291
|
end
|
155
292
|
|
156
293
|
end
|
157
294
|
|
158
|
-
|
295
|
+
describe_pattern "NAGIOSLOGLINE - SERVICE NOTIFICATION", [ 'legacy', 'ecs-v1' ] do
|
159
296
|
|
160
|
-
let(:
|
161
|
-
let(:grok) { grok_match(subject, value) }
|
297
|
+
let(:message) { "[1427950229] SERVICE NOTIFICATION: nagiosadmin;varnish;Varnish Backend Connections;CRITICAL;notify-service-by-email;Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0" }
|
162
298
|
|
163
299
|
it "a pattern pass the grok expression" do
|
164
300
|
expect(grok).to pass
|
165
301
|
end
|
166
302
|
|
167
303
|
it "matches a simple message" do
|
168
|
-
expect(
|
304
|
+
expect(pattern).to match(message)
|
169
305
|
end
|
170
306
|
|
171
307
|
it "generates the nagios_type field" do
|
172
|
-
|
308
|
+
if ecs_compatibility?
|
309
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'SERVICE NOTIFICATION')))
|
310
|
+
else
|
311
|
+
expect(grok).to include("nagios_type" => "SERVICE NOTIFICATION")
|
312
|
+
end
|
173
313
|
end
|
174
314
|
|
175
315
|
it "generates the nagios_epoch field" do
|
176
|
-
|
316
|
+
if ecs_compatibility?
|
317
|
+
expect(grok).to include("timestamp" => "1427950229")
|
318
|
+
else
|
319
|
+
expect(grok).to include("nagios_epoch" => "1427950229")
|
320
|
+
end
|
177
321
|
end
|
178
322
|
|
179
323
|
it "generates the nagios_notifyname field" do
|
180
|
-
|
324
|
+
if ecs_compatibility?
|
325
|
+
expect(grok).to include("user" => { "name" => "nagiosadmin" }) # Nagios contact's contact_name
|
326
|
+
else
|
327
|
+
expect(grok).to include("nagios_notifyname" => "nagiosadmin")
|
328
|
+
end
|
181
329
|
end
|
182
330
|
|
183
|
-
it "generates the
|
184
|
-
|
331
|
+
it "generates the hostname field" do
|
332
|
+
if ecs_compatibility?
|
333
|
+
expect(grok).to include("host" => { "hostname" => "varnish" })
|
334
|
+
else
|
335
|
+
expect(grok).to include("nagios_hostname" => "varnish")
|
336
|
+
end
|
185
337
|
end
|
186
338
|
|
187
|
-
it "generates the
|
188
|
-
|
339
|
+
it "generates the service field" do
|
340
|
+
if ecs_compatibility?
|
341
|
+
expect(grok).to include("service" => hash_including("name" => 'Varnish Backend Connections'))
|
342
|
+
else
|
343
|
+
expect(grok).to include("nagios_service" => "Varnish Backend Connections")
|
344
|
+
end
|
189
345
|
end
|
190
346
|
|
191
347
|
it "generates the nagios_state field" do
|
192
|
-
|
348
|
+
if ecs_compatibility?
|
349
|
+
expect(grok).to include("service" => hash_including("state" => "CRITICAL"))
|
350
|
+
else
|
351
|
+
expect(grok).to include("nagios_state" => "CRITICAL")
|
352
|
+
end
|
193
353
|
end
|
194
354
|
|
195
355
|
it "generates the nagios_contact field" do
|
196
|
-
|
356
|
+
if ecs_compatibility?
|
357
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("notification_command" => "notify-service-by-email")))
|
358
|
+
else
|
359
|
+
expect(grok).to include("nagios_contact" => "notify-service-by-email")
|
360
|
+
end
|
197
361
|
end
|
198
362
|
|
199
363
|
it "generates the nagios_message field" do
|
200
|
-
|
364
|
+
if ecs_compatibility?
|
365
|
+
expect(grok['message'].last).to eql "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0"
|
366
|
+
else
|
367
|
+
expect(grok).to include("nagios_message" => "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0")
|
368
|
+
end
|
201
369
|
end
|
202
370
|
|
203
371
|
end
|
204
372
|
|
205
373
|
|
206
|
-
|
374
|
+
describe_pattern "NAGIOSLOGLINE - HOST NOTIFICATION", [ 'legacy', 'ecs-v1' ] do
|
207
375
|
|
208
|
-
let(:
|
209
|
-
let(:grok) { grok_match(subject, value) }
|
210
|
-
|
211
|
-
it "a pattern pass the grok expression" do
|
212
|
-
expect(grok).to pass
|
213
|
-
end
|
376
|
+
let(:message) { "[1429878690] HOST NOTIFICATION: nagiosadmin;127.0.0.1;DOWN;host-notify-by-email;CRITICAL - Socket timeout after 10 seconds" }
|
214
377
|
|
215
378
|
it "matches a simple message" do
|
216
|
-
expect(
|
379
|
+
expect(pattern).to match(message)
|
217
380
|
end
|
218
381
|
|
219
382
|
it "generates the nagios_type field" do
|
220
|
-
|
383
|
+
if ecs_compatibility?
|
384
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => "HOST NOTIFICATION")))
|
385
|
+
else
|
386
|
+
expect(grok).to include("nagios_type" => "HOST NOTIFICATION")
|
387
|
+
end
|
221
388
|
end
|
222
389
|
|
223
390
|
it "generates the nagios_epoch field" do
|
224
|
-
expect(grok).to include("nagios_epoch" => "1429878690")
|
391
|
+
expect(grok).to include("nagios_epoch" => "1429878690") unless ecs_compatibility?
|
225
392
|
end
|
226
393
|
|
227
394
|
it "generates the nagios_notifyname field" do
|
228
|
-
|
395
|
+
if ecs_compatibility?
|
396
|
+
expect(grok).to include("user" => { "name" => "nagiosadmin" }) # Nagios contact's contact_name
|
397
|
+
else
|
398
|
+
expect(grok).to include("nagios_notifyname" => "nagiosadmin")
|
399
|
+
end
|
229
400
|
end
|
230
401
|
|
231
402
|
it "generates the nagios_hostname field" do
|
232
|
-
|
403
|
+
if ecs_compatibility?
|
404
|
+
expect(grok).to include("host" => { "hostname" => "127.0.0.1" })
|
405
|
+
else
|
406
|
+
expect(grok).to include("nagios_hostname" => "127.0.0.1")
|
407
|
+
end
|
233
408
|
end
|
234
409
|
|
235
410
|
it "generates the nagios_contact field" do
|
236
|
-
|
411
|
+
if ecs_compatibility?
|
412
|
+
expect(grok).to include("nagios" => hash_including("log" => hash_including("notification_command" => "host-notify-by-email")))
|
413
|
+
else
|
414
|
+
expect(grok).to include("nagios_contact" => "host-notify-by-email")
|
415
|
+
end
|
237
416
|
end
|
238
417
|
|
239
418
|
it "generates the nagios_message field" do
|
240
|
-
|
419
|
+
if ecs_compatibility?
|
420
|
+
expect(grok['message'].last).to eql "CRITICAL - Socket timeout after 10 seconds"
|
421
|
+
else
|
422
|
+
expect(grok).to include("nagios_message" => "CRITICAL - Socket timeout after 10 seconds")
|
423
|
+
end
|
241
424
|
end
|
242
425
|
|
243
426
|
end
|
427
|
+
|
428
|
+
describe_pattern "NAGIOSLOGLINE - SCHEDULE_HOST_DOWNTIME", [ 'legacy', 'ecs-v1' ] do
|
429
|
+
|
430
|
+
let(:message) { "[1334609999] EXTERNAL COMMAND: SCHEDULE_HOST_DOWNTIME;sputnik;1334665800;1334553600;1;0;120;nagiosadmin;test;" }
|
431
|
+
|
432
|
+
it "matches" do
|
433
|
+
if ecs_compatibility?
|
434
|
+
expect(grok).to include(
|
435
|
+
"host" => { "hostname" => "sputnik" },
|
436
|
+
"nagios" => { "log" => {
|
437
|
+
"type" => "EXTERNAL COMMAND",
|
438
|
+
"command" => "SCHEDULE_HOST_DOWNTIME",
|
439
|
+
"start_time" => "1334665800",
|
440
|
+
"end_time" => "1334553600",
|
441
|
+
"fixed" => '1',
|
442
|
+
"trigger_id" => '0',
|
443
|
+
"duration" => 120,
|
444
|
+
|
445
|
+
}},
|
446
|
+
"user" => { "name" => 'nagiosadmin' },
|
447
|
+
"message" => message
|
448
|
+
)
|
449
|
+
else
|
450
|
+
expect(grok).to include(
|
451
|
+
"nagios_epoch"=>"1334609999",
|
452
|
+
"nagios_type"=>"EXTERNAL COMMAND",
|
453
|
+
"nagios_command"=>"SCHEDULE_HOST_DOWNTIME",
|
454
|
+
"nagios_hostname"=>"sputnik",
|
455
|
+
"nagios_duration"=>"120",
|
456
|
+
"nagios_fixed"=>"1",
|
457
|
+
"nagios_trigger_id"=>"0",
|
458
|
+
"nagios_start_time"=>"1334665800",
|
459
|
+
"nagios_end_time"=>"1334553600",
|
460
|
+
"author"=>"nagiosadmin"
|
461
|
+
)
|
462
|
+
end
|
463
|
+
end
|
464
|
+
end
|
@@ -0,0 +1,123 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "spec_helper"
|
3
|
+
require "logstash/patterns/core"
|
4
|
+
|
5
|
+
describe_pattern "NETSCREENSESSIONLOG", ['legacy', 'ecs-v1'] do
|
6
|
+
|
7
|
+
context "traffic denied (Juniper)" do
|
8
|
+
|
9
|
+
let(:message) do
|
10
|
+
'Jun 2 14:53:31 sample-host isg1000-A2: NetScreen device_id=0000011001000011 [Root]system-notification-00257(traffic): ' +
|
11
|
+
'start_time="2015-11-11 10:02:10" duration=0 policy_id=244 service=https proto=6 src zone=Untrust dst zone=Trust ' +
|
12
|
+
'action=Permit sent=0 rcvd=0 src=74.168.138.252 dst=72.72.72.72 src_port=1732 dst_port=443 ' +
|
13
|
+
'src-xlated ip=1.255.20.1 port=22041 dst-xlated ip=1.244.136.50 port=443 session_id=488451 reason=Creation'
|
14
|
+
end
|
15
|
+
|
16
|
+
it 'matches' do
|
17
|
+
if ecs_compatibility?
|
18
|
+
expect(subject).to include("timestamp" => "Jun 2 14:53:31")
|
19
|
+
expect(subject).to include("netscreen"=>{
|
20
|
+
"session"=>{"id"=>"488451", "start_time"=>"2015-11-11 10:02:10", "duration"=>0, "type"=>"traffic", "reason"=>"Creation"},
|
21
|
+
"policy_id"=>"244", "service"=>"https", "protocol_number"=>6, "device_id"=>"0000011001000011"
|
22
|
+
})
|
23
|
+
expect(subject).to include("event"=>{"code"=>"00257", "action"=>"Permit"})
|
24
|
+
# expect(subject).to include("network"=>{"protocol"=>"https"})
|
25
|
+
expect(subject).to include("source"=>{"bytes"=>0, "nat"=>{"port"=>22041, "ip"=>"1.255.20.1"}, "port"=>1732, "address"=>"74.168.138.252"})
|
26
|
+
expect(subject).to include("destination"=>{"bytes"=>0, "nat"=>{"port"=>443, "ip"=>"1.244.136.50"}, "port"=>443, "address"=>"72.72.72.72"})
|
27
|
+
expect(subject).to include("observer"=>{
|
28
|
+
"ingress"=>{"zone"=>"Untrust"}, "hostname"=>"sample-host", "name"=>"isg1000-A2", "product"=>"NetScreen",
|
29
|
+
"egress"=>{"zone"=>"Trust"}
|
30
|
+
})
|
31
|
+
else
|
32
|
+
expect(subject).to include("date" => "Jun 2 14:53:31")
|
33
|
+
expect(subject).to include(
|
34
|
+
"device"=>"sample-host",
|
35
|
+
"device_id"=>"0000011001000011",
|
36
|
+
"start_time"=>"\"2015-11-11 10:02:10\"",
|
37
|
+
"duration"=>"0",
|
38
|
+
"policy_id"=>"244",
|
39
|
+
"service"=>"https",
|
40
|
+
"proto"=>"6",
|
41
|
+
"src_zone"=>"Untrust", "dst_zone"=>"Trust",
|
42
|
+
"action"=>"Permit",
|
43
|
+
"sent"=>"0", "rcvd"=>"0",
|
44
|
+
"src_ip"=>"74.168.138.252", "dst_ip"=>"72.72.72.72",
|
45
|
+
"src_port"=>"1732", "dst_port"=>"443",
|
46
|
+
"src_xlated_ip"=>"1.255.20.1", "src_xlated_port"=>"22041",
|
47
|
+
"dst_xlated_ip"=>"1.244.136.50", "dst_xlated_port"=>"443",
|
48
|
+
"session_id"=>"488451", "reason"=>"Creation",
|
49
|
+
)
|
50
|
+
end
|
51
|
+
end
|
52
|
+
|
53
|
+
end
|
54
|
+
|
55
|
+
context "traffic denied (without port/xlated/session_id/reason suffix)" do
|
56
|
+
|
57
|
+
let(:message) do
|
58
|
+
'Mar 18 17:56:52 192.168.56.11 lowly_lizard: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): ' +
|
59
|
+
'start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 ' +
|
60
|
+
'src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1'
|
61
|
+
end
|
62
|
+
|
63
|
+
it 'matches in ECS mode' do
|
64
|
+
if ecs_compatibility?
|
65
|
+
expect(subject).to include("timestamp" => "Mar 18 17:56:52")
|
66
|
+
expect(subject).to include("netscreen"=>{
|
67
|
+
"device_id"=>"netscreen2",
|
68
|
+
"policy_id"=>"320001",
|
69
|
+
"service"=>"msrpc Endpoint Mapper(tcp)",
|
70
|
+
"protocol_number"=>6,
|
71
|
+
"session"=>{"start_time"=>"2009-03-18 16:07:06", "type"=>"traffic", "duration"=>0}
|
72
|
+
})
|
73
|
+
expect(subject).to include("source"=>{"address"=>"21.10.90.125", "bytes"=>0})
|
74
|
+
expect(subject).to include("destination"=>{"address"=>"23.16.1.1", "bytes"=>16384})
|
75
|
+
else
|
76
|
+
expect(grok['tags']).to include('_grokparsefailure')
|
77
|
+
end
|
78
|
+
end
|
79
|
+
end
|
80
|
+
|
81
|
+
context "'standard' traffic denied" do
|
82
|
+
|
83
|
+
let(:message) do
|
84
|
+
'Jun 2 14:53:31 fire00 aka1: NetScreen device_id=aka1 [Root]system-notification-00257(traffic): start_time="2006-06-02 14:53:30" ' +
|
85
|
+
'duration=0 policy_id=120 service=udp/port:17210 proto=17 src zone=Trust dst zone=DMZ action=Deny sent=0 rcvd=0 ' +
|
86
|
+
'src=192.168.2.2 dst=1.2.3.4 src_port=53 dst_port=17210'
|
87
|
+
end
|
88
|
+
|
89
|
+
it 'matches (in ECS mode)' do
|
90
|
+
if ecs_compatibility?
|
91
|
+
expect(subject).to include("event"=>{"action"=>"Deny", "code"=>"00257"})
|
92
|
+
else
|
93
|
+
expect(grok['tags']).to include('_grokparsefailure')
|
94
|
+
expect(subject).to_not include("date" => "Jun 2 14:53:31")
|
95
|
+
end
|
96
|
+
end
|
97
|
+
|
98
|
+
context "(with session id)" do
|
99
|
+
|
100
|
+
let(:message) do
|
101
|
+
super() + ' session_id=0 reason=Traffic Denied'
|
102
|
+
end
|
103
|
+
|
104
|
+
it 'matches (in ECS mode)' do
|
105
|
+
if ecs_compatibility?
|
106
|
+
expect(subject).to include("netscreen"=>hash_including("device_id"=>"aka1", "service"=>"udp/port:17210",
|
107
|
+
"session"=>hash_including("reason"=>"Traffic Denied")))
|
108
|
+
expect(subject).to include("observer"=>{
|
109
|
+
"ingress"=>{"zone"=>"Trust"},
|
110
|
+
"egress"=>{"zone"=>"DMZ"}, "hostname"=>"fire00", "name"=>"aka1",
|
111
|
+
"product"=>"NetScreen"
|
112
|
+
})
|
113
|
+
else
|
114
|
+
expect(grok['tags']).to include('_grokparsefailure')
|
115
|
+
expect(subject).to_not include("date" => "Jun 2 14:53:31")
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
end
|
120
|
+
|
121
|
+
end
|
122
|
+
|
123
|
+
end
|