logstash-patterns-core 4.1.2 → 4.3.2

data/spec/patterns/nagios_spec.rb

@@ -2,242 +2,463 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "NAGIOSLOGLINE - CURRENT HOST STATE" do
+describe_pattern "NAGIOSLOGLINE - CURRENT HOST STATE", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925600] CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 2.24 ms" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427925600] CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 2.24 ms" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925600")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427925600")
+    else
+      expect(grok).to include("nagios_epoch" => "1427925600")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "PING OK - Packet loss = 0%, RTA = 2.24 ms")
+    if ecs_compatibility?
+      expect(grok).to include("message" => [message, "PING OK - Packet loss = 0%, RTA = 2.24 ms"])
+    else
+      expect(grok).to include("nagios_message" => "PING OK - Packet loss = 0%, RTA = 2.24 ms")
+    end
   end
 
   it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "nagioshost")
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "nagioshost" })
+    else
+      expect(grok).to include("nagios_hostname" => "nagioshost")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "UP")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "UP"))
+    else
+      expect(grok).to include("nagios_state" => "UP")
+    end
   end
 
   it "generates the nagios_statetype field" do
-    expect(grok).to include("nagios_statetype" => "HARD")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "HARD")))
+    else
+      expect(grok).to include("nagios_statetype" => "HARD")
+    end
   end
 
 end
 
-describe "NAGIOSLOGLINE - CURRENT SERVICE STATE" do
+describe_pattern "NAGIOSLOGLINE - CURRENT SERVICE STATE", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925600] CURRENT SERVICE STATE: nagioshost;nagiosservice;OK;HARD;1;nagiosmessage" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427925600] CURRENT SERVICE STATE: nagioshost;SSH;OK;HARD;1;nagiosmessage" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "CURRENT SERVICE STATE")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => "CURRENT SERVICE STATE")))
+    else
+      expect(grok).to include("nagios_type" => "CURRENT SERVICE STATE")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925600")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427925600")
+    else
+      expect(grok).to include("nagios_epoch" => "1427925600")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "nagiosmessage")
+    if ecs_compatibility?
+      expect(grok).to include("message" => [message, "nagiosmessage"])
+    else
+      expect(grok).to include("nagios_message" => "nagiosmessage")
+    end
   end
 
-  it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "nagioshost")
+  it "generates the hostname field" do
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "nagioshost" })
+    else
+      expect(grok).to include("nagios_hostname" => "nagioshost")
+    end
   end
 
-  it "generates the nagios_service field" do
-    expect(grok).to include("nagios_service" => "nagiosservice")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => "SSH"))
+    else
+      expect(grok).to include("nagios_service" => "SSH")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "OK")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "OK"))
+    else
+      expect(grok).to include("nagios_state" => "OK")
+    end
   end
 
   it "generates the nagios_statetype field" do
-    expect(grok).to include("nagios_statetype" => "HARD")
-  end
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "HARD")))
+    else
+      expect(grok).to include("nagios_statetype" => "HARD")
+    end
+  end
+
+  it "generates the nagios_statecode field" do
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("attempt" => 1)))
+    else
+      # NOTE: (legacy) nagios_statecode corresponds to current_attempt (according to Nagios' source)
+      expect(grok).to include("nagios_statecode" => "1")
+    end
+  end
+
+  context 'real-world example' do
+
+    let(:message) do
+      '[1427956600] CURRENT SERVICE STATE: prod-virtual-ESz06;check_vmfs_prod-PvDC2;CRITICAL;HARD;3;CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)'
+    end
+
+    it 'matches' do
+      if ecs_compatibility?
+        expect(grok).to include(
+          "host" => { "hostname" => "prod-virtual-ESz06" },
+          "service" => { "name" => "check_vmfs_prod-PvDC2", "state" => 'CRITICAL' },
+          "nagios" => { "log" => {
+              "type" => "CURRENT SERVICE STATE",
+              "state_type" => "HARD",
+              "attempt" => 3
+          }},
+          "message" => [message, "CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)"]
+        )
+      else
+        expect(grok).to include(
+          "nagios_type"=>"CURRENT SERVICE STATE",
+          "nagios_state"=>"CRITICAL",
+          "nagios_statetype"=>"HARD",
+          "nagios_hostname"=>"prod-virtual-ESz06",
+          "nagios_statecode"=>"3", # NOTE: "incorrect" - corresponds to current_attempt (according to Nagios' source)
+          "nagios_message"=>"CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)"
+        )
+      end
+    end
 
+  end
 end
 
-describe "NAGIOSLOGLINE - TIMEPERIOD TRANSITION" do
+describe_pattern "NAGIOSLOGLINE - TIMEPERIOD TRANSITION", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925600] TIMEPERIOD TRANSITION: 24X7;1;1" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427925600] TIMEPERIOD TRANSITION: 24X7;-1;1" }
 
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-
-  it "matches a simple message" do
-    expect(subject).to match(value)
+  it "matches the message" do
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "TIMEPERIOD TRANSITION")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'TIMEPERIOD TRANSITION')))
+    else
+      expect(grok).to include("nagios_type" => "TIMEPERIOD TRANSITION")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925600")
+    expect(grok).to include("nagios_epoch" => "1427925600") unless ecs_compatibility?
   end
 
-  it "generates the nagios_esrvice field" do
-    expect(grok).to include("nagios_service" => "24X7")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => '24X7'))
+    else
+      expect(grok).to include("nagios_service" => "24X7")
+    end
+  end
+
+  it "generates the period from/to fields" do
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("period_from" => -1, "period_to" => 1)))
+    else
+      expect(grok).to include("nagios_unknown1" => "-1", "nagios_unknown2" => "1")
+    end
   end
 
   # Regression test for but fixed in Nagios patterns #30
   it "doesn't end in a semi-colon" do
-    expect(grok['message']).to_not end_with(";")
+    message = grok['message']
+    message = message.last if message.is_a?(Array)
+    expect(message).to_not end_with(";")
   end
 
 end
 
-describe "NAGIOSLOGLINE - SERVICE ALERT" do
+describe_pattern "NAGIOSLOGLINE - SERVICE ALERT", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925689] SERVICE ALERT: varnish;Varnish Backend Connections;CRITICAL;SOFT;1;Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427925689] SERVICE ALERT: varnish;Varnish Backend Connections;CRITICAL;SOFT;1;Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "SERVICE ALERT")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'SERVICE ALERT')))
+    else
+      expect(grok).to include("nagios_type" => "SERVICE ALERT")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925689")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427925689")
+    else
+      expect(grok).to include("nagios_epoch" => "1427925689")
+    end
   end
 
-  it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "varnish")
+  it "generates the hostname field" do
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "varnish" })
+    else
+      expect(grok).to include("nagios_hostname" => "varnish")
+    end
   end
 
-  it "generates the nagios_service field" do
-    expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => 'Varnish Backend Connections'))
+    else
+      expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "CRITICAL")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "CRITICAL"))
+    else
+      expect(grok).to include("nagios_state" => "CRITICAL")
+    end
   end
 
   it "generates the nagios_statelevel field" do
-    expect(grok).to include("nagios_statelevel" => "SOFT")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "SOFT")))
+    else
+      expect(grok).to include("nagios_statelevel" => "SOFT")
+    end
+  end
+
+  it "generates the nagios_attempt field" do
+    if ecs_compatibility?
+      pending "TODO: are we hitting a grok bug here ?!?"
+      # [nagios][log][attempt]:int is clearly there (changing to :float gets this passing)
+      # ... but in this particular case we still get the raw "1" string back
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("attempt" => 1)))
+    else
+      expect(grok).to include("nagios_attempt" => "1")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0")
+    if ecs_compatibility?
+      expect(grok['message'].last).to eql "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0"
+    else
+      expect(grok).to include("nagios_message" => "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0")
+    end
   end
 
 end
 
-describe "NAGIOSLOGLINE - SERVICE NOTIFICATION" do
+describe_pattern "NAGIOSLOGLINE - SERVICE NOTIFICATION", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427950229] SERVICE NOTIFICATION: nagiosadmin;varnish;Varnish Backend Connections;CRITICAL;notify-service-by-email;Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427950229] SERVICE NOTIFICATION: nagiosadmin;varnish;Varnish Backend Connections;CRITICAL;notify-service-by-email;Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "SERVICE NOTIFICATION")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'SERVICE NOTIFICATION')))
+    else
+      expect(grok).to include("nagios_type" => "SERVICE NOTIFICATION")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427950229")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427950229")
+    else
+      expect(grok).to include("nagios_epoch" => "1427950229")
+    end
   end
 
   it "generates the nagios_notifyname field" do
-    expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    if ecs_compatibility?
+      expect(grok).to include("user" => { "name" => "nagiosadmin" }) # Nagios contact's contact_name
+    else
+      expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    end
   end
 
-  it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "varnish")
+  it "generates the hostname field" do
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "varnish" })
+    else
+      expect(grok).to include("nagios_hostname" => "varnish")
+    end
   end
 
-  it "generates the nagios_service field" do
-    expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => 'Varnish Backend Connections'))
+    else
+      expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "CRITICAL")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "CRITICAL"))
+    else
+      expect(grok).to include("nagios_state" => "CRITICAL")
+    end
   end
 
   it "generates the nagios_contact field" do
-    expect(grok).to include("nagios_contact" => "notify-service-by-email")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("notification_command" => "notify-service-by-email")))
+    else
+      expect(grok).to include("nagios_contact" => "notify-service-by-email")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0")
+    if ecs_compatibility?
+      expect(grok['message'].last).to eql "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0"
+    else
+      expect(grok).to include("nagios_message" => "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0")
+    end
   end
 
 end
 
 
-describe "NAGIOSLOGLINE - HOST NOTIFICATION" do
+describe_pattern "NAGIOSLOGLINE - HOST NOTIFICATION", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1429878690] HOST NOTIFICATION: nagiosadmin;nagioshost;DOWN;notify-host-by-email;CRITICAL - Socket timeout after 10 seconds" }
-  let(:grok)    { grok_match(subject, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
+  let(:message) { "[1429878690] HOST NOTIFICATION: nagiosadmin;127.0.0.1;DOWN;host-notify-by-email;CRITICAL - Socket timeout after 10 seconds" }
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "HOST NOTIFICATION")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => "HOST NOTIFICATION")))
+    else
+      expect(grok).to include("nagios_type" => "HOST NOTIFICATION")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1429878690")
+    expect(grok).to include("nagios_epoch" => "1429878690") unless ecs_compatibility?
   end
 
   it "generates the nagios_notifyname field" do
-    expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    if ecs_compatibility?
+      expect(grok).to include("user" => { "name" => "nagiosadmin" }) # Nagios contact's contact_name
+    else
+      expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    end
   end
 
   it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "nagioshost")
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "127.0.0.1" })
+    else
+      expect(grok).to include("nagios_hostname" => "127.0.0.1")
+    end
   end
 
   it "generates the nagios_contact field" do
-    expect(grok).to include("nagios_contact" => "notify-host-by-email")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("notification_command" => "host-notify-by-email")))
+    else
+      expect(grok).to include("nagios_contact" => "host-notify-by-email")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "CRITICAL - Socket timeout after 10 seconds")
+    if ecs_compatibility?
+      expect(grok['message'].last).to eql "CRITICAL - Socket timeout after 10 seconds"
+    else
+      expect(grok).to include("nagios_message" => "CRITICAL - Socket timeout after 10 seconds")
+    end
   end
 
 end
+
+describe_pattern "NAGIOSLOGLINE - SCHEDULE_HOST_DOWNTIME", [ 'legacy', 'ecs-v1' ] do
+
+  let(:message) { "[1334609999] EXTERNAL COMMAND: SCHEDULE_HOST_DOWNTIME;sputnik;1334665800;1334553600;1;0;120;nagiosadmin;test;" }
+
+  it "matches" do
+    if ecs_compatibility?
+      expect(grok).to include(
+                          "host" => { "hostname" => "sputnik" },
+                          "nagios" => { "log" => {
+                              "type" => "EXTERNAL COMMAND",
+                              "command" => "SCHEDULE_HOST_DOWNTIME",
+                              "start_time" => "1334665800",
+                              "end_time" => "1334553600",
+                              "fixed" => '1',
+                              "trigger_id" => '0',
+                              "duration" => 120,
+
+                          }},
+                          "user" => { "name" => 'nagiosadmin' },
+                          "message" => message
+                      )
+    else
+      expect(grok).to include(
+                          "nagios_epoch"=>"1334609999",
+                          "nagios_type"=>"EXTERNAL COMMAND",
+                          "nagios_command"=>"SCHEDULE_HOST_DOWNTIME",
+                          "nagios_hostname"=>"sputnik",
+                          "nagios_duration"=>"120",
+                          "nagios_fixed"=>"1",
+                          "nagios_trigger_id"=>"0",
+                          "nagios_start_time"=>"1334665800",
+                          "nagios_end_time"=>"1334553600",
+                          "author"=>"nagiosadmin"
+      )
+    end
+  end
+end

data/spec/patterns/netscreen_spec.rb

@@ -0,0 +1,123 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe_pattern "NETSCREENSESSIONLOG", ['legacy', 'ecs-v1'] do
+
+  context "traffic denied (Juniper)" do
+
+    let(:message) do
+      'Jun  2 14:53:31 sample-host isg1000-A2: NetScreen device_id=0000011001000011 [Root]system-notification-00257(traffic): ' +
+          'start_time="2015-11-11 10:02:10" duration=0 policy_id=244 service=https proto=6 src zone=Untrust dst zone=Trust ' +
+          'action=Permit sent=0 rcvd=0 src=74.168.138.252 dst=72.72.72.72 src_port=1732 dst_port=443 ' +
+          'src-xlated ip=1.255.20.1 port=22041 dst-xlated ip=1.244.136.50 port=443 session_id=488451 reason=Creation'
+    end
+
+    it 'matches' do
+      if ecs_compatibility?
+        expect(subject).to include("timestamp" => "Jun  2 14:53:31")
+        expect(subject).to include("netscreen"=>{
+            "session"=>{"id"=>"488451", "start_time"=>"2015-11-11 10:02:10", "duration"=>0, "type"=>"traffic", "reason"=>"Creation"},
+            "policy_id"=>"244", "service"=>"https", "protocol_number"=>6, "device_id"=>"0000011001000011"
+        })
+        expect(subject).to include("event"=>{"code"=>"00257", "action"=>"Permit"})
+        # expect(subject).to include("network"=>{"protocol"=>"https"})
+        expect(subject).to include("source"=>{"bytes"=>0, "nat"=>{"port"=>22041, "ip"=>"1.255.20.1"}, "port"=>1732, "address"=>"74.168.138.252"})
+        expect(subject).to include("destination"=>{"bytes"=>0, "nat"=>{"port"=>443, "ip"=>"1.244.136.50"}, "port"=>443, "address"=>"72.72.72.72"})
+        expect(subject).to include("observer"=>{
+            "ingress"=>{"zone"=>"Untrust"}, "hostname"=>"sample-host", "name"=>"isg1000-A2", "product"=>"NetScreen",
+            "egress"=>{"zone"=>"Trust"}
+        })
+      else
+        expect(subject).to include("date" => "Jun  2 14:53:31")
+        expect(subject).to include(
+                   "device"=>"sample-host",
+                   "device_id"=>"0000011001000011",
+                   "start_time"=>"\"2015-11-11 10:02:10\"",
+                   "duration"=>"0",
+                   "policy_id"=>"244",
+                   "service"=>"https",
+                   "proto"=>"6",
+                   "src_zone"=>"Untrust", "dst_zone"=>"Trust",
+                   "action"=>"Permit",
+                   "sent"=>"0", "rcvd"=>"0",
+                   "src_ip"=>"74.168.138.252", "dst_ip"=>"72.72.72.72",
+                   "src_port"=>"1732", "dst_port"=>"443",
+                   "src_xlated_ip"=>"1.255.20.1", "src_xlated_port"=>"22041",
+                   "dst_xlated_ip"=>"1.244.136.50", "dst_xlated_port"=>"443",
+                   "session_id"=>"488451", "reason"=>"Creation",
+                   )
+      end
+    end
+
+  end
+
+  context "traffic denied (without port/xlated/session_id/reason suffix)" do
+
+    let(:message) do
+      'Mar 18 17:56:52 192.168.56.11 lowly_lizard: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): ' +
+          'start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 ' +
+          'src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1'
+    end
+
+    it 'matches in ECS mode' do
+      if ecs_compatibility?
+        expect(subject).to include("timestamp" => "Mar 18 17:56:52")
+        expect(subject).to include("netscreen"=>{
+            "device_id"=>"netscreen2",
+            "policy_id"=>"320001",
+            "service"=>"msrpc Endpoint Mapper(tcp)",
+            "protocol_number"=>6,
+            "session"=>{"start_time"=>"2009-03-18 16:07:06", "type"=>"traffic", "duration"=>0}
+        })
+        expect(subject).to include("source"=>{"address"=>"21.10.90.125", "bytes"=>0})
+        expect(subject).to include("destination"=>{"address"=>"23.16.1.1", "bytes"=>16384})
+      else
+        expect(grok['tags']).to include('_grokparsefailure')
+      end
+    end
+  end
+
+  context "'standard' traffic denied" do
+
+    let(:message) do
+      'Jun  2 14:53:31 fire00 aka1: NetScreen device_id=aka1  [Root]system-notification-00257(traffic): start_time="2006-06-02 14:53:30" ' +
+          'duration=0 policy_id=120 service=udp/port:17210 proto=17 src zone=Trust dst zone=DMZ action=Deny sent=0 rcvd=0 ' +
+          'src=192.168.2.2 dst=1.2.3.4 src_port=53 dst_port=17210'
+    end
+
+    it 'matches (in ECS mode)' do
+      if ecs_compatibility?
+        expect(subject).to include("event"=>{"action"=>"Deny", "code"=>"00257"})
+      else
+        expect(grok['tags']).to include('_grokparsefailure')
+        expect(subject).to_not include("date" => "Jun  2 14:53:31")
+      end
+    end
+
+    context "(with session id)" do
+
+      let(:message) do
+        super() + ' session_id=0 reason=Traffic Denied'
+      end
+
+      it 'matches (in ECS mode)' do
+        if ecs_compatibility?
+          expect(subject).to include("netscreen"=>hash_including("device_id"=>"aka1", "service"=>"udp/port:17210",
+                                     "session"=>hash_including("reason"=>"Traffic Denied")))
+          expect(subject).to include("observer"=>{
+              "ingress"=>{"zone"=>"Trust"},
+              "egress"=>{"zone"=>"DMZ"}, "hostname"=>"fire00", "name"=>"aka1",
+              "product"=>"NetScreen"
+          })
+        else
+          expect(grok['tags']).to include('_grokparsefailure')
+          expect(subject).to_not include("date" => "Jun  2 14:53:31")
+        end
+      end
+
+    end
+
+  end
+
+end