RubyGems - logstash-patterns-core - Versions diffs - 4.1.2 → 4.3.2 - Mend

logstash-patterns-core 4.1.2 → 4.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +119 -0
data/Gemfile +8 -1
data/LICENSE +199 -10
data/README.md +12 -19
data/lib/logstash/patterns/core.rb +11 -3
data/logstash-patterns-core.gemspec +1 -1
data/patterns/ecs-v1/aws +28 -0
data/patterns/ecs-v1/bacula +53 -0
data/patterns/ecs-v1/bind +13 -0
data/patterns/ecs-v1/bro +30 -0
data/patterns/ecs-v1/exim +26 -0
data/patterns/ecs-v1/firewalls +111 -0
data/patterns/ecs-v1/grok-patterns +95 -0
data/patterns/ecs-v1/haproxy +40 -0
data/patterns/ecs-v1/httpd +17 -0
data/patterns/ecs-v1/java +34 -0
data/patterns/ecs-v1/junos +13 -0
data/patterns/ecs-v1/linux-syslog +16 -0
data/patterns/{maven → ecs-v1/maven} +0 -0
data/patterns/ecs-v1/mcollective +4 -0
data/patterns/ecs-v1/mongodb +7 -0
data/patterns/ecs-v1/nagios +124 -0
data/patterns/ecs-v1/postgresql +2 -0
data/patterns/ecs-v1/rails +13 -0
data/patterns/ecs-v1/redis +3 -0
data/patterns/ecs-v1/ruby +2 -0
data/patterns/ecs-v1/squid +6 -0
data/patterns/ecs-v1/zeek +33 -0
data/patterns/{aws → legacy/aws} +1 -1
data/patterns/{bacula → legacy/bacula} +5 -5
data/patterns/legacy/bind +3 -0
data/patterns/{bro → legacy/bro} +0 -0
data/patterns/{exim → legacy/exim} +8 -2
data/patterns/{firewalls → legacy/firewalls} +2 -2
data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
data/patterns/{haproxy → legacy/haproxy} +1 -1
data/patterns/{httpd → legacy/httpd} +2 -2
data/patterns/{java → legacy/java} +1 -3
data/patterns/{junos → legacy/junos} +0 -0
data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
data/patterns/legacy/maven +1 -0
data/patterns/{mcollective → legacy/mcollective} +0 -0
data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
data/patterns/{mongodb → legacy/mongodb} +0 -0
data/patterns/{nagios → legacy/nagios} +1 -1
data/patterns/{postgresql → legacy/postgresql} +0 -0
data/patterns/{rails → legacy/rails} +0 -0
data/patterns/{redis → legacy/redis} +0 -0
data/patterns/{ruby → legacy/ruby} +0 -0
data/patterns/legacy/squid +4 -0
data/spec/patterns/aws_spec.rb +395 -0
data/spec/patterns/bacula_spec.rb +367 -0
data/spec/patterns/bind_spec.rb +92 -0
data/spec/patterns/bro_spec.rb +613 -0
data/spec/patterns/core_spec.rb +260 -15
data/spec/patterns/exim_spec.rb +201 -0
data/spec/patterns/firewalls_spec.rb +707 -66
data/spec/patterns/haproxy_spec.rb +253 -28
data/spec/patterns/httpd_spec.rb +248 -86
data/spec/patterns/java_spec.rb +375 -0
data/spec/patterns/junos_spec.rb +101 -0
data/spec/patterns/mcollective_spec.rb +35 -0
data/spec/patterns/mongodb_spec.rb +170 -33
data/spec/patterns/nagios_spec.rb +299 -78
data/spec/patterns/netscreen_spec.rb +123 -0
data/spec/patterns/rails3_spec.rb +87 -29
data/spec/patterns/redis_spec.rb +216 -140
data/spec/patterns/shorewall_spec.rb +85 -74
data/spec/patterns/squid_spec.rb +139 -0
data/spec/patterns/syslog_spec.rb +266 -22
data/spec/spec_helper.rb +83 -5
metadata +70 -31
data/patterns/bind +0 -3
data/patterns/squid +0 -4
data/spec/patterns/bro.rb +0 -126
data/spec/patterns/s3_spec.rb +0 -173

data/spec/patterns/rails3_spec.rb CHANGED Viewed

@@ -2,55 +2,113 @@
 require "spec_helper"
 require "logstash/patterns/core"
-describe "RAILS" do
-  let(:rails3_pattern)  { "RAILS3" }
+describe_pattern "RAILS3", ['legacy', 'ecs-v1'] do
-  context "Parsing RAILS3 single-line log from raw log file" do
+  context "single-line log" do
-    let(:value) { 'Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2015-08-05 11:37:01 +0200' }
-    subject     { grok_match(rails3_pattern, value) }
+    let(:message) { 'Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2015-08-05 11:37:01 +0200' }
     # Started
-    it { should include("verb" => "POST" ) }
-    it { should include("request" => "/api/v3/internal/allowed" ) }
+    it do
+      if ecs_compatibility?
+        should include("http" => hash_including("request" => { "method" => "POST" }))
+      else
+        should include("verb" => "POST")
+      end
+    end
+    it do
+      if ecs_compatibility?
+      else
+        should include("request" => "/api/v3/internal/allowed")
+      end
+    end
     # for
-    it { should include("clientip" => "127.0.0.1" ) }
+    it do
+      if ecs_compatibility?
+        should include("source" => { "address" => "127.0.0.1" })
+      else
+        should include("clientip" => "127.0.0.1")
+      end
+    end
     # at
     it { should include("timestamp" => "2015-08-05 11:37:01 +0200" ) }
   end
-  context "Parsing RAILS3 multi-line log from raw log file" do
+  context "multi-line log" do
-    let(:value) { 'Started GET "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" for 127.0.0.1 at 2015-08-05 07:40:22 +0200
+    let(:message) { 'Started GET "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" for 127.0.0.1 at 2015-08-05 07:40:22 +0200
 Processing by Projects::NotesController#index as JSON
   Parameters: {"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"}
-Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' }
-    subject     { grok_match(rails3_pattern, value) }
+Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' }
     # started
-    it { should include("verb" => "GET" ) }
-    it { should include("request" => "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" ) }
+    it do
+      if ecs_compatibility?
+        should include("http" => hash_including("request" => { "method" => "GET" }))
+      else
+        should include("verb" => "GET")
+      end
+    end
+    it do
+      if ecs_compatibility?
+        should include("url" => {"original"=>"/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732"})
+      else
+        should include("request" => "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" )
+      end
+    end
     # for
-    it { should include("clientip" => "127.0.0.1" ) }
+    it do
+      if ecs_compatibility?
+        should include("source" => { "address" => "127.0.0.1" })
+      else
+        should include("clientip" => "127.0.0.1")
+      end
+    end
     # at
-    it { should include("timestamp" => "2015-08-05 07:40:22 +0200" ) }
+    it { should include("timestamp" => "2015-08-05 07:40:22 +0200") }
     # Processing by
-    it { should include("controller" => "Projects::NotesController" ) }
-    it { should include("action" => "index" ) }
+    it do
+      if ecs_compatibility?
+        should include("rails" => hash_including("controller" => { "class"=>"Projects::NotesController", "action"=>"index" }))
+      else
+        should include("controller" => "Projects::NotesController")
+        should include("action" => "index")
+      end
+    end
     # as
-    it { should include("format" => "JSON" ) }
+    it do
+      if ecs_compatibility?
+        should include("rails" => hash_including("request" => hash_including("format" => 'JSON')))
+      else
+        should include("format" => "JSON" )
+      end
+    end
     # Parameters
-    it { should include("params" => '"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"' ) }
+    it do
+      params = '"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"'
+      if ecs_compatibility?
+        should include("rails" => hash_including("request" => hash_including("params" => params)))
+      else
+        should include("params" => params)
+      end
+    end
     # Completed
-    it { should include("response" => "200" ) }
+    it do
+      if ecs_compatibility?
+        should include("http" => hash_including("response" => { "status_code" => 200 }))
+      else
+        should include("response" => "200" )
+      end
+    end
     # in
-    it { should include("totalms" =>  "640" ) }
-    # (Views:
-    it { should include("viewms" =>  "1.7" ) }
-    # | ActiveRecord:
-    it { should include("activerecordms" =>  "91.0" ) }
+    it do
+      if ecs_compatibility?
+        should include("rails" => hash_including("request" => hash_including("duration" => { "total" => 640.0, "view" => 1.7, "active_record" => 91.0 })))
+      else
+        should include("totalms" => "640", "viewms" => "1.7", "activerecordms" => "91.0")
+      end
+    end
   end
 end

data/spec/patterns/redis_spec.rb CHANGED Viewed

@@ -2,170 +2,246 @@
 require "spec_helper"
 require "logstash/patterns/core"
-describe "REDISTIMESTAMP" do
+describe_pattern 'REDISTIMESTAMP', [ 'legacy', 'ecs-v1' ] do
-  let(:value) { '14 Nov 07:01:22.119'}
-  let(:pattern) { "REDISTIMESTAMP" }
+  let(:message) { '14 Nov 07:01:22.119'}
   it "a pattern pass the grok expression" do
-    expect(grok_match(pattern, value)).to pass
+    expect(grok_match(pattern, message)).to pass
   end
 end
-describe "REDISLOG" do
+describe_pattern 'REDISLOG', [ 'legacy', 'ecs-v1' ] do
-  let(:value)   { "[4018] 14 Nov 07:01:22.119 * Background saving terminated with success" }
-  let(:pattern) { "REDISLOG" }
-  let(:grok)    { grok_match(pattern, value) }
+  let(:message) { "[4018] 14 Nov 07:01:22.119 * Background saving terminated with success" }
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
   it "generates the pid field" do
-    expect(grok).to include("pid" => "4018")
+    if ecs_compatibility?
+      expect(grok).to include("process" => { 'pid' => 4018 })
+    else
+      expect(grok).to include("pid" => "4018")
+    end
   end
 end
+describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
+  context "simple command" do
+    let(:message) { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1470637867.953466")
+    end
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
+      else
+        expect(grok).to include("database" => "0")
+      end
+    end
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+      else
+        expect(grok).to include("client" => "195.168.1.1")
+      end
+    end
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 52500))
+      else
+        expect(grok).to include("port" => "52500")
+      end
+    end
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => { 'name' => 'info' }))
+      else
+        expect(grok).to include("command" => "info")
+      end
+    end
+  end
+  context "one param command" do
+    let(:message) { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1339518083.107412")
+    end
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
+      else
+        expect(grok).to include("database" => "0")
+      end
+    end
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+      else
+        expect(grok).to include("client" => "127.0.0.1")
+      end
+    end
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 60866))
+      else
+        expect(grok).to include("port" => "60866")
+      end
+    end
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'keys')))
+      else
+        expect(grok).to include("command" => "keys")
+      end
+    end
+    it "generates the params field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => '"*"')))
+      else
+        expect(grok).to include("params" => "\"*\"")
+      end
+    end
-describe "REDISMONLOG - SIMPLE COMMAND" do
-  let(:value)   { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1470637867.953466")
-  end
-  it "generates the database field" do
-    expect(grok).to include("database" => "0")
-  end
-  it "generates the client field" do
-    expect(grok).to include("client" => "195.168.1.1")
-  end
-  it "generates the port field" do
-    expect(grok).to include("port" => "52500")
-  end
-  it "generates the command field" do
-    expect(grok).to include("command" => "info")
-  end
-end
-describe "REDISMONLOG - ONE PARAM COMMAND" do
-  let(:value)   { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1339518083.107412")
-  end
-  it "generates the database field" do
-    expect(grok).to include("database" => "0")
-  end
-  it "generates the client field" do
-    expect(grok).to include("client" => "127.0.0.1")
-  end
-  it "generates the port field" do
-    expect(grok).to include("port" => "60866")
-  end
-  it "generates the command field" do
-    expect(grok).to include("command" => "keys")
-  end
-  it "generates the params field" do
-    expect(grok).to include("params" => "\"*\"")
   end
 end
-describe "REDISMONLOG - TWO PARAM COMMAND" do
+describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do
+  context 'two param command' do
+    let(:message) { "1470637925.186681 [0 127.0.0.1:39404] \"rpush\" \"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"" }
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1470637925.186681")
+    end
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '0')))
+      else
+        expect(grok).to include("database" => "0")
+      end
+    end
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+      else
+        expect(grok).to include("client" => "127.0.0.1")
+      end
+    end
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 39404))
+      else
+        expect(grok).to include("port" => "39404")
+      end
+    end
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))
+      else
+        expect(grok).to include("command" => "rpush")
+      end
+    end
+    it "generates the params field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")))
+      else
+        expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+      end
+    end
+  end
+  context "variadic command" do
+    let(:message) { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1470637875.777457")
+    end
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '15')))
+      else
+        expect(grok).to include("database" => "15")
+      end
+    end
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+      else
+        expect(grok).to include("client" => "195.168.1.1")
+      end
+    end
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 52500))
+      else
+        expect(grok).to include("port" => "52500")
+      end
+    end
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'intentionally')))
+      else
+        expect(grok).to include("command" => "intentionally")
+      end
+    end
+    it "generates the params field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"broken\" \"variadic\" \"log\" \"entry\"")))
+      else
+        expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+      end
+    end
-  let(:value)   { "1470637925.186681 [0 127.0.0.1:39404] \"rpush\" \"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1470637925.186681")
-  end
-  it "generates the database field" do
-    expect(grok).to include("database" => "0")
-  end
-  it "generates the client field" do
-    expect(grok).to include("client" => "127.0.0.1")
-  end
-  it "generates the port field" do
-    expect(grok).to include("port" => "39404")
-  end
-  it "generates the command field" do
-    expect(grok).to include("command" => "rpush")
-  end
-  it "generates the params field" do
-    expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
   end
 end
-describe "REDISMONLOG - VARIADIC COMMAND" do
-  let(:value)   { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1470637875.777457")
-  end
-  it "generates the database field" do
-    expect(grok).to include("database" => "15")
-  end
-  it "generates the client field" do
-    expect(grok).to include("client" => "195.168.1.1")
-  end
-  it "generates the port field" do
-    expect(grok).to include("port" => "52500")
-  end
-  it "generates the command field" do
-    expect(grok).to include("command" => "intentionally")
-  end
-  it "generates the params field" do
-    expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
-  end
-end