logstash-patterns-core 4.1.2 → 4.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +119 -0
- data/Gemfile +8 -1
- data/LICENSE +199 -10
- data/README.md +12 -19
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
- data/patterns/{haproxy → legacy/haproxy} +1 -1
- data/patterns/{httpd → legacy/httpd} +2 -2
- data/patterns/{java → legacy/java} +1 -3
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +1 -1
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +92 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +260 -15
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +707 -66
- data/spec/patterns/haproxy_spec.rb +253 -28
- data/spec/patterns/httpd_spec.rb +248 -86
- data/spec/patterns/java_spec.rb +375 -0
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +299 -78
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +216 -140
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +83 -5
- metadata +70 -31
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
@@ -0,0 +1,367 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "spec_helper"
|
3
|
+
require "logstash/patterns/core"
|
4
|
+
|
5
|
+
describe_pattern "BACULA_LOG_MAX_CAPACITY", ['legacy', 'ecs-v1'] do
|
6
|
+
|
7
|
+
let(:message) do
|
8
|
+
'User defined maximum volume capacity 108,372,182,400 exceeded on device "FStorage" (/var/lib/bac/storage).'
|
9
|
+
end
|
10
|
+
|
11
|
+
it 'matches' do
|
12
|
+
if ecs_compatibility?
|
13
|
+
should include "bacula"=>{"volume"=>{"max_capacity"=>"108,372,182,400", "device"=>"FStorage", "path"=>"/var/lib/bac/storage"}}
|
14
|
+
else
|
15
|
+
should include("device"=>"FStorage")
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
end
|
20
|
+
|
21
|
+
describe_pattern "BACULA_LOG_END_VOLUME", ['legacy', 'ecs-v1'] do
|
22
|
+
|
23
|
+
let(:message) do
|
24
|
+
'End of medium on Volume "TestShortZN0014" Bytes=5,228,777 Blocks=82 at 21-Dec-2016 12:30.'
|
25
|
+
end
|
26
|
+
|
27
|
+
it 'matches' do
|
28
|
+
if ecs_compatibility?
|
29
|
+
should include "bacula"=>hash_including("volume"=>{"name"=>"TestShortZN0014", "bytes"=>"5,228,777", "blocks"=>"82"})
|
30
|
+
# bacula.timestamp is 'duplicate' information when the full BACULA_LOGLINE is matched
|
31
|
+
# we're keeping it as it includes year and might be slightly off the matched timestamp
|
32
|
+
should include "bacula"=>hash_including("timestamp"=>"21-Dec-2016 12:30")
|
33
|
+
else
|
34
|
+
should include("volume"=>"TestShortZN0014")
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
end
|
39
|
+
|
40
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_NEW_VOLUME
|
41
|
+
|
42
|
+
let(:message) do
|
43
|
+
'09-Jan 19:54 bacula-host JobId 265896: Created new Volume "FullAuto-8812" in catalog.'
|
44
|
+
# NOTE: we do not match full message log format that look like:
|
45
|
+
# 'Created new Volume="FullAuto-8812", Pool="FullFile", MediaType="FullFile" in catalog.'
|
46
|
+
end
|
47
|
+
|
48
|
+
it 'matches' do
|
49
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '09-Jan 19:54'
|
50
|
+
if ecs_compatibility?
|
51
|
+
should include "bacula"=>{"volume"=>{"name"=>"FullAuto-8812"}, "job"=>{"id"=>"265896"}}
|
52
|
+
should include "host" => {"hostname"=>"bacula-host"}
|
53
|
+
else
|
54
|
+
should include("volume"=>"FullAuto-8812")
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
58
|
+
end
|
59
|
+
|
60
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_NEW_LABEL
|
61
|
+
|
62
|
+
let(:message) do
|
63
|
+
'25-Aug 10:50 bacula-sd JobId 24: Labeled new Volume "Vol-0018" on device "FileChgr1-Dev1" (/opt/bacula/disk).'
|
64
|
+
end
|
65
|
+
|
66
|
+
it 'matches' do
|
67
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '25-Aug 10:50'
|
68
|
+
if ecs_compatibility?
|
69
|
+
should include "bacula"=>hash_including("volume"=>{"name"=>"Vol-0018", "device"=>"FileChgr1-Dev1", "path"=>"/opt/bacula/disk"})
|
70
|
+
should include "bacula"=>hash_including("job"=>{"id"=>"24"})
|
71
|
+
should include "host" => {"hostname"=>"bacula-sd"}
|
72
|
+
else
|
73
|
+
should include("volume"=>"Vol-0018", "device" => "FileChgr1-Dev1")
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
end
|
78
|
+
|
79
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_WROTE_LABEL
|
80
|
+
|
81
|
+
let(:message) do
|
82
|
+
'25-Aug 10:50 bacula-sd JobId 24: Wrote label to prelabeled Volume "Volume01" on device "Device01" (/dev/nst0)'
|
83
|
+
end
|
84
|
+
|
85
|
+
it 'matches' do
|
86
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '25-Aug 10:50'
|
87
|
+
if ecs_compatibility?
|
88
|
+
should include "bacula"=>hash_including("volume"=>{"name"=>"Volume01", "device"=>"Device01", "path"=>"/dev/nst0"})
|
89
|
+
else
|
90
|
+
should include("jobid"=>"24")
|
91
|
+
end
|
92
|
+
end
|
93
|
+
|
94
|
+
end
|
95
|
+
|
96
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_NEW_MOUNT
|
97
|
+
|
98
|
+
let(:message) do
|
99
|
+
'24-Aug 01:54 crey-sd JobId 215534: New volume "DiffAuto-4861" mounted on device "vDrive-1" (/usr/local/bac/volumes) at 24-Aug-2015 01:54.'
|
100
|
+
end
|
101
|
+
|
102
|
+
it 'matches' do
|
103
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '24-Aug 01:54'
|
104
|
+
if ecs_compatibility?
|
105
|
+
should include "bacula"=>hash_including("volume"=>{"name"=>"DiffAuto-4861", "device"=>"vDrive-1", "path"=>"/usr/local/bac/volumes"})
|
106
|
+
else
|
107
|
+
should include("device"=>"vDrive-1", "volume"=>"DiffAuto-4861", "hostname"=>"crey-sd", "jobid"=>"215534")
|
108
|
+
end
|
109
|
+
end
|
110
|
+
|
111
|
+
end
|
112
|
+
|
113
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_NOOPENDIR
|
114
|
+
|
115
|
+
let(:message) do
|
116
|
+
'24-Feb 16:36 starfury-fd JobId 3: Could not open directory "/root": ERR=Permission denied'
|
117
|
+
end
|
118
|
+
|
119
|
+
it 'matches' do
|
120
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '24-Feb 16:36'
|
121
|
+
if ecs_compatibility?
|
122
|
+
should include "file"=>{"path"=>"/root"}
|
123
|
+
should include "error"=>{"message"=>"Permission denied"}
|
124
|
+
else
|
125
|
+
should include("berror"=>"Permission denied")
|
126
|
+
end
|
127
|
+
end
|
128
|
+
|
129
|
+
end
|
130
|
+
|
131
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_NOSTAT
|
132
|
+
|
133
|
+
let(:message) do
|
134
|
+
'15-Dec 17:50 u22.com JobId 13: Could not stat /var/lib/bacula/bacula.sql: ERR=No such file or directory'
|
135
|
+
end
|
136
|
+
|
137
|
+
it 'matches' do
|
138
|
+
if ecs_compatibility?
|
139
|
+
should include "timestamp" => '15-Dec 17:50'
|
140
|
+
should include "file"=>{"path"=>"/var/lib/bacula/bacula.sql"}
|
141
|
+
should include "error"=>{"message"=>"No such file or directory"}
|
142
|
+
else
|
143
|
+
# NOTE: not matching due BACULA_HOST
|
144
|
+
# should include "bts" => '15-Dec 17:50'
|
145
|
+
# should include "berror"=>"No such file or directory"
|
146
|
+
end
|
147
|
+
end
|
148
|
+
|
149
|
+
end
|
150
|
+
|
151
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_ALL_RECORDS_PRUNED
|
152
|
+
|
153
|
+
let(:message) do
|
154
|
+
'12-Apr 14:23 VU0EM005: All records pruned from Volume "06D125L3"; marking it "Purged"'
|
155
|
+
end
|
156
|
+
|
157
|
+
it 'matches' do
|
158
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '12-Apr 14:23'
|
159
|
+
if ecs_compatibility?
|
160
|
+
should include "bacula"=>{"volume"=>{"name"=>"06D125L3"}},
|
161
|
+
"host"=>{"hostname"=>"VU0EM005"}
|
162
|
+
else
|
163
|
+
should include "hostname"=>"VU0EM005", "volume"=>"06D125L3"
|
164
|
+
end
|
165
|
+
end
|
166
|
+
|
167
|
+
end
|
168
|
+
|
169
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_PRUNED_JOBS
|
170
|
+
|
171
|
+
let(:message) do
|
172
|
+
'29-Jan 04:16 lbu02-dir: Pruned 24 Jobs for client uni-horn from catalog.'
|
173
|
+
end
|
174
|
+
|
175
|
+
it 'matches' do
|
176
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '29-Jan 04:16'
|
177
|
+
if ecs_compatibility?
|
178
|
+
should include "bacula"=>{"client"=>{"name"=>"uni-horn"}}, "host"=>{"hostname"=>"lbu02-dir"}
|
179
|
+
else
|
180
|
+
should include "hostname"=>"lbu02-dir", "client"=>"uni-horn"
|
181
|
+
end
|
182
|
+
end
|
183
|
+
|
184
|
+
end
|
185
|
+
|
186
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_STARTJOB
|
187
|
+
|
188
|
+
let(:message) do
|
189
|
+
'06-Mar 20:00 srvbkp-dir JobId 1075: Start Backup JobId 1075, Job=srv1-bind.2018-03-06_20.00.01_05'
|
190
|
+
end
|
191
|
+
|
192
|
+
it 'matches' do
|
193
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '06-Mar 20:00'
|
194
|
+
if ecs_compatibility?
|
195
|
+
should include "bacula"=>{"job"=>{"name"=>"srv1-bind.2018-03-06_20.00.01_05", "id"=>"1075"}}
|
196
|
+
else
|
197
|
+
should include "job"=>"srv1-bind.2018-03-06_20.00.01_05", "jobid"=>"1075"
|
198
|
+
end
|
199
|
+
end
|
200
|
+
|
201
|
+
end
|
202
|
+
|
203
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_DIFF_FS
|
204
|
+
|
205
|
+
let(:message) do
|
206
|
+
'01-Feb 00:34 ohms-fd JobId 1662: /var/spool/bareos is a different filesystem. Will not descend from /var into it.'
|
207
|
+
end
|
208
|
+
|
209
|
+
it 'matches' do
|
210
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '01-Feb 00:34'
|
211
|
+
end
|
212
|
+
|
213
|
+
end
|
214
|
+
|
215
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_JOBEND
|
216
|
+
|
217
|
+
let(:message) do
|
218
|
+
'28-Aug 21:55 bacula-sd JobId 16: Job write elapsed time = 00:00:01, Transfer rate = 0 Bytes/second'
|
219
|
+
end
|
220
|
+
|
221
|
+
it 'matches' do
|
222
|
+
should include (ecs_compatibility? ? "timestamp" : "bts") => '28-Aug 21:55'
|
223
|
+
if ecs_compatibility?
|
224
|
+
should include "bacula"=>{"job"=>{"elapsed_time"=>"00:00:01", "id"=>"16"}}
|
225
|
+
else
|
226
|
+
should include "jobid"=>"16", "elapsed" => "00:00:01"
|
227
|
+
end
|
228
|
+
end
|
229
|
+
|
230
|
+
end
|
231
|
+
|
232
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_VOLUME_PREVWRITTEN
|
233
|
+
|
234
|
+
let(:message) do
|
235
|
+
'17-Jan-2003 16:45 home-sd: Volume test01 previously written, moving to end of data.'
|
236
|
+
end
|
237
|
+
|
238
|
+
it 'matches' do
|
239
|
+
if ecs_compatibility?
|
240
|
+
should include "timestamp" => '17-Jan-2003 16:45'
|
241
|
+
should include "bacula"=>{"volume"=>{"name"=>"test01"}}
|
242
|
+
else
|
243
|
+
# fails to match (due timestamp format)
|
244
|
+
end
|
245
|
+
end
|
246
|
+
|
247
|
+
end
|
248
|
+
|
249
|
+
describe_pattern "BACULA_LOG_READYAPPEND", ['legacy', 'ecs-v1'] do
|
250
|
+
|
251
|
+
let(:message) do
|
252
|
+
'Ready to append to end of Volume "F-0032" size=97835302'
|
253
|
+
end
|
254
|
+
|
255
|
+
it 'matches' do
|
256
|
+
if ecs_compatibility?
|
257
|
+
should include "bacula"=>{"volume"=>{"name"=>"F-0032", "size"=>97835302}}
|
258
|
+
else
|
259
|
+
should include "volume"=>"F-0032"
|
260
|
+
end
|
261
|
+
end
|
262
|
+
|
263
|
+
end
|
264
|
+
|
265
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_CLIENT_RBJ
|
266
|
+
|
267
|
+
let(:message) do
|
268
|
+
'01-Aug 13:30 toe-fd JobId 686: shell command: run ClientRunBeforeJob "/etc/bacula/cbe_hanfs.sh /mnt/baxter/fs1"'
|
269
|
+
end
|
270
|
+
|
271
|
+
it 'matches' do
|
272
|
+
if ecs_compatibility?
|
273
|
+
should include "bacula"=>{"job"=>{"id"=>"686", "client_run_before_command"=>'/etc/bacula/cbe_hanfs.sh /mnt/baxter/fs1'}}
|
274
|
+
else
|
275
|
+
should include "jobid"=>"686", "runjob"=>"/etc/bacula/cbe_hanfs.sh /mnt/baxter/fs1"
|
276
|
+
end
|
277
|
+
end
|
278
|
+
|
279
|
+
end
|
280
|
+
|
281
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_FATAL_CONN
|
282
|
+
|
283
|
+
let(:message) do
|
284
|
+
'11-Nov 13:28 bacula-dir JobId 11: Fatal error: bsock.c:133 Unable to connect to Client: dc0-fd on dc0.teamworld.com:9102. ERR=Connection refused'
|
285
|
+
end
|
286
|
+
|
287
|
+
it 'matches' do
|
288
|
+
if ecs_compatibility?
|
289
|
+
should include "client"=>{"address"=>"dc0.teamworld.com", "port"=>9102},
|
290
|
+
"bacula"=>hash_including("client"=>{"name"=>"dc0-fd"}),
|
291
|
+
"error"=>{"message"=>"Connection refused"}
|
292
|
+
else
|
293
|
+
should include "client"=>"dc0-fd", "berror"=>"Connection refused"
|
294
|
+
end
|
295
|
+
end
|
296
|
+
|
297
|
+
end
|
298
|
+
|
299
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_NO_AUTH
|
300
|
+
|
301
|
+
let(:message) do
|
302
|
+
'16-May 11:59 samy-dir JobId 0: Fatal error: Unable to authenticate with File daemon at "cardam.home.domain:9102". Possible causes:'
|
303
|
+
end
|
304
|
+
|
305
|
+
it 'matches' do
|
306
|
+
if ecs_compatibility?
|
307
|
+
# NOTE: due a grok bug port:int type-casting does not work :
|
308
|
+
#should include "client"=>{"address"=>"cardam.home.domain", "port"=>9102}
|
309
|
+
expect( subject['client'] ).to be_a Hash
|
310
|
+
expect( subject['client']['address'] ).to eql 'cardam.home.domain'
|
311
|
+
expect( subject['client']['port'].to_i ).to eql 9102
|
312
|
+
else
|
313
|
+
# does not match due client address:port
|
314
|
+
end
|
315
|
+
end
|
316
|
+
|
317
|
+
end
|
318
|
+
|
319
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_CANCELLING
|
320
|
+
|
321
|
+
let(:message) do
|
322
|
+
'03-Aug 06:20 DIRECTOR JobId 316677: Cancelling duplicate JobId=316646.'
|
323
|
+
end
|
324
|
+
|
325
|
+
it 'matches' do
|
326
|
+
if ecs_compatibility?
|
327
|
+
expect( subject ).to include "bacula" => hash_including("job" => {'id' => '316677', 'other_id' => '316646'})
|
328
|
+
else
|
329
|
+
expect( subject ).to include "jobid" => "316677"
|
330
|
+
end
|
331
|
+
end
|
332
|
+
|
333
|
+
end
|
334
|
+
|
335
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_MARKCANCEL
|
336
|
+
|
337
|
+
let(:message) do
|
338
|
+
'09-Aug 15:14 InternetServer-sd JobId 122971, Job nyi_maildir.2013-03-03_22.00.00_51 marked to be canceled.'
|
339
|
+
end
|
340
|
+
|
341
|
+
it 'matches' do
|
342
|
+
if ecs_compatibility?
|
343
|
+
expect( subject ).to include "bacula" => hash_including(
|
344
|
+
"job" => {'id' => '122971', 'name' => 'nyi_maildir.2013-03-03_22.00.00_51'})
|
345
|
+
else
|
346
|
+
expect( subject ).to include "job" => "nyi_maildir.2013-03-03_22.00.00_51"
|
347
|
+
end
|
348
|
+
end
|
349
|
+
|
350
|
+
end
|
351
|
+
|
352
|
+
|
353
|
+
describe_pattern "BACULA_LOGLINE", ['legacy', 'ecs-v1'] do # BACULA_LOG_FATAL_CONN
|
354
|
+
|
355
|
+
let(:message) do
|
356
|
+
'25-Aug 09:02 marlin2-dir JobId 10783: Fatal Error: JobId 10782 already running. Duplicate job not allowed.'
|
357
|
+
end
|
358
|
+
|
359
|
+
it 'matches' do
|
360
|
+
if ecs_compatibility?
|
361
|
+
expect( subject ).to include "bacula" => hash_including("job" => {'id' => '10783', 'other_id' => '10782'})
|
362
|
+
else
|
363
|
+
# NOTE: not matching due expecting 'error' instead of 'Error' in "Fatal Error: JobId ..."
|
364
|
+
end
|
365
|
+
end
|
366
|
+
|
367
|
+
end
|
@@ -0,0 +1,92 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "spec_helper"
|
3
|
+
require "logstash/patterns/core"
|
4
|
+
|
5
|
+
describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
|
6
|
+
|
7
|
+
let(:message) do # Bind 9.10
|
8
|
+
'17-Feb-2018 23:06:56.326 queries: info: client 172.26.0.1#12345 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)'
|
9
|
+
end
|
10
|
+
|
11
|
+
it 'matches' do
|
12
|
+
should include("timestamp" => "17-Feb-2018 23:06:56.326")
|
13
|
+
if ecs_compatibility?
|
14
|
+
should include("log" => hash_including("level" => "info"))
|
15
|
+
should include("client" => { "ip" => "172.26.0.1", "port" => 12345 })
|
16
|
+
should include("dns" => { "question" => { "name" => "test.example.com", "type" => 'A', "class" => 'IN' }})
|
17
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K'))})
|
18
|
+
should include("server" => { "ip" => "172.26.0.3" })
|
19
|
+
# NOTE: duplicate but still captured since we've been doing that before as well :
|
20
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("name" => 'test.example.com'))})
|
21
|
+
else
|
22
|
+
should include("loglevel" => "info")
|
23
|
+
should include("clientip" => "172.26.0.1")
|
24
|
+
should include("clientport" => "12345")
|
25
|
+
should include("query" => ["test.example.com", "test.example.com"])
|
26
|
+
should include("querytype" => "A +E(0)K")
|
27
|
+
should include("dns" => "172.26.0.3")
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
context 'with client memory address (since Bind 9.11)' do
|
32
|
+
# logging format is the same <= 9.16, but if using a separate query-log all options need to be enabled :
|
33
|
+
# channel query.log {
|
34
|
+
# file "/var/log/named/query.log";
|
35
|
+
# severity debug 3;
|
36
|
+
# //print-time YES; // @timestamp
|
37
|
+
# //print-category YES; // queries:
|
38
|
+
# //print-severity YES; // info:
|
39
|
+
# };
|
40
|
+
|
41
|
+
let(:message) do # client @0x7f64500020ef - memory address of the data structure representing the client
|
42
|
+
'30-Jun-2018 15:50:00.999 queries: info: client @0x7f64500020ef 192.168.10.48#60061 (91.2.10.170.in-addr.internal): query: 91.2.10.170.in-addr.internal IN PTR + (192.168.2.2)'
|
43
|
+
end
|
44
|
+
|
45
|
+
it 'matches' do
|
46
|
+
should include("timestamp" => "30-Jun-2018 15:50:00.999")
|
47
|
+
if ecs_compatibility?
|
48
|
+
should include("log" => hash_including("level" => "info"))
|
49
|
+
should include("client" => { "ip" => "192.168.10.48", "port" => 60061 })
|
50
|
+
should include("dns" => { "question" => { "name" => "91.2.10.170.in-addr.internal", "type" => 'PTR', "class" => 'IN' }})
|
51
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+')) })
|
52
|
+
should include("server" => { "ip" => "192.168.2.2" })
|
53
|
+
else
|
54
|
+
should include("loglevel" => "info")
|
55
|
+
should include("clientip" => "192.168.10.48")
|
56
|
+
should include("clientport" => "60061")
|
57
|
+
should include("query" => ["91.2.10.170.in-addr.internal", "91.2.10.170.in-addr.internal"])
|
58
|
+
should include("querytype" => "PTR +")
|
59
|
+
should include("dns" => "192.168.2.2")
|
60
|
+
end
|
61
|
+
end
|
62
|
+
|
63
|
+
end
|
64
|
+
|
65
|
+
end
|
66
|
+
|
67
|
+
describe_pattern "BIND9_QUERYLOGBASE", ['ecs-v1'] do
|
68
|
+
let(:message) do
|
69
|
+
'client @0x7f85b4026ed0 127.0.0.1#42520 (ci.elastic.co): query: ci.elastic.co IN A +E(0)K (35.193.103.164)'
|
70
|
+
end
|
71
|
+
|
72
|
+
it 'matches' do
|
73
|
+
should include("client" => { "ip" => "127.0.0.1", "port" => 42520 })
|
74
|
+
should include("dns" => { "question" => { "name" => "ci.elastic.co", "type" => 'A', "class" => 'IN' }})
|
75
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K') )})
|
76
|
+
should include("server" => { "ip" => "35.193.103.164" })
|
77
|
+
end
|
78
|
+
end
|
79
|
+
|
80
|
+
describe_pattern "BIND9_QUERYLOG", ['ecs-v1'] do
|
81
|
+
let(:message) do
|
82
|
+
'01-May-2019 00:27:48.084 queries: info: client @0x7f82bc11d4e0 192.168.1.111#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)'
|
83
|
+
end
|
84
|
+
|
85
|
+
it 'matches' do
|
86
|
+
should include("client" => { "ip" => "192.168.1.111", "port" => 53995 })
|
87
|
+
should include("dns" => { "question" => { "name" => "google.com", "type" => 'A', "class" => 'IN' }})
|
88
|
+
should include("bind" => { "log" => hash_including("question" => { "flags" => '+E(0)', "name" => 'google.com' })})
|
89
|
+
should include("server" => { "ip" => "10.80.1.88" })
|
90
|
+
should include("log" => { "level" => "info" })
|
91
|
+
end
|
92
|
+
end
|