logstash-patterns-core 4.1.2 → 4.3.2
- checksums.yaml +5 -5
- data/CHANGELOG.md +119 -0
- data/Gemfile +8 -1
- data/LICENSE +199 -10
- data/README.md +12 -19
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +4 -4
- data/patterns/{haproxy → legacy/haproxy} +1 -1
- data/patterns/{httpd → legacy/httpd} +2 -2
- data/patterns/{java → legacy/java} +1 -3
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +1 -1
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +92 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +260 -15
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +707 -66
- data/spec/patterns/haproxy_spec.rb +253 -28
- data/spec/patterns/httpd_spec.rb +248 -86
- data/spec/patterns/java_spec.rb +375 -0
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +299 -78
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +216 -140
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +83 -5
- metadata +70 -31
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
@@ -2,19 +2,60 @@
|
|
2
2
|
require "spec_helper"
|
3
3
|
require "logstash/patterns/core"
|
4
4
|
|
5
|
-
|
5
|
+
describe_pattern "HAPROXYHTTP", ['legacy', 'ecs-v1'] do
|
6
6
|
|
7
|
-
|
7
|
+
context "log line from raw syslog line" do
|
8
8
|
|
9
|
-
|
9
|
+
let(:message) do
|
10
|
+
'Dec 9 13:01:26 localhost haproxy[28029]: 127.0.0.1:39759 [09/Dec/2013:12:59:46.633] loadbalancer default/instance8 0/51536/1/48082/99627 200 83285 - - ---- 87/87/87/1/0 0/67 {77.24.148.74} "GET /path/to/image HTTP/1.1"'
|
11
|
+
end
|
12
|
+
|
13
|
+
it "matches" do
|
14
|
+
if ecs_compatibility?
|
15
|
+
expect(subject).to include("timestamp"=>"Dec 9 13:01:26")
|
16
|
+
expect(subject).to include("host"=>{"hostname"=>"localhost"})
|
17
|
+
expect(subject).to include("process"=>{"pid"=>28029, "name"=>"haproxy"})
|
18
|
+
expect(subject).to include("source"=>{"port"=>39759, "address"=>"127.0.0.1", "bytes"=>83285})
|
19
|
+
expect(subject).to include("haproxy" => hash_including("request_date"=>"09/Dec/2013:12:59:46.633"))
|
20
|
+
expect(subject).to include("haproxy" => hash_including("frontend_name"=>"loadbalancer", "backend_name"=>"default", "server_name"=>"instance8"))
|
21
|
+
expect(subject).to include("haproxy" => hash_including(
|
22
|
+
"total_waiting_time_ms"=>51536, "connection_wait_time_ms"=>1, "total_time_ms"=>"99627",
|
23
|
+
"http" => hash_including("request"=>hash_including("time_wait_ms"=>0, "time_wait_without_data_ms"=>48082))
|
24
|
+
))
|
25
|
+
expect(subject).to include("http" => hash_including("response"=>{"status_code"=>200}))
|
26
|
+
|
27
|
+
expect(subject).to include("haproxy" => hash_including("termination_state"=>"----"))
|
28
|
+
|
29
|
+
expect(subject).to include("haproxy" => hash_including("connections"=>{"active"=>87, "frontend"=>87, "backend"=>87, "server"=>1, "retries"=>0}))
|
30
|
+
expect(subject).to include("haproxy" => hash_including("backend_queue"=>67, "server_queue"=>0))
|
10
31
|
|
11
|
-
|
12
|
-
|
32
|
+
expect(subject).to include("http" => hash_including("request" => {"method"=>'GET'}, "version" => '1.1'))
|
33
|
+
|
34
|
+
expect(subject).to include("url" => { "original"=>"/path/to/image", "path"=>"/path/to/image" })
|
35
|
+
else
|
36
|
+
expect(subject).to include("syslog_timestamp" => "Dec 9 13:01:26")
|
37
|
+
expect(subject).to include("syslog_server" => "localhost")
|
38
|
+
expect(subject).to include("http_request" => "/path/to/image", "http_status_code" => "200", "http_verb" => "GET", "http_version" => "1.1")
|
39
|
+
expect(subject).to include("program" => "haproxy")
|
40
|
+
expect(subject).to include("client_ip" => "127.0.0.1")
|
41
|
+
expect(subject).to include("http_verb" => "GET")
|
42
|
+
expect(subject).to include("server_name" => "instance8")
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
it "has no captured cookies" do
|
47
|
+
if ecs_compatibility?
|
48
|
+
expect((subject['haproxy']['http']['request'] || {}).keys).to_not include('captured_cookie')
|
49
|
+
expect((subject['haproxy']['http']['response'] || {}).keys).to_not include('captured_cookie')
|
50
|
+
end
|
51
|
+
end
|
13
52
|
|
14
|
-
it
|
15
|
-
|
16
|
-
|
17
|
-
|
53
|
+
it "includes header captures" do
|
54
|
+
if ecs_compatibility?
|
55
|
+
expect((subject['haproxy']['http'])).to include('request' => hash_including('captured_headers' => '77.24.148.74'))
|
56
|
+
expect((subject['haproxy']['http']['response'] || {}).keys).to_not include('captured_headers')
|
57
|
+
end
|
58
|
+
end
|
18
59
|
|
19
60
|
it "generates a message field" do
|
20
61
|
expect(subject["message"]).to include("loadbalancer default/instance8")
|
@@ -22,38 +63,222 @@ describe "HAPROXY" do
|
|
22
63
|
|
23
64
|
end
|
24
65
|
|
25
|
-
context "
|
66
|
+
context "log line (without headers) from raw syslog line with ISO8601 timestamp" do
|
26
67
|
|
27
|
-
let(:
|
28
|
-
|
68
|
+
let(:message) do
|
69
|
+
'2015-08-26T02:09:48+02:00 localhost haproxy[14389]: 5.196.2.38:39527 [03/Nov/2015:06:25:25.105] services~ def/api 4599/0/0/428/5027 304 320 - - ---- 1/1/0/1/0 0/0 "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1"'
|
70
|
+
end
|
29
71
|
|
30
|
-
it
|
31
|
-
|
32
|
-
|
33
|
-
|
72
|
+
it "matches" do
|
73
|
+
if ecs_compatibility?
|
74
|
+
expect(subject).to include("timestamp"=>"2015-08-26T02:09:48+02:00")
|
75
|
+
expect(subject).to include("host"=>{"hostname"=>"localhost"})
|
76
|
+
expect(subject).to include("process"=>{"pid"=>14389, "name"=>"haproxy"})
|
34
77
|
|
35
|
-
|
36
|
-
|
78
|
+
expect(subject).to include("haproxy" => hash_including("connections"=>{"active"=>1, "frontend"=>1, "backend"=>0, "server"=>1, "retries"=>0}))
|
79
|
+
expect(subject).to include("haproxy" => hash_including("backend_queue"=>0, "server_queue"=>0))
|
80
|
+
|
81
|
+
expect(subject).to include("haproxy" => hash_including("frontend_name"=>"services~"))
|
82
|
+
|
83
|
+
expect(subject).to include("http"=>{"response"=>{"status_code"=>304}, "version"=>"1.1", "request"=>{"method"=>"GET"}})
|
84
|
+
expect(subject).to include("url"=>hash_including("path"=>"/component---src-pages-index-js-4b15624544f97cf0bb8f.js"))
|
85
|
+
else
|
86
|
+
expect(subject).to include("program" => "haproxy")
|
87
|
+
expect(subject).to include("client_ip" => "5.196.2.38")
|
88
|
+
expect(subject).to include("http_verb" => "GET")
|
89
|
+
expect(subject).to include("server_name" => "api")
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
it "has no header captures" do
|
94
|
+
if ecs_compatibility?
|
95
|
+
expect((subject['haproxy']['http']['request'] || {}).keys).to_not include('captured_headers')
|
96
|
+
expect((subject['haproxy']['http']['response'] || {}).keys).to_not include('captured_headers')
|
97
|
+
end
|
37
98
|
end
|
38
99
|
|
39
100
|
end
|
40
101
|
|
41
|
-
|
102
|
+
context 'log line with both request/response headers' do
|
42
103
|
|
43
|
-
|
104
|
+
let(:message) do
|
105
|
+
'Jul 30 09:03:52 home.host haproxy[32450]: 1.2.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} "GET http://192.168.0.12:8080/serv/login.php?lang=en&profile=2 HTTP/1.1"'
|
106
|
+
end
|
44
107
|
|
45
|
-
|
46
|
-
|
108
|
+
it "matches" do
|
109
|
+
if ecs_compatibility?
|
110
|
+
expect(subject).to include("timestamp"=>"Jul 30 09:03:52")
|
111
|
+
expect(subject).to include("host"=>{"hostname"=>"home.host"})
|
47
112
|
|
48
|
-
|
49
|
-
it { should include("client_ip" => "127.0.0.1") }
|
50
|
-
it { should include("http_verb" => "GET") }
|
51
|
-
it { should include("server_name" => "instance8") }
|
113
|
+
expect(subject).to include("haproxy" => hash_including("frontend_name"=>"incoming~"))
|
52
114
|
|
53
|
-
|
54
|
-
|
115
|
+
expect(subject).to include("http"=>{"response"=>{"status_code"=>304}, "version"=>"1.1", "request"=>{"method"=>"GET"}})
|
116
|
+
expect(subject).to include("url"=>hash_including("scheme"=>"http", "domain"=>"192.168.0.12", "port"=>8080,
|
117
|
+
"path"=>"/serv/login.php", "query"=>"lang=en&profile=2",
|
118
|
+
"original"=>"http://192.168.0.12:8080/serv/login.php?lang=en&profile=2"))
|
119
|
+
else
|
120
|
+
expect(subject).to include("client_ip" => "1.2.3.4")
|
121
|
+
expect(subject).to include("http_verb" => "GET")
|
122
|
+
end
|
123
|
+
end
|
124
|
+
|
125
|
+
it "has header captures" do
|
126
|
+
if ecs_compatibility?
|
127
|
+
expect((subject['haproxy']['http']['request'])).to include('captured_headers' => 'docs.example.internal||')
|
128
|
+
expect((subject['haproxy']['http']['response'])).to include('captured_headers' => '|||')
|
129
|
+
end
|
130
|
+
end
|
131
|
+
|
132
|
+
end
|
133
|
+
|
134
|
+
context 'BADREQ/NOSRV log line' do
|
135
|
+
|
136
|
+
let(:message) do
|
137
|
+
'Jul 18 17:05:30 localhost haproxy[8247]: 188.223.50.7:51940 [18/Jul/2011:17:05:24.339] http_proxy_ads http_proxy_ads/<NOSRV> -1/-1/-1/-1/6001 408 212 - - cR-- 100/89/0/0/0 0/0 "<BADREQ>"'
|
138
|
+
end
|
139
|
+
|
140
|
+
it "matches" do
|
141
|
+
if ecs_compatibility?
|
142
|
+
expect(subject).to include("timestamp"=>"Jul 18 17:05:30")
|
143
|
+
|
144
|
+
expect(subject).to include("haproxy" => hash_including("frontend_name"=>"http_proxy_ads"))
|
145
|
+
expect(subject).to include("haproxy" => hash_including("backend_name"=>"http_proxy_ads"))
|
146
|
+
expect(subject['haproxy'].keys).to_not include('server_name')
|
147
|
+
expect(subject).to include("http"=>{"response"=>{"status_code"=>408}})
|
148
|
+
expect(subject['haproxy'].keys).to_not include("total_waiting_time_ms", "connection_wait_time_ms")
|
149
|
+
expect(subject).to include("haproxy" => hash_including("total_time_ms"=>"6001"))
|
150
|
+
expect(subject).to include("source" => hash_including("bytes"=>212))
|
151
|
+
expect(subject).to include("haproxy" => hash_including("termination_state"=>"cR--"))
|
152
|
+
expect(subject.keys).to_not include("url")
|
153
|
+
else
|
154
|
+
expect(subject).to include("backend_name"=>"http_proxy_ads", "frontend_name"=>"http_proxy_ads", "server_name"=>"<NOSRV>")
|
155
|
+
expect(subject).to include("http_status_code"=>"408")
|
156
|
+
expect(subject).to include("time_backend_connect"=>"-1", "time_queue"=>"-1", "time_backend_response"=>"-1")
|
157
|
+
expect(subject).to include("captured_request_cookie"=>"-", "captured_response_cookie"=>"-")
|
158
|
+
expect(subject).to include("bytes_read"=>"212")
|
159
|
+
expect(subject).to include("termination_state"=>"cR--")
|
160
|
+
end
|
161
|
+
end
|
162
|
+
|
163
|
+
end
|
164
|
+
|
165
|
+
end
|
166
|
+
|
167
|
+
describe_pattern "HAPROXYHTTPBASE", ['ecs-v1', 'legacy'] do
|
168
|
+
|
169
|
+
context "log line without syslog specific entries" do # This mimics an event coming from a syslog input.
|
170
|
+
|
171
|
+
let(:message) do
|
172
|
+
'127.0.0.1:39759 [09/Dec/2013:12:59:46.633] loadbalancer default/instance8 0/51536/1/48082/+99627 200 83285 - - ---- 87/87/87/1/0 0/67 {77.24.148.74} "GET / HTTP/1.1"'
|
173
|
+
end
|
174
|
+
|
175
|
+
it 'matches' do
|
176
|
+
if ecs_compatibility?
|
177
|
+
expect(subject).to include("source"=>{"port"=>39759, "address"=>"127.0.0.1", "bytes"=>83285})
|
178
|
+
expect(subject).to include("haproxy"=>hash_including("server_queue"=>0,
|
179
|
+
"http"=>{
|
180
|
+
"request"=>{"time_wait_ms"=>0, "captured_headers"=>"77.24.148.74", "time_wait_without_data_ms"=>48082}
|
181
|
+
},
|
182
|
+
|
183
|
+
# NOTE: this is why we do not type-cast to :int
|
184
|
+
# a '+' sign is prepended before the value, indicating that the final one will be larger
|
185
|
+
"total_time_ms" => "+99627"
|
186
|
+
))
|
187
|
+
expect(subject).to include("url"=>{"path"=>"/", "original"=>"/"})
|
188
|
+
else
|
189
|
+
# Assume 'program' would be matched by the syslog input.
|
190
|
+
expect(subject).to include("client_ip" => "127.0.0.1")
|
191
|
+
expect(subject).to include("server_name" => "instance8")
|
192
|
+
expect(subject).to include("http_verb" => "GET", "http_request"=>"/", "http_version" => '1.1')
|
193
|
+
expect(subject).to include("time_duration" => "+99627")
|
194
|
+
end
|
195
|
+
end
|
196
|
+
|
197
|
+
end
|
198
|
+
|
199
|
+
context "(incomplete) log line that is truncated and thus not ending with a double quote or HTTP version" do
|
200
|
+
|
201
|
+
let(:message) do
|
202
|
+
'Jul 31 22:20:22 loadbalancer haproxy[1190]: 203.0.113.54:59968 [31/Jul/2017:22:20:22.447] loadbalancer default/instance8 135/0/1/19/156 200 1015 - - --VR 8/8/0/0/0 0/0 "GET /path/to/request/that/exceeds/more/than/1024/characterssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss'
|
203
|
+
end
|
204
|
+
|
205
|
+
it 'matches' do
|
206
|
+
if ecs_compatibility?
|
207
|
+
# due compatibility with the legacy pattern we match the incomplete "REQUEST LINE ... (wout the ending '"')
|
208
|
+
expect(subject).to include("http"=>{"response"=>{"status_code"=>200}, "request"=>{"method"=>"GET"}})
|
209
|
+
expect(subject).to include("url"=>hash_including("original"=>"/path/to/request/that/exceeds/more/than/1024/characterssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss"))
|
210
|
+
else
|
211
|
+
expect(subject).to include("client_ip" => "203.0.113.54")
|
212
|
+
expect(subject).to include("http_verb" => "GET")
|
213
|
+
expect(subject).to include("server_name" => "instance8")
|
214
|
+
expect(subject).to include("http_request" => "/path/to/request/that/exceeds/more/than/1024/characterssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss")
|
215
|
+
expect(subject).to_not have_key("http_version")
|
216
|
+
end
|
217
|
+
end
|
218
|
+
|
219
|
+
end
|
220
|
+
|
221
|
+
|
222
|
+
context "connect line with host:port url" do
|
223
|
+
|
224
|
+
let(:message) do
|
225
|
+
'Nov 4 08:32:18 debian10 haproxy[3666]: 127.0.0.1:34500 [04/Nov/2020:08:32:18.194] samplefrontend backendnodes/node1 0/0/0/0/0 405 501 - - ---- 1/1/0/1/0 0/0 "CONNECT localhost:8080 HTTP/1.1"'
|
226
|
+
end
|
227
|
+
|
228
|
+
it 'matches' do
|
229
|
+
if ecs_compatibility?
|
230
|
+
expect(subject).to include("http"=>hash_including("request"=>{"method"=>"CONNECT"}))
|
231
|
+
expect(subject).to include("url"=>{"port"=>8080, "original"=>"localhost:8080", "domain"=>"localhost"})
|
232
|
+
else
|
233
|
+
expect(subject).to include("http_verb" => "CONNECT")
|
234
|
+
expect(subject).to include("http_host" => "localhost:8080")
|
235
|
+
end
|
55
236
|
end
|
56
237
|
|
57
238
|
end
|
58
239
|
|
59
240
|
end
|
241
|
+
|
242
|
+
describe_pattern "HAPROXYTCP", ['legacy', 'ecs-v1'] do
|
243
|
+
|
244
|
+
let(:message) do
|
245
|
+
'Sep 20 15:44:23 127.0.0.1 haproxy[25457]: 127.0.0.1:40962 [20/Sep/2018:15:44:23.285] main app/<NOSRV> -1/-1/1 212 SC 1/1/0/0/0 0/0'
|
246
|
+
end
|
247
|
+
|
248
|
+
it 'matches' do
|
249
|
+
if ecs_compatibility?
|
250
|
+
expect(subject).to include(
|
251
|
+
"timestamp"=>"Sep 20 15:44:23",
|
252
|
+
"host"=>{"hostname"=>"127.0.0.1"},
|
253
|
+
"process"=>{"pid"=>25457, "name"=>"haproxy"},
|
254
|
+
"source"=>{"port"=>40962, "address"=>"127.0.0.1", "bytes"=>212},
|
255
|
+
"haproxy"=>{
|
256
|
+
"request_date"=>"20/Sep/2018:15:44:23.285",
|
257
|
+
"frontend_name"=>"main", "backend_name"=>"app",
|
258
|
+
"total_time_ms"=>"1",
|
259
|
+
"termination_state"=>"SC",
|
260
|
+
"connections"=>{"active"=>1, "backend"=>0, "retries"=>0, "server"=>0, "frontend"=>1},
|
261
|
+
"server_queue"=>0, "backend_queue"=>0
|
262
|
+
})
|
263
|
+
else
|
264
|
+
expect(subject).to include(
|
265
|
+
"syslog_timestamp"=>"Sep 20 15:44:23",
|
266
|
+
"syslog_server"=>"127.0.0.1",
|
267
|
+
"program"=>"haproxy", "pid"=>"25457",
|
268
|
+
"client_ip"=>"127.0.0.1", "client_port"=>"40962",
|
269
|
+
"accept_date"=>"20/Sep/2018:15:44:23.285",
|
270
|
+
"frontend_name"=>"main",
|
271
|
+
"backend_name"=>"app",
|
272
|
+
"server_name"=>"<NOSRV>",
|
273
|
+
"time_backend_connect"=>"-1",
|
274
|
+
"time_queue"=>"-1",
|
275
|
+
"time_duration"=>"1",
|
276
|
+
"bytes_read"=>"212",
|
277
|
+
"termination_state"=>"SC",
|
278
|
+
"actconn"=>"1", "feconn"=>"1", "beconn"=>"0", "backend_queue"=>"0", "retries"=>"0",
|
279
|
+
"srv_queue"=>"0", "srvconn"=>"0",
|
280
|
+
)
|
281
|
+
end
|
282
|
+
end
|
283
|
+
|
284
|
+
end
|
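Review bot: The four capture examples ("has no captured cookies", "includes header captures", "has no header captures", "has header captures") wrap every expectation in `if ecs_compatibility?` with no `else`, so in what is presumably the `legacy` run of `describe_pattern` they execute no assertions and still report green. Captured headers and cookies are the fields most likely to hold session or credential material, so the field they land in is worth pinning in both modes; the BADREQ example already does this for legacy with `captured_request_cookie`/`captured_response_cookie`. Either add an `else` branch asserting the legacy field, or make the gap visible by opening each example with `skip "ECS-only assertion" unless ecs_compatibility?`. Separately, assuming `subject` is a plain Hash, `subject['haproxy']['http']['request']` raises NoMethodError rather than giving a readable failure when the pattern does not match at all; `subject.dig('haproxy', 'http', 'request')` would fail cleanly.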