logstash-patterns-core 4.2.0 → 4.3.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +98 -0
- data/Gemfile +3 -0
- data/README.md +11 -18
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +0 -0
- data/patterns/{haproxy → legacy/haproxy} +0 -0
- data/patterns/{httpd → legacy/httpd} +1 -1
- data/patterns/{java → legacy/java} +0 -0
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +0 -0
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +78 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +51 -9
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +669 -66
- data/spec/patterns/haproxy_spec.rb +246 -38
- data/spec/patterns/httpd_spec.rb +215 -94
- data/spec/patterns/java_spec.rb +357 -27
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +296 -79
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +157 -121
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +80 -6
- metadata +64 -28
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
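--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -24,19 +24,55 @@ end
 require "logstash/filters/grok"
 
 module GrokHelpers
+module PatternModeSupport
+@@pattern_mode = nil
+def pattern_mode
+@@pattern_mode
+end
+module_function :pattern_mode
+
+def pattern_mode=(mode)
+@@pattern_mode = mode
+end
+end
+
+def ecs_compatibility?
+case ecs_compatibility
+when :disabled then false
+when nil then nil
+else true
+end
+end
+
+def ecs_compatibility
+case mode = PatternModeSupport.pattern_mode
+when 'legacy' then :disabled
+when 'ecs-v1' then :v1
+when nil then nil
+else fail "pattern_mode: #{mode.inspect}"
+end
+end
+
 def grok_match(label, message, exact_match = false)
+grok_match_event(label, message, exact_match).to_hash
+end
+
+def grok_match_event(label, message, exact_match = false)
 grok = build_grok(label, exact_match)
 event = build_event(message)
 grok.filter(event)
-event
+event
+end
+
+def grok_exact_match(label, message)
+grok_match(label, message, true)
 end
 
 def build_grok(label, exact_match = false)
-
-
-
-
-end
+grok_opts = { "match" => [ "message", exact_match ? "^%{#{label}}$" : "%{#{label}}" ] }
+ecs_compat = ecs_compatibility # if not set use the plugin default
+grok_opts["ecs_compatibility"] = ecs_compat unless ecs_compat.nil?
+grok = LogStash::Filters::Grok.new(grok_opts)
 grok.register
 grok
 end
@@ -48,6 +84,31 @@ end
 
 RSpec.configure do |c|
 c.include GrokHelpers
+c.include GrokHelpers::PatternModeSupport
+c.extend GrokHelpers::PatternModeSupport
+end
+
+def describe_pattern(name, pattern_modes = [ nil ], &block)
+pattern_modes.each do |mode|
+RSpec.describe "#{name}#{mode ? " (#{mode})" : nil}" do
+
+before(:each) do
+@restore_pattern_mode = pattern_mode
+self.pattern_mode = mode
+end
+after(:each) do
+self.pattern_mode = @restore_pattern_mode
+end
+
+let(:pattern) { name }
+let(:message) { raise 'let(:message) { ... } is missing' }
+let(:event) { grok_match_event(pattern, message) }
+let(:grok) { event.to_hash }
+subject(:grok_result) { grok }
+
+instance_eval(&block)
+end
+end
 end
 
 RSpec::Matchers.define :pass do |expected|
@@ -65,3 +126,16 @@ RSpec::Matchers.define :match do |value|
 end
 end
 
+RSpec.shared_examples_for 'top-level namespaces' do |namespaces, opts|
+let(:internal_keys) { ['@timestamp', '@version'] }
+let(:allowed_keys) { namespaces }
+it "event is expected to only use namespaces: #{namespaces.inspect}" do
+if instance_exec &(opts[:if] || -> { true })
+event_hash = subject.to_hash
+(event_hash.keys - (internal_keys + ['message'])).each do |top_level_key|
+fail_msg = "found event.get('#{top_level_key}') : #{event_hash[top_level_key].inspect}"
+expect(allowed_keys).to include(top_level_key), fail_msg
+end
+end
+end
+end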
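--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-version: 4.
+version: 4.3.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -74,41 +74,70 @@ files:
 - README.md
 - lib/logstash/patterns/core.rb
 - logstash-patterns-core.gemspec
-- patterns/aws
-- patterns/bacula
-- patterns/bind
-- patterns/bro
-- patterns/exim
-- patterns/firewalls
-- patterns/grok-patterns
-- patterns/haproxy
-- patterns/httpd
-- patterns/java
-- patterns/junos
-- patterns/linux-syslog
-- patterns/maven
-- patterns/mcollective
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
--
+- patterns/ecs-v1/aws
+- patterns/ecs-v1/bacula
+- patterns/ecs-v1/bind
+- patterns/ecs-v1/bro
+- patterns/ecs-v1/exim
+- patterns/ecs-v1/firewalls
+- patterns/ecs-v1/grok-patterns
+- patterns/ecs-v1/haproxy
+- patterns/ecs-v1/httpd
+- patterns/ecs-v1/java
+- patterns/ecs-v1/junos
+- patterns/ecs-v1/linux-syslog
+- patterns/ecs-v1/maven
+- patterns/ecs-v1/mcollective
+- patterns/ecs-v1/mongodb
+- patterns/ecs-v1/nagios
+- patterns/ecs-v1/postgresql
+- patterns/ecs-v1/rails
+- patterns/ecs-v1/redis
+- patterns/ecs-v1/ruby
+- patterns/ecs-v1/squid
+- patterns/ecs-v1/zeek
+- patterns/legacy/aws
+- patterns/legacy/bacula
+- patterns/legacy/bind
+- patterns/legacy/bro
+- patterns/legacy/exim
+- patterns/legacy/firewalls
+- patterns/legacy/grok-patterns
+- patterns/legacy/haproxy
+- patterns/legacy/httpd
+- patterns/legacy/java
+- patterns/legacy/junos
+- patterns/legacy/linux-syslog
+- patterns/legacy/maven
+- patterns/legacy/mcollective
+- patterns/legacy/mcollective-patterns
+- patterns/legacy/mongodb
+- patterns/legacy/nagios
+- patterns/legacy/postgresql
+- patterns/legacy/rails
+- patterns/legacy/redis
+- patterns/legacy/ruby
+- patterns/legacy/squid
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
 - spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
 - spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
 - spec/patterns/redis_spec.rb
-- spec/patterns/s3_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
@@ -137,18 +166,25 @@ signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash
 test_files:
-- spec/patterns/
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
 - spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
 - spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
 - spec/patterns/redis_spec.rb
-- spec/patterns/s3_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb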
data/patterns/bind
DELETED
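--- a/data/patterns/squid
+++ /dev/null
@@ -1,4 +0,0 @@
-# Pattern squid3
-# Documentation of squid3 logs formats can be found at the following link:
-# http://wiki.squid-cache.org/Features/LogFormat
-SQUID3 %{NUMBER:timestamp}\s+%{NUMBER:duration}\s%{IP:client_address}\s%{WORD:cache_result}/%{POSINT:status_code}\s%{NUMBER:bytes}\s%{WORD:request_method}\s%{NOTSPACE:url}\s(%{NOTSPACE:user}|-)\s%{WORD:hierarchy_code}/%{IPORHOST:server}\s%{NOTSPACE:content_type}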
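--- a/data/spec/patterns/bro.rb
+++ /dev/null
@@ -1,126 +0,0 @@
-# encoding: utf-8
-require "spec_helper"
-require "logstash/patterns/core"
-
-describe "HTTP" do
-
-let(:value) { "1432555199.633017 COpk6E3vkURP8QQNKl 192.168.9.35 55281 178.236.7.146 80 4 POST www.amazon.it /xa/dealcontent/v2/GetDeals?nocache=1432555199326 http://www.amazon.it/ Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 223 1859 200 OK - - - (empty) - - - FrLEcY3AUPKdcYGf29 text/plain FOJpbGzIMh9syPxH8 text/plain" }
-let(:grok) { grok_match(subject, value) }
-
-it "a pattern pass the grok expression" do
-expect(grok).to pass
-end
-
-it "matches a simple message" do
-expect(subject).to match(value)
-end
-
-it "generates the ts field" do
-expect(grok).to include("ts" => "1432555199.633017")
-end
-
-it "generates the uid field" do
-expect(grok).to include("uid" => "COpk6E3vkURP8QQNKl")
-end
-
-it "generates the orig_h field" do
-expect(grok).to include("orig_h" => "192.168.9.35")
-end
-
-it "generates the orig_p field" do
-expect(grok).to include("orig_p" => "55281")
-end
-
-it "generates the resp_h field" do
-expect(grok).to include("resp_h" => "178.236.7.146")
-end
-
-it "generates the resp_p field" do
-expect(grok).to include("resp_p" => "80")
-end
-
-it "generates the trans_depth field" do
-expect(grok).to include("trans_depth" => "4")
-end
-
-it "generates the method field" do
-expect(grok).to include("method" => "POST")
-end
-
-it "generates the domain field" do
-expect(grok).to include("domain" => "www.amazon.it")
-end
-
-it "generates the uri field" do
-expect(grok).to include("uri" => "/xa/dealcontent/v2/GetDeals?nocache=1432555199326")
-end
-
-it "generates the referrer field" do
-expect(grok).to include("referrer" => "http://www.amazon.it/")
-end
-
-it "generates the user_agent field" do
-expect(grok).to include("user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36")
-end
-
-it "generates the request_body_len field" do
-expect(grok).to include("request_body_len" => "223")
-end
-
-it "generates the response_body_len field" do
-expect(grok).to include("response_body_len" => "1859")
-end
-
-it "generates the status_code field" do
-expect(grok).to include("status_code" => "200")
-end
-
-it "generates the status_msg field" do
-expect(grok).to include("status_msg" => "OK")
-end
-
-it "generates the info_code field" do
-expect(grok).to include("info_code" => "-")
-end
-
-it "generates the info_msg field" do
-expect(grok).to include("info_msg" => "-")
-end
-
-it "generates the filename field" do
-expect(grok).to include("filename" => "-")
-end
-
-it "generates the bro_tags field" do
-expect(grok).to include("bro_tags" => "(empty)")
-end
-
-it "generates the username field" do
-expect(grok).to include("username" => "-")
-end
-
-it "generates the password field" do
-expect(grok).to include("password" => "-")
-end
-
-it "generates the proxied field" do
-expect(grok).to include("proxied" => "-")
-end
-
-it "generates the orig_fuids field" do
-expect(grok).to include("orig_fuids" => "FrLEcY3AUPKdcYGf29")
-end
-
-it "generates the orig_mime_types field" do
-expect(grok).to include("orig_mime_types" => "text/plain")
-end
-
-it "generates the resp_fuids field" do
-expect(grok).to include("resp_fuids" => "FOJpbGzIMh9syPxH8")
-end
-
-it "generates the resp_mime_types field" do
-expect(grok).to include("resp_mime_types" => "text/plain")
-end
-
-end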
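--- a/data/spec/patterns/s3_spec.rb
+++ /dev/null
@@ -1,173 +0,0 @@
-# encoding: utf-8
-require "spec_helper"
-require "logstash/patterns/core"
-
-
-describe "ELB_ACCESS_LOG" do
-
-let(:pattern) { "ELB_ACCESS_LOG" }
-
-context "parsing an access log" do
-
-let(:value) { "2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\"" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("timestamp" => "2014-02-15T23:39:43.945958Z" ) }
-it { should include("elb" => "my-test-loadbalancer" ) }
-it { should include("clientip" => "192.168.131.39" ) }
-it { should include("clientport" => 2817 ) }
-it { should include("backendip" => "10.0.0.1" ) }
-it { should include("backendport" => 80 ) }
-it { should include("request_processing_time" => 0.000073 ) }
-it { should include("backend_processing_time" => 0.001048 ) }
-it { should include("response_processing_time" => 0.000057 ) }
-it { should include("response" => 200 ) }
-it { should include("backend_response" => 200 ) }
-it { should include("received_bytes" => 0 ) }
-it { should include("bytes" => 29 ) }
-it { should include("verb" => "GET" ) }
-it { should include("request" => "http://www.example.com:80/" ) }
-it { should include("proto" => "http" ) }
-it { should include("httpversion" => "1.1" ) }
-it { should include("urihost" => "www.example.com:80" ) }
-it { should include("path" => "/" ) }
-
-["tags", "params"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-end
-
-context "parsing a PUT request access log with missing backend info" do
-
-let(:value) { '2015-04-10T08:11:09.865823Z us-west-1-production-media 49.150.87.133:55128 - -1 -1 -1 408 0 1294336 0 "PUT https://media.xxxyyyzzz.com:443/videos/F4_M-T4X0MM6Hvy1PFHesw HTTP/1.1"' }
-
-subject { grok_match(pattern, value) }
-
-it "a pattern pass the grok expression" do
-expect(subject).to pass
-end
-
-["backendip", "backendport"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-end
-end
-
-describe "S3_ACCESS_LOG" do
-
-let(:pattern) { "S3_ACCESS_LOG" }
-
-context "parsing GET.VERSIONING message" do
-
-let(:value) { "79a5 mybucket [06/Feb/2014:00:00:38 +0000] 192.0.2.3 79a5 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /mybucket?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" -" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("owner" => "79a5" ) }
-it { should include("bucket" => "mybucket" ) }
-it { should include("timestamp" => "06/Feb/2014:00:00:38 +0000" ) }
-it { should include("clientip" => "192.0.2.3" ) }
-it { should include("requester" => "79a5" ) }
-it { should include("request_id" => "3E57427F3EXAMPLE" ) }
-it { should include("operation" => "REST.GET.VERSIONING" ) }
-it { should include("key" => "-" ) }
-
-it { should include("verb" => "GET" ) }
-it { should include("request" => "/mybucket?versioning" ) }
-it { should include("httpversion" => "1.1" ) }
-it { should include("response" => 200 ) }
-it { should include("bytes" => 113 ) }
-
-it { should include("request_time_ms" => 7 ) }
-it { should include("referrer" => "\"-\"" ) }
-it { should include("agent" => "\"S3Console/0.4\"" ) }
-
-
-["tags", "error_code", "object_size", "turnaround_time_ms", "version_id"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-
-end
-
-context "parsing a GET.OBJECT message" do
-
-let(:value) { "79a5 mybucket [12/May/2014:07:54:01 +0000] 10.0.1.2 - 7ACC4BE89EXAMPLE REST.GET.OBJECT foo/bar.html \"GET /foo/bar.html HTTP/1.1\" 304 - - 1718 10 - \"-\" \"Mozilla/5.0\" -" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("owner" => "79a5" ) }
-it { should include("bucket" => "mybucket" ) }
-it { should include("timestamp" => "12/May/2014:07:54:01 +0000" ) }
-it { should include("clientip" => "10.0.1.2" ) }
-it { should include("requester" => "-" ) }
-it { should include("request_id" => "7ACC4BE89EXAMPLE" ) }
-it { should include("operation" => "REST.GET.OBJECT" ) }
-it { should include("key" => "foo/bar.html" ) }
-
-it { should include("verb" => "GET" ) }
-it { should include("request" => "/foo/bar.html" ) }
-it { should include("httpversion" => "1.1" ) }
-it { should include("response" => 304 ) }
-it { should include("object_size" => 1718 ) }
-
-it { should include("request_time_ms" => 10 ) }
-it { should include("referrer" => "\"-\"" ) }
-it { should include("agent" => "\"Mozilla/5.0\"" ) }
-
-
-["tags", "error_code", "turnaround_time_ms", "version_id", "bytes"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-
-end
-end
-
-describe "CLOUDFRONT_ACCESS_LOG" do
-
-let(:pattern) { "CLOUDFRONT_ACCESS_LOG" }
-
-context "parsing a cloudfront access log" do
-
-let(:value) { "2016-06-10 18:41:39 IAD53 224281 192.168.1.1 GET d27enomp470abc.cloudfront.net /content/sample/thing.pdf 200 https://example.com/ Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36 - - Miss UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg== host.example.com https 883 0.036 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("timestamp" => "2016-06-10 18:41:39" ) }
-it { should include("x_edge_location" => "IAD53" ) }
-it { should include("sc_bytes" => 224281 ) }
-it { should include("clientip" => "192.168.1.1" ) }
-it { should include("cs_method" => "GET" ) }
-it { should include("cs_host" => "d27enomp470abc.cloudfront.net" ) }
-it { should include("cs_uri_stem" => "/content/sample/thing.pdf" ) }
-it { should include("sc_status" => 200 ) }
-it { should include("referrer" => "https://example.com/" ) }
-it { should include("agent" => "Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36" ) }
-it { should include("cs_uri_query" => "-" ) }
-it { should include("cookies" => "-" ) }
-it { should include("x_edge_result_type" => "Miss" ) }
-it { should include("x_edge_request_id" => "UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg==" ) }
-it { should include("x_host_header" => "host.example.com" ) }
-it { should include("cs_protocol" => "https" ) }
-it { should include("cs_bytes" => 883 ) }
-it { should include("time_taken" => 0.036 ) }
-it { should include("x_forwarded_for" => "-" ) }
-it { should include("ssl_protocol" => "TLSv1.2" ) }
-it { should include("ssl_cipher" => "ECDHE-RSA-AES128-GCM-SHA256" ) }
-it { should include("x_edge_response_result_type" => "Miss" ) }
-
-["tags", "params"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-end
-end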