logstash-patterns-core 4.2.0 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (76) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +98 -0
  3. data/Gemfile +3 -0
  4. data/README.md +11 -18
  5. data/lib/logstash/patterns/core.rb +11 -3
  6. data/logstash-patterns-core.gemspec +1 -1
  7. data/patterns/ecs-v1/aws +28 -0
  8. data/patterns/ecs-v1/bacula +53 -0
  9. data/patterns/ecs-v1/bind +13 -0
  10. data/patterns/ecs-v1/bro +30 -0
  11. data/patterns/ecs-v1/exim +26 -0
  12. data/patterns/ecs-v1/firewalls +111 -0
  13. data/patterns/ecs-v1/grok-patterns +95 -0
  14. data/patterns/ecs-v1/haproxy +40 -0
  15. data/patterns/ecs-v1/httpd +17 -0
  16. data/patterns/ecs-v1/java +34 -0
  17. data/patterns/ecs-v1/junos +13 -0
  18. data/patterns/ecs-v1/linux-syslog +16 -0
  19. data/patterns/{maven → ecs-v1/maven} +0 -0
  20. data/patterns/ecs-v1/mcollective +4 -0
  21. data/patterns/ecs-v1/mongodb +7 -0
  22. data/patterns/ecs-v1/nagios +124 -0
  23. data/patterns/ecs-v1/postgresql +2 -0
  24. data/patterns/ecs-v1/rails +13 -0
  25. data/patterns/ecs-v1/redis +3 -0
  26. data/patterns/ecs-v1/ruby +2 -0
  27. data/patterns/ecs-v1/squid +6 -0
  28. data/patterns/ecs-v1/zeek +33 -0
  29. data/patterns/{aws → legacy/aws} +1 -1
  30. data/patterns/{bacula → legacy/bacula} +5 -5
  31. data/patterns/legacy/bind +3 -0
  32. data/patterns/{bro → legacy/bro} +0 -0
  33. data/patterns/{exim → legacy/exim} +8 -2
  34. data/patterns/{firewalls → legacy/firewalls} +2 -2
  35. data/patterns/{grok-patterns → legacy/grok-patterns} +0 -0
  36. data/patterns/{haproxy → legacy/haproxy} +0 -0
  37. data/patterns/{httpd → legacy/httpd} +1 -1
  38. data/patterns/{java → legacy/java} +0 -0
  39. data/patterns/{junos → legacy/junos} +0 -0
  40. data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
  41. data/patterns/legacy/maven +1 -0
  42. data/patterns/{mcollective → legacy/mcollective} +0 -0
  43. data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
  44. data/patterns/{mongodb → legacy/mongodb} +0 -0
  45. data/patterns/{nagios → legacy/nagios} +0 -0
  46. data/patterns/{postgresql → legacy/postgresql} +0 -0
  47. data/patterns/{rails → legacy/rails} +0 -0
  48. data/patterns/{redis → legacy/redis} +0 -0
  49. data/patterns/{ruby → legacy/ruby} +0 -0
  50. data/patterns/legacy/squid +4 -0
  51. data/spec/patterns/aws_spec.rb +395 -0
  52. data/spec/patterns/bacula_spec.rb +367 -0
  53. data/spec/patterns/bind_spec.rb +78 -0
  54. data/spec/patterns/bro_spec.rb +613 -0
  55. data/spec/patterns/core_spec.rb +51 -9
  56. data/spec/patterns/exim_spec.rb +201 -0
  57. data/spec/patterns/firewalls_spec.rb +669 -66
  58. data/spec/patterns/haproxy_spec.rb +246 -38
  59. data/spec/patterns/httpd_spec.rb +215 -94
  60. data/spec/patterns/java_spec.rb +357 -27
  61. data/spec/patterns/junos_spec.rb +101 -0
  62. data/spec/patterns/mcollective_spec.rb +35 -0
  63. data/spec/patterns/mongodb_spec.rb +170 -33
  64. data/spec/patterns/nagios_spec.rb +296 -79
  65. data/spec/patterns/netscreen_spec.rb +123 -0
  66. data/spec/patterns/rails3_spec.rb +87 -29
  67. data/spec/patterns/redis_spec.rb +157 -121
  68. data/spec/patterns/shorewall_spec.rb +85 -74
  69. data/spec/patterns/squid_spec.rb +139 -0
  70. data/spec/patterns/syslog_spec.rb +266 -22
  71. data/spec/spec_helper.rb +80 -6
  72. metadata +64 -28
  73. data/patterns/bind +0 -3
  74. data/patterns/squid +0 -4
  75. data/spec/patterns/bro.rb +0 -126
  76. data/spec/patterns/s3_spec.rb +0 -173
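--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -24,19 +24,55 @@ end
 require "logstash/filters/grok"
 
 module GrokHelpers
+  module PatternModeSupport
+    @@pattern_mode = nil
+    def pattern_mode
+      @@pattern_mode
+    end
+    module_function :pattern_mode
+
+    def pattern_mode=(mode)
+      @@pattern_mode = mode
+    end
+  end
+
+  def ecs_compatibility?
+    case ecs_compatibility
+    when :disabled then false
+    when nil then nil
+    else true
+    end
+  end
+
+  def ecs_compatibility
+    case mode = PatternModeSupport.pattern_mode
+    when 'legacy' then :disabled
+    when 'ecs-v1' then :v1
+    when nil then nil
+    else fail "pattern_mode: #{mode.inspect}"
+    end
+  end
+
   def grok_match(label, message, exact_match = false)
+    grok_match_event(label, message, exact_match).to_hash
+  end
+
+  def grok_match_event(label, message, exact_match = false)
     grok = build_grok(label, exact_match)
     event = build_event(message)
     grok.filter(event)
-    event.to_hash
+    event
+  end
+
+  def grok_exact_match(label, message)
+    grok_match(label, message, true)
   end
 
   def build_grok(label, exact_match = false)
-    if exact_match
-      grok = LogStash::Filters::Grok.new("match" => ["message", "^%{#{label}}$"])
-    else
-      grok = LogStash::Filters::Grok.new("match" => ["message", "%{#{label}}"])
-    end
+    grok_opts = { "match" => [ "message", exact_match ? "^%{#{label}}$" : "%{#{label}}" ] }
+    ecs_compat = ecs_compatibility # if not set use the plugin default
+    grok_opts["ecs_compatibility"] = ecs_compat unless ecs_compat.nil?
+    grok = LogStash::Filters::Grok.new(grok_opts)
     grok.register
     grok
   end
@@ -48,6 +84,31 @@ end
 
 RSpec.configure do |c|
   c.include GrokHelpers
+  c.include GrokHelpers::PatternModeSupport
+  c.extend GrokHelpers::PatternModeSupport
+end
+
+def describe_pattern(name, pattern_modes = [ nil ], &block)
+  pattern_modes.each do |mode|
+    RSpec.describe "#{name}#{mode ? " (#{mode})" : nil}" do
+
+      before(:each) do
+        @restore_pattern_mode = pattern_mode
+        self.pattern_mode = mode
+      end
+      after(:each) do
+        self.pattern_mode = @restore_pattern_mode
+      end
+
+      let(:pattern) { name }
+      let(:message) { raise 'let(:message) { ... } is missing' }
+      let(:event) { grok_match_event(pattern, message) }
+      let(:grok) { event.to_hash }
+      subject(:grok_result) { grok }
+
+      instance_eval(&block)
+    end
+  end
 end
 
 RSpec::Matchers.define :pass do |expected|
@@ -65,3 +126,16 @@ RSpec::Matchers.define :match do |value|
   end
 end
 
+RSpec.shared_examples_for 'top-level namespaces' do |namespaces, opts|
+  let(:internal_keys) { ['@timestamp', '@version'] }
+  let(:allowed_keys) { namespaces }
+  it "event is expected to only use namespaces: #{namespaces.inspect}" do
+    if instance_exec &(opts[:if] || -> { true })
+      event_hash = subject.to_hash
+      (event_hash.keys - (internal_keys + ['message'])).each do |top_level_key|
+        fail_msg = "found event.get('#{top_level_key}') : #{event_hash[top_level_key].inspect}"
+        expect(allowed_keys).to include(top_level_key), fail_msg
+      end
+    end
+  end
+end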
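Review bot: In the third hunk, `RSpec.shared_examples_for 'top-level namespaces' do |namespaces, opts|` reads `opts[:if]` unconditionally inside the `it` block, so a caller that includes the examples with only the namespaces argument fails with a NoMethodError on nil instead of reaching the `-> { true }` fallback; giving the block parameter a default, `do |namespaces, opts = {}|`, makes the fallback actually reachable. The callers live in spec files outside this section, so whether any of them omits `opts` is not visible here. In the first hunk, `PatternModeSupport` keeps the active mode in the class variable `@@pattern_mode`, process-global state shared by every example group through `c.include`/`c.extend`; the `before`/`after` hooks in `describe_pattern` restore it for sequential runs, but nothing says the suite is therefore not safe to run with parallel example execution, so a comment above the declaration such as `# process-global; describe_pattern saves/restores it around each example - not parallel-safe` would help the next maintainer. Note also that `module_function :pattern_mode` exposes only the reader on the module itself, which is why `describe_pattern` has to write `self.pattern_mode = mode` on the example instance rather than through the module.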
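--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-  version: 4.2.0
+  version: 4.3.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-28 00:00:00.000000000 Z
+date: 2021-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -74,41 +74,70 @@ files:
 - README.md
 - lib/logstash/patterns/core.rb
 - logstash-patterns-core.gemspec
-- patterns/aws
-- patterns/bacula
-- patterns/bind
-- patterns/bro
-- patterns/exim
-- patterns/firewalls
-- patterns/grok-patterns
-- patterns/haproxy
-- patterns/httpd
-- patterns/java
-- patterns/junos
-- patterns/linux-syslog
-- patterns/maven
-- patterns/mcollective
-- patterns/mcollective-patterns
-- patterns/mongodb
-- patterns/nagios
-- patterns/postgresql
-- patterns/rails
-- patterns/redis
-- patterns/ruby
-- patterns/squid
-- spec/patterns/bro.rb
+- patterns/ecs-v1/aws
+- patterns/ecs-v1/bacula
+- patterns/ecs-v1/bind
+- patterns/ecs-v1/bro
+- patterns/ecs-v1/exim
+- patterns/ecs-v1/firewalls
+- patterns/ecs-v1/grok-patterns
+- patterns/ecs-v1/haproxy
+- patterns/ecs-v1/httpd
+- patterns/ecs-v1/java
+- patterns/ecs-v1/junos
+- patterns/ecs-v1/linux-syslog
+- patterns/ecs-v1/maven
+- patterns/ecs-v1/mcollective
+- patterns/ecs-v1/mongodb
+- patterns/ecs-v1/nagios
+- patterns/ecs-v1/postgresql
+- patterns/ecs-v1/rails
+- patterns/ecs-v1/redis
+- patterns/ecs-v1/ruby
+- patterns/ecs-v1/squid
+- patterns/ecs-v1/zeek
+- patterns/legacy/aws
+- patterns/legacy/bacula
+- patterns/legacy/bind
+- patterns/legacy/bro
+- patterns/legacy/exim
+- patterns/legacy/firewalls
+- patterns/legacy/grok-patterns
+- patterns/legacy/haproxy
+- patterns/legacy/httpd
+- patterns/legacy/java
+- patterns/legacy/junos
+- patterns/legacy/linux-syslog
+- patterns/legacy/maven
+- patterns/legacy/mcollective
+- patterns/legacy/mcollective-patterns
+- patterns/legacy/mongodb
+- patterns/legacy/nagios
+- patterns/legacy/postgresql
+- patterns/legacy/rails
+- patterns/legacy/redis
+- patterns/legacy/ruby
+- patterns/legacy/squid
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
 - spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
 - spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
 - spec/patterns/redis_spec.rb
-- spec/patterns/s3_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
@@ -137,18 +166,25 @@ signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash
 test_files:
-- spec/patterns/bro.rb
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
 - spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
 - spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
 - spec/patterns/redis_spec.rb
-- spec/patterns/s3_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb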
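--- a/data/patterns/bind
+++ /dev/null
@@ -1,3 +0,0 @@
-BIND9_TIMESTAMP %{MONTHDAY}[-]%{MONTH}[-]%{YEAR} %{TIME}
-
-BIND9 %{BIND9_TIMESTAMP:timestamp} queries: %{LOGLEVEL:loglevel}: client %{IP:clientip}#%{POSINT:clientport} \(%{GREEDYDATA:query}\): query: %{GREEDYDATA:query} IN %{GREEDYDATA:querytype} \(%{IP:dns}\)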
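--- a/data/patterns/squid
+++ /dev/null
@@ -1,4 +0,0 @@
-# Pattern squid3
-# Documentation of squid3 logs formats can be found at the following link:
-# http://wiki.squid-cache.org/Features/LogFormat
-SQUID3 %{NUMBER:timestamp}\s+%{NUMBER:duration}\s%{IP:client_address}\s%{WORD:cache_result}/%{POSINT:status_code}\s%{NUMBER:bytes}\s%{WORD:request_method}\s%{NOTSPACE:url}\s(%{NOTSPACE:user}|-)\s%{WORD:hierarchy_code}/%{IPORHOST:server}\s%{NOTSPACE:content_type}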
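--- a/data/spec/patterns/bro.rb
+++ /dev/null
@@ -1,126 +0,0 @@
-# encoding: utf-8
-require "spec_helper"
-require "logstash/patterns/core"
-
-describe "HTTP" do
-
-  let(:value) { "1432555199.633017 COpk6E3vkURP8QQNKl 192.168.9.35 55281 178.236.7.146 80 4 POST www.amazon.it /xa/dealcontent/v2/GetDeals?nocache=1432555199326 http://www.amazon.it/ Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 223 1859 200 OK - - - (empty) - - - FrLEcY3AUPKdcYGf29 text/plain FOJpbGzIMh9syPxH8 text/plain" }
-  let(:grok) { grok_match(subject, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-
-  it "matches a simple message" do
-    expect(subject).to match(value)
-  end
-
-  it "generates the ts field" do
-    expect(grok).to include("ts" => "1432555199.633017")
-  end
-
-  it "generates the uid field" do
-    expect(grok).to include("uid" => "COpk6E3vkURP8QQNKl")
-  end
-
-  it "generates the orig_h field" do
-    expect(grok).to include("orig_h" => "192.168.9.35")
-  end
-
-  it "generates the orig_p field" do
-    expect(grok).to include("orig_p" => "55281")
-  end
-
-  it "generates the resp_h field" do
-    expect(grok).to include("resp_h" => "178.236.7.146")
-  end
-
-  it "generates the resp_p field" do
-    expect(grok).to include("resp_p" => "80")
-  end
-
-  it "generates the trans_depth field" do
-    expect(grok).to include("trans_depth" => "4")
-  end
-
-  it "generates the method field" do
-    expect(grok).to include("method" => "POST")
-  end
-
-  it "generates the domain field" do
-    expect(grok).to include("domain" => "www.amazon.it")
-  end
-
-  it "generates the uri field" do
-    expect(grok).to include("uri" => "/xa/dealcontent/v2/GetDeals?nocache=1432555199326")
-  end
-
-  it "generates the referrer field" do
-    expect(grok).to include("referrer" => "http://www.amazon.it/")
-  end
-
-  it "generates the user_agent field" do
-    expect(grok).to include("user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36")
-  end
-
-  it "generates the request_body_len field" do
-    expect(grok).to include("request_body_len" => "223")
-  end
-
-  it "generates the response_body_len field" do
-    expect(grok).to include("response_body_len" => "1859")
-  end
-
-  it "generates the status_code field" do
-    expect(grok).to include("status_code" => "200")
-  end
-
-  it "generates the status_msg field" do
-    expect(grok).to include("status_msg" => "OK")
-  end
-
-  it "generates the info_code field" do
-    expect(grok).to include("info_code" => "-")
-  end
-
-  it "generates the info_msg field" do
-    expect(grok).to include("info_msg" => "-")
-  end
-
-  it "generates the filename field" do
-    expect(grok).to include("filename" => "-")
-  end
-
-  it "generates the bro_tags field" do
-    expect(grok).to include("bro_tags" => "(empty)")
-  end
-
-  it "generates the username field" do
-    expect(grok).to include("username" => "-")
-  end
-
-  it "generates the password field" do
-    expect(grok).to include("password" => "-")
-  end
-
-  it "generates the proxied field" do
-    expect(grok).to include("proxied" => "-")
-  end
-
-  it "generates the orig_fuids field" do
-    expect(grok).to include("orig_fuids" => "FrLEcY3AUPKdcYGf29")
-  end
-
-  it "generates the orig_mime_types field" do
-    expect(grok).to include("orig_mime_types" => "text/plain")
-  end
-
-  it "generates the resp_fuids field" do
-    expect(grok).to include("resp_fuids" => "FOJpbGzIMh9syPxH8")
-  end
-
-  it "generates the resp_mime_types field" do
-    expect(grok).to include("resp_mime_types" => "text/plain")
-  end
-
-end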
@@ -1,173 +0,0 @@
1
- # encoding: utf-8
2
- require "spec_helper"
3
- require "logstash/patterns/core"
4
-
5
-
6
- describe "ELB_ACCESS_LOG" do
7
-
8
- let(:pattern) { "ELB_ACCESS_LOG" }
9
-
10
- context "parsing an access log" do
11
-
12
- let(:value) { "2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\"" }
13
-
14
- subject { grok_match(pattern, value) }
15
-
16
- it { should include("timestamp" => "2014-02-15T23:39:43.945958Z" ) }
17
- it { should include("elb" => "my-test-loadbalancer" ) }
18
- it { should include("clientip" => "192.168.131.39" ) }
19
- it { should include("clientport" => 2817 ) }
20
- it { should include("backendip" => "10.0.0.1" ) }
21
- it { should include("backendport" => 80 ) }
22
- it { should include("request_processing_time" => 0.000073 ) }
23
- it { should include("backend_processing_time" => 0.001048 ) }
24
- it { should include("response_processing_time" => 0.000057 ) }
25
- it { should include("response" => 200 ) }
26
- it { should include("backend_response" => 200 ) }
27
- it { should include("received_bytes" => 0 ) }
28
- it { should include("bytes" => 29 ) }
29
- it { should include("verb" => "GET" ) }
30
- it { should include("request" => "http://www.example.com:80/" ) }
31
- it { should include("proto" => "http" ) }
32
- it { should include("httpversion" => "1.1" ) }
33
- it { should include("urihost" => "www.example.com:80" ) }
34
- it { should include("path" => "/" ) }
35
-
36
- ["tags", "params"].each do |attribute|
37
- it "have #{attribute} as nil" do
38
- expect(subject[attribute]).to be_nil
39
- end
40
- end
41
- end
42
-
43
- context "parsing a PUT request access log with missing backend info" do
44
-
45
- let(:value) { '2015-04-10T08:11:09.865823Z us-west-1-production-media 49.150.87.133:55128 - -1 -1 -1 408 0 1294336 0 "PUT https://media.xxxyyyzzz.com:443/videos/F4_M-T4X0MM6Hvy1PFHesw HTTP/1.1"' }
46
-
47
- subject { grok_match(pattern, value) }
48
-
49
- it "a pattern pass the grok expression" do
50
- expect(subject).to pass
51
- end
52
-
53
- ["backendip", "backendport"].each do |attribute|
54
- it "have #{attribute} as nil" do
55
- expect(subject[attribute]).to be_nil
56
- end
57
- end
58
- end
59
- end
60
-
61
- describe "S3_ACCESS_LOG" do
62
-
63
- let(:pattern) { "S3_ACCESS_LOG" }
64
-
65
- context "parsing GET.VERSIONING message" do
66
-
67
- let(:value) { "79a5 mybucket [06/Feb/2014:00:00:38 +0000] 192.0.2.3 79a5 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /mybucket?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" -" }
68
-
69
- subject { grok_match(pattern, value) }
70
-
71
- it { should include("owner" => "79a5" ) }
72
- it { should include("bucket" => "mybucket" ) }
73
- it { should include("timestamp" => "06/Feb/2014:00:00:38 +0000" ) }
74
- it { should include("clientip" => "192.0.2.3" ) }
75
- it { should include("requester" => "79a5" ) }
76
- it { should include("request_id" => "3E57427F3EXAMPLE" ) }
77
- it { should include("operation" => "REST.GET.VERSIONING" ) }
78
- it { should include("key" => "-" ) }
79
-
80
- it { should include("verb" => "GET" ) }
81
- it { should include("request" => "/mybucket?versioning" ) }
82
- it { should include("httpversion" => "1.1" ) }
83
- it { should include("response" => 200 ) }
84
- it { should include("bytes" => 113 ) }
85
-
86
- it { should include("request_time_ms" => 7 ) }
87
- it { should include("referrer" => "\"-\"" ) }
88
- it { should include("agent" => "\"S3Console/0.4\"" ) }
89
-
90
-
91
- ["tags", "error_code", "object_size", "turnaround_time_ms", "version_id"].each do |attribute|
92
- it "have #{attribute} as nil" do
93
- expect(subject[attribute]).to be_nil
94
- end
95
- end
96
-
97
- end
98
-
99
- context "parsing a GET.OBJECT message" do
100
-
101
- let(:value) { "79a5 mybucket [12/May/2014:07:54:01 +0000] 10.0.1.2 - 7ACC4BE89EXAMPLE REST.GET.OBJECT foo/bar.html \"GET /foo/bar.html HTTP/1.1\" 304 - - 1718 10 - \"-\" \"Mozilla/5.0\" -" }
102
-
103
- subject { grok_match(pattern, value) }
104
-
105
- it { should include("owner" => "79a5" ) }
106
- it { should include("bucket" => "mybucket" ) }
107
- it { should include("timestamp" => "12/May/2014:07:54:01 +0000" ) }
108
- it { should include("clientip" => "10.0.1.2" ) }
109
- it { should include("requester" => "-" ) }
110
- it { should include("request_id" => "7ACC4BE89EXAMPLE" ) }
111
- it { should include("operation" => "REST.GET.OBJECT" ) }
112
- it { should include("key" => "foo/bar.html" ) }
113
-
114
- it { should include("verb" => "GET" ) }
115
- it { should include("request" => "/foo/bar.html" ) }
116
- it { should include("httpversion" => "1.1" ) }
117
- it { should include("response" => 304 ) }
118
- it { should include("object_size" => 1718 ) }
119
-
120
- it { should include("request_time_ms" => 10 ) }
121
- it { should include("referrer" => "\"-\"" ) }
122
- it { should include("agent" => "\"Mozilla/5.0\"" ) }
123
-
124
-
125
- ["tags", "error_code", "turnaround_time_ms", "version_id", "bytes"].each do |attribute|
126
- it "have #{attribute} as nil" do
127
- expect(subject[attribute]).to be_nil
128
- end
129
- end
130
-
131
- end
132
- end
133
-
134
- describe "CLOUDFRONT_ACCESS_LOG" do
135
-
136
- let(:pattern) { "CLOUDFRONT_ACCESS_LOG" }
137
-
138
- context "parsing a cloudfront access log" do
139
-
140
- let(:value) { "2016-06-10 18:41:39 IAD53 224281 192.168.1.1 GET d27enomp470abc.cloudfront.net /content/sample/thing.pdf 200 https://example.com/ Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36 - - Miss UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg== host.example.com https 883 0.036 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss" }
141
-
142
- subject { grok_match(pattern, value) }
143
-
144
- it { should include("timestamp" => "2016-06-10 18:41:39" ) }
145
- it { should include("x_edge_location" => "IAD53" ) }
146
- it { should include("sc_bytes" => 224281 ) }
147
- it { should include("clientip" => "192.168.1.1" ) }
148
- it { should include("cs_method" => "GET" ) }
149
- it { should include("cs_host" => "d27enomp470abc.cloudfront.net" ) }
150
- it { should include("cs_uri_stem" => "/content/sample/thing.pdf" ) }
151
- it { should include("sc_status" => 200 ) }
152
- it { should include("referrer" => "https://example.com/" ) }
153
- it { should include("agent" => "Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36" ) }
154
- it { should include("cs_uri_query" => "-" ) }
155
- it { should include("cookies" => "-" ) }
156
- it { should include("x_edge_result_type" => "Miss" ) }
157
- it { should include("x_edge_request_id" => "UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg==" ) }
158
- it { should include("x_host_header" => "host.example.com" ) }
159
- it { should include("cs_protocol" => "https" ) }
160
- it { should include("cs_bytes" => 883 ) }
161
- it { should include("time_taken" => 0.036 ) }
162
- it { should include("x_forwarded_for" => "-" ) }
163
- it { should include("ssl_protocol" => "TLSv1.2" ) }
164
- it { should include("ssl_cipher" => "ECDHE-RSA-AES128-GCM-SHA256" ) }
165
- it { should include("x_edge_response_result_type" => "Miss" ) }
166
-
167
- ["tags", "params"].each do |attribute|
168
- it "have #{attribute} as nil" do
169
- expect(subject[attribute]).to be_nil
170
- end
171
- end
172
- end
173
- end