logstash-patterns-core 4.2.0 → 4.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +98 -0
- data/Gemfile +3 -0
- data/README.md +11 -18
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +0 -0
- data/patterns/{haproxy → legacy/haproxy} +0 -0
- data/patterns/{httpd → legacy/httpd} +1 -1
- data/patterns/{java → legacy/java} +0 -0
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +0 -0
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +78 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +51 -9
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +669 -66
- data/spec/patterns/haproxy_spec.rb +246 -38
- data/spec/patterns/httpd_spec.rb +215 -94
- data/spec/patterns/java_spec.rb +357 -27
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +296 -79
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +157 -121
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +80 -6
- metadata +64 -28
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
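--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -24,19 +24,55 @@ end
 require "logstash/filters/grok"
 
 module GrokHelpers
+module PatternModeSupport
+@@pattern_mode = nil
+def pattern_mode
+@@pattern_mode
+end
+module_function :pattern_mode
+
+def pattern_mode=(mode)
+@@pattern_mode = mode
+end
+end
+
+def ecs_compatibility?
+case ecs_compatibility
+when :disabled then false
+when nil then nil
+else true
+end
+end
+
+def ecs_compatibility
+case mode = PatternModeSupport.pattern_mode
+when 'legacy' then :disabled
+when 'ecs-v1' then :v1
+when nil then nil
+else fail "pattern_mode: #{mode.inspect}"
+end
+end
+
 def grok_match(label, message, exact_match = false)
+grok_match_event(label, message, exact_match).to_hash
+end
+
+def grok_match_event(label, message, exact_match = false)
 grok = build_grok(label, exact_match)
 event = build_event(message)
 grok.filter(event)
-event
+event
+end
+
+def grok_exact_match(label, message)
+grok_match(label, message, true)
 end
 
 def build_grok(label, exact_match = false)
-
-
-
-
-end
+grok_opts = { "match" => [ "message", exact_match ? "^%{#{label}}$" : "%{#{label}}" ] }
+ecs_compat = ecs_compatibility # if not set use the plugin default
+grok_opts["ecs_compatibility"] = ecs_compat unless ecs_compat.nil?
+grok = LogStash::Filters::Grok.new(grok_opts)
 grok.register
 grok
 end
@@ -48,6 +84,31 @@ end
 
 RSpec.configure do |c|
 c.include GrokHelpers
+c.include GrokHelpers::PatternModeSupport
+c.extend GrokHelpers::PatternModeSupport
+end
+
+def describe_pattern(name, pattern_modes = [ nil ], &block)
+pattern_modes.each do |mode|
+RSpec.describe "#{name}#{mode ? " (#{mode})" : nil}" do
+
+before(:each) do
+@restore_pattern_mode = pattern_mode
+self.pattern_mode = mode
+end
+after(:each) do
+self.pattern_mode = @restore_pattern_mode
+end
+
+let(:pattern) { name }
+let(:message) { raise 'let(:message) { ... } is missing' }
+let(:event) { grok_match_event(pattern, message) }
+let(:grok) { event.to_hash }
+subject(:grok_result) { grok }
+
+instance_eval(&block)
+end
+end
 end
 
 RSpec::Matchers.define :pass do |expected|
@@ -65,3 +126,16 @@ RSpec::Matchers.define :match do |value|
 end
 end
 
+RSpec.shared_examples_for 'top-level namespaces' do |namespaces, opts|
+let(:internal_keys) { ['@timestamp', '@version'] }
+let(:allowed_keys) { namespaces }
+it "event is expected to only use namespaces: #{namespaces.inspect}" do
+if instance_exec &(opts[:if] || -> { true })
+event_hash = subject.to_hash
+(event_hash.keys - (internal_keys + ['message'])).each do |top_level_key|
+fail_msg = "found event.get('#{top_level_key}') : #{event_hash[top_level_key].inspect}"
+expect(allowed_keys).to include(top_level_key), fail_msg
+end
+end
+end
+end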
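Review bot: `opts[:if]` in the 'top-level namespaces' shared example raises NoMethodError when a spec includes it without the second argument, because `opts` is then nil; giving the block parameter a default, `RSpec.shared_examples_for 'top-level namespaces' do |namespaces, opts = {}|`, keeps the optional `:if` guard working for the plain call. On the same line, `if instance_exec(&(opts[:if] || -> { true }))` with explicit parentheses avoids the argument-prefix warning that `instance_exec &(...)` produces under -w. A second point, in build_grok's new match option in the first hunk: `^%{#{label}}$` is meant as an exact match, but in Ruby-syntax regexes `^` and `$` are line anchors, so a message containing a newline can satisfy the "exact" form on a single line and the stricter specs would pass on partial matches. If whole-message matching is the intent, `\A%{#{label}}\z` is the strict form, provided the grok engine in use accepts those anchors, which this hunk does not show.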
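--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-version: 4.
+version: 4.3.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -74,41 +74,70 @@ files:
 - README.md
 - lib/logstash/patterns/core.rb
 - logstash-patterns-core.gemspec
-- patterns/aws
-- patterns/bacula
-- patterns/bind
-- patterns/bro
-- patterns/exim
-- patterns/firewalls
-- patterns/grok-patterns
-- patterns/haproxy
-- patterns/httpd
-- patterns/java
-- patterns/junos
-- patterns/linux-syslog
-- patterns/maven
-- patterns/mcollective
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
-- patterns/
--
+- patterns/ecs-v1/aws
+- patterns/ecs-v1/bacula
+- patterns/ecs-v1/bind
+- patterns/ecs-v1/bro
+- patterns/ecs-v1/exim
+- patterns/ecs-v1/firewalls
+- patterns/ecs-v1/grok-patterns
+- patterns/ecs-v1/haproxy
+- patterns/ecs-v1/httpd
+- patterns/ecs-v1/java
+- patterns/ecs-v1/junos
+- patterns/ecs-v1/linux-syslog
+- patterns/ecs-v1/maven
+- patterns/ecs-v1/mcollective
+- patterns/ecs-v1/mongodb
+- patterns/ecs-v1/nagios
+- patterns/ecs-v1/postgresql
+- patterns/ecs-v1/rails
+- patterns/ecs-v1/redis
+- patterns/ecs-v1/ruby
+- patterns/ecs-v1/squid
+- patterns/ecs-v1/zeek
+- patterns/legacy/aws
+- patterns/legacy/bacula
+- patterns/legacy/bind
+- patterns/legacy/bro
+- patterns/legacy/exim
+- patterns/legacy/firewalls
+- patterns/legacy/grok-patterns
+- patterns/legacy/haproxy
+- patterns/legacy/httpd
+- patterns/legacy/java
+- patterns/legacy/junos
+- patterns/legacy/linux-syslog
+- patterns/legacy/maven
+- patterns/legacy/mcollective
+- patterns/legacy/mcollective-patterns
+- patterns/legacy/mongodb
+- patterns/legacy/nagios
+- patterns/legacy/postgresql
+- patterns/legacy/rails
+- patterns/legacy/redis
+- patterns/legacy/ruby
+- patterns/legacy/squid
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
 - spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
 - spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
 - spec/patterns/redis_spec.rb
-- spec/patterns/s3_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
@@ -137,18 +166,25 @@ signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash
 test_files:
-- spec/patterns/
+- spec/patterns/aws_spec.rb
+- spec/patterns/bacula_spec.rb
+- spec/patterns/bind_spec.rb
+- spec/patterns/bro_spec.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/exim_spec.rb
 - spec/patterns/firewalls_spec.rb
 - spec/patterns/haproxy_spec.rb
 - spec/patterns/httpd_spec.rb
 - spec/patterns/java_spec.rb
+- spec/patterns/junos_spec.rb
 - spec/patterns/maven_spec.rb
+- spec/patterns/mcollective_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/netscreen_spec.rb
 - spec/patterns/rails3_spec.rb
 - spec/patterns/redis_spec.rb
-- spec/patterns/s3_spec.rb
 - spec/patterns/shorewall_spec.rb
+- spec/patterns/squid_spec.rb
 - spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb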
data/patterns/bind
DELETED
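--- a/data/patterns/squid
+++ b/data/patterns/squid
@@ -1,4 +0,0 @@
-# Pattern squid3
-# Documentation of squid3 logs formats can be found at the following link:
-# http://wiki.squid-cache.org/Features/LogFormat
-SQUID3 %{NUMBER:timestamp}\s+%{NUMBER:duration}\s%{IP:client_address}\s%{WORD:cache_result}/%{POSINT:status_code}\s%{NUMBER:bytes}\s%{WORD:request_method}\s%{NOTSPACE:url}\s(%{NOTSPACE:user}|-)\s%{WORD:hierarchy_code}/%{IPORHOST:server}\s%{NOTSPACE:content_type}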
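--- a/data/spec/patterns/bro.rb
+++ b/data/spec/patterns/bro.rb
@@ -1,126 +0,0 @@
-# encoding: utf-8
-require "spec_helper"
-require "logstash/patterns/core"
-
-describe "HTTP" do
-
-let(:value) { "1432555199.633017 COpk6E3vkURP8QQNKl 192.168.9.35 55281 178.236.7.146 80 4 POST www.amazon.it /xa/dealcontent/v2/GetDeals?nocache=1432555199326 http://www.amazon.it/ Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 223 1859 200 OK - - - (empty) - - - FrLEcY3AUPKdcYGf29 text/plain FOJpbGzIMh9syPxH8 text/plain" }
-let(:grok) { grok_match(subject, value) }
-
-it "a pattern pass the grok expression" do
-expect(grok).to pass
-end
-
-it "matches a simple message" do
-expect(subject).to match(value)
-end
-
-it "generates the ts field" do
-expect(grok).to include("ts" => "1432555199.633017")
-end
-
-it "generates the uid field" do
-expect(grok).to include("uid" => "COpk6E3vkURP8QQNKl")
-end
-
-it "generates the orig_h field" do
-expect(grok).to include("orig_h" => "192.168.9.35")
-end
-
-it "generates the orig_p field" do
-expect(grok).to include("orig_p" => "55281")
-end
-
-it "generates the resp_h field" do
-expect(grok).to include("resp_h" => "178.236.7.146")
-end
-
-it "generates the resp_p field" do
-expect(grok).to include("resp_p" => "80")
-end
-
-it "generates the trans_depth field" do
-expect(grok).to include("trans_depth" => "4")
-end
-
-it "generates the method field" do
-expect(grok).to include("method" => "POST")
-end
-
-it "generates the domain field" do
-expect(grok).to include("domain" => "www.amazon.it")
-end
-
-it "generates the uri field" do
-expect(grok).to include("uri" => "/xa/dealcontent/v2/GetDeals?nocache=1432555199326")
-end
-
-it "generates the referrer field" do
-expect(grok).to include("referrer" => "http://www.amazon.it/")
-end
-
-it "generates the user_agent field" do
-expect(grok).to include("user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36")
-end
-
-it "generates the request_body_len field" do
-expect(grok).to include("request_body_len" => "223")
-end
-
-it "generates the response_body_len field" do
-expect(grok).to include("response_body_len" => "1859")
-end
-
-it "generates the status_code field" do
-expect(grok).to include("status_code" => "200")
-end
-
-it "generates the status_msg field" do
-expect(grok).to include("status_msg" => "OK")
-end
-
-it "generates the info_code field" do
-expect(grok).to include("info_code" => "-")
-end
-
-it "generates the info_msg field" do
-expect(grok).to include("info_msg" => "-")
-end
-
-it "generates the filename field" do
-expect(grok).to include("filename" => "-")
-end
-
-it "generates the bro_tags field" do
-expect(grok).to include("bro_tags" => "(empty)")
-end
-
-it "generates the username field" do
-expect(grok).to include("username" => "-")
-end
-
-it "generates the password field" do
-expect(grok).to include("password" => "-")
-end
-
-it "generates the proxied field" do
-expect(grok).to include("proxied" => "-")
-end
-
-it "generates the orig_fuids field" do
-expect(grok).to include("orig_fuids" => "FrLEcY3AUPKdcYGf29")
-end
-
-it "generates the orig_mime_types field" do
-expect(grok).to include("orig_mime_types" => "text/plain")
-end
-
-it "generates the resp_fuids field" do
-expect(grok).to include("resp_fuids" => "FOJpbGzIMh9syPxH8")
-end
-
-it "generates the resp_mime_types field" do
-expect(grok).to include("resp_mime_types" => "text/plain")
-end
-
-end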
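--- a/data/spec/patterns/s3_spec.rb
+++ b/data/spec/patterns/s3_spec.rb
@@ -1,173 +0,0 @@
-# encoding: utf-8
-require "spec_helper"
-require "logstash/patterns/core"
-
-
-describe "ELB_ACCESS_LOG" do
-
-let(:pattern) { "ELB_ACCESS_LOG" }
-
-context "parsing an access log" do
-
-let(:value) { "2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\"" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("timestamp" => "2014-02-15T23:39:43.945958Z" ) }
-it { should include("elb" => "my-test-loadbalancer" ) }
-it { should include("clientip" => "192.168.131.39" ) }
-it { should include("clientport" => 2817 ) }
-it { should include("backendip" => "10.0.0.1" ) }
-it { should include("backendport" => 80 ) }
-it { should include("request_processing_time" => 0.000073 ) }
-it { should include("backend_processing_time" => 0.001048 ) }
-it { should include("response_processing_time" => 0.000057 ) }
-it { should include("response" => 200 ) }
-it { should include("backend_response" => 200 ) }
-it { should include("received_bytes" => 0 ) }
-it { should include("bytes" => 29 ) }
-it { should include("verb" => "GET" ) }
-it { should include("request" => "http://www.example.com:80/" ) }
-it { should include("proto" => "http" ) }
-it { should include("httpversion" => "1.1" ) }
-it { should include("urihost" => "www.example.com:80" ) }
-it { should include("path" => "/" ) }
-
-["tags", "params"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-end
-
-context "parsing a PUT request access log with missing backend info" do
-
-let(:value) { '2015-04-10T08:11:09.865823Z us-west-1-production-media 49.150.87.133:55128 - -1 -1 -1 408 0 1294336 0 "PUT https://media.xxxyyyzzz.com:443/videos/F4_M-T4X0MM6Hvy1PFHesw HTTP/1.1"' }
-
-subject { grok_match(pattern, value) }
-
-it "a pattern pass the grok expression" do
-expect(subject).to pass
-end
-
-["backendip", "backendport"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-end
-end
-
-describe "S3_ACCESS_LOG" do
-
-let(:pattern) { "S3_ACCESS_LOG" }
-
-context "parsing GET.VERSIONING message" do
-
-let(:value) { "79a5 mybucket [06/Feb/2014:00:00:38 +0000] 192.0.2.3 79a5 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /mybucket?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" -" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("owner" => "79a5" ) }
-it { should include("bucket" => "mybucket" ) }
-it { should include("timestamp" => "06/Feb/2014:00:00:38 +0000" ) }
-it { should include("clientip" => "192.0.2.3" ) }
-it { should include("requester" => "79a5" ) }
-it { should include("request_id" => "3E57427F3EXAMPLE" ) }
-it { should include("operation" => "REST.GET.VERSIONING" ) }
-it { should include("key" => "-" ) }
-
-it { should include("verb" => "GET" ) }
-it { should include("request" => "/mybucket?versioning" ) }
-it { should include("httpversion" => "1.1" ) }
-it { should include("response" => 200 ) }
-it { should include("bytes" => 113 ) }
-
-it { should include("request_time_ms" => 7 ) }
-it { should include("referrer" => "\"-\"" ) }
-it { should include("agent" => "\"S3Console/0.4\"" ) }
-
-
-["tags", "error_code", "object_size", "turnaround_time_ms", "version_id"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-
-end
-
-context "parsing a GET.OBJECT message" do
-
-let(:value) { "79a5 mybucket [12/May/2014:07:54:01 +0000] 10.0.1.2 - 7ACC4BE89EXAMPLE REST.GET.OBJECT foo/bar.html \"GET /foo/bar.html HTTP/1.1\" 304 - - 1718 10 - \"-\" \"Mozilla/5.0\" -" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("owner" => "79a5" ) }
-it { should include("bucket" => "mybucket" ) }
-it { should include("timestamp" => "12/May/2014:07:54:01 +0000" ) }
-it { should include("clientip" => "10.0.1.2" ) }
-it { should include("requester" => "-" ) }
-it { should include("request_id" => "7ACC4BE89EXAMPLE" ) }
-it { should include("operation" => "REST.GET.OBJECT" ) }
-it { should include("key" => "foo/bar.html" ) }
-
-it { should include("verb" => "GET" ) }
-it { should include("request" => "/foo/bar.html" ) }
-it { should include("httpversion" => "1.1" ) }
-it { should include("response" => 304 ) }
-it { should include("object_size" => 1718 ) }
-
-it { should include("request_time_ms" => 10 ) }
-it { should include("referrer" => "\"-\"" ) }
-it { should include("agent" => "\"Mozilla/5.0\"" ) }
-
-
-["tags", "error_code", "turnaround_time_ms", "version_id", "bytes"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-
-end
-end
-
-describe "CLOUDFRONT_ACCESS_LOG" do
-
-let(:pattern) { "CLOUDFRONT_ACCESS_LOG" }
-
-context "parsing a cloudfront access log" do
-
-let(:value) { "2016-06-10 18:41:39 IAD53 224281 192.168.1.1 GET d27enomp470abc.cloudfront.net /content/sample/thing.pdf 200 https://example.com/ Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36 - - Miss UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg== host.example.com https 883 0.036 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss" }
-
-subject { grok_match(pattern, value) }
-
-it { should include("timestamp" => "2016-06-10 18:41:39" ) }
-it { should include("x_edge_location" => "IAD53" ) }
-it { should include("sc_bytes" => 224281 ) }
-it { should include("clientip" => "192.168.1.1" ) }
-it { should include("cs_method" => "GET" ) }
-it { should include("cs_host" => "d27enomp470abc.cloudfront.net" ) }
-it { should include("cs_uri_stem" => "/content/sample/thing.pdf" ) }
-it { should include("sc_status" => 200 ) }
-it { should include("referrer" => "https://example.com/" ) }
-it { should include("agent" => "Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36" ) }
-it { should include("cs_uri_query" => "-" ) }
-it { should include("cookies" => "-" ) }
-it { should include("x_edge_result_type" => "Miss" ) }
-it { should include("x_edge_request_id" => "UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg==" ) }
-it { should include("x_host_header" => "host.example.com" ) }
-it { should include("cs_protocol" => "https" ) }
-it { should include("cs_bytes" => 883 ) }
-it { should include("time_taken" => 0.036 ) }
-it { should include("x_forwarded_for" => "-" ) }
-it { should include("ssl_protocol" => "TLSv1.2" ) }
-it { should include("ssl_cipher" => "ECDHE-RSA-AES128-GCM-SHA256" ) }
-it { should include("x_edge_response_result_type" => "Miss" ) }
-
-["tags", "params"].each do |attribute|
-it "have #{attribute} as nil" do
-expect(subject[attribute]).to be_nil
-end
-end
-end
-end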