logstash-patterns-core 4.2.0 → 4.3.0

data/spec/patterns/java_spec.rb

@@ -2,44 +2,374 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "JAVA" do
-  describe "JAVACLASS" do
-    let(:example) { 'hudson.node_monitors.AbstractAsyncNodeMonitorDescriptor' }
-    it "matches a java class with underscores" do
-      expect(grok_match(subject, example, true)['tags']).to be_nil
-    end
+describe "JAVACLASS" do
+  let(:example) { 'hudson.node_monitors.AbstractAsyncNodeMonitorDescriptor' }
+  it "matches a java class with underscores" do
+    expect(grok_match(subject, example, true)['tags']).to be_nil
   end
-  describe "JAVAFILE" do
-    let(:example) { 'Native Method' }
-    it "matches a java file name with spaces" do
-      expect(grok_match(subject, example, true)['tags']).to be_nil
-    end
+end
+describe "JAVAFILE" do
+  let(:example) { 'Native Method' }
+  it "matches a java file name with spaces" do
+    expect(grok_match(subject, example, true)['tags']).to be_nil
   end
 end
 
-describe "JAVASTACKTRACEPART" do
-  let(:pattern) { 'JAVASTACKTRACEPART' }
+describe_pattern "JAVASTACKTRACEPART", [ 'legacy', 'ecs-v1' ] do
   let(:message) { '  at com.sample.stacktrace.StackTraceExample.aMethod(StackTraceExample.java:42)' }
+
   it "matches" do
-    grok = grok_match(pattern, message, true)
-    expect(grok).to include({
-                                "message"=>"  at com.sample.stacktrace.StackTraceExample.aMethod(StackTraceExample.java:42)",
-                                "method"=>"aMethod",
-                                "class"=>"com.sample.stacktrace.StackTraceExample",
-                                "file"=>"StackTraceExample.java",
-                                "line"=>"42"
-                            })
+    if ecs_compatibility?
+      expect(subject).to include(
+                          "log" => { "origin" => { "function" => 'aMethod', "file" => { "name" => 'StackTraceExample.java', "line" => 42 } } },
+                          "java" => { "log" => { "origin" => { "class" => { "name" => 'com.sample.stacktrace.StackTraceExample' } } } }
+                      )
+    else
+      expect(subject).to include(
+                          "message"=>"  at com.sample.stacktrace.StackTraceExample.aMethod(StackTraceExample.java:42)",
+                          "method"=>"aMethod",
+                          "class"=>"com.sample.stacktrace.StackTraceExample",
+                          "file"=>"StackTraceExample.java",
+                          "line"=>"42"
+                      )
+    end
   end
 
   context 'generated file' do
     let(:message) { '  at org.jruby.RubyMethod$INVOKER$i$call.call(RubyMethod$INVOKER$i$call.gen)' }
     it "matches" do
-      grok = grok_match(pattern, message, true)
-      expect(grok).to include({
-                                  "method"=>"call",
-                                  "class"=>"org.jruby.RubyMethod$INVOKER$i$call",
-                                  "file"=>"RubyMethod$INVOKER$i$call.gen",
-                              })
+      if ecs_compatibility?
+        expect(subject).to include(
+                               "log"=>{"origin"=>{"function"=>"call", "file"=>{"name"=>"RubyMethod$INVOKER$i$call.gen"}}},
+                               "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"org.jruby.RubyMethod$INVOKER$i$call"}}}}
+                           )
+      else
+        expect(subject).to include({
+                                    "method"=>"call",
+                                    "class"=>"org.jruby.RubyMethod$INVOKER$i$call",
+                                    "file"=>"RubyMethod$INVOKER$i$call.gen",
+                                })
+      end
+    end
+  end
+
+end
+
+describe_pattern "CATALINALOG", [ 'legacy', 'ecs-v1' ] do
+
+  context 'Tomcat 4.1' do
+
+    let(:message) do
+      "Dec 30, 2020 11:30:40 AM org.apache.struts.util.PropertyMessageResources <init>\n" +
+          "INFO: Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true"
+    end
+
+    it "matches" do
+      expect(subject).to include "timestamp"=>"Dec 30, 2020 11:30:40 AM"
+      if ecs_compatibility?
+        expect(subject).to include "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"org.apache.struts.util.PropertyMessageResources"}}}},
+                                   "log"=>{"level"=>"INFO", "origin"=>{"function"=>"<init>"}}
+
+        expect(subject).to include "message"=>[message, "Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true"]
+      else
+        expect(subject).to include "class"=>"org.apache.struts.util.PropertyMessageResources",
+                                   "logmessage"=>"<init>\nINFO: Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true"
+      end
+    end
+
+  end
+
+  context 'Tomcat 6.0' do # ~ same for Tomcat 4.x - 7.x
+
+    let(:message) do
+      "Jul 30, 2020 3:00:21 PM org.apache.coyote.http11.Http11Protocol init\nINFO: Initializing Coyote HTTP/1.1 on http-8080"
+    end
+
+    it "matches" do
+      expect(subject).to include "timestamp"=>"Jul 30, 2020 3:00:21 PM"
+      if ecs_compatibility?
+        expect(subject).to include "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"org.apache.coyote.http11.Http11Protocol"}}}},
+                                   "log"=>{"level"=>"INFO", "origin"=>{"function"=>"init"}}
+
+        expect(subject).to include "message"=>[message, "Initializing Coyote HTTP/1.1 on http-8080"]
+      else
+        expect(subject).to include "class"=>"org.apache.coyote.http11.Http11Protocol",
+                                   "logmessage" => "init\nINFO: Initializing Coyote HTTP/1.1 on http-8080"
+      end
     end
+
+  end
+
+  context 'Tomcat 9.0' do # same for Tomcat 8.5
+
+    let(:message) do
+      "31-Jul-2020 16:40:38.505 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory " +
+          "Deployment of web application directory [/opt/temp/apache-tomcat-8.5.57/webapps/ROOT] has finished in [40] ms"
+    end
+
+    it "matches" do
+      if ecs_compatibility?
+        expect(subject).to include "timestamp"=>"31-Jul-2020 16:40:38.505"
+
+        expect(subject).to include "java"=>{"log"=>{"origin"=>{
+                                      "thread"=>{"name"=>"localhost-startStop-1"},
+                                      "class"=>{"name"=>"org.apache.catalina.startup.HostConfig"}}}},
+                                   "log"=>{"level"=>"INFO", "origin"=>{"function"=>"deployDirectory"}}
+
+        expect(subject).to include "message"=>[message, "Deployment of web application directory [/opt/temp/apache-tomcat-8.5.57/webapps/ROOT] has finished in [40] ms"]
+      else
+        # not supported in legacy mode
+      end
+    end
+
+  end
+
+  context 'multiline stack-trace' do
+
+    let(:message) do <<LINE
+30-Dec-2020 11:44:31.277 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8080]]
+	org.apache.catalina.LifecycleException: Protocol handler initialization failed
+		at org.apache.catalina.connector.Connector.initInternal(Connector.java:1042)
+		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
+		at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
+		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
+		at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
+		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
+		at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
+		at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
+		at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+		at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
+		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
+		at java.lang.reflect.Method.invoke(Method.java:498)
+		at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
+		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
+	Caused by: java.net.BindException: Address already in use
+		at sun.nio.ch.Net.bind0(Native Method)
+		at sun.nio.ch.Net.bind(Net.java:433)
+		at sun.nio.ch.Net.bind(Net.java:425)
+		at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
+		at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
+		at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:228)
+		at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:211)
+		at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
+		at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
+		at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
+		at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
+		at org.apache.catalina.connector.Connector.initInternal(Connector.java:1039)
+		... 13 more
+LINE
+    end
+
+    it "matches" do
+      if ecs_compatibility?
+        expect(subject).to include "timestamp"=>"30-Dec-2020 11:44:31.277"
+
+        expect(subject).to include "java"=>{"log"=>{"origin"=>{
+                                      "thread"=>{"name"=>"main"},
+                                      "class"=>{"name"=>"org.apache.catalina.util.LifecycleBase"}}}},
+                                   "log"=>{"level"=>"SEVERE", "origin"=>{"function"=>"handleSubClassException"}}
+
+        expect(subject['message'][0]).to eql message
+        message = subject['message'][1]
+        expect(message).to start_with 'Failed to initialize component [Connector[HTTP/1.1-8080]]'
+        expect(message).to include 'Caused by: java.net.BindException: Address already in use'
+      else
+        # not supported in legacy mode
+      end
+    end
+
+  end
+
+end
+
+# describe_pattern "TOMCAT50_LOG", [ 'ecs-v1' ] do
+#
+#   context 'with message' do # Tomcat 4.1
+#
+#     let(:message) do
+#       '2020-12-30 11:30:40 StandardManager[/admin]: Seeding random number generator class java.security.SecureRandom'
+#     end
+#
+#     it "matches" do
+#       expect(subject).to include "timestamp"=>"2020-12-30 11:30:40",
+#                                  "message"=>[message, "Seeding random number generator class java.security.SecureRandom"],
+#                                  "tomcat"=>{"context"=>{"name"=>"/admin"}}
+#     end
+#
+#   end
+#
+#   context 'wout message' do # Tomcat 5.0
+#
+#     let(:message) do
+#       '2020-12-30 11:28:14 StandardContext[/jsp-examples]ContextListener: contextDestroyed()'
+#     end
+#
+#     it "matches" do
+#       expect(subject).to include "timestamp"=>"2020-12-30 11:28:14",
+#                                  "log"=>{"origin"=>{"function"=>"contextDestroyed"}},
+#                                  "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"ContextListener"}}}},
+#                                  "tomcat"=>{"context"=>{"name"=>"/jsp-examples"}}
+#     end
+#
+#   end
+#
+# end
+
+describe_pattern "TOMCATLOG", [ 'legacy', 'ecs-v1' ] do
+
+  context 'Tomcat 8.0 message' do # same for 8.5, 9.0
+
+    let(:message) do
+      "31-Jul-2020 16:40:38.451 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log " +
+          "ContextListener: attributeAdded('StockTicker', 'async.Stockticker@42dd551d')"
+    end
+
+    it "matches" do
+      if ecs_compatibility?
+        expect(subject).to include "timestamp"=>"31-Jul-2020 16:40:38.451"
+        expect(subject).to include "log"=>{"level"=>"INFO", "origin"=>{"function"=>"log"}},
+                                   "java"=>{"log"=>{"origin"=>{
+                                       "class"=>{"name"=>"org.apache.catalina.core.ApplicationContext"},
+                                       "thread"=>{"name"=>"localhost-startStop-1"}
+                                   }}}
+        expect(subject['message']).to eql [message, "ContextListener: attributeAdded('StockTicker', 'async.Stockticker@42dd551d')"]
+      else
+        # not supported
+      end
+    end
+
+  end
+
+  context 'Tomcat 7.0 message' do # same in Tomcat 6.0
+
+    let(:message) do
+      "Jul 31, 2020 4:40:20 PM org.apache.catalina.core.ApplicationContext log\n" +
+          "INFO: SessionListener: contextDestroyed()"
+    end
+
+    it "matches" do
+      if ecs_compatibility?
+        expect(subject).to include "timestamp"=>"Jul 31, 2020 4:40:20 PM"
+        expect(subject).to include "log"=>{"level"=>"INFO", "origin"=>{"function"=>"log"}},
+                                   "java"=>{"log"=>{"origin"=>{
+                                       "class"=>{"name"=>"org.apache.catalina.core.ApplicationContext"}
+                                   }}}
+        expect(subject['message']).to eql [message, "SessionListener: contextDestroyed()"]
+      else
+        # not supported
+      end
+    end
+
+  end
+
+  context 'multi-line trace' do # multi-line Tomcat 7.0 like format
+
+    let(:message) do <<LINE
+Oct 30, 2013 11:10:05 AM org.apache.catalina.core.StandardWrapperValve invoke
+SEVERE: Servlet.service() for servlet [jsp] in context with path [] threw exception [java.lang.ClassCastException: org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl] with root cause
+java.lang.ClassCastException: org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl
+    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:1023)
+    at org.apache.jsp.index_jsp._jspService(index_jsp.java:85)
+    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
+    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
+    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
+    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
+    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
+    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
+    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
+    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
+    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
+    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
+    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
+    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
+    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
+    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
+    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
+    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
+    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
+    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
+    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
+    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
+    at java.lang.Thread.run(Thread.java:724)
+LINE
+    end
+
+    it "matches" do
+      if ecs_compatibility?
+        expect(subject).to include "timestamp"=>"Oct 30, 2013 11:10:05 AM"
+
+        expect(subject).to include "java"=>{"log"=>{"origin"=>{
+                                      "class"=>{"name"=>"org.apache.catalina.core.StandardWrapperValve"}}
+                                    }},
+                                   "log"=>{"level"=>"SEVERE", "origin"=>{"function"=>"invoke"}}
+
+        message = subject['message'][1]
+        expect(message).to start_with 'Servlet.service() for servlet [jsp] in context with path [] threw exception [java.lang.ClassCastException: org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl] with root cause'
+        expect(message).to include('at java.lang.Thread.run(Thread.java')
+      else
+        # not supported in legacy mode
+      end
+    end
+
+  end
+
+  context '(weird) example format' do
+    # the format we've started - seems custom, Tomcat all the way back to 4.x did no use | separator by default
+    let(:message) do
+      '2014-01-09 20:03:28,269 -0800 | ERROR | com.example.service.ExampleService - something compeletely unexpected happened...'
+    end
+
+    it "matches" do
+      expect(subject).to include "timestamp"=>"2014-01-09 20:03:28,269 -0800"
+      if ecs_compatibility?
+        expect(subject).to include "log"=>{"level"=>"ERROR"},
+                                   "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"com.example.service.ExampleService"}}}}
+      else
+        expect(subject).to include "level"=>"ERROR"
+      end
+    end
+
+    it "'generates' the message field" do
+      if ecs_compatibility?
+        expect(subject).to include "message"=>[message, "something compeletely unexpected happened..."]
+      else
+        expect(subject).to include("logmessage" => "something compeletely unexpected happened...")
+      end
+    end
+
+  end
+
+end
+
+describe_pattern "TOMCAT_DATESTAMP", [ 'legacy', 'ecs-v1' ] do
+
+  context '<= 7.0 format' do
+
+    let(:message) { 'Jul 31, 2020 4:40:20 PM' }
+
+    it "matches" do
+      expect(grok_match(pattern, message, true)['tags']).to be nil if ecs_compatibility?
+    end
+
+  end
+
+  context '>= 8.0 format' do
+
+    let(:message) { '30-Jun-2020 16:40:38.451' }
+
+    it "matches" do
+      expect(grok_match(pattern, message, true)['tags']).to be nil if ecs_compatibility?
+    end
+
+  end
+
+  context 'legacy format' do
+
+    let(:message) { '2014-01-09 20:03:28,269 -0800' }
+
+    it "matches" do
+      expect(grok_match(pattern, message, true)['tags']).to be nil
+    end
+
   end
 end

data/spec/patterns/junos_spec.rb

@@ -0,0 +1,101 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+# NOTE: we only support non-structured log formats for all RT_FLOW_
+
+describe_pattern "RT_FLOW1", ['legacy', 'ecs-v1'] do
+
+  let(:message) do
+    'Dec 17 08:05:30 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.10.10.2/53836->10.10.10.1/22 junos-ssh' +
+    ' 10.10.10.2/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 78(6657) 122(13305) 45' +
+    ' UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 No '
+  end
+
+  it 'matches' do
+    if ecs_compatibility?
+      expect(subject).to include(
+                             "source"=>{"ip"=>"10.10.10.2", "port"=>53836, "nat"=>{"ip"=>"10.10.10.2", "port"=>53836}, "bytes"=>6657},
+                             "destination"=>{"ip"=>"10.10.10.1", "port"=>22, "nat"=>{"ip"=>"10.10.10.1", "port"=>22}, "bytes"=>13305},
+                             "observer"=>{"egress"=>{"zone"=>"junos-host"}, "ingress"=>{"zone"=>"untrust"}},
+                             "rule"=>{"name"=>"log-host-traffic"},
+                             "network"=>{"iana_number"=>"6"},
+                             "juniper"=>{"srx"=>{
+                                 "tag"=>"RT_FLOW_SESSION_CLOSE", "reason"=>"session closed TCP FIN",
+                                 "session_id"=>"5", "service_name"=>"junos-ssh", "elapsed_time"=>45
+                             }}
+                         )
+    else
+      should include("event"=>"RT_FLOW_SESSION_CLOSE", "close-reason"=>"session closed TCP FIN",
+                     "src-ip"=>"10.10.10.2", "src-port"=>"53836", "nat-src-ip"=>"10.10.10.2", "nat-src-port"=>"53836",
+                     "dst-ip"=>"10.10.10.1", "dst-port"=>"22", "nat-dst-ip"=>"10.10.10.1", "nat-dst-port"=>"22",
+                     "src-nat-rule-name"=>"None", "dst-nat-rule-name"=>"None",
+                     "protocol-id"=>"6", "policy-name"=>"log-host-traffic",
+                     "from-zone"=>"untrust", "to-zone"=>"junos-host",
+                     "service"=>"junos-ssh", "session-id"=>"5",
+                     "sent"=>"6657", "received"=>"13305", "elapsed-time"=>"45")
+    end
+  end
+
+end
+
+describe_pattern "RT_FLOW2", ['legacy', 'ecs-v1'] do
+
+  let(:message) do
+    'Dec 17 08:04:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.2/53836->10.10.10.1/22' +
+    ' junos-ssh 10.10.10.2/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0'
+  end
+
+  it 'matches' do
+    if ecs_compatibility?
+      expect(subject).to include(
+                             "source"=>{"ip"=>"10.10.10.2", "port"=>53836, "nat"=>{"ip"=>"10.10.10.2", "port"=>53836}},
+                             "destination"=>{"ip" => "10.10.10.1", "port"=>22, "nat"=>{"ip"=>"10.10.10.1", "port"=>22}},
+                             "observer"=>{"ingress"=>{"zone"=>"untrust"}, "egress"=>{"zone"=>"junos-host"}},
+                             "network"=>{"iana_number"=>"6"},
+                             "juniper"=>{"srx"=>{"service_name"=>"junos-ssh", "session_id"=>"5", "tag"=>"RT_FLOW_SESSION_CREATE"}},
+                             "rule"=>{"name"=>"log-host-traffic"}
+                         )
+    else
+      should include("event"=>"RT_FLOW_SESSION_CREATE",
+                     "src-ip"=>"10.10.10.2", "src-port"=>"53836",
+                     "dst-ip"=>"10.10.10.1", "dst-port"=>"22",
+                     "service"=>"junos-ssh",
+                     "nat-src-ip"=>"10.10.10.2", "nat-src-port"=>"53836",
+                     "nat-dst-ip"=>"10.10.10.1", "nat-dst-port"=>"22",
+                     "src-nat-rule-name"=>"None", "dst-nat-rule-name"=>"None",
+                     "protocol-id"=>"6",
+                     "policy-name"=>"log-host-traffic",
+                     "from-zone"=>"untrust", "to-zone"=>"junos-host",
+                     "session-id"=>"5")
+    end
+  end
+
+end
+
+describe_pattern "RT_FLOW3", ['legacy', 'ecs-v1'] do
+
+  let(:message) do
+    'Sep 29 23:49:20 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54924->192.168.1.1/53 junos-dns-udp ' +
+        '17(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny'
+  end
+
+  it 'matches' do
+    if ecs_compatibility?
+      expect(subject).to include(
+                             "source"=>{"ip"=>"10.0.0.1", "port"=>54924},
+                             "destination"=>{"ip"=>"192.168.1.1", "port"=>53},
+                             "juniper"=>{"srx"=>{"service_name"=>"junos-dns-udp", "tag"=>"RT_FLOW_SESSION_DENY"}},
+                             "network"=>{"iana_number"=>"17"},
+                             "observer"=>{"egress"=>{"zone"=>"trust"}, "ingress"=>{"zone"=>"trust"}},
+                             "rule"=>{"name"=>"default-deny(global)"}
+                         )
+    else
+      should include("event"=>"RT_FLOW_SESSION_DENY",
+                     "src-ip"=>"10.0.0.1", "dst-ip"=>"192.168.1.1", "src-port"=>"54924", "dst-port"=>"53",
+                     "protocol-id"=>"17", "from-zone"=>"trust", "to-zone"=>"trust",
+                     "service"=>"junos-dns-udp", "policy-name"=>"default-deny(global)")
+    end
+  end
+
+end