logstash-patterns-core 4.2.0 → 4.3.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +98 -0
- data/Gemfile +3 -0
- data/README.md +11 -18
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +0 -0
- data/patterns/{haproxy → legacy/haproxy} +0 -0
- data/patterns/{httpd → legacy/httpd} +1 -1
- data/patterns/{java → legacy/java} +0 -0
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +0 -0
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +78 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +51 -9
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +669 -66
- data/spec/patterns/haproxy_spec.rb +246 -38
- data/spec/patterns/httpd_spec.rb +215 -94
- data/spec/patterns/java_spec.rb +357 -27
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +296 -79
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +157 -121
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +80 -6
- metadata +64 -28
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
data/spec/patterns/java_spec.rb
CHANGED
@@ -2,44 +2,374 @@
|
|
2
2
|
require "spec_helper"
|
3
3
|
require "logstash/patterns/core"
|
4
4
|
|
5
|
-
describe "
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
expect(grok_match(subject, example, true)['tags']).to be_nil
|
10
|
-
end
|
5
|
+
describe "JAVACLASS" do
|
6
|
+
let(:example) { 'hudson.node_monitors.AbstractAsyncNodeMonitorDescriptor' }
|
7
|
+
it "matches a java class with underscores" do
|
8
|
+
expect(grok_match(subject, example, true)['tags']).to be_nil
|
11
9
|
end
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
10
|
+
end
|
11
|
+
describe "JAVAFILE" do
|
12
|
+
let(:example) { 'Native Method' }
|
13
|
+
it "matches a java file name with spaces" do
|
14
|
+
expect(grok_match(subject, example, true)['tags']).to be_nil
|
17
15
|
end
|
18
16
|
end
|
19
17
|
|
20
|
-
|
21
|
-
let(:pattern) { 'JAVASTACKTRACEPART' }
|
18
|
+
describe_pattern "JAVASTACKTRACEPART", [ 'legacy', 'ecs-v1' ] do
|
22
19
|
let(:message) { ' at com.sample.stacktrace.StackTraceExample.aMethod(StackTraceExample.java:42)' }
|
20
|
+
|
23
21
|
it "matches" do
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
22
|
+
if ecs_compatibility?
|
23
|
+
expect(subject).to include(
|
24
|
+
"log" => { "origin" => { "function" => 'aMethod', "file" => { "name" => 'StackTraceExample.java', "line" => 42 } } },
|
25
|
+
"java" => { "log" => { "origin" => { "class" => { "name" => 'com.sample.stacktrace.StackTraceExample' } } } }
|
26
|
+
)
|
27
|
+
else
|
28
|
+
expect(subject).to include(
|
29
|
+
"message"=>" at com.sample.stacktrace.StackTraceExample.aMethod(StackTraceExample.java:42)",
|
30
|
+
"method"=>"aMethod",
|
31
|
+
"class"=>"com.sample.stacktrace.StackTraceExample",
|
32
|
+
"file"=>"StackTraceExample.java",
|
33
|
+
"line"=>"42"
|
34
|
+
)
|
35
|
+
end
|
32
36
|
end
|
33
37
|
|
34
38
|
context 'generated file' do
|
35
39
|
let(:message) { ' at org.jruby.RubyMethod$INVOKER$i$call.call(RubyMethod$INVOKER$i$call.gen)' }
|
36
40
|
it "matches" do
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
41
|
+
if ecs_compatibility?
|
42
|
+
expect(subject).to include(
|
43
|
+
"log"=>{"origin"=>{"function"=>"call", "file"=>{"name"=>"RubyMethod$INVOKER$i$call.gen"}}},
|
44
|
+
"java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"org.jruby.RubyMethod$INVOKER$i$call"}}}}
|
45
|
+
)
|
46
|
+
else
|
47
|
+
expect(subject).to include({
|
48
|
+
"method"=>"call",
|
49
|
+
"class"=>"org.jruby.RubyMethod$INVOKER$i$call",
|
50
|
+
"file"=>"RubyMethod$INVOKER$i$call.gen",
|
51
|
+
})
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
end
|
57
|
+
|
58
|
+
describe_pattern "CATALINALOG", [ 'legacy', 'ecs-v1' ] do
|
59
|
+
|
60
|
+
context 'Tomcat 4.1' do
|
61
|
+
|
62
|
+
let(:message) do
|
63
|
+
"Dec 30, 2020 11:30:40 AM org.apache.struts.util.PropertyMessageResources <init>\n" +
|
64
|
+
"INFO: Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true"
|
65
|
+
end
|
66
|
+
|
67
|
+
it "matches" do
|
68
|
+
expect(subject).to include "timestamp"=>"Dec 30, 2020 11:30:40 AM"
|
69
|
+
if ecs_compatibility?
|
70
|
+
expect(subject).to include "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"org.apache.struts.util.PropertyMessageResources"}}}},
|
71
|
+
"log"=>{"level"=>"INFO", "origin"=>{"function"=>"<init>"}}
|
72
|
+
|
73
|
+
expect(subject).to include "message"=>[message, "Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true"]
|
74
|
+
else
|
75
|
+
expect(subject).to include "class"=>"org.apache.struts.util.PropertyMessageResources",
|
76
|
+
"logmessage"=>"<init>\nINFO: Initializing, config='org.apache.struts.util.LocalStrings', returnNull=true"
|
77
|
+
end
|
78
|
+
end
|
79
|
+
|
80
|
+
end
|
81
|
+
|
82
|
+
context 'Tomcat 6.0' do # ~ same for Tomcat 4.x - 7.x
|
83
|
+
|
84
|
+
let(:message) do
|
85
|
+
"Jul 30, 2020 3:00:21 PM org.apache.coyote.http11.Http11Protocol init\nINFO: Initializing Coyote HTTP/1.1 on http-8080"
|
86
|
+
end
|
87
|
+
|
88
|
+
it "matches" do
|
89
|
+
expect(subject).to include "timestamp"=>"Jul 30, 2020 3:00:21 PM"
|
90
|
+
if ecs_compatibility?
|
91
|
+
expect(subject).to include "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"org.apache.coyote.http11.Http11Protocol"}}}},
|
92
|
+
"log"=>{"level"=>"INFO", "origin"=>{"function"=>"init"}}
|
93
|
+
|
94
|
+
expect(subject).to include "message"=>[message, "Initializing Coyote HTTP/1.1 on http-8080"]
|
95
|
+
else
|
96
|
+
expect(subject).to include "class"=>"org.apache.coyote.http11.Http11Protocol",
|
97
|
+
"logmessage" => "init\nINFO: Initializing Coyote HTTP/1.1 on http-8080"
|
98
|
+
end
|
43
99
|
end
|
100
|
+
|
101
|
+
end
|
102
|
+
|
103
|
+
context 'Tomcat 9.0' do # same for Tomcat 8.5
|
104
|
+
|
105
|
+
let(:message) do
|
106
|
+
"31-Jul-2020 16:40:38.505 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory " +
|
107
|
+
"Deployment of web application directory [/opt/temp/apache-tomcat-8.5.57/webapps/ROOT] has finished in [40] ms"
|
108
|
+
end
|
109
|
+
|
110
|
+
it "matches" do
|
111
|
+
if ecs_compatibility?
|
112
|
+
expect(subject).to include "timestamp"=>"31-Jul-2020 16:40:38.505"
|
113
|
+
|
114
|
+
expect(subject).to include "java"=>{"log"=>{"origin"=>{
|
115
|
+
"thread"=>{"name"=>"localhost-startStop-1"},
|
116
|
+
"class"=>{"name"=>"org.apache.catalina.startup.HostConfig"}}}},
|
117
|
+
"log"=>{"level"=>"INFO", "origin"=>{"function"=>"deployDirectory"}}
|
118
|
+
|
119
|
+
expect(subject).to include "message"=>[message, "Deployment of web application directory [/opt/temp/apache-tomcat-8.5.57/webapps/ROOT] has finished in [40] ms"]
|
120
|
+
else
|
121
|
+
# not supported in legacy mode
|
122
|
+
end
|
123
|
+
end
|
124
|
+
|
125
|
+
end
|
126
|
+
|
127
|
+
context 'multiline stack-trace' do
|
128
|
+
|
129
|
+
let(:message) do <<LINE
|
130
|
+
30-Dec-2020 11:44:31.277 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8080]]
|
131
|
+
org.apache.catalina.LifecycleException: Protocol handler initialization failed
|
132
|
+
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1042)
|
133
|
+
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
|
134
|
+
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
|
135
|
+
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
|
136
|
+
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
|
137
|
+
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
|
138
|
+
at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
|
139
|
+
at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
|
140
|
+
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
|
141
|
+
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
|
142
|
+
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
|
143
|
+
at java.lang.reflect.Method.invoke(Method.java:498)
|
144
|
+
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
|
145
|
+
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
|
146
|
+
Caused by: java.net.BindException: Address already in use
|
147
|
+
at sun.nio.ch.Net.bind0(Native Method)
|
148
|
+
at sun.nio.ch.Net.bind(Net.java:433)
|
149
|
+
at sun.nio.ch.Net.bind(Net.java:425)
|
150
|
+
at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
|
151
|
+
at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
|
152
|
+
at org.apache.tomcat.util.net.NioEndpoint.initServerSocket(NioEndpoint.java:228)
|
153
|
+
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:211)
|
154
|
+
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
|
155
|
+
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
|
156
|
+
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
|
157
|
+
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
|
158
|
+
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1039)
|
159
|
+
... 13 more
|
160
|
+
LINE
|
161
|
+
end
|
162
|
+
|
163
|
+
it "matches" do
|
164
|
+
if ecs_compatibility?
|
165
|
+
expect(subject).to include "timestamp"=>"30-Dec-2020 11:44:31.277"
|
166
|
+
|
167
|
+
expect(subject).to include "java"=>{"log"=>{"origin"=>{
|
168
|
+
"thread"=>{"name"=>"main"},
|
169
|
+
"class"=>{"name"=>"org.apache.catalina.util.LifecycleBase"}}}},
|
170
|
+
"log"=>{"level"=>"SEVERE", "origin"=>{"function"=>"handleSubClassException"}}
|
171
|
+
|
172
|
+
expect(subject['message'][0]).to eql message
|
173
|
+
message = subject['message'][1]
|
174
|
+
expect(message).to start_with 'Failed to initialize component [Connector[HTTP/1.1-8080]]'
|
175
|
+
expect(message).to include 'Caused by: java.net.BindException: Address already in use'
|
176
|
+
else
|
177
|
+
# not supported in legacy mode
|
178
|
+
end
|
179
|
+
end
|
180
|
+
|
181
|
+
end
|
182
|
+
|
183
|
+
end
|
184
|
+
|
185
|
+
# describe_pattern "TOMCAT50_LOG", [ 'ecs-v1' ] do
|
186
|
+
#
|
187
|
+
# context 'with message' do # Tomcat 4.1
|
188
|
+
#
|
189
|
+
# let(:message) do
|
190
|
+
# '2020-12-30 11:30:40 StandardManager[/admin]: Seeding random number generator class java.security.SecureRandom'
|
191
|
+
# end
|
192
|
+
#
|
193
|
+
# it "matches" do
|
194
|
+
# expect(subject).to include "timestamp"=>"2020-12-30 11:30:40",
|
195
|
+
# "message"=>[message, "Seeding random number generator class java.security.SecureRandom"],
|
196
|
+
# "tomcat"=>{"context"=>{"name"=>"/admin"}}
|
197
|
+
# end
|
198
|
+
#
|
199
|
+
# end
|
200
|
+
#
|
201
|
+
# context 'wout message' do # Tomcat 5.0
|
202
|
+
#
|
203
|
+
# let(:message) do
|
204
|
+
# '2020-12-30 11:28:14 StandardContext[/jsp-examples]ContextListener: contextDestroyed()'
|
205
|
+
# end
|
206
|
+
#
|
207
|
+
# it "matches" do
|
208
|
+
# expect(subject).to include "timestamp"=>"2020-12-30 11:28:14",
|
209
|
+
# "log"=>{"origin"=>{"function"=>"contextDestroyed"}},
|
210
|
+
# "java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"ContextListener"}}}},
|
211
|
+
# "tomcat"=>{"context"=>{"name"=>"/jsp-examples"}}
|
212
|
+
# end
|
213
|
+
#
|
214
|
+
# end
|
215
|
+
#
|
216
|
+
# end
|
217
|
+
|
218
|
+
describe_pattern "TOMCATLOG", [ 'legacy', 'ecs-v1' ] do
|
219
|
+
|
220
|
+
context 'Tomcat 8.0 message' do # same for 8.5, 9.0
|
221
|
+
|
222
|
+
let(:message) do
|
223
|
+
"31-Jul-2020 16:40:38.451 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log " +
|
224
|
+
"ContextListener: attributeAdded('StockTicker', 'async.Stockticker@42dd551d')"
|
225
|
+
end
|
226
|
+
|
227
|
+
it "matches" do
|
228
|
+
if ecs_compatibility?
|
229
|
+
expect(subject).to include "timestamp"=>"31-Jul-2020 16:40:38.451"
|
230
|
+
expect(subject).to include "log"=>{"level"=>"INFO", "origin"=>{"function"=>"log"}},
|
231
|
+
"java"=>{"log"=>{"origin"=>{
|
232
|
+
"class"=>{"name"=>"org.apache.catalina.core.ApplicationContext"},
|
233
|
+
"thread"=>{"name"=>"localhost-startStop-1"}
|
234
|
+
}}}
|
235
|
+
expect(subject['message']).to eql [message, "ContextListener: attributeAdded('StockTicker', 'async.Stockticker@42dd551d')"]
|
236
|
+
else
|
237
|
+
# not supported
|
238
|
+
end
|
239
|
+
end
|
240
|
+
|
241
|
+
end
|
242
|
+
|
243
|
+
context 'Tomcat 7.0 message' do # same in Tomcat 6.0
|
244
|
+
|
245
|
+
let(:message) do
|
246
|
+
"Jul 31, 2020 4:40:20 PM org.apache.catalina.core.ApplicationContext log\n" +
|
247
|
+
"INFO: SessionListener: contextDestroyed()"
|
248
|
+
end
|
249
|
+
|
250
|
+
it "matches" do
|
251
|
+
if ecs_compatibility?
|
252
|
+
expect(subject).to include "timestamp"=>"Jul 31, 2020 4:40:20 PM"
|
253
|
+
expect(subject).to include "log"=>{"level"=>"INFO", "origin"=>{"function"=>"log"}},
|
254
|
+
"java"=>{"log"=>{"origin"=>{
|
255
|
+
"class"=>{"name"=>"org.apache.catalina.core.ApplicationContext"}
|
256
|
+
}}}
|
257
|
+
expect(subject['message']).to eql [message, "SessionListener: contextDestroyed()"]
|
258
|
+
else
|
259
|
+
# not supported
|
260
|
+
end
|
261
|
+
end
|
262
|
+
|
263
|
+
end
|
264
|
+
|
265
|
+
context 'multi-line trace' do # multi-line Tomcat 7.0 like format
|
266
|
+
|
267
|
+
let(:message) do <<LINE
|
268
|
+
Oct 30, 2013 11:10:05 AM org.apache.catalina.core.StandardWrapperValve invoke
|
269
|
+
SEVERE: Servlet.service() for servlet [jsp] in context with path [] threw exception [java.lang.ClassCastException: org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl] with root cause
|
270
|
+
java.lang.ClassCastException: org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl
|
271
|
+
at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:1023)
|
272
|
+
at org.apache.jsp.index_jsp._jspService(index_jsp.java:85)
|
273
|
+
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
|
274
|
+
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
|
275
|
+
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
|
276
|
+
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
|
277
|
+
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
|
278
|
+
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
|
279
|
+
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
|
280
|
+
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
|
281
|
+
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
|
282
|
+
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
|
283
|
+
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
|
284
|
+
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
|
285
|
+
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
|
286
|
+
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
|
287
|
+
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
|
288
|
+
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
|
289
|
+
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
|
290
|
+
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
|
291
|
+
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
|
292
|
+
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
|
293
|
+
at java.lang.Thread.run(Thread.java:724)
|
294
|
+
LINE
|
295
|
+
end
|
296
|
+
|
297
|
+
it "matches" do
|
298
|
+
if ecs_compatibility?
|
299
|
+
expect(subject).to include "timestamp"=>"Oct 30, 2013 11:10:05 AM"
|
300
|
+
|
301
|
+
expect(subject).to include "java"=>{"log"=>{"origin"=>{
|
302
|
+
"class"=>{"name"=>"org.apache.catalina.core.StandardWrapperValve"}}
|
303
|
+
}},
|
304
|
+
"log"=>{"level"=>"SEVERE", "origin"=>{"function"=>"invoke"}}
|
305
|
+
|
306
|
+
message = subject['message'][1]
|
307
|
+
expect(message).to start_with 'Servlet.service() for servlet [jsp] in context with path [] threw exception [java.lang.ClassCastException: org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl] with root cause'
|
308
|
+
expect(message).to include('at java.lang.Thread.run(Thread.java')
|
309
|
+
else
|
310
|
+
# not supported in legacy mode
|
311
|
+
end
|
312
|
+
end
|
313
|
+
|
314
|
+
end
|
315
|
+
|
316
|
+
context '(weird) example format' do
|
317
|
+
# the format we've started - seems custom, Tomcat all the way back to 4.x did no use | separator by default
|
318
|
+
let(:message) do
|
319
|
+
'2014-01-09 20:03:28,269 -0800 | ERROR | com.example.service.ExampleService - something compeletely unexpected happened...'
|
320
|
+
end
|
321
|
+
|
322
|
+
it "matches" do
|
323
|
+
expect(subject).to include "timestamp"=>"2014-01-09 20:03:28,269 -0800"
|
324
|
+
if ecs_compatibility?
|
325
|
+
expect(subject).to include "log"=>{"level"=>"ERROR"},
|
326
|
+
"java"=>{"log"=>{"origin"=>{"class"=>{"name"=>"com.example.service.ExampleService"}}}}
|
327
|
+
else
|
328
|
+
expect(subject).to include "level"=>"ERROR"
|
329
|
+
end
|
330
|
+
end
|
331
|
+
|
332
|
+
it "'generates' the message field" do
|
333
|
+
if ecs_compatibility?
|
334
|
+
expect(subject).to include "message"=>[message, "something compeletely unexpected happened..."]
|
335
|
+
else
|
336
|
+
expect(subject).to include("logmessage" => "something compeletely unexpected happened...")
|
337
|
+
end
|
338
|
+
end
|
339
|
+
|
340
|
+
end
|
341
|
+
|
342
|
+
end
|
343
|
+
|
344
|
+
describe_pattern "TOMCAT_DATESTAMP", [ 'legacy', 'ecs-v1' ] do
|
345
|
+
|
346
|
+
context '<= 7.0 format' do
|
347
|
+
|
348
|
+
let(:message) { 'Jul 31, 2020 4:40:20 PM' }
|
349
|
+
|
350
|
+
it "matches" do
|
351
|
+
expect(grok_match(pattern, message, true)['tags']).to be nil if ecs_compatibility?
|
352
|
+
end
|
353
|
+
|
354
|
+
end
|
355
|
+
|
356
|
+
context '>= 8.0 format' do
|
357
|
+
|
358
|
+
let(:message) { '30-Jun-2020 16:40:38.451' }
|
359
|
+
|
360
|
+
it "matches" do
|
361
|
+
expect(grok_match(pattern, message, true)['tags']).to be nil if ecs_compatibility?
|
362
|
+
end
|
363
|
+
|
364
|
+
end
|
365
|
+
|
366
|
+
context 'legacy format' do
|
367
|
+
|
368
|
+
let(:message) { '2014-01-09 20:03:28,269 -0800' }
|
369
|
+
|
370
|
+
it "matches" do
|
371
|
+
expect(grok_match(pattern, message, true)['tags']).to be nil
|
372
|
+
end
|
373
|
+
|
44
374
|
end
|
45
375
|
end
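Review bot: Several of the new examples assert nothing when run in legacy mode — the `else` branches at new lines 121, 177, 237, 259 and 310 contain only a `# not supported` comment, and the TOMCAT_DATESTAMP examples at new lines 351 and 361 guard their single expectation with `if ecs_compatibility?` — so under `describe_pattern ..., [ 'legacy', 'ecs-v1' ]` the legacy run passes vacuously and a legacy pattern that later starts or stops accepting these inputs would go unnoticed. If the spec helper tags a failed match the way Logstash's grok does, pin the intended outcome in each empty branch, e.g. `expect(subject['tags']).to include('_grokparsefailure')`, or remove `'legacy'` from those describe_pattern lists so the example only runs where it has an assertion. The `grok_match(pattern, message, true)` calls at new lines 351 and 361 rely on `pattern` being supplied by `describe_pattern`; that helper lives in spec_helper.rb, outside this hunk, so I cannot confirm it exposes the same `tags` shape as `subject`.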
|
@@ -0,0 +1,101 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "spec_helper"
|
3
|
+
require "logstash/patterns/core"
|
4
|
+
|
5
|
+
# NOTE: we only support non-structured log formats for all RT_FLOW_
|
6
|
+
|
7
|
+
describe_pattern "RT_FLOW1", ['legacy', 'ecs-v1'] do
|
8
|
+
|
9
|
+
let(:message) do
|
10
|
+
'Dec 17 08:05:30 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.10.10.2/53836->10.10.10.1/22 junos-ssh' +
|
11
|
+
' 10.10.10.2/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 78(6657) 122(13305) 45' +
|
12
|
+
' UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 No '
|
13
|
+
end
|
14
|
+
|
15
|
+
it 'matches' do
|
16
|
+
if ecs_compatibility?
|
17
|
+
expect(subject).to include(
|
18
|
+
"source"=>{"ip"=>"10.10.10.2", "port"=>53836, "nat"=>{"ip"=>"10.10.10.2", "port"=>53836}, "bytes"=>6657},
|
19
|
+
"destination"=>{"ip"=>"10.10.10.1", "port"=>22, "nat"=>{"ip"=>"10.10.10.1", "port"=>22}, "bytes"=>13305},
|
20
|
+
"observer"=>{"egress"=>{"zone"=>"junos-host"}, "ingress"=>{"zone"=>"untrust"}},
|
21
|
+
"rule"=>{"name"=>"log-host-traffic"},
|
22
|
+
"network"=>{"iana_number"=>"6"},
|
23
|
+
"juniper"=>{"srx"=>{
|
24
|
+
"tag"=>"RT_FLOW_SESSION_CLOSE", "reason"=>"session closed TCP FIN",
|
25
|
+
"session_id"=>"5", "service_name"=>"junos-ssh", "elapsed_time"=>45
|
26
|
+
}}
|
27
|
+
)
|
28
|
+
else
|
29
|
+
should include("event"=>"RT_FLOW_SESSION_CLOSE", "close-reason"=>"session closed TCP FIN",
|
30
|
+
"src-ip"=>"10.10.10.2", "src-port"=>"53836", "nat-src-ip"=>"10.10.10.2", "nat-src-port"=>"53836",
|
31
|
+
"dst-ip"=>"10.10.10.1", "dst-port"=>"22", "nat-dst-ip"=>"10.10.10.1", "nat-dst-port"=>"22",
|
32
|
+
"src-nat-rule-name"=>"None", "dst-nat-rule-name"=>"None",
|
33
|
+
"protocol-id"=>"6", "policy-name"=>"log-host-traffic",
|
34
|
+
"from-zone"=>"untrust", "to-zone"=>"junos-host",
|
35
|
+
"service"=>"junos-ssh", "session-id"=>"5",
|
36
|
+
"sent"=>"6657", "received"=>"13305", "elapsed-time"=>"45")
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
end
|
41
|
+
|
42
|
+
describe_pattern "RT_FLOW2", ['legacy', 'ecs-v1'] do
|
43
|
+
|
44
|
+
let(:message) do
|
45
|
+
'Dec 17 08:04:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.2/53836->10.10.10.1/22' +
|
46
|
+
' junos-ssh 10.10.10.2/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0'
|
47
|
+
end
|
48
|
+
|
49
|
+
it 'matches' do
|
50
|
+
if ecs_compatibility?
|
51
|
+
expect(subject).to include(
|
52
|
+
"source"=>{"ip"=>"10.10.10.2", "port"=>53836, "nat"=>{"ip"=>"10.10.10.2", "port"=>53836}},
|
53
|
+
"destination"=>{"ip" => "10.10.10.1", "port"=>22, "nat"=>{"ip"=>"10.10.10.1", "port"=>22}},
|
54
|
+
"observer"=>{"ingress"=>{"zone"=>"untrust"}, "egress"=>{"zone"=>"junos-host"}},
|
55
|
+
"network"=>{"iana_number"=>"6"},
|
56
|
+
"juniper"=>{"srx"=>{"service_name"=>"junos-ssh", "session_id"=>"5", "tag"=>"RT_FLOW_SESSION_CREATE"}},
|
57
|
+
"rule"=>{"name"=>"log-host-traffic"}
|
58
|
+
)
|
59
|
+
else
|
60
|
+
should include("event"=>"RT_FLOW_SESSION_CREATE",
|
61
|
+
"src-ip"=>"10.10.10.2", "src-port"=>"53836",
|
62
|
+
"dst-ip"=>"10.10.10.1", "dst-port"=>"22",
|
63
|
+
"service"=>"junos-ssh",
|
64
|
+
"nat-src-ip"=>"10.10.10.2", "nat-src-port"=>"53836",
|
65
|
+
"nat-dst-ip"=>"10.10.10.1", "nat-dst-port"=>"22",
|
66
|
+
"src-nat-rule-name"=>"None", "dst-nat-rule-name"=>"None",
|
67
|
+
"protocol-id"=>"6",
|
68
|
+
"policy-name"=>"log-host-traffic",
|
69
|
+
"from-zone"=>"untrust", "to-zone"=>"junos-host",
|
70
|
+
"session-id"=>"5")
|
71
|
+
end
|
72
|
+
end
|
73
|
+
|
74
|
+
end
|
75
|
+
|
76
|
+
describe_pattern "RT_FLOW3", ['legacy', 'ecs-v1'] do
|
77
|
+
|
78
|
+
let(:message) do
|
79
|
+
'Sep 29 23:49:20 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54924->192.168.1.1/53 junos-dns-udp ' +
|
80
|
+
'17(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny'
|
81
|
+
end
|
82
|
+
|
83
|
+
it 'matches' do
|
84
|
+
if ecs_compatibility?
|
85
|
+
expect(subject).to include(
|
86
|
+
"source"=>{"ip"=>"10.0.0.1", "port"=>54924},
|
87
|
+
"destination"=>{"ip"=>"192.168.1.1", "port"=>53},
|
88
|
+
"juniper"=>{"srx"=>{"service_name"=>"junos-dns-udp", "tag"=>"RT_FLOW_SESSION_DENY"}},
|
89
|
+
"network"=>{"iana_number"=>"17"},
|
90
|
+
"observer"=>{"egress"=>{"zone"=>"trust"}, "ingress"=>{"zone"=>"trust"}},
|
91
|
+
"rule"=>{"name"=>"default-deny(global)"}
|
92
|
+
)
|
93
|
+
else
|
94
|
+
should include("event"=>"RT_FLOW_SESSION_DENY",
|
95
|
+
"src-ip"=>"10.0.0.1", "dst-ip"=>"192.168.1.1", "src-port"=>"54924", "dst-port"=>"53",
|
96
|
+
"protocol-id"=>"17", "from-zone"=>"trust", "to-zone"=>"trust",
|
97
|
+
"service"=>"junos-dns-udp", "policy-name"=>"default-deny(global)")
|
98
|
+
end
|
99
|
+
end
|
100
|
+
|
101
|
+
end
|