logstash-patterns-core 4.2.0 → 4.3.0

data/spec/patterns/mcollective_spec.rb

@@ -0,0 +1,35 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe_pattern "MCOLLECTIVE", ['legacy', 'ecs-v1'] do
+
+  let(:message) { "I, [2010-12-29T11:15:32.321744 #11479]  INFO -- : mcollectived:33 The Marionette Collective 1.1.0 started logging at info level" }
+
+  it do
+    should include("timestamp" => "2010-12-29T11:15:32.321744")
+  end
+
+  it do
+    if ecs_compatibility?
+      should include("process" => { "pid" => 11479 })
+    else
+      should include("pid" => "11479")
+    end
+  end
+
+  it do
+    if ecs_compatibility?
+      should include("log" => hash_including("level" => "INFO"))
+    else
+      should include("event_level" => "INFO")
+    end
+  end
+
+  # NOTE: pattern seems unfinished - missing match of remaining message
+  it 'should have extracted message' do
+    # but did not :
+    expect( subject['message'] ).to eql message
+  end
+
+end

data/spec/patterns/mongodb_spec.rb

@@ -2,83 +2,220 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "MONGO3_LOG" do
-
-  let(:pattern)    { "MONGO3_LOG" }
+describe_pattern "MONGO3_LOG", ['legacy', 'ecs-v1'] do
 
   context "parsing an standard/basic message" do
 
-    let(:value) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
-
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2014-11-03T18:28:32.450-0500 I NETWORK [initandlisten] waiting for connections on port 27017" }
 
     it { should include("timestamp" => "2014-11-03T18:28:32.450-0500") }
 
-    it { should include("severity" => "I") }
+    it do
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
+    end
 
-    it { should include("component" => "NETWORK") }
+    it do
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "NETWORK"))
+      else
+        should include("component" => "NETWORK")
+      end
+    end
 
-    it { should include("context" => "initandlisten") }
+    it do
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "initandlisten"))
+      else
+        should include("context" => "initandlisten")
+      end
+    end
 
     it "generates a message field" do
-      expect(subject["message"]).to include("waiting for connections on port 27017")
+      expect(subject["message"]).to eql [ message, "waiting for connections on port 27017" ]
     end
   end
 
   context "parsing a message with a missing component" do
 
-    let(:value) { "2015-02-24T18:17:47.148+0000 F -        [conn11] Got signal: 11 (Segmentation fault)." }
+    let(:message) { "2015-02-24T18:17:47.148+0000 F -        [conn11] Got signal: 11 (Segmentation fault)." }
 
-    subject     { grok_match(pattern, value) }
+    it 'matches' do
+      should include("timestamp" => "2015-02-24T18:17:47.148+0000")
 
-    it { should include("timestamp" => "2015-02-24T18:17:47.148+0000") }
+      if ecs_compatibility?
+        expect( grok_result['mongodb'].keys ).to_not include("component")
+      else
+        should include("component" => "-")
+      end
 
-    it { should include("severity" => "F") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "F" })
+      else
+        should include("severity" => "F")
+      end
 
-    it { should include("component" => "-") }
-
-    it { should include("context" => "conn11") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "conn11"))
+      else
+        should include("context" => "conn11")
+      end
+    end
 
     it "generates a message field" do
-      expect(subject["message"]).to include("Got signal: 11 (Segmentation fault).")
+      expect(subject["message"]).to eql [ message, "Got signal: 11 (Segmentation fault)." ]
     end
   end
 
   context "parsing a message with a multiwords context" do
 
-    let(:value) { "2015-04-23T06:57:28.256+0200 I JOURNAL  [journal writer] Journal writer thread started" }
-
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2015-04-23T06:57:28.256+0200 I JOURNAL  [journal writer] Journal writer thread started" }
 
-    it { should include("timestamp" => "2015-04-23T06:57:28.256+0200") }
+    it 'matches' do
+      should include("timestamp" => "2015-04-23T06:57:28.256+0200")
 
-    it { should include("severity" => "I") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
 
-    it { should include("component" => "JOURNAL") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "JOURNAL"))
+      else
+        should include("component" => "JOURNAL")
+      end
 
-    it { should include("context" => "journal writer") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("context" => "journal writer"))
+      else
+        should include("context" => "journal writer")
+      end
+    end
 
     it "generates a message field" do
       expect(subject["message"]).to include("Journal writer thread started")
     end
+
+    context '3.6 simple log line' do
+
+      let(:message) do
+        '2020-08-13T11:58:09.672+0200 I NETWORK  [conn2] end connection 127.0.0.1:41258 (1 connection now open)'
+      end
+
+      it 'matches' do
+        should include("timestamp" => "2020-08-13T11:58:09.672+0200")
+
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("component" => "NETWORK"))
+        else
+          should include("component" => "NETWORK")
+        end
+
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("context" => "conn2"))
+        else
+          should include("context" => "conn2")
+        end
+
+        expect(subject["message"]).to include("end connection 127.0.0.1:41258 (1 connection now open)")
+      end
+
+    end
+
+    context '3.6 long log line' do
+
+      let(:command) do
+        'command config.$cmd command: createIndexes { createIndexes: "system.sessions", ' +
+            'indexes: [ { key: { lastUse: 1 }, name: "lsidTTLIndex", expireAfterSeconds: 1800 } ], $db: "config" } ' +
+            'numYields:0 reslen:101 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { w: 2 } }, ' +
+            'Collection: { acquireCount: { w: 1 } } } protocol:op_msg 0ms'
+      end
+
+      let(:message) do
+        '2020-08-13T11:57:45.259+0200 I COMMAND  [LogicalSessionCacheRefresh] ' + command
+      end
+
+      it 'matches' do
+        should include("timestamp" => "2020-08-13T11:57:45.259+0200")
+
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("component" => "COMMAND"))
+        else
+          should include("component" => "COMMAND")
+        end
+
+        if ecs_compatibility?
+          should include("mongodb" => hash_including("context" => "LogicalSessionCacheRefresh"))
+        else
+          should include("context" => "LogicalSessionCacheRefresh")
+        end
+
+        expect(subject["message"]).to eql [message, command]
+      end
+
+    end
+
   end
 
   context "parsing a message without context" do
 
-    let(:value) { "2015-04-23T07:00:13.864+0200 I CONTROL  Ctrl-C signal" }
-
-    subject     { grok_match(pattern, value) }
+    let(:message) { "2015-04-23T07:00:13.864+0200 I CONTROL  Ctrl-C signal" }
 
-    it { should include("timestamp" => "2015-04-23T07:00:13.864+0200") }
+    it 'matches' do
+      should include("timestamp" => "2015-04-23T07:00:13.864+0200")
 
-    it { should include("severity" => "I") }
+      if ecs_compatibility?
+        should include("log" => { 'level' => "I" })
+      else
+        should include("severity" => "I")
+      end
 
-    it { should include("component" => "CONTROL") }
+      if ecs_compatibility?
+        should include("mongodb" => hash_including("component" => "CONTROL"))
+      else
+        should include("component" => "CONTROL")
+      end
 
-    it { should_not have_key("context") }
+      if ecs_compatibility?
+        expect( grok_result['mongodb'].keys ).to_not include("context")
+      else
+        should_not have_key("context")
+      end
+    end
 
     it "generates a message field" do
-      expect(subject["message"]).to include("Ctrl-C signal")
+      expect(subject["message"]).to eql [ message, "Ctrl-C signal" ]
     end
   end
 end
+
+describe_pattern "MONGO_SLOWQUERY", ['legacy', 'ecs-v1'] do
+
+  let(:message) do
+    "[conn11485496] query sample.User query: { clientId: 12345 } ntoreturn:0 ntoskip:0 nscanned:287011 keyUpdates:0 numYields: 2 locks(micros) r:4187700 nreturned:18 reslen:14019 2340ms"
+  end
+
+  it do
+    if ecs_compatibility?
+      should include("mongodb" => {
+          "database" => "sample", "collection" => "User",
+          "query" => { "original"=>"{ clientId: 12345 }" },
+          "profile" => {
+              "op" => "query",
+              "ntoreturn" => 0, "ntoskip" => 0, "nscanned" => 287011, "nreturned" => 18,
+              "duration" => 2340
+          }
+      })
+    else
+      should include("database" => "sample", "collection" => "User")
+      should include("ntoreturn" => '0', "ntoskip" => '0', "nscanned" => "287011", "nreturned" => "18")
+      should include("query" => "{ clientId: 12345 }")
+      should include("duration" => "2340")
+    end
+  end
+
+end

data/spec/patterns/nagios_spec.rb

@@ -2,246 +2,463 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "NAGIOSLOGLINE - CURRENT HOST STATE" do
+describe_pattern "NAGIOSLOGLINE - CURRENT HOST STATE", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925600] CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 2.24 ms" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427925600] CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 2.24 ms" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925600")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427925600")
+    else
+      expect(grok).to include("nagios_epoch" => "1427925600")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "PING OK - Packet loss = 0%, RTA = 2.24 ms")
+    if ecs_compatibility?
+      expect(grok).to include("message" => [message, "PING OK - Packet loss = 0%, RTA = 2.24 ms"])
+    else
+      expect(grok).to include("nagios_message" => "PING OK - Packet loss = 0%, RTA = 2.24 ms")
+    end
   end
 
   it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "nagioshost")
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "nagioshost" })
+    else
+      expect(grok).to include("nagios_hostname" => "nagioshost")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "UP")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "UP"))
+    else
+      expect(grok).to include("nagios_state" => "UP")
+    end
   end
 
   it "generates the nagios_statetype field" do
-    expect(grok).to include("nagios_statetype" => "HARD")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "HARD")))
+    else
+      expect(grok).to include("nagios_statetype" => "HARD")
+    end
   end
 
 end
 
-describe "NAGIOSLOGLINE - CURRENT SERVICE STATE" do
+describe_pattern "NAGIOSLOGLINE - CURRENT SERVICE STATE", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925600] CURRENT SERVICE STATE: nagioshost;nagiosservice;OK;HARD;1;nagiosmessage" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427925600] CURRENT SERVICE STATE: nagioshost;SSH;OK;HARD;1;nagiosmessage" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "CURRENT SERVICE STATE")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => "CURRENT SERVICE STATE")))
+    else
+      expect(grok).to include("nagios_type" => "CURRENT SERVICE STATE")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925600")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427925600")
+    else
+      expect(grok).to include("nagios_epoch" => "1427925600")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "nagiosmessage")
+    if ecs_compatibility?
+      expect(grok).to include("message" => [message, "nagiosmessage"])
+    else
+      expect(grok).to include("nagios_message" => "nagiosmessage")
+    end
   end
 
-  it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "nagioshost")
+  it "generates the hostname field" do
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "nagioshost" })
+    else
+      expect(grok).to include("nagios_hostname" => "nagioshost")
+    end
   end
 
-  it "generates the nagios_service field" do
-    expect(grok).to include("nagios_service" => "nagiosservice")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => "SSH"))
+    else
+      expect(grok).to include("nagios_service" => "SSH")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "OK")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "OK"))
+    else
+      expect(grok).to include("nagios_state" => "OK")
+    end
   end
 
   it "generates the nagios_statetype field" do
-    expect(grok).to include("nagios_statetype" => "HARD")
-  end
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "HARD")))
+    else
+      expect(grok).to include("nagios_statetype" => "HARD")
+    end
+  end
+
+  it "generates the nagios_statecode field" do
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("attempt" => 1)))
+    else
+      # NOTE: (legacy) nagios_statecode corresponds to current_attempt (according to Nagios' source)
+      expect(grok).to include("nagios_statecode" => "1")
+    end
+  end
+
+  context 'real-world example' do
+
+    let(:message) do
+      '[1427956600] CURRENT SERVICE STATE: prod-virtual-ESz06;check_vmfs_prod-PvDC2;CRITICAL;HARD;3;CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)'
+    end
+
+    it 'matches' do
+      if ecs_compatibility?
+        expect(grok).to include(
+          "host" => { "hostname" => "prod-virtual-ESz06" },
+          "service" => { "name" => "check_vmfs_prod-PvDC2", "state" => 'CRITICAL' },
+          "nagios" => { "log" => {
+              "type" => "CURRENT SERVICE STATE",
+              "state_type" => "HARD",
+              "attempt" => 3
+          }},
+          "message" => [message, "CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)"]
+        )
+      else
+        expect(grok).to include(
+          "nagios_type"=>"CURRENT SERVICE STATE",
+          "nagios_state"=>"CRITICAL",
+          "nagios_statetype"=>"HARD",
+          "nagios_hostname"=>"prod-virtual-ESz06",
+          "nagios_statecode"=>"3", # NOTE: "incorrect" - corresponds to current_attempt (according to Nagios' source)
+          "nagios_message"=>"CRITICAL - /vmfs/volumes/prod-vsRoot - total: 8191.75 Gb - used: 7859.84 Gb (95%)- free: 331.90 Gb (5%)"
+        )
+      end
+    end
 
+  end
 end
 
-describe "NAGIOSLOGLINE - TIMEPERIOD TRANSITION" do
+describe_pattern "NAGIOSLOGLINE - TIMEPERIOD TRANSITION", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925600] TIMEPERIOD TRANSITION: 24X7;-1;1" }
-  let(:grok)    { grok_match(subject, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
+  let(:message) { "[1427925600] TIMEPERIOD TRANSITION: 24X7;-1;1" }
 
-  it "matches a simple message" do
-    expect(subject).to match(value)
+  it "matches the message" do
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "TIMEPERIOD TRANSITION")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'TIMEPERIOD TRANSITION')))
+    else
+      expect(grok).to include("nagios_type" => "TIMEPERIOD TRANSITION")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925600")
+    expect(grok).to include("nagios_epoch" => "1427925600") unless ecs_compatibility?
   end
 
-  it "generates the nagios_esrvice field" do
-    expect(grok).to include("nagios_service" => "24X7")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => '24X7'))
+    else
+      expect(grok).to include("nagios_service" => "24X7")
+    end
   end
 
   it "generates the period from/to fields" do
-    expect(grok).to include("nagios_unknown1" => "-1", "nagios_unknown2" => "1")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("period_from" => -1, "period_to" => 1)))
+    else
+      expect(grok).to include("nagios_unknown1" => "-1", "nagios_unknown2" => "1")
+    end
   end
 
   # Regression test for but fixed in Nagios patterns #30
   it "doesn't end in a semi-colon" do
-    expect(grok['message']).to_not end_with(";")
+    message = grok['message']
+    message = message.last if message.is_a?(Array)
+    expect(message).to_not end_with(";")
   end
 
 end
 
-describe "NAGIOSLOGLINE - SERVICE ALERT" do
+describe_pattern "NAGIOSLOGLINE - SERVICE ALERT", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427925689] SERVICE ALERT: varnish;Varnish Backend Connections;CRITICAL;SOFT;1;Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427925689] SERVICE ALERT: varnish;Varnish Backend Connections;CRITICAL;SOFT;1;Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "SERVICE ALERT")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'SERVICE ALERT')))
+    else
+      expect(grok).to include("nagios_type" => "SERVICE ALERT")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427925689")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427925689")
+    else
+      expect(grok).to include("nagios_epoch" => "1427925689")
+    end
   end
 
-  it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "varnish")
+  it "generates the hostname field" do
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "varnish" })
+    else
+      expect(grok).to include("nagios_hostname" => "varnish")
+    end
   end
 
-  it "generates the nagios_service field" do
-    expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => 'Varnish Backend Connections'))
+    else
+      expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "CRITICAL")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "CRITICAL"))
+    else
+      expect(grok).to include("nagios_state" => "CRITICAL")
+    end
   end
 
   it "generates the nagios_statelevel field" do
-    expect(grok).to include("nagios_statelevel" => "SOFT")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("state_type" => "SOFT")))
+    else
+      expect(grok).to include("nagios_statelevel" => "SOFT")
+    end
+  end
+
+  it "generates the nagios_attempt field" do
+    if ecs_compatibility?
+      pending "TODO: are we hitting a grok bug here ?!?"
+      # [nagios][log][attempt]:int is clearly there (changing to :float gets this passing)
+      # ... but in this particular case we still get the raw "1" string back
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("attempt" => 1)))
+    else
+      expect(grok).to include("nagios_attempt" => "1")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0")
+    if ecs_compatibility?
+      expect(grok['message'].last).to eql "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0"
+    else
+      expect(grok).to include("nagios_message" => "Current value: 154.0, warn threshold: 10.0, crit threshold: 20.0")
+    end
   end
 
 end
 
-describe "NAGIOSLOGLINE - SERVICE NOTIFICATION" do
+describe_pattern "NAGIOSLOGLINE - SERVICE NOTIFICATION", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1427950229] SERVICE NOTIFICATION: nagiosadmin;varnish;Varnish Backend Connections;CRITICAL;notify-service-by-email;Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0" }
-  let(:grok)    { grok_match(subject, value) }
+  let(:message) { "[1427950229] SERVICE NOTIFICATION: nagiosadmin;varnish;Varnish Backend Connections;CRITICAL;notify-service-by-email;Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "SERVICE NOTIFICATION")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => 'SERVICE NOTIFICATION')))
+    else
+      expect(grok).to include("nagios_type" => "SERVICE NOTIFICATION")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1427950229")
+    if ecs_compatibility?
+      expect(grok).to include("timestamp" => "1427950229")
+    else
+      expect(grok).to include("nagios_epoch" => "1427950229")
+    end
   end
 
   it "generates the nagios_notifyname field" do
-    expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    if ecs_compatibility?
+      expect(grok).to include("user" => { "name" => "nagiosadmin" }) # Nagios contact's contact_name
+    else
+      expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    end
   end
 
-  it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "varnish")
+  it "generates the hostname field" do
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "varnish" })
+    else
+      expect(grok).to include("nagios_hostname" => "varnish")
+    end
   end
 
-  it "generates the nagios_service field" do
-    expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+  it "generates the service field" do
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("name" => 'Varnish Backend Connections'))
+    else
+      expect(grok).to include("nagios_service" => "Varnish Backend Connections")
+    end
   end
 
   it "generates the nagios_state field" do
-    expect(grok).to include("nagios_state" => "CRITICAL")
+    if ecs_compatibility?
+      expect(grok).to include("service" => hash_including("state" => "CRITICAL"))
+    else
+      expect(grok).to include("nagios_state" => "CRITICAL")
+    end
   end
 
   it "generates the nagios_contact field" do
-    expect(grok).to include("nagios_contact" => "notify-service-by-email")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("notification_command" => "notify-service-by-email")))
+    else
+      expect(grok).to include("nagios_contact" => "notify-service-by-email")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0")
+    if ecs_compatibility?
+      expect(grok['message'].last).to eql "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0"
+    else
+      expect(grok).to include("nagios_message" => "Current value: 337.0, warn threshold: 10.0, crit threshold: 20.0")
+    end
   end
 
 end
 
 
-describe "NAGIOSLOGLINE - HOST NOTIFICATION" do
+describe_pattern "NAGIOSLOGLINE - HOST NOTIFICATION", [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[1429878690] HOST NOTIFICATION: nagiosadmin;nagioshost;DOWN;notify-host-by-email;CRITICAL - Socket timeout after 10 seconds" }
-  let(:grok)    { grok_match(subject, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
+  let(:message) { "[1429878690] HOST NOTIFICATION: nagiosadmin;127.0.0.1;DOWN;host-notify-by-email;CRITICAL - Socket timeout after 10 seconds" }
 
   it "matches a simple message" do
-    expect(subject).to match(value)
+    expect(pattern).to match(message)
   end
 
   it "generates the nagios_type field" do
-    expect(grok).to include("nagios_type" => "HOST NOTIFICATION")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("type" => "HOST NOTIFICATION")))
+    else
+      expect(grok).to include("nagios_type" => "HOST NOTIFICATION")
+    end
   end
 
   it "generates the nagios_epoch field" do
-    expect(grok).to include("nagios_epoch" => "1429878690")
+    expect(grok).to include("nagios_epoch" => "1429878690") unless ecs_compatibility?
   end
 
   it "generates the nagios_notifyname field" do
-    expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    if ecs_compatibility?
+      expect(grok).to include("user" => { "name" => "nagiosadmin" }) # Nagios contact's contact_name
+    else
+      expect(grok).to include("nagios_notifyname" => "nagiosadmin")
+    end
   end
 
   it "generates the nagios_hostname field" do
-    expect(grok).to include("nagios_hostname" => "nagioshost")
+    if ecs_compatibility?
+      expect(grok).to include("host" => { "hostname" => "127.0.0.1" })
+    else
+      expect(grok).to include("nagios_hostname" => "127.0.0.1")
+    end
   end
 
   it "generates the nagios_contact field" do
-    expect(grok).to include("nagios_contact" => "notify-host-by-email")
+    if ecs_compatibility?
+      expect(grok).to include("nagios" => hash_including("log" => hash_including("notification_command" => "host-notify-by-email")))
+    else
+      expect(grok).to include("nagios_contact" => "host-notify-by-email")
+    end
   end
 
   it "generates the nagios_message field" do
-    expect(grok).to include("nagios_message" => "CRITICAL - Socket timeout after 10 seconds")
+    if ecs_compatibility?
+      expect(grok['message'].last).to eql "CRITICAL - Socket timeout after 10 seconds"
+    else
+      expect(grok).to include("nagios_message" => "CRITICAL - Socket timeout after 10 seconds")
+    end
   end
 
 end
+
+describe_pattern "NAGIOSLOGLINE - SCHEDULE_HOST_DOWNTIME", [ 'legacy', 'ecs-v1' ] do
+
+  let(:message) { "[1334609999] EXTERNAL COMMAND: SCHEDULE_HOST_DOWNTIME;sputnik;1334665800;1334553600;1;0;120;nagiosadmin;test;" }
+
+  it "matches" do
+    if ecs_compatibility?
+      expect(grok).to include(
+                          "host" => { "hostname" => "sputnik" },
+                          "nagios" => { "log" => {
+                              "type" => "EXTERNAL COMMAND",
+                              "command" => "SCHEDULE_HOST_DOWNTIME",
+                              "start_time" => "1334665800",
+                              "end_time" => "1334553600",
+                              "fixed" => '1',
+                              "trigger_id" => '0',
+                              "duration" => 120,
+
+                          }},
+                          "user" => { "name" => 'nagiosadmin' },
+                          "message" => message
+                      )
+    else
+      expect(grok).to include(
+                          "nagios_epoch"=>"1334609999",
+                          "nagios_type"=>"EXTERNAL COMMAND",
+                          "nagios_command"=>"SCHEDULE_HOST_DOWNTIME",
+                          "nagios_hostname"=>"sputnik",
+                          "nagios_duration"=>"120",
+                          "nagios_fixed"=>"1",
+                          "nagios_trigger_id"=>"0",
+                          "nagios_start_time"=>"1334665800",
+                          "nagios_end_time"=>"1334553600",
+                          "author"=>"nagiosadmin"
+      )
+    end
+  end
+end