logstash-patterns-core 4.2.0 → 4.3.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +98 -0
- data/Gemfile +3 -0
- data/README.md +11 -18
- data/lib/logstash/patterns/core.rb +11 -3
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +28 -0
- data/patterns/ecs-v1/bacula +53 -0
- data/patterns/ecs-v1/bind +13 -0
- data/patterns/ecs-v1/bro +30 -0
- data/patterns/ecs-v1/exim +26 -0
- data/patterns/ecs-v1/firewalls +111 -0
- data/patterns/ecs-v1/grok-patterns +95 -0
- data/patterns/ecs-v1/haproxy +40 -0
- data/patterns/ecs-v1/httpd +17 -0
- data/patterns/ecs-v1/java +34 -0
- data/patterns/ecs-v1/junos +13 -0
- data/patterns/ecs-v1/linux-syslog +16 -0
- data/patterns/{maven → ecs-v1/maven} +0 -0
- data/patterns/ecs-v1/mcollective +4 -0
- data/patterns/ecs-v1/mongodb +7 -0
- data/patterns/ecs-v1/nagios +124 -0
- data/patterns/ecs-v1/postgresql +2 -0
- data/patterns/ecs-v1/rails +13 -0
- data/patterns/ecs-v1/redis +3 -0
- data/patterns/ecs-v1/ruby +2 -0
- data/patterns/ecs-v1/squid +6 -0
- data/patterns/ecs-v1/zeek +33 -0
- data/patterns/{aws → legacy/aws} +1 -1
- data/patterns/{bacula → legacy/bacula} +5 -5
- data/patterns/legacy/bind +3 -0
- data/patterns/{bro → legacy/bro} +0 -0
- data/patterns/{exim → legacy/exim} +8 -2
- data/patterns/{firewalls → legacy/firewalls} +2 -2
- data/patterns/{grok-patterns → legacy/grok-patterns} +0 -0
- data/patterns/{haproxy → legacy/haproxy} +0 -0
- data/patterns/{httpd → legacy/httpd} +1 -1
- data/patterns/{java → legacy/java} +0 -0
- data/patterns/{junos → legacy/junos} +0 -0
- data/patterns/{linux-syslog → legacy/linux-syslog} +0 -0
- data/patterns/legacy/maven +1 -0
- data/patterns/{mcollective → legacy/mcollective} +0 -0
- data/patterns/{mcollective-patterns → legacy/mcollective-patterns} +0 -0
- data/patterns/{mongodb → legacy/mongodb} +0 -0
- data/patterns/{nagios → legacy/nagios} +0 -0
- data/patterns/{postgresql → legacy/postgresql} +0 -0
- data/patterns/{rails → legacy/rails} +0 -0
- data/patterns/{redis → legacy/redis} +0 -0
- data/patterns/{ruby → legacy/ruby} +0 -0
- data/patterns/legacy/squid +4 -0
- data/spec/patterns/aws_spec.rb +395 -0
- data/spec/patterns/bacula_spec.rb +367 -0
- data/spec/patterns/bind_spec.rb +78 -0
- data/spec/patterns/bro_spec.rb +613 -0
- data/spec/patterns/core_spec.rb +51 -9
- data/spec/patterns/exim_spec.rb +201 -0
- data/spec/patterns/firewalls_spec.rb +669 -66
- data/spec/patterns/haproxy_spec.rb +246 -38
- data/spec/patterns/httpd_spec.rb +215 -94
- data/spec/patterns/java_spec.rb +357 -27
- data/spec/patterns/junos_spec.rb +101 -0
- data/spec/patterns/mcollective_spec.rb +35 -0
- data/spec/patterns/mongodb_spec.rb +170 -33
- data/spec/patterns/nagios_spec.rb +296 -79
- data/spec/patterns/netscreen_spec.rb +123 -0
- data/spec/patterns/rails3_spec.rb +87 -29
- data/spec/patterns/redis_spec.rb +157 -121
- data/spec/patterns/shorewall_spec.rb +85 -74
- data/spec/patterns/squid_spec.rb +139 -0
- data/spec/patterns/syslog_spec.rb +266 -22
- data/spec/spec_helper.rb +80 -6
- metadata +64 -28
- data/patterns/bind +0 -3
- data/patterns/squid +0 -4
- data/spec/patterns/bro.rb +0 -126
- data/spec/patterns/s3_spec.rb +0 -173
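--- /dev/null
+++ b/data/spec/patterns/netscreen_spec.rb
@@ -0,0 +1,123 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe_pattern "NETSCREENSESSIONLOG", ['legacy', 'ecs-v1'] do
+
+context "traffic denied (Juniper)" do
+
+let(:message) do
+'Jun 2 14:53:31 sample-host isg1000-A2: NetScreen device_id=0000011001000011 [Root]system-notification-00257(traffic): ' +
+'start_time="2015-11-11 10:02:10" duration=0 policy_id=244 service=https proto=6 src zone=Untrust dst zone=Trust ' +
+'action=Permit sent=0 rcvd=0 src=74.168.138.252 dst=72.72.72.72 src_port=1732 dst_port=443 ' +
+'src-xlated ip=1.255.20.1 port=22041 dst-xlated ip=1.244.136.50 port=443 session_id=488451 reason=Creation'
+end
+
+it 'matches' do
+if ecs_compatibility?
+expect(subject).to include("timestamp" => "Jun 2 14:53:31")
+expect(subject).to include("netscreen"=>{
+"session"=>{"id"=>"488451", "start_time"=>"2015-11-11 10:02:10", "duration"=>0, "type"=>"traffic", "reason"=>"Creation"},
+"policy_id"=>"244", "service"=>"https", "protocol_number"=>6, "device_id"=>"0000011001000011"
+})
+expect(subject).to include("event"=>{"code"=>"00257", "action"=>"Permit"})
+# expect(subject).to include("network"=>{"protocol"=>"https"})
+expect(subject).to include("source"=>{"bytes"=>0, "nat"=>{"port"=>22041, "ip"=>"1.255.20.1"}, "port"=>1732, "address"=>"74.168.138.252"})
+expect(subject).to include("destination"=>{"bytes"=>0, "nat"=>{"port"=>443, "ip"=>"1.244.136.50"}, "port"=>443, "address"=>"72.72.72.72"})
+expect(subject).to include("observer"=>{
+"ingress"=>{"zone"=>"Untrust"}, "hostname"=>"sample-host", "name"=>"isg1000-A2", "product"=>"NetScreen",
+"egress"=>{"zone"=>"Trust"}
+})
+else
+expect(subject).to include("date" => "Jun 2 14:53:31")
+expect(subject).to include(
+"device"=>"sample-host",
+"device_id"=>"0000011001000011",
+"start_time"=>"\"2015-11-11 10:02:10\"",
+"duration"=>"0",
+"policy_id"=>"244",
+"service"=>"https",
+"proto"=>"6",
+"src_zone"=>"Untrust", "dst_zone"=>"Trust",
+"action"=>"Permit",
+"sent"=>"0", "rcvd"=>"0",
+"src_ip"=>"74.168.138.252", "dst_ip"=>"72.72.72.72",
+"src_port"=>"1732", "dst_port"=>"443",
+"src_xlated_ip"=>"1.255.20.1", "src_xlated_port"=>"22041",
+"dst_xlated_ip"=>"1.244.136.50", "dst_xlated_port"=>"443",
+"session_id"=>"488451", "reason"=>"Creation",
+)
+end
+end
+
+end
+
+context "traffic denied (without port/xlated/session_id/reason suffix)" do
+
+let(:message) do
+'Mar 18 17:56:52 192.168.56.11 lowly_lizard: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): ' +
+'start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 ' +
+'src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1'
+end
+
+it 'matches in ECS mode' do
+if ecs_compatibility?
+expect(subject).to include("timestamp" => "Mar 18 17:56:52")
+expect(subject).to include("netscreen"=>{
+"device_id"=>"netscreen2",
+"policy_id"=>"320001",
+"service"=>"msrpc Endpoint Mapper(tcp)",
+"protocol_number"=>6,
+"session"=>{"start_time"=>"2009-03-18 16:07:06", "type"=>"traffic", "duration"=>0}
+})
+expect(subject).to include("source"=>{"address"=>"21.10.90.125", "bytes"=>0})
+expect(subject).to include("destination"=>{"address"=>"23.16.1.1", "bytes"=>16384})
+else
+expect(grok['tags']).to include('_grokparsefailure')
+end
+end
+end
+
+context "'standard' traffic denied" do
+
+let(:message) do
+'Jun 2 14:53:31 fire00 aka1: NetScreen device_id=aka1 [Root]system-notification-00257(traffic): start_time="2006-06-02 14:53:30" ' +
+'duration=0 policy_id=120 service=udp/port:17210 proto=17 src zone=Trust dst zone=DMZ action=Deny sent=0 rcvd=0 ' +
+'src=192.168.2.2 dst=1.2.3.4 src_port=53 dst_port=17210'
+end
+
+it 'matches (in ECS mode)' do
+if ecs_compatibility?
+expect(subject).to include("event"=>{"action"=>"Deny", "code"=>"00257"})
+else
+expect(grok['tags']).to include('_grokparsefailure')
+expect(subject).to_not include("date" => "Jun 2 14:53:31")
+end
+end
+
+context "(with session id)" do
+
+let(:message) do
+super + ' session_id=0 reason=Traffic Denied'
+end
+
+it 'matches (in ECS mode)' do
+if ecs_compatibility?
+expect(subject).to include("netscreen"=>hash_including("device_id"=>"aka1", "service"=>"udp/port:17210",
+"session"=>hash_including("reason"=>"Traffic Denied")))
+expect(subject).to include("observer"=>{
+"ingress"=>{"zone"=>"Trust"},
+"egress"=>{"zone"=>"DMZ"}, "hostname"=>"fire00", "name"=>"aka1",
+"product"=>"NetScreen"
+})
+else
+expect(grok['tags']).to include('_grokparsefailure')
+expect(subject).to_not include("date" => "Jun 2 14:53:31")
+end
+end
+
+end
+
+end
+
+end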
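Review bot: The first context (new lines 7-13) is labelled "traffic denied (Juniper)" but its sample line carries `action=Permit` and `reason=Creation`, so the description misstates what the assertions check; rename it, e.g. `context "traffic permitted (session creation, with NAT and session_id)" do`. The two Deny contexts assert only `_grokparsefailure` on the legacy side, which pins that the legacy NETSCREENSESSIONLOG apparently does not parse deny lines lacking the src-xlated/dst-xlated block — a detection gap for anyone still on legacy mode — and that expectation deserves a comment at each `else` so it is not later "fixed" by loosening the assertion, e.g. `# legacy pattern needs the xlated block; Deny lines without it are expected to fail`. The legacy expectation `"start_time"=>"\"2015-11-11 10:02:10\""` also pins that the legacy capture keeps the surrounding quotes while ECS strips them; a one-line comment saying this is intentional would help anyone diffing the two branches.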
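--- a/data/spec/patterns/rails3_spec.rb
+++ b/data/spec/patterns/rails3_spec.rb
@@ -2,55 +2,113 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-
-let(:rails3_pattern) { "RAILS3" }
+describe_pattern "RAILS3", ['legacy', 'ecs-v1'] do
 
-context "
+context "single-line log" do
 
-let(:
-
-subject { grok_match(rails3_pattern, value) }
+let(:message) { 'Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2015-08-05 11:37:01 +0200' }
 
 # Started
-it
-
+it do
+if ecs_compatibility?
+should include("http" => hash_including("request" => { "method" => "POST" }))
+else
+should include("verb" => "POST")
+end
+end
+
+it do
+if ecs_compatibility?
+else
+should include("request" => "/api/v3/internal/allowed")
+end
+end
 # for
-it
+it do
+if ecs_compatibility?
+should include("source" => { "address" => "127.0.0.1" })
+else
+should include("clientip" => "127.0.0.1")
+end
+end
 # at
 it { should include("timestamp" => "2015-08-05 11:37:01 +0200" ) }
 end
 
-context "
+context "multi-line log" do
 
-let(:
+let(:message) { 'Started GET "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" for 127.0.0.1 at 2015-08-05 07:40:22 +0200
 Processing by Projects::NotesController#index as JSON
 Parameters: {"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"}
-Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' }
-subject { grok_match(rails3_pattern, value) }
+Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' }
 
 # started
-it
-
+it do
+if ecs_compatibility?
+should include("http" => hash_including("request" => { "method" => "GET" }))
+else
+should include("verb" => "GET")
+end
+end
+
+it do
+if ecs_compatibility?
+should include("url" => {"original"=>"/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732"})
+else
+should include("request" => "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" )
+end
+end
 # for
-it
+it do
+if ecs_compatibility?
+should include("source" => { "address" => "127.0.0.1" })
+else
+should include("clientip" => "127.0.0.1")
+end
+end
 # at
-it { should include("timestamp" => "2015-08-05 07:40:22 +0200"
+it { should include("timestamp" => "2015-08-05 07:40:22 +0200") }
 # Processing by
-it
-
+it do
+if ecs_compatibility?
+should include("rails" => hash_including("controller" => { "class"=>"Projects::NotesController", "action"=>"index" }))
+else
+should include("controller" => "Projects::NotesController")
+should include("action" => "index")
+end
+end
 # as
-it
+it do
+if ecs_compatibility?
+should include("rails" => hash_including("request" => hash_including("format" => 'JSON')))
+else
+should include("format" => "JSON" )
+end
+end
 # Parameters
-it
+it do
+params = '"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"'
+if ecs_compatibility?
+should include("rails" => hash_including("request" => hash_including("params" => params)))
+else
+should include("params" => params)
+end
+end
 # Completed
-it
+it do
+if ecs_compatibility?
+should include("http" => hash_including("response" => { "status_code" => 200 }))
+else
+should include("response" => "200" )
+end
+end
 # in
-it
-
-
-
-
-
+it do
+if ecs_compatibility?
+should include("rails" => hash_including("request" => hash_including("duration" => { "total" => 640.0, "view" => 1.7, "active_record" => 91.0 })))
+else
+should include("totalms" => "640", "viewms" => "1.7", "activerecordms" => "91.0")
+end
+end
 end
-
 end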
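Review bot: The second example in the single-line context (new lines 20-25) has an empty ECS branch: `if ecs_compatibility?` is immediately followed by `else`, so in ECS mode the request path of `Started POST "/api/v3/internal/allowed"` is never asserted, while the multi-line context does check `"url" => {"original" => ...}`. Add `should include("url" => { "original" => "/api/v3/internal/allowed" })` in that branch so the ECS mapping is covered for both shapes. The new `it do` examples also carry no description, so a failure reports only a line number; the existing `# Started` / `# for` / `# in` markers could become the example names, e.g. `it 'extracts the HTTP method' do`.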
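--- a/data/spec/patterns/redis_spec.rb
+++ b/data/spec/patterns/redis_spec.rb
@@ -2,170 +2,206 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-
+describe_pattern 'REDISTIMESTAMP', [ 'legacy', 'ecs-v1' ] do
 
-let(:
-let(:pattern) { "REDISTIMESTAMP" }
+let(:message) { '14 Nov 07:01:22.119'}
 
 it "a pattern pass the grok expression" do
-expect(grok_match(pattern,
+expect(grok_match(pattern, message)).to pass
 end
 
 end
 
-
+describe_pattern 'REDISLOG', [ 'legacy', 'ecs-v1' ] do
 
-let(:
-let(:pattern) { "REDISLOG" }
-let(:grok) { grok_match(pattern, value) }
+let(:message) { "[4018] 14 Nov 07:01:22.119 * Background saving terminated with success" }
 
 it "a pattern pass the grok expression" do
 expect(grok).to pass
 end
 
 it "generates the pid field" do
-
+if ecs_compatibility?
+expect(grok).to include("process" => { 'pid' => 4018 })
+else
+expect(grok).to include("pid" => "4018")
+end
 end
 
 end
 
+describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
+
+context "simple command" do
+
+let(:message) { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
+
+it "a pattern pass the grok expression" do
+expect(grok).to pass
+end
+
+it "generates the timestamp field" do
+expect(grok).to include("timestamp" => "1470637867.953466")
+end
+
+it "generates the database field" do
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
+else
+expect(grok).to include("database" => "0")
+end
+end
+
+it "generates the client field" do
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+else
+expect(grok).to include("client" => "195.168.1.1")
+end
+end
+
+it "generates the port field" do
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('port' => 52500))
+else
+expect(grok).to include("port" => "52500")
+end
+end
+
+it "generates the command field" do
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('command' => { 'name' => 'info' }))
+else
+expect(grok).to include("command" => "info")
+end
+end
+
+end
+
+context "one param command" do
+
+let(:message) { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
+
+it "a pattern pass the grok expression" do
+expect(grok).to pass
+end
+
+it "generates the timestamp field" do
+expect(grok).to include("timestamp" => "1339518083.107412")
+end
+
+it "generates the database field" do
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
+else
+expect(grok).to include("database" => "0")
+end
+end
+
+it "generates the client field" do
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+else
+expect(grok).to include("client" => "127.0.0.1")
+end
+end
+
+it "generates the port field" do
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('port' => 60866))
+else
+expect(grok).to include("port" => "60866")
+end
+end
+
+it "generates the command field" do
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'keys')))
+else
+expect(grok).to include("command" => "keys")
+end
+end
+
+it "generates the params field" do
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('command' => hash_including('args' => '"*"')))
+else
+expect(grok).to include("params" => "\"*\"")
+end
+end
 
-describe "REDISMONLOG - SIMPLE COMMAND" do
-
-let(:value) { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
-let(:pattern) { "REDISMONLOG" }
-let(:grok) { grok_match(pattern, value) }
-
-it "a pattern pass the grok expression" do
-expect(grok).to pass
-end
-
-it "generates the timestamp field" do
-expect(grok).to include("timestamp" => "1470637867.953466")
-end
-
-it "generates the database field" do
-expect(grok).to include("database" => "0")
-end
-
-it "generates the client field" do
-expect(grok).to include("client" => "195.168.1.1")
-end
-
-it "generates the port field" do
-expect(grok).to include("port" => "52500")
-end
-
-it "generates the command field" do
-expect(grok).to include("command" => "info")
 end
 
 end
 
-
-
-let(:value) { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
-let(:pattern) { "REDISMONLOG" }
-let(:grok) { grok_match(pattern, value) }
-
-it "a pattern pass the grok expression" do
-expect(grok).to pass
-end
-
-it "generates the timestamp field" do
-expect(grok).to include("timestamp" => "1339518083.107412")
-end
-
-it "generates the database field" do
-expect(grok).to include("database" => "0")
-end
-
-it "generates the client field" do
-expect(grok).to include("client" => "127.0.0.1")
-end
-
-it "generates the port field" do
-expect(grok).to include("port" => "60866")
-end
+describe_pattern "REDISMONLOG" do
 
-
-expect(grok).to include("command" => "keys")
-end
+context 'two param command' do
 
-
-expect(grok).to include("params" => "\"*\"")
-end
+let(:message) { "1470637925.186681 [0 127.0.0.1:39404] \"rpush\" \"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"" }
 
-
+it "a pattern pass the grok expression" do
+expect(grok).to pass
+end
 
-
+it "generates the timestamp field" do
+expect(grok).to include("timestamp" => "1470637925.186681")
+end
 
-
-
-
+it "generates the database field" do
+expect(grok).to include("database" => "0")
+end
 
-
-
-
+it "generates the client field" do
+expect(grok).to include("client" => "127.0.0.1")
+end
 
-
-
-
+it "generates the port field" do
+expect(grok).to include("port" => "39404")
+end
 
-
-
-
+it "generates the command field" do
+expect(grok).to include("command" => "rpush")
+end
 
-
-
-
+it "generates the params field" do
+expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+end
 
-it "generates the port field" do
-expect(grok).to include("port" => "39404")
 end
 
-
-expect(grok).to include("command" => "rpush")
-end
+context "variadic command" do
 
-
-expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
-end
+let(:message) { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
 
-
-
-
-
-let(:value) { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
-let(:pattern) { "REDISMONLOG" }
-let(:grok) { grok_match(pattern, value) }
+it "a pattern pass the grok expression" do
+expect(grok).to pass
+end
 
-
-
-
+it "generates the timestamp field" do
+expect(grok).to include("timestamp" => "1470637875.777457")
+end
 
-
-
-
+it "generates the database field" do
+expect(grok).to include("database" => "15")
+end
 
-
-
-
+it "generates the client field" do
+expect(grok).to include("client" => "195.168.1.1")
+end
 
-
-
-
+it "generates the port field" do
+expect(grok).to include("port" => "52500")
+end
 
-
-
-
+it "generates the command field" do
+expect(grok).to include("command" => "intentionally")
+end
 
-
-
-
+it "generates the params field" do
+expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+end
 
-it "generates the params field" do
-expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
 end
 
-end
+end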
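Review bot: The second `describe_pattern "REDISMONLOG" do` (new line 137) omits the `[ 'legacy', 'ecs-v1' ]` mode list that every other describe_pattern in this diff passes, so the "two param command" and "variadic command" contexts — the only inputs with multiple arguments and a quoted-JSON payload — run only in whatever mode describe_pattern defaults to and assert just the legacy field names (`database`, `client`, `port`, `command`, `params`); the ECS mapping to `redis.command.args` for those shapes is never exercised. Pass the mode list and add ECS branches mirroring the "one param command" context, e.g. `expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))` alongside an `args` check for the full quoted tail. If the omission is deliberate (say the ECS pattern is known to differ for multi-arg commands), a one-line comment above that describe saying so would stop the next reader from "fixing" it.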