logstash-patterns-core 4.3.0 → 4.3.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -0
- data/Gemfile +0 -3
- data/README.md +1 -1
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +6 -1
- data/patterns/ecs-v1/bind +1 -1
- data/patterns/ecs-v1/firewalls +1 -1
- data/patterns/ecs-v1/linux-syslog +1 -1
- data/spec/patterns/aws_spec.rb +32 -0
- data/spec/patterns/bind_spec.rb +18 -4
- data/spec/patterns/core_spec.rb +8 -8
- data/spec/patterns/firewalls_spec.rb +38 -0
- data/spec/patterns/netscreen_spec.rb +1 -1
- data/spec/patterns/redis_spec.rb +51 -11
- data/spec/patterns/syslog_spec.rb +1 -1
- metadata +3 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a140c63f36f693e1a77aa232ef7e86ace02819488195de75f3abf54efff6768a
|
4
|
+
data.tar.gz: 5fcdaec2903fedca22c9da735a417b16782bb8782a9e49cb07eedfbbba36bebf
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 639a5b7fdb5ee6f4e9d24d77f4dd790983c9b84211e999cc18facf361f8a3040c225c73b70ddbd1ab0ac6cb37c7c597ab5e2b72b589c6b0e578e331e13ad2543
|
7
|
+
data.tar.gz: e4c6b94985b3edf00e81dae22521c798a9f940f72912fded835b50dedf344fd2234146ca074e52602e3b03780db1fcbc935aac67d7be5a3ec287620e7fede7b7
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,16 @@
|
|
1
|
+
## 4.3.3
|
2
|
+
|
3
|
+
- Fix: parsing x-edge-location in CLOUDFRONT_ACCESS_LOG (ECS mode) [#311](https://github.com/logstash-plugins/logstash-patterns-core/pull/311)
|
4
|
+
|
5
|
+
## 4.3.2
|
6
|
+
|
7
|
+
- Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)
|
8
|
+
|
9
|
+
## 4.3.1
|
10
|
+
|
11
|
+
- Fix: incorrect syslog (priority) field name [#303](https://github.com/logstash-plugins/logstash-patterns-core/pull/303)
|
12
|
+
- Fix: missed `ciscotag` field ECS-ification (`cisco.asa.tag`) for the `CISCO_TAGGED_SYSLOG` pattern
|
13
|
+
|
1
14
|
## 4.3.0
|
2
15
|
|
3
16
|
With **4.3.0** we're introducing a new set of pattern definitions compliant with Elastic Common Schema (ECS), on numerous
|
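--- a/data/Gemfile
+++ b/data/Gemfile
@@ -9,6 +9,3 @@ if Dir.exist?(logstash_path) && use_logstash_source
 gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
 gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
 end
-
-# TODO till filter grok with ECS support is released :
-gem 'logstash-filter-grok', git: 'https://github.com/kares/logstash-filter-grok.git', ref: 'ecs-1-support'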
data/README.md
CHANGED
@@ -87,5 +87,5 @@ It is more important to the community that you are able to contribute.
|
|
87
87
|
|
88
88
|
For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
|
89
89
|
|
90
|
-
[1]: /tree/
|
90
|
+
[1]: https://github.com/logstash-plugins/logstash-patterns-core/tree/main/patterns
|
91
91
|
[2]: https://github.com/logstash-plugins/logstash-filter-grok
|
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-patterns-core'
|
4
|
-
s.version = '4.3.
|
4
|
+
s.version = '4.3.3'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Patterns to be used in logstash"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/patterns/ecs-v1/aws
CHANGED
@@ -19,8 +19,13 @@ ELB_V1_HTTP_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:[aws][elb][name]} %{IP
|
|
19
19
|
|
20
20
|
ELB_ACCESS_LOG %{ELB_V1_HTTP_LOG}
|
21
21
|
|
22
|
+
# Each edge location is identified by a three-letter code and an arbitrarily assigned number.
|
23
|
+
# The three-letter IATA code typically represents an airport near the edge location.
|
24
|
+
# examples: "LHR62-C2", "SFO5-P1", ""IND6", "CPT50"
|
25
|
+
CLOUDFRONT_EDGE_LOCATION [A-Z]{3}[0-9]{1,2}(?:-[A-Z0-9]{2})?
|
26
|
+
|
22
27
|
# pattern used to match a shorted format, that's why we have the optional part (starting with *http.version*) at the end
|
23
|
-
CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{
|
28
|
+
CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{CLOUDFRONT_EDGE_LOCATION:[aws][cloudfront][x_edge_location]}\t(?:-|%{INT:[destination][bytes]:int})\t%{IPORHOST:[source][ip]}\t%{WORD:[http][request][method]}\t%{HOSTNAME:[url][domain]}\t%{NOTSPACE:[url][path]}\t(?:(?:000)|%{INT:[http][response][status_code]:int})\t(?:-|%{DATA:[http][request][referrer]})\t%{DATA:[user_agent][original]}\t(?:-|%{DATA:[url][query]})\t(?:-|%{DATA:[aws][cloudfront][http][request][cookie]})\t%{WORD:[aws][cloudfront][x_edge_result_type]}\t%{NOTSPACE:[aws][cloudfront][x_edge_request_id]}\t%{HOSTNAME:[aws][cloudfront][http][request][host]}\t%{URIPROTO:[network][protocol]}\t(?:-|%{INT:[source][bytes]:int})\t%{NUMBER:[aws][cloudfront][time_taken]:float}\t(?:-|%{IP:[network][forwarded_ip]})\t(?:-|%{DATA:[aws][cloudfront][ssl_protocol]})\t(?:-|%{NOTSPACE:[tls][cipher]})\t%{WORD:[aws][cloudfront][x_edge_response_result_type]}(?:\t(?:-|HTTP/%{NUMBER:[http][version]})\t(?:-|%{DATA:[aws][cloudfront][fle_status]})\t(?:-|%{DATA:[aws][cloudfront][fle_encrypted_fields]})\t%{INT:[source][port]:int}\t%{NUMBER:[aws][cloudfront][time_to_first_byte]:float}\t(?:-|%{DATA:[aws][cloudfront][x_edge_detailed_result_type]})\t(?:-|%{NOTSPACE:[http][request][mime_type]})\t(?:-|%{INT:[aws][cloudfront][http][request][size]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][start]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][end]:int}))?
|
24
29
|
# :long - %{INT:[destination][bytes]:int}
|
25
30
|
# :long - %{INT:[source][bytes]:int}
|
26
31
|
# :long - %{INT:[aws][cloudfront][http][request][size]:int}
|
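Review bot: The example list in the comment above the new CLOUDFRONT_EDGE_LOCATION definition has a stray quote, `""IND6"`, which should read `"IND6"`. The definition also bounds the numeric part to `[0-9]{1,2}` while the comment calls it an arbitrarily assigned number; if an edge location ever carries three digits the whole CLOUDFRONT_ACCESS_LOG line stops matching rather than just that field, so either widen to `[0-9]{1,3}` or amend the comment to say the two-digit bound is deliberate. Only the ECS variant of the pattern picks up the new sub-pattern here; the legacy CLOUDFRONT_ACCESS_LOG is not on this page and the matching spec skips legacy mode for the same line.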
data/patterns/ecs-v1/bind
CHANGED
@@ -8,6 +8,6 @@ BIND9_CATEGORY (?:queries)
|
|
8
8
|
BIND9_QUERYLOGBASE client(:? @0x(?:[0-9A-Fa-f]+))? %{IP:[client][ip]}#%{POSINT:[client][port]:int} \(%{GREEDYDATA:[bind][log][question][name]}\): query: %{GREEDYDATA:[dns][question][name]} (?<[dns][question][class]>IN) %{BIND9_DNSTYPE:[dns][question][type]}(:? %{DATA:[bind][log][question][flags]})? \(%{IP:[server][ip]}\)
|
9
9
|
|
10
10
|
# for query-logging category and severity are always fixed as "queries: info: "
|
11
|
-
BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[
|
11
|
+
BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bind][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
|
12
12
|
|
13
13
|
BIND9 %{BIND9_QUERYLOG}
|
data/patterns/ecs-v1/firewalls
CHANGED
@@ -4,7 +4,7 @@ NETSCREENSESSIONLOG %{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:[observer][hostname]
|
|
4
4
|
# :long - %{INT:[destination][bytes]:int}
|
5
5
|
|
6
6
|
#== Cisco ASA ==
|
7
|
-
CISCO_TAGGED_SYSLOG ^<%{POSINT:[log][syslog][
|
7
|
+
CISCO_TAGGED_SYSLOG ^<%{POSINT:[log][syslog][priority]:int}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:[host][hostname]})? ?: %%{CISCOTAG:[cisco][asa][tag]}:
|
8
8
|
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
|
9
9
|
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
|
10
10
|
# Common Particles
|
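Review bot: The new CISCO_TAGGED_SYSLOG line captures the PRI with `%{POSINT:[log][syslog][priority]:int}`, and POSINT as defined in grok-patterns (`[1-9][0-9]*`) does not admit 0, so a `<0>` (kern.emerg) message fails the whole pattern; the SYSLOG5424PRI change in linux-syslog in this same diff uses `%{NONNEGINT:[log][syslog][priority]:int}` for the identical ECS field. Unless excluding 0 is intentional, `CISCO_TAGGED_SYSLOG ^<%{NONNEGINT:[log][syslog][priority]:int}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:[host][hostname]})? ?: %%{CISCOTAG:[cisco][asa][tag]}:` keeps the two consistent. The legacy side of this pattern is outside the page, so whether it shares the bound is unverified, and the CISCO_TAGGED_SYSLOG examples added in core_spec.rb only exercise priority 191 either way.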
@@ -9,7 +9,7 @@ CRONLOG %{SYSLOGBASE} \(%{USER:[user][name]}\) %{CRON_ACTION:[system][cron][acti
|
|
9
9
|
SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}
|
10
10
|
|
11
11
|
# IETF 5424 syslog(8) format (see http://www.rfc-editor.org/info/rfc5424)
|
12
|
-
SYSLOG5424PRI <%{NONNEGINT:[log][syslog][
|
12
|
+
SYSLOG5424PRI <%{NONNEGINT:[log][syslog][priority]:int}>
|
13
13
|
SYSLOG5424SD \[%{DATA}\]+
|
14
14
|
SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:[system][syslog][version]} +(?:-|%{TIMESTAMP_ISO8601:timestamp}) +(?:-|%{IPORHOST:[host][hostname]}) +(?:-|%{SYSLOG5424PRINTASCII:[process][name]}) +(?:-|%{POSINT:[process][pid]:int}) +(?:-|%{SYSLOG5424PRINTASCII:[event][code]}) +(?:-|%{SYSLOG5424SD:[system][syslog][structured_data]})?
|
15
15
|
|
data/spec/patterns/aws_spec.rb
CHANGED
@@ -390,6 +390,38 @@ describe_pattern "CLOUDFRONT_ACCESS_LOG", ['legacy', 'ecs-v1'] do
|
|
390
390
|
end
|
391
391
|
end
|
392
392
|
|
393
|
+
context 'GH-306' do
|
394
|
+
|
395
|
+
let(:message) do
|
396
|
+
#Version: 1.0
|
397
|
+
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end
|
398
|
+
"2021-08-24 00:24:40 LHR62-C3 33517 82.44.60.119 GET d1236u0ikuk2zt.cloudfront.net /p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3 200 https://www.liverpoolfc.com/ Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%2014_7_1%20like%20Mac%20OS%20X)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/14.1.2%20Mobile/15E148%20Safari/604.1 - - Hit YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ== open.http.mp.streamamg.com https 289 0.003 - TLSv1.3 TLS_AES_128_GCM_SHA256 Hit HTTP/2.0 - - 54902 0.003 Hit image/jpeg 33046 - -"
|
399
|
+
end
|
400
|
+
|
401
|
+
it 'matches' do
|
402
|
+
skip 'fixed in ECS mode only' unless ecs_compatibility?
|
403
|
+
|
404
|
+
should include("timestamp" => "2021-08-24\t00:24:40")
|
405
|
+
should include("url"=>{"domain"=>"d1236u0ikuk2zt.cloudfront.net", "path"=>"/p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3"})
|
406
|
+
should include("http"=>{
|
407
|
+
"request"=>{"referrer"=>"https://www.liverpoolfc.com/", "mime_type"=>"image/jpeg", "method"=>"GET"},
|
408
|
+
"response"=>{"status_code"=>200}, "version"=>"2.0"
|
409
|
+
})
|
410
|
+
should include("tls"=>{"cipher"=>"TLS_AES_128_GCM_SHA256"})
|
411
|
+
should include("aws"=>{"cloudfront"=>{
|
412
|
+
"x_edge_location"=>"LHR62-C3",
|
413
|
+
"x_edge_response_result_type"=>"Hit",
|
414
|
+
"x_edge_detailed_result_type"=>"Hit",
|
415
|
+
"x_edge_result_type"=>"Hit",
|
416
|
+
"ssl_protocol"=>"TLSv1.3",
|
417
|
+
"http"=>{"request"=>{"size"=>33046, "host"=>"open.http.mp.streamamg.com"}},
|
418
|
+
"time_to_first_byte"=>0.003, "time_taken"=>0.003,
|
419
|
+
"x_edge_request_id"=>"YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ=="
|
420
|
+
}})
|
421
|
+
end
|
422
|
+
|
423
|
+
end
|
424
|
+
|
393
425
|
end
|
394
426
|
|
395
427
|
end
|
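Review bot: The new GH-306 example asserts the x_edge_location field but not the columns immediately around it, which is where a misaligned edge-location capture would surface; adding `should include("source" => {"ip" => "82.44.60.119", "bytes" => 289, "port" => 54902})` and `should include("destination" => {"bytes" => 33517})` pins the column alignment that the pattern fix is meant to restore, assuming the grok output has the nested shape the other assertions use. The example also skips legacy mode with `skip 'fixed in ECS mode only' unless ecs_compatibility?` without saying whether the legacy pattern is meant to stay as it is; a one-line comment such as `# legacy CLOUDFRONT_ACCESS_LOG intentionally not changed, see GH-306` would stop the skip from reading as an open TODO. The enclosing describe_pattern block starts outside this hunk.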
data/spec/patterns/bind_spec.rb
CHANGED
@@ -14,10 +14,10 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
|
|
14
14
|
should include("log" => hash_including("level" => "info"))
|
15
15
|
should include("client" => { "ip" => "172.26.0.1", "port" => 12345 })
|
16
16
|
should include("dns" => { "question" => { "name" => "test.example.com", "type" => 'A', "class" => 'IN' }})
|
17
|
-
should include("bind" => { "log" =>
|
17
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K'))})
|
18
18
|
should include("server" => { "ip" => "172.26.0.3" })
|
19
19
|
# NOTE: duplicate but still captured since we've been doing that before as well :
|
20
|
-
should include("bind" => { "log" =>
|
20
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("name" => 'test.example.com'))})
|
21
21
|
else
|
22
22
|
should include("loglevel" => "info")
|
23
23
|
should include("clientip" => "172.26.0.1")
|
@@ -48,7 +48,7 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
|
|
48
48
|
should include("log" => hash_including("level" => "info"))
|
49
49
|
should include("client" => { "ip" => "192.168.10.48", "port" => 60061 })
|
50
50
|
should include("dns" => { "question" => { "name" => "91.2.10.170.in-addr.internal", "type" => 'PTR', "class" => 'IN' }})
|
51
|
-
should include("bind" => { "log" =>
|
51
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+')) })
|
52
52
|
should include("server" => { "ip" => "192.168.2.2" })
|
53
53
|
else
|
54
54
|
should include("loglevel" => "info")
|
@@ -72,7 +72,21 @@ describe_pattern "BIND9_QUERYLOGBASE", ['ecs-v1'] do
|
|
72
72
|
it 'matches' do
|
73
73
|
should include("client" => { "ip" => "127.0.0.1", "port" => 42520 })
|
74
74
|
should include("dns" => { "question" => { "name" => "ci.elastic.co", "type" => 'A', "class" => 'IN' }})
|
75
|
-
should include("bind" => { "log" =>
|
75
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K') )})
|
76
76
|
should include("server" => { "ip" => "35.193.103.164" })
|
77
77
|
end
|
78
78
|
end
|
79
|
+
|
80
|
+
describe_pattern "BIND9_QUERYLOG", ['ecs-v1'] do
|
81
|
+
let(:message) do
|
82
|
+
'01-May-2019 00:27:48.084 queries: info: client @0x7f82bc11d4e0 192.168.1.111#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)'
|
83
|
+
end
|
84
|
+
|
85
|
+
it 'matches' do
|
86
|
+
should include("client" => { "ip" => "192.168.1.111", "port" => 53995 })
|
87
|
+
should include("dns" => { "question" => { "name" => "google.com", "type" => 'A', "class" => 'IN' }})
|
88
|
+
should include("bind" => { "log" => hash_including("question" => { "flags" => '+E(0)', "name" => 'google.com' })})
|
89
|
+
should include("server" => { "ip" => "10.80.1.88" })
|
90
|
+
should include("log" => { "level" => "info" })
|
91
|
+
end
|
92
|
+
end
|
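Review bot: The new BIND9_QUERYLOG example does not assert the field this release fixes: the ecs-v1/bind change corrects the capture to `[bind][log][category]`, yet the example only checks `bind.log.question`, `dns`, `client`, `server` and `log.level`. Adding `should include("bind" => { "log" => hash_including("category" => 'queries') })` would make this a real regression test for the typo rather than a test that passes with or without the fix. The hunk starts mid-file after the BIND9_QUERYLOGBASE block, which is unchanged apart from the `hash_including` rewording.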
data/spec/patterns/core_spec.rb
CHANGED
@@ -2,20 +2,20 @@
|
|
2
2
|
require "spec_helper"
|
3
3
|
require "logstash/patterns/core"
|
4
4
|
|
5
|
-
|
5
|
+
describe_pattern "SYSLOGLINE", ['legacy', 'ecs-v1'] do
|
6
|
+
|
7
|
+
let(:message) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
|
6
8
|
|
7
|
-
let(:value) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
|
8
|
-
let(:grok) { grok_match(subject, value) }
|
9
9
|
it "a pattern pass the grok expression" do
|
10
10
|
expect(grok).to pass
|
11
11
|
end
|
12
12
|
|
13
|
-
it "matches a simple message" do
|
14
|
-
expect(subject).to match(value)
|
15
|
-
end
|
16
|
-
|
17
13
|
it "generates the program field" do
|
18
|
-
|
14
|
+
if ecs_compatibility?
|
15
|
+
expect(grok).to include("process" => hash_including('name' => 'postfix/smtpd'))
|
16
|
+
else
|
17
|
+
expect(grok).to include("program" => "postfix/smtpd")
|
18
|
+
end
|
19
19
|
end
|
20
20
|
|
21
21
|
end
|
@@ -595,6 +595,44 @@ describe_pattern "CISCOFW733100", ['legacy', 'ecs-v1'] do
|
|
595
595
|
|
596
596
|
end
|
597
597
|
|
598
|
+
describe_pattern "CISCO_TAGGED_SYSLOG", ['legacy', 'ecs-v1'] do
|
599
|
+
|
600
|
+
let(:message) { "<191>Jan 24 11:28:30.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down" }
|
601
|
+
|
602
|
+
it 'matches' do
|
603
|
+
expect(subject).to include("timestamp"=>'Jan 24 11:28:30.407')
|
604
|
+
if ecs_compatibility?
|
605
|
+
expect(subject).to include('log' => {'syslog' => {'priority' => 191}})
|
606
|
+
expect(subject).to include('cisco' => {'asa' => {'tag' => 'LINEPROTO-5-UPDOWN'}})
|
607
|
+
else
|
608
|
+
expect(subject).to include("syslog_pri"=>'191')
|
609
|
+
expect(subject).to include("ciscotag"=>'LINEPROTO-5-UPDOWN')
|
610
|
+
end
|
611
|
+
end
|
612
|
+
|
613
|
+
context 'with host' do
|
614
|
+
|
615
|
+
let(:message) do
|
616
|
+
'<191>Aug 1 14:01:20 abc-asa1: %ASA-6-302013: Built outbound TCP connection 906569140 for out-v1101:10.125.126.86/2010 (10.125.126.86/2010) to ent-v1124:100.100.100.111/51444 (10.125.1.11/37785)'
|
617
|
+
end
|
618
|
+
|
619
|
+
it 'matches' do
|
620
|
+
expect(subject).to include("timestamp"=>'Aug 1 14:01:20')
|
621
|
+
if ecs_compatibility?
|
622
|
+
expect(subject).to include('log' => {'syslog' => {'priority' => 191}})
|
623
|
+
expect(subject).to include('host' => {'hostname' => 'abc-asa1'})
|
624
|
+
expect(subject).to include('cisco' => {'asa' => {'tag' => 'ASA-6-302013'}})
|
625
|
+
else
|
626
|
+
expect(subject).to include("syslog_pri"=>'191')
|
627
|
+
expect(subject).to include("sysloghost"=>'abc-asa1')
|
628
|
+
expect(subject).to include("ciscotag"=>'ASA-6-302013')
|
629
|
+
end
|
630
|
+
end
|
631
|
+
|
632
|
+
end
|
633
|
+
|
634
|
+
end
|
635
|
+
|
598
636
|
|
599
637
|
describe_pattern 'SFW2', ['legacy', 'ecs-v1'] do
|
600
638
|
|
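Review bot: The SYSLOGLINE hunk removes `let(:grok) { grok_match(subject, value) }` but `expect(grok)` survives in "a pattern pass the grok expression" and in the rewritten "generates the program field"; presumably `describe_pattern` now defines `grok` from `message` (the redis spec on this page relies on the same idiom), but spec_helper is not on this page so that is unverified here. In the new CISCO_TAGGED_SYSLOG block further down, the first message is an IOS-style `%LINEPROTO-5-UPDOWN` line that is asserted into `cisco.asa.tag`; a one-line comment such as `# IOS-style tags are matched by the same pattern and also land in cisco.asa.tag` would make that deliberate rather than accidental.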
@@ -98,7 +98,7 @@ describe_pattern "NETSCREENSESSIONLOG", ['legacy', 'ecs-v1'] do
|
|
98
98
|
context "(with session id)" do
|
99
99
|
|
100
100
|
let(:message) do
|
101
|
-
super + ' session_id=0 reason=Traffic Denied'
|
101
|
+
super() + ' session_id=0 reason=Traffic Denied'
|
102
102
|
end
|
103
103
|
|
104
104
|
it 'matches (in ECS mode)' do
|
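Review bot: The `super` to `super()` change in the `let(:message)` block is correct but unexplained, and it reads like noise to anyone who does not know that RSpec backs `let` with `define_method`, where a bare `super` raises "implicit argument passing of super from method defined by define_method() is not supported". A short comment on that line, `# explicit super(): zsuper is not allowed inside a define_method-backed let`, keeps it from being reverted. The enclosing describe_pattern block starts outside this hunk.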
data/spec/patterns/redis_spec.rb
CHANGED
@@ -134,7 +134,7 @@ describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
|
|
134
134
|
|
135
135
|
end
|
136
136
|
|
137
|
-
describe_pattern "REDISMONLOG" do
|
137
|
+
describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do
|
138
138
|
|
139
139
|
context 'two param command' do
|
140
140
|
|
@@ -149,23 +149,43 @@ describe_pattern "REDISMONLOG" do
|
|
149
149
|
end
|
150
150
|
|
151
151
|
it "generates the database field" do
|
152
|
-
|
152
|
+
if ecs_compatibility?
|
153
|
+
expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '0')))
|
154
|
+
else
|
155
|
+
expect(grok).to include("database" => "0")
|
156
|
+
end
|
153
157
|
end
|
154
158
|
|
155
159
|
it "generates the client field" do
|
156
|
-
|
160
|
+
if ecs_compatibility?
|
161
|
+
expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
|
162
|
+
else
|
163
|
+
expect(grok).to include("client" => "127.0.0.1")
|
164
|
+
end
|
157
165
|
end
|
158
166
|
|
159
167
|
it "generates the port field" do
|
160
|
-
|
168
|
+
if ecs_compatibility?
|
169
|
+
expect(grok).to include("client" => hash_including('port' => 39404))
|
170
|
+
else
|
171
|
+
expect(grok).to include("port" => "39404")
|
172
|
+
end
|
161
173
|
end
|
162
174
|
|
163
175
|
it "generates the command field" do
|
164
|
-
|
176
|
+
if ecs_compatibility?
|
177
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))
|
178
|
+
else
|
179
|
+
expect(grok).to include("command" => "rpush")
|
180
|
+
end
|
165
181
|
end
|
166
182
|
|
167
183
|
it "generates the params field" do
|
168
|
-
|
184
|
+
if ecs_compatibility?
|
185
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")))
|
186
|
+
else
|
187
|
+
expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
|
188
|
+
end
|
169
189
|
end
|
170
190
|
|
171
191
|
end
|
@@ -183,23 +203,43 @@ describe_pattern "REDISMONLOG" do
|
|
183
203
|
end
|
184
204
|
|
185
205
|
it "generates the database field" do
|
186
|
-
|
206
|
+
if ecs_compatibility?
|
207
|
+
expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '15')))
|
208
|
+
else
|
209
|
+
expect(grok).to include("database" => "15")
|
210
|
+
end
|
187
211
|
end
|
188
212
|
|
189
213
|
it "generates the client field" do
|
190
|
-
|
214
|
+
if ecs_compatibility?
|
215
|
+
expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
|
216
|
+
else
|
217
|
+
expect(grok).to include("client" => "195.168.1.1")
|
218
|
+
end
|
191
219
|
end
|
192
220
|
|
193
221
|
it "generates the port field" do
|
194
|
-
|
222
|
+
if ecs_compatibility?
|
223
|
+
expect(grok).to include("client" => hash_including('port' => 52500))
|
224
|
+
else
|
225
|
+
expect(grok).to include("port" => "52500")
|
226
|
+
end
|
195
227
|
end
|
196
228
|
|
197
229
|
it "generates the command field" do
|
198
|
-
|
230
|
+
if ecs_compatibility?
|
231
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'intentionally')))
|
232
|
+
else
|
233
|
+
expect(grok).to include("command" => "intentionally")
|
234
|
+
end
|
199
235
|
end
|
200
236
|
|
201
237
|
it "generates the params field" do
|
202
|
-
|
238
|
+
if ecs_compatibility?
|
239
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"broken\" \"variadic\" \"log\" \"entry\"")))
|
240
|
+
else
|
241
|
+
expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
|
242
|
+
end
|
203
243
|
end
|
204
244
|
|
205
245
|
end
|
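Review bot: Every rewritten example in both REDISMONLOG hunks wraps a single expectation in the same `if ecs_compatibility? ... else ... end` scaffold, so ten examples now carry four lines of boilerplate each and the ECS and legacy expectations can drift independently. A small spec helper taking the two expected hashes, or an RSpec shared example group parameterised by them, would leave each example at one line; the second hunk (starting at the `@@ -183,23 +203,43 @@` header) has exactly the same shape. Separately, in ECS mode the database id is asserted as the string `'0'`/`'15'` while the port is the Integer 39404/52500; if that asymmetry is what the ecs-v1 REDISMONLOG pattern produces, a comment saying so prevents a later "fix" to the spec.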
@@ -95,7 +95,7 @@ describe_pattern "SYSLOG5424LINE", ['legacy', 'ecs-v1'] do
|
|
95
95
|
message = "<174>1 2016-11-14T09:49:23+01:00 10.23.16.6 named 2255 - - info: client 10.23.56.93#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)"
|
96
96
|
match = grok_match pattern, message
|
97
97
|
if ecs_compatibility?
|
98
|
-
expect(match).to include("log" => { "syslog" => { "
|
98
|
+
expect(match).to include("log" => { "syslog" => { "priority" => 174 }})
|
99
99
|
expect(match).to include("host" => { "hostname" => "10.23.16.6"})
|
100
100
|
expect(match).to include("process" => { "name" => "named", "pid" => 2255 })
|
101
101
|
expect(match).to include("system" => { "syslog" => { "version" => "1" }})
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-patterns-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.3.
|
4
|
+
version: 4.3.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-05-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -160,8 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
160
160
|
- !ruby/object:Gem::Version
|
161
161
|
version: '0'
|
162
162
|
requirements: []
|
163
|
-
|
164
|
-
rubygems_version: 2.6.13
|
163
|
+
rubygems_version: 3.1.6
|
165
164
|
signing_key:
|
166
165
|
specification_version: 4
|
167
166
|
summary: Patterns to be used in logstash
|