logstash-patterns-core 4.3.1 → 4.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e24f9461457c5093f38f2fb25a7c120581891be85e564fb0d9d9ec9980a73513
-  data.tar.gz: 449d4c10be87120391c73c967db042b9222659c880a3b6ce9f7ddd3fe416c088
+  metadata.gz: 8fd19e7a4b9cc9862e688c51424be2524c3a410acd3740da2b31f0c151d0b48d
+  data.tar.gz: 0f933c1abf8681f4417b88f5e605b99223dec2211be07a45c295d35776531a02
 SHA512:
-  metadata.gz: a859be036a74e5beabb757b8d4e51c3af6d483e351135c15e402878a7248c84af521885ef20c29e196d12c3cc311b50e3b4fa52558c7c57fbd468a5c9e69be03
-  data.tar.gz: 8ce3ccfe5ec02bc6bf9072e30b469318ccd820e795209acde85297f8bdba6290b694dd802b16c2e4a9b069fec8adffe66e66b9656a6da361efd27e027eff6e1d
+  metadata.gz: ff175b37722607f79d725d6422e530acd3141604d8af37e44d2c366b646bab424cc6936395a261b91994f1c9aa207cdfc4ce72678aff9b1b23e63e066e68856d
+  data.tar.gz: e04bac413798ca872f0bd1221449d6d39797b97e1049a6a60cc182062dbd2aba8b30b70ceeed2e8c86d4cf1a1f47f0f9fa829ce06170f8154acfe982a0d1122c

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 4.3.2
+
+- Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)
+
 ## 4.3.1
 
 - Fix: incorrect syslog (priority) field name [#303](https://github.com/logstash-plugins/logstash-patterns-core/pull/303)

data/README.md

@@ -87,5 +87,5 @@ It is more important to the community that you are able to contribute.
 
 For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
 
-[1]: /tree/master/patterns
+[1]: https://github.com/logstash-plugins/logstash-patterns-core/tree/main/patterns
 [2]: https://github.com/logstash-plugins/logstash-filter-grok

data/logstash-patterns-core.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-patterns-core'
-  s.version         = '4.3.1'
+  s.version         = '4.3.2'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Patterns to be used in logstash"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/patterns/ecs-v1/bind

@@ -8,6 +8,6 @@ BIND9_CATEGORY (?:queries)
 BIND9_QUERYLOGBASE client(:? @0x(?:[0-9A-Fa-f]+))? %{IP:[client][ip]}#%{POSINT:[client][port]:int} \(%{GREEDYDATA:[bind][log][question][name]}\): query: %{GREEDYDATA:[dns][question][name]} (?<[dns][question][class]>IN) %{BIND9_DNSTYPE:[dns][question][type]}(:? %{DATA:[bind][log][question][flags]})? \(%{IP:[server][ip]}\)
 
 # for query-logging category and severity are always fixed as "queries: info: "
-BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bing][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
+BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bind][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
 
 BIND9 %{BIND9_QUERYLOG}

data/spec/patterns/bind_spec.rb

@@ -14,10 +14,10 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
       should include("log" => hash_including("level" => "info"))
       should include("client" => { "ip" => "172.26.0.1", "port" => 12345 })
       should include("dns" => { "question" => { "name" => "test.example.com", "type" => 'A', "class" => 'IN' }})
-      should include("bind" => { "log" => { "question" => hash_including("flags" => '+E(0)K')}})
+      should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K'))})
       should include("server" => { "ip" => "172.26.0.3" })
       # NOTE: duplicate but still captured since we've been doing that before as well :
-      should include("bind" => { "log" => { "question" => hash_including("name" => 'test.example.com')}})
+      should include("bind" => { "log" => hash_including("question" => hash_including("name" => 'test.example.com'))})
     else
       should include("loglevel" => "info")
       should include("clientip" => "172.26.0.1")
@@ -48,7 +48,7 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
         should include("log" => hash_including("level" => "info"))
         should include("client" => { "ip" => "192.168.10.48", "port" => 60061 })
         should include("dns" => { "question" => { "name" => "91.2.10.170.in-addr.internal", "type" => 'PTR', "class" => 'IN' }})
-        should include("bind" => { "log" => { "question" => hash_including("flags" => '+')}})
+        should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+')) })
         should include("server" => { "ip" => "192.168.2.2" })
       else
         should include("loglevel" => "info")
@@ -72,7 +72,21 @@ describe_pattern "BIND9_QUERYLOGBASE", ['ecs-v1'] do
   it 'matches' do
     should include("client" => { "ip" => "127.0.0.1", "port" => 42520 })
     should include("dns" => { "question" => { "name" => "ci.elastic.co", "type" => 'A', "class" => 'IN' }})
-    should include("bind" => { "log" => { "question" => hash_including("flags" => '+E(0)K') }})
+    should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K') )})
     should include("server" => { "ip" => "35.193.103.164" })
   end
 end
+
+describe_pattern "BIND9_QUERYLOG", ['ecs-v1'] do
+  let(:message) do
+    '01-May-2019 00:27:48.084 queries: info: client @0x7f82bc11d4e0 192.168.1.111#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)'
+  end
+
+  it 'matches' do
+    should include("client" => { "ip" => "192.168.1.111", "port" => 53995 })
+    should include("dns" => { "question" => { "name" => "google.com", "type" => 'A', "class" => 'IN' }})
+    should include("bind" => { "log" => hash_including("question" => { "flags" => '+E(0)', "name" => 'google.com' })})
+    should include("server" => { "ip" => "10.80.1.88" })
+    should include("log" => { "level" => "info" })
+  end
+end

data/spec/patterns/core_spec.rb

@@ -2,20 +2,20 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "SYSLOGLINE" do
+describe_pattern "SYSLOGLINE", ['legacy', 'ecs-v1'] do
+
+  let(:message) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
 
-  let(:value)   { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
-  let(:grok)    { grok_match(subject, value) }
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
-  it "matches a simple message" do
-    expect(subject).to match(value)
-  end
-
   it "generates the program field" do
-    expect(grok_match(subject, value)).to include("program" => "postfix/smtpd")
+    if ecs_compatibility?
+      expect(grok).to include("process" => hash_including('name' => 'postfix/smtpd'))
+    else
+      expect(grok).to include("program" => "postfix/smtpd")
+    end
   end
 
 end

data/spec/patterns/redis_spec.rb

@@ -134,7 +134,7 @@ describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
 
 end
 
-describe_pattern "REDISMONLOG" do
+describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do
 
   context 'two param command' do
 
@@ -149,23 +149,43 @@ describe_pattern "REDISMONLOG" do
     end
 
     it "generates the database field" do
-      expect(grok).to include("database" => "0")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '0')))
+      else
+        expect(grok).to include("database" => "0")
+      end
     end
 
     it "generates the client field" do
-      expect(grok).to include("client" => "127.0.0.1")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+      else
+        expect(grok).to include("client" => "127.0.0.1")
+      end
     end
 
     it "generates the port field" do
-      expect(grok).to include("port" => "39404")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 39404))
+      else
+        expect(grok).to include("port" => "39404")
+      end
     end
 
     it "generates the command field" do
-      expect(grok).to include("command" => "rpush")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))
+      else
+        expect(grok).to include("command" => "rpush")
+      end
     end
 
     it "generates the params field" do
-      expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")))
+      else
+        expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+      end
     end
 
   end
@@ -183,23 +203,43 @@ describe_pattern "REDISMONLOG" do
     end
 
     it "generates the database field" do
-      expect(grok).to include("database" => "15")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '15')))
+      else
+        expect(grok).to include("database" => "15")
+      end
     end
 
     it "generates the client field" do
-      expect(grok).to include("client" => "195.168.1.1")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+      else
+        expect(grok).to include("client" => "195.168.1.1")
+      end
     end
 
     it "generates the port field" do
-      expect(grok).to include("port" => "52500")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 52500))
+      else
+        expect(grok).to include("port" => "52500")
+      end
     end
 
     it "generates the command field" do
-      expect(grok).to include("command" => "intentionally")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'intentionally')))
+      else
+        expect(grok).to include("command" => "intentionally")
+      end
     end
 
     it "generates the params field" do
-      expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"broken\" \"variadic\" \"log\" \"entry\"")))
+      else
+        expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+      end
     end
 
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-  version: 4.3.1
+  version: 4.3.2
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-16 00:00:00.000000000 Z
+date: 2022-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -160,8 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash