logstash-patterns-core 4.3.1 → 4.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e24f9461457c5093f38f2fb25a7c120581891be85e564fb0d9d9ec9980a73513
-  data.tar.gz: 449d4c10be87120391c73c967db042b9222659c880a3b6ce9f7ddd3fe416c088
+  metadata.gz: 4280b348effacb1216e9cba777f6e5c5eb04b7edaf12ec95be063ff62979116a
+  data.tar.gz: 6fcccf691a162a0e1a6daafe4dce7db2b5139f8b883b6177fa61dc41308dd2aa
 SHA512:
-  metadata.gz: a859be036a74e5beabb757b8d4e51c3af6d483e351135c15e402878a7248c84af521885ef20c29e196d12c3cc311b50e3b4fa52558c7c57fbd468a5c9e69be03
-  data.tar.gz: 8ce3ccfe5ec02bc6bf9072e30b469318ccd820e795209acde85297f8bdba6290b694dd802b16c2e4a9b069fec8adffe66e66b9656a6da361efd27e027eff6e1d
+  metadata.gz: 21e83a559b2c001c3b011876b2586894da17d719c41f30bbb210a1d9055f9f89fba3e34db29f0a492f1f982891ed860615bfc86370321253f34584899aecc4ed
+  data.tar.gz: bb2ef8278f68be61bb77dae3c04bd8bd6a84ad7f0eef61228969e50490d00a2646192ffcc874a8557643fe5f102daada0ea2b00e985ab228c10153ce2874eb04

data/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 4.3.4
+  - Fix: typo in CISCOFW302013_302014_302015_302016 grok pattern [#313](https://github.com/logstash-plugins/logstash-patterns-core/pull/313)
+
+## 4.3.3
+
+- Fix: parsing x-edge-location in CLOUDFRONT_ACCESS_LOG (ECS mode) [#311](https://github.com/logstash-plugins/logstash-patterns-core/pull/311)
+
+## 4.3.2
+
+- Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)
+
 ## 4.3.1
 
 - Fix: incorrect syslog (priority) field name [#303](https://github.com/logstash-plugins/logstash-patterns-core/pull/303)

data/README.md

@@ -87,5 +87,5 @@ It is more important to the community that you are able to contribute.
 
 For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
 
-[1]: /tree/master/patterns
+[1]: https://github.com/logstash-plugins/logstash-patterns-core/tree/main/patterns
 [2]: https://github.com/logstash-plugins/logstash-filter-grok

data/logstash-patterns-core.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-patterns-core'
-  s.version         = '4.3.1'
+  s.version         = '4.3.4'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Patterns to be used in logstash"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/patterns/ecs-v1/aws

@@ -19,8 +19,13 @@ ELB_V1_HTTP_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:[aws][elb][name]} %{IP
 
 ELB_ACCESS_LOG %{ELB_V1_HTTP_LOG}
 
+# Each edge location is identified by a three-letter code and an arbitrarily assigned number.
+# The three-letter IATA code typically represents an airport near the edge location.
+# examples: "LHR62-C2", "SFO5-P1", ""IND6", "CPT50"
+CLOUDFRONT_EDGE_LOCATION [A-Z]{3}[0-9]{1,2}(?:-[A-Z0-9]{2})?
+
 # pattern used to match a shorted format, that's why we have the optional part (starting with *http.version*) at the end
-CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{WORD:[aws][cloudfront][x_edge_location]}\t(?:-|%{INT:[destination][bytes]:int})\t%{IPORHOST:[source][ip]}\t%{WORD:[http][request][method]}\t%{HOSTNAME:[url][domain]}\t%{NOTSPACE:[url][path]}\t(?:(?:000)|%{INT:[http][response][status_code]:int})\t(?:-|%{DATA:[http][request][referrer]})\t%{DATA:[user_agent][original]}\t(?:-|%{DATA:[url][query]})\t(?:-|%{DATA:[aws][cloudfront][http][request][cookie]})\t%{WORD:[aws][cloudfront][x_edge_result_type]}\t%{NOTSPACE:[aws][cloudfront][x_edge_request_id]}\t%{HOSTNAME:[aws][cloudfront][http][request][host]}\t%{URIPROTO:[network][protocol]}\t(?:-|%{INT:[source][bytes]:int})\t%{NUMBER:[aws][cloudfront][time_taken]:float}\t(?:-|%{IP:[network][forwarded_ip]})\t(?:-|%{DATA:[aws][cloudfront][ssl_protocol]})\t(?:-|%{NOTSPACE:[tls][cipher]})\t%{WORD:[aws][cloudfront][x_edge_response_result_type]}(?:\t(?:-|HTTP/%{NUMBER:[http][version]})\t(?:-|%{DATA:[aws][cloudfront][fle_status]})\t(?:-|%{DATA:[aws][cloudfront][fle_encrypted_fields]})\t%{INT:[source][port]:int}\t%{NUMBER:[aws][cloudfront][time_to_first_byte]:float}\t(?:-|%{DATA:[aws][cloudfront][x_edge_detailed_result_type]})\t(?:-|%{NOTSPACE:[http][request][mime_type]})\t(?:-|%{INT:[aws][cloudfront][http][request][size]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][start]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][end]:int}))?
+CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{CLOUDFRONT_EDGE_LOCATION:[aws][cloudfront][x_edge_location]}\t(?:-|%{INT:[destination][bytes]:int})\t%{IPORHOST:[source][ip]}\t%{WORD:[http][request][method]}\t%{HOSTNAME:[url][domain]}\t%{NOTSPACE:[url][path]}\t(?:(?:000)|%{INT:[http][response][status_code]:int})\t(?:-|%{DATA:[http][request][referrer]})\t%{DATA:[user_agent][original]}\t(?:-|%{DATA:[url][query]})\t(?:-|%{DATA:[aws][cloudfront][http][request][cookie]})\t%{WORD:[aws][cloudfront][x_edge_result_type]}\t%{NOTSPACE:[aws][cloudfront][x_edge_request_id]}\t%{HOSTNAME:[aws][cloudfront][http][request][host]}\t%{URIPROTO:[network][protocol]}\t(?:-|%{INT:[source][bytes]:int})\t%{NUMBER:[aws][cloudfront][time_taken]:float}\t(?:-|%{IP:[network][forwarded_ip]})\t(?:-|%{DATA:[aws][cloudfront][ssl_protocol]})\t(?:-|%{NOTSPACE:[tls][cipher]})\t%{WORD:[aws][cloudfront][x_edge_response_result_type]}(?:\t(?:-|HTTP/%{NUMBER:[http][version]})\t(?:-|%{DATA:[aws][cloudfront][fle_status]})\t(?:-|%{DATA:[aws][cloudfront][fle_encrypted_fields]})\t%{INT:[source][port]:int}\t%{NUMBER:[aws][cloudfront][time_to_first_byte]:float}\t(?:-|%{DATA:[aws][cloudfront][x_edge_detailed_result_type]})\t(?:-|%{NOTSPACE:[http][request][mime_type]})\t(?:-|%{INT:[aws][cloudfront][http][request][size]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][start]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][end]:int}))?
 # :long - %{INT:[destination][bytes]:int}
 # :long - %{INT:[source][bytes]:int}
 # :long - %{INT:[aws][cloudfront][http][request][size]:int}

data/patterns/ecs-v1/bind

@@ -8,6 +8,6 @@ BIND9_CATEGORY (?:queries)
 BIND9_QUERYLOGBASE client(:? @0x(?:[0-9A-Fa-f]+))? %{IP:[client][ip]}#%{POSINT:[client][port]:int} \(%{GREEDYDATA:[bind][log][question][name]}\): query: %{GREEDYDATA:[dns][question][name]} (?<[dns][question][class]>IN) %{BIND9_DNSTYPE:[dns][question][type]}(:? %{DATA:[bind][log][question][flags]})? \(%{IP:[server][ip]}\)
 
 # for query-logging category and severity are always fixed as "queries: info: "
-BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bing][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
+BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bind][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
 
 BIND9 %{BIND9_QUERYLOG}

data/patterns/ecs-v1/firewalls

@@ -60,7 +60,7 @@ CISCOFW110002 %{CISCO_REASON:[event][reason]} for %{WORD:[cisco][asa][network][t
 # ASA-6-302010
 CISCOFW302010 %{INT:[cisco][asa][connections][in_use]:int} in use, %{INT:[cisco][asa][connections][most_used]:int} most used
 # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
-CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?: \(%{IP:[source][nat][ip]}/%{INT:[source][nat][port]:int}\))?(?:\(%{DATA:[source][user][name?]}\))? to %{NOTSPACE:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]:int}( \(%{IP:[destination][nat][ip]}/%{INT:[destination][nat][port]:int}\))?(?:\(%{DATA:[destination][user][name]}\))?( duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int})?(?: %{CISCO_REASON:[event][reason]})?(?: \(%{DATA:[user][name]}\))?
+CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?: \(%{IP:[source][nat][ip]}/%{INT:[source][nat][port]:int}\))?(?:\(%{DATA:[source][user][name]}\))? to %{NOTSPACE:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]:int}( \(%{IP:[destination][nat][ip]}/%{INT:[destination][nat][port]:int}\))?(?:\(%{DATA:[destination][user][name]}\))?( duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int})?(?: %{CISCO_REASON:[event][reason]})?(?: \(%{DATA:[user][name]}\))?
 # :long - %{INT:[network][bytes]:int}
 # ASA-6-302020, ASA-6-302021
 CISCOFW302020_302021 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection for faddr %{IP:[destination][ip]}/%{INT:[cisco][asa][icmp_seq]:int}(?:\(%{DATA:[destination][user][name]}\))? gaddr %{IP:[source][nat][ip]}/%{INT:[cisco][asa][icmp_type]:int} laddr %{IP:[source][ip]}/%{INT}(?: \(%{DATA:[source][user][name]}\))?

data/spec/patterns/aws_spec.rb

@@ -390,6 +390,38 @@ describe_pattern "CLOUDFRONT_ACCESS_LOG", ['legacy', 'ecs-v1'] do
       end
     end
 
+    context 'GH-306' do
+
+      let(:message) do
+        #Version: 1.0
+        #Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end
+        "2021-08-24	00:24:40	LHR62-C3	33517	82.44.60.119	GET	d1236u0ikuk2zt.cloudfront.net	/p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3	200	https://www.liverpoolfc.com/	Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%2014_7_1%20like%20Mac%20OS%20X)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/14.1.2%20Mobile/15E148%20Safari/604.1	-	-	Hit	YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ==	open.http.mp.streamamg.com	https	289	0.003	-	TLSv1.3	TLS_AES_128_GCM_SHA256	Hit	HTTP/2.0	-	-	54902	0.003	Hit	image/jpeg	33046	-	-"
+      end
+
+      it 'matches' do
+        skip 'fixed in ECS mode only' unless ecs_compatibility?
+
+        should include("timestamp" => "2021-08-24\t00:24:40")
+        should include("url"=>{"domain"=>"d1236u0ikuk2zt.cloudfront.net", "path"=>"/p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3"})
+        should include("http"=>{
+            "request"=>{"referrer"=>"https://www.liverpoolfc.com/", "mime_type"=>"image/jpeg", "method"=>"GET"},
+            "response"=>{"status_code"=>200}, "version"=>"2.0"
+        })
+        should include("tls"=>{"cipher"=>"TLS_AES_128_GCM_SHA256"})
+        should include("aws"=>{"cloudfront"=>{
+            "x_edge_location"=>"LHR62-C3",
+            "x_edge_response_result_type"=>"Hit",
+            "x_edge_detailed_result_type"=>"Hit",
+            "x_edge_result_type"=>"Hit",
+            "ssl_protocol"=>"TLSv1.3",
+            "http"=>{"request"=>{"size"=>33046, "host"=>"open.http.mp.streamamg.com"}},
+            "time_to_first_byte"=>0.003, "time_taken"=>0.003,
+            "x_edge_request_id"=>"YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ=="
+        }})
+      end
+
+    end
+
   end
 
 end

data/spec/patterns/bind_spec.rb

@@ -14,10 +14,10 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
       should include("log" => hash_including("level" => "info"))
       should include("client" => { "ip" => "172.26.0.1", "port" => 12345 })
       should include("dns" => { "question" => { "name" => "test.example.com", "type" => 'A', "class" => 'IN' }})
-      should include("bind" => { "log" => { "question" => hash_including("flags" => '+E(0)K')}})
+      should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K'))})
       should include("server" => { "ip" => "172.26.0.3" })
       # NOTE: duplicate but still captured since we've been doing that before as well :
-      should include("bind" => { "log" => { "question" => hash_including("name" => 'test.example.com')}})
+      should include("bind" => { "log" => hash_including("question" => hash_including("name" => 'test.example.com'))})
     else
       should include("loglevel" => "info")
       should include("clientip" => "172.26.0.1")
@@ -48,7 +48,7 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
         should include("log" => hash_including("level" => "info"))
         should include("client" => { "ip" => "192.168.10.48", "port" => 60061 })
         should include("dns" => { "question" => { "name" => "91.2.10.170.in-addr.internal", "type" => 'PTR', "class" => 'IN' }})
-        should include("bind" => { "log" => { "question" => hash_including("flags" => '+')}})
+        should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+')) })
         should include("server" => { "ip" => "192.168.2.2" })
       else
         should include("loglevel" => "info")
@@ -72,7 +72,21 @@ describe_pattern "BIND9_QUERYLOGBASE", ['ecs-v1'] do
   it 'matches' do
     should include("client" => { "ip" => "127.0.0.1", "port" => 42520 })
     should include("dns" => { "question" => { "name" => "ci.elastic.co", "type" => 'A', "class" => 'IN' }})
-    should include("bind" => { "log" => { "question" => hash_including("flags" => '+E(0)K') }})
+    should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K') )})
     should include("server" => { "ip" => "35.193.103.164" })
   end
 end
+
+describe_pattern "BIND9_QUERYLOG", ['ecs-v1'] do
+  let(:message) do
+    '01-May-2019 00:27:48.084 queries: info: client @0x7f82bc11d4e0 192.168.1.111#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)'
+  end
+
+  it 'matches' do
+    should include("client" => { "ip" => "192.168.1.111", "port" => 53995 })
+    should include("dns" => { "question" => { "name" => "google.com", "type" => 'A', "class" => 'IN' }})
+    should include("bind" => { "log" => hash_including("question" => { "flags" => '+E(0)', "name" => 'google.com' })})
+    should include("server" => { "ip" => "10.80.1.88" })
+    should include("log" => { "level" => "info" })
+  end
+end

data/spec/patterns/core_spec.rb

@@ -2,20 +2,20 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "SYSLOGLINE" do
+describe_pattern "SYSLOGLINE", ['legacy', 'ecs-v1'] do
+
+  let(:message) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
 
-  let(:value)   { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
-  let(:grok)    { grok_match(subject, value) }
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
-  it "matches a simple message" do
-    expect(subject).to match(value)
-  end
-
   it "generates the program field" do
-    expect(grok_match(subject, value)).to include("program" => "postfix/smtpd")
+    if ecs_compatibility?
+      expect(grok).to include("process" => hash_including('name' => 'postfix/smtpd'))
+    else
+      expect(grok).to include("program" => "postfix/smtpd")
+    end
   end
 
 end

data/spec/patterns/firewalls_spec.rb

@@ -278,13 +278,13 @@ end
 
 describe_pattern "CISCOFW302013_302014_302015_302016", ['legacy', 'ecs-v1'] do
 
-  let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)" }
+  let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80)(some.user) to inside:172.31.98.44/1772 (172.31.98.44/1772)" }
 
   include_examples 'top-level namespaces', CISCOFW_ALLOWED_TOP_LEVEL_NAMESPACES, if: -> { ecs_compatibility? }
 
   it 'matches' do
     if ecs_compatibility?
-      expect(subject).to include "source"=>{"ip"=>"100.66.205.104", "port"=>80, "nat"=>{"ip"=>"100.66.205.104", "port"=>80}}
+      expect(subject).to include "source"=>{"ip"=>"100.66.205.104", "port"=>80, "nat"=>{"ip"=>"100.66.205.104", "port"=>80}, "user"=>{"name"=> "some.user"}}
       expect(subject).to include "cisco"=>{"asa"=>{"network"=>{"direction"=>"outbound", "transport"=>"TCP"}, "outcome"=>"Built", "connection_id"=>"11757"}}
       expect(subject).to include "observer"=>{"egress"=>{"interface"=>{"name"=>"inside"}}, "ingress"=>{"interface"=>{"name"=>"outside"}}}
     else

data/spec/patterns/redis_spec.rb

@@ -134,7 +134,7 @@ describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
 
 end
 
-describe_pattern "REDISMONLOG" do
+describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do
 
   context 'two param command' do
 
@@ -149,23 +149,43 @@ describe_pattern "REDISMONLOG" do
     end
 
     it "generates the database field" do
-      expect(grok).to include("database" => "0")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '0')))
+      else
+        expect(grok).to include("database" => "0")
+      end
     end
 
     it "generates the client field" do
-      expect(grok).to include("client" => "127.0.0.1")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+      else
+        expect(grok).to include("client" => "127.0.0.1")
+      end
     end
 
     it "generates the port field" do
-      expect(grok).to include("port" => "39404")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 39404))
+      else
+        expect(grok).to include("port" => "39404")
+      end
     end
 
     it "generates the command field" do
-      expect(grok).to include("command" => "rpush")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))
+      else
+        expect(grok).to include("command" => "rpush")
+      end
     end
 
     it "generates the params field" do
-      expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")))
+      else
+        expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+      end
     end
 
   end
@@ -183,23 +203,43 @@ describe_pattern "REDISMONLOG" do
     end
 
     it "generates the database field" do
-      expect(grok).to include("database" => "15")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '15')))
+      else
+        expect(grok).to include("database" => "15")
+      end
     end
 
     it "generates the client field" do
-      expect(grok).to include("client" => "195.168.1.1")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+      else
+        expect(grok).to include("client" => "195.168.1.1")
+      end
     end
 
     it "generates the port field" do
-      expect(grok).to include("port" => "52500")
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 52500))
+      else
+        expect(grok).to include("port" => "52500")
+      end
     end
 
     it "generates the command field" do
-      expect(grok).to include("command" => "intentionally")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'intentionally')))
+      else
+        expect(grok).to include("command" => "intentionally")
+      end
     end
 
     it "generates the params field" do
-      expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"broken\" \"variadic\" \"log\" \"entry\"")))
+      else
+        expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+      end
     end
 
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-  version: 4.3.1
+  version: 4.3.4
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-16 00:00:00.000000000 Z
+date: 2022-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -160,8 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash