logstash-patterns-core 4.3.1 → 4.3.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -0
- data/README.md +1 -1
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +6 -1
- data/patterns/ecs-v1/bind +1 -1
- data/patterns/ecs-v1/firewalls +1 -1
- data/spec/patterns/aws_spec.rb +32 -0
- data/spec/patterns/bind_spec.rb +18 -4
- data/spec/patterns/core_spec.rb +8 -8
- data/spec/patterns/firewalls_spec.rb +2 -2
- data/spec/patterns/redis_spec.rb +51 -11
- metadata +3 -4
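--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4280b348effacb1216e9cba777f6e5c5eb04b7edaf12ec95be063ff62979116a
+data.tar.gz: 6fcccf691a162a0e1a6daafe4dce7db2b5139f8b883b6177fa61dc41308dd2aa
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 21e83a559b2c001c3b011876b2586894da17d719c41f30bbb210a1d9055f9f89fba3e34db29f0a492f1f982891ed860615bfc86370321253f34584899aecc4ed
+data.tar.gz: bb2ef8278f68be61bb77dae3c04bd8bd6a84ad7f0eef61228969e50490d00a2646192ffcc874a8557643fe5f102daada0ea2b00e985ab228c10153ce2874eb04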
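--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 4.3.4
+- Fix: typo in CISCOFW302013_302014_302015_302016 grok pattern [#313](https://github.com/logstash-plugins/logstash-patterns-core/pull/313)
+
+## 4.3.3
+
+- Fix: parsing x-edge-location in CLOUDFRONT_ACCESS_LOG (ECS mode) [#311](https://github.com/logstash-plugins/logstash-patterns-core/pull/311)
+
+## 4.3.2
+
+- Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)
+
 ## 4.3.1
 
 - Fix: incorrect syslog (priority) field name [#303](https://github.com/logstash-plugins/logstash-patterns-core/pull/303)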
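--- a/data/README.md
+++ b/data/README.md
@@ -87,5 +87,5 @@ It is more important to the community that you are able to contribute.
 
 For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
 
-[1]: /tree/
+[1]: https://github.com/logstash-plugins/logstash-patterns-core/tree/main/patterns
 [2]: https://github.com/logstash-plugins/logstash-filter-grok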
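--- a/data/logstash-patterns-core.gemspec
+++ b/data/logstash-patterns-core.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
 s.name = 'logstash-patterns-core'
-s.version = '4.3.
+s.version = '4.3.4'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Patterns to be used in logstash"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"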
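--- a/data/patterns/ecs-v1/aws
+++ b/data/patterns/ecs-v1/aws
@@ -19,8 +19,13 @@ ELB_V1_HTTP_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:[aws][elb][name]} %{IP
 
 ELB_ACCESS_LOG %{ELB_V1_HTTP_LOG}
 
+# Each edge location is identified by a three-letter code and an arbitrarily assigned number.
+# The three-letter IATA code typically represents an airport near the edge location.
+# examples: "LHR62-C2", "SFO5-P1", ""IND6", "CPT50"
+CLOUDFRONT_EDGE_LOCATION [A-Z]{3}[0-9]{1,2}(?:-[A-Z0-9]{2})?
+
 # pattern used to match a shorted format, that's why we have the optional part (starting with *http.version*) at the end
-CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{
+CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{CLOUDFRONT_EDGE_LOCATION:[aws][cloudfront][x_edge_location]}\t(?:-|%{INT:[destination][bytes]:int})\t%{IPORHOST:[source][ip]}\t%{WORD:[http][request][method]}\t%{HOSTNAME:[url][domain]}\t%{NOTSPACE:[url][path]}\t(?:(?:000)|%{INT:[http][response][status_code]:int})\t(?:-|%{DATA:[http][request][referrer]})\t%{DATA:[user_agent][original]}\t(?:-|%{DATA:[url][query]})\t(?:-|%{DATA:[aws][cloudfront][http][request][cookie]})\t%{WORD:[aws][cloudfront][x_edge_result_type]}\t%{NOTSPACE:[aws][cloudfront][x_edge_request_id]}\t%{HOSTNAME:[aws][cloudfront][http][request][host]}\t%{URIPROTO:[network][protocol]}\t(?:-|%{INT:[source][bytes]:int})\t%{NUMBER:[aws][cloudfront][time_taken]:float}\t(?:-|%{IP:[network][forwarded_ip]})\t(?:-|%{DATA:[aws][cloudfront][ssl_protocol]})\t(?:-|%{NOTSPACE:[tls][cipher]})\t%{WORD:[aws][cloudfront][x_edge_response_result_type]}(?:\t(?:-|HTTP/%{NUMBER:[http][version]})\t(?:-|%{DATA:[aws][cloudfront][fle_status]})\t(?:-|%{DATA:[aws][cloudfront][fle_encrypted_fields]})\t%{INT:[source][port]:int}\t%{NUMBER:[aws][cloudfront][time_to_first_byte]:float}\t(?:-|%{DATA:[aws][cloudfront][x_edge_detailed_result_type]})\t(?:-|%{NOTSPACE:[http][request][mime_type]})\t(?:-|%{INT:[aws][cloudfront][http][request][size]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][start]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][end]:int}))?
 # :long - %{INT:[destination][bytes]:int}
 # :long - %{INT:[source][bytes]:int}
 # :long - %{INT:[aws][cloudfront][http][request][size]:int}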
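Review bot: `CLOUDFRONT_EDGE_LOCATION` on new line 25 bounds the numeric part to `[0-9]{1,2}` and the suffix to exactly two characters, while the comment two lines above calls that number "arbitrarily assigned"; an id outside that shape would make the whole `CLOUDFRONT_ACCESS_LOG` on line 28 fail rather than lose one field, so the event would arrive with no ECS fields at all. Because the field is tab-delimited on both sides, `CLOUDFRONT_EDGE_LOCATION [A-Z]{3}[0-9]+(?:-[A-Z0-9]+)?` matches every input the current form does and keeps parsing alive if the format widens — worth confirming against current CloudFront ids before relaxing. The examples comment on line 24 also has a doubled quote, `""IND6"`, that should read `"IND6"`.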
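--- a/data/patterns/ecs-v1/bind
+++ b/data/patterns/ecs-v1/bind
@@ -8,6 +8,6 @@ BIND9_CATEGORY (?:queries)
 BIND9_QUERYLOGBASE client(:? @0x(?:[0-9A-Fa-f]+))? %{IP:[client][ip]}#%{POSINT:[client][port]:int} \(%{GREEDYDATA:[bind][log][question][name]}\): query: %{GREEDYDATA:[dns][question][name]} (?<[dns][question][class]>IN) %{BIND9_DNSTYPE:[dns][question][type]}(:? %{DATA:[bind][log][question][flags]})? \(%{IP:[server][ip]}\)
 
 # for query-logging category and severity are always fixed as "queries: info: "
-BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[
+BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bind][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
 
 BIND9 %{BIND9_QUERYLOG}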
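Review bot: The repaired `BIND9_QUERYLOG` on new line 11 still expands `BIND9_QUERYLOGBASE` from context line 8, where `(:?` appears twice in place of `(?:` — in `client(:? @0x(?:[0-9A-Fa-f]+))?` and in `(:? %{DATA:[bind][log][question][flags]})?`. Both groups still match today only because the stray `:?` is an optional literal colon, and they become unnamed capturing groups; it is the same class of typo this release set out to fix. Writing them as `client(?: @0x(?:[0-9A-Fa-f]+))?` and `(?: %{DATA:[bind][log][question][flags]})?` keeps every current match and removes the accident; the flag and no-flag fixtures in bind_spec.rb appear to already cover both shapes.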
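--- a/data/patterns/ecs-v1/firewalls
+++ b/data/patterns/ecs-v1/firewalls
@@ -60,7 +60,7 @@ CISCOFW110002 %{CISCO_REASON:[event][reason]} for %{WORD:[cisco][asa][network][t
 # ASA-6-302010
 CISCOFW302010 %{INT:[cisco][asa][connections][in_use]:int} in use, %{INT:[cisco][asa][connections][most_used]:int} most used
 # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
-CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?: \(%{IP:[source][nat][ip]}/%{INT:[source][nat][port]:int}\))?(?:\(%{DATA:[source][user][name
+CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?: \(%{IP:[source][nat][ip]}/%{INT:[source][nat][port]:int}\))?(?:\(%{DATA:[source][user][name]}\))? to %{NOTSPACE:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]:int}( \(%{IP:[destination][nat][ip]}/%{INT:[destination][nat][port]:int}\))?(?:\(%{DATA:[destination][user][name]}\))?( duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int})?(?: %{CISCO_REASON:[event][reason]})?(?: \(%{DATA:[user][name]}\))?
 # :long - %{INT:[network][bytes]:int}
 # ASA-6-302020, ASA-6-302021
 CISCOFW302020_302021 %{CISCO_ACTION:[cisco][asa][outcome]}(?: %{CISCO_DIRECTION:[cisco][asa][network][direction]})? %{WORD:[cisco][asa][network][transport]} connection for faddr %{IP:[destination][ip]}/%{INT:[cisco][asa][icmp_seq]:int}(?:\(%{DATA:[destination][user][name]}\))? gaddr %{IP:[source][nat][ip]}/%{INT:[cisco][asa][icmp_type]:int} laddr %{IP:[source][ip]}/%{INT}(?: \(%{DATA:[source][user][name]}\))?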
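Review bot: `( duration %{TIME:[cisco][asa][duration]} bytes ...)?` on new line 63 reuses the wall-clock `TIME` pattern for a connection lifetime; in this library `TIME` is built on `HOUR`, which I believe only accepts 0–23, so a teardown for a flow older than a day would stop the whole line from matching, and long-lived flows are exactly the ones an analyst wants tagged. If ASA's `h:mm:ss` counter does run past 23 (worth checking on a real teardown message), `(?: duration (?<[cisco][asa][duration]>[0-9]+:[0-5][0-9]:[0-5][0-9]) bytes %{INT:[network][bytes]:int})?` keeps the field and survives; the `(?<[dns][question][class]>IN)` form in the bind file shows the named-group syntax already in use here. The same line also mixes plain `( … )?` groups for the destination-NAT and duration parts with the `(?: … )?` form used for the source side; `(?:` for all of them keeps the pattern uniform and avoids unnamed captures.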
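--- a/data/spec/patterns/aws_spec.rb
+++ b/data/spec/patterns/aws_spec.rb
@@ -390,6 +390,38 @@ describe_pattern "CLOUDFRONT_ACCESS_LOG", ['legacy', 'ecs-v1'] do
 end
 end
 
+context 'GH-306' do
+
+let(:message) do
+#Version: 1.0
+#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end
+"2021-08-24 00:24:40 LHR62-C3 33517 82.44.60.119 GET d1236u0ikuk2zt.cloudfront.net /p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3 200 https://www.liverpoolfc.com/ Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%2014_7_1%20like%20Mac%20OS%20X)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/14.1.2%20Mobile/15E148%20Safari/604.1 - - Hit YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ== open.http.mp.streamamg.com https 289 0.003 - TLSv1.3 TLS_AES_128_GCM_SHA256 Hit HTTP/2.0 - - 54902 0.003 Hit image/jpeg 33046 - -"
+end
+
+it 'matches' do
+skip 'fixed in ECS mode only' unless ecs_compatibility?
+
+should include("timestamp" => "2021-08-24\t00:24:40")
+should include("url"=>{"domain"=>"d1236u0ikuk2zt.cloudfront.net", "path"=>"/p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3"})
+should include("http"=>{
+"request"=>{"referrer"=>"https://www.liverpoolfc.com/", "mime_type"=>"image/jpeg", "method"=>"GET"},
+"response"=>{"status_code"=>200}, "version"=>"2.0"
+})
+should include("tls"=>{"cipher"=>"TLS_AES_128_GCM_SHA256"})
+should include("aws"=>{"cloudfront"=>{
+"x_edge_location"=>"LHR62-C3",
+"x_edge_response_result_type"=>"Hit",
+"x_edge_detailed_result_type"=>"Hit",
+"x_edge_result_type"=>"Hit",
+"ssl_protocol"=>"TLSv1.3",
+"http"=>{"request"=>{"size"=>33046, "host"=>"open.http.mp.streamamg.com"}},
+"time_to_first_byte"=>0.003, "time_taken"=>0.003,
+"x_edge_request_id"=>"YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ=="
+}})
+end
+
+end
+
 end
 
 end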
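Review bot: `skip 'fixed in ECS mode only' unless ecs_compatibility?` on new line 402 silently drops the legacy half of a spec declared for both modes, so the still-unfixed legacy `CLOUDFRONT_ACCESS_LOG` parse of `LHR62-C3` leaves no trace in the run and nothing turns green when it is eventually fixed. `pending 'legacy pattern does not parse x-edge-location suffixes' unless ecs_compatibility?` keeps the expectations executing and fails the suite the day they unexpectedly pass. The fixture also embeds what looks like a real end-user address, `82.44.60.119`; an RFC 5737 documentation address such as `203.0.113.7` gives the same test value without checking someone's IP into a public repository.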
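--- a/data/spec/patterns/bind_spec.rb
+++ b/data/spec/patterns/bind_spec.rb
@@ -14,10 +14,10 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
 should include("log" => hash_including("level" => "info"))
 should include("client" => { "ip" => "172.26.0.1", "port" => 12345 })
 should include("dns" => { "question" => { "name" => "test.example.com", "type" => 'A', "class" => 'IN' }})
-should include("bind" => { "log" =>
+should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K'))})
 should include("server" => { "ip" => "172.26.0.3" })
 # NOTE: duplicate but still captured since we've been doing that before as well :
-should include("bind" => { "log" =>
+should include("bind" => { "log" => hash_including("question" => hash_including("name" => 'test.example.com'))})
 else
 should include("loglevel" => "info")
 should include("clientip" => "172.26.0.1")
@@ -48,7 +48,7 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
 should include("log" => hash_including("level" => "info"))
 should include("client" => { "ip" => "192.168.10.48", "port" => 60061 })
 should include("dns" => { "question" => { "name" => "91.2.10.170.in-addr.internal", "type" => 'PTR', "class" => 'IN' }})
-should include("bind" => { "log" =>
+should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+')) })
 should include("server" => { "ip" => "192.168.2.2" })
 else
 should include("loglevel" => "info")
@@ -72,7 +72,21 @@ describe_pattern "BIND9_QUERYLOGBASE", ['ecs-v1'] do
 it 'matches' do
 should include("client" => { "ip" => "127.0.0.1", "port" => 42520 })
 should include("dns" => { "question" => { "name" => "ci.elastic.co", "type" => 'A', "class" => 'IN' }})
-should include("bind" => { "log" =>
+should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K') )})
 should include("server" => { "ip" => "35.193.103.164" })
 end
 end
+
+describe_pattern "BIND9_QUERYLOG", ['ecs-v1'] do
+let(:message) do
+'01-May-2019 00:27:48.084 queries: info: client @0x7f82bc11d4e0 192.168.1.111#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)'
+end
+
+it 'matches' do
+should include("client" => { "ip" => "192.168.1.111", "port" => 53995 })
+should include("dns" => { "question" => { "name" => "google.com", "type" => 'A', "class" => 'IN' }})
+should include("bind" => { "log" => hash_including("question" => { "flags" => '+E(0)', "name" => 'google.com' })})
+should include("server" => { "ip" => "10.80.1.88" })
+should include("log" => { "level" => "info" })
+end
+end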
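--- a/data/spec/patterns/core_spec.rb
+++ b/data/spec/patterns/core_spec.rb
@@ -2,20 +2,20 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-
+describe_pattern "SYSLOGLINE", ['legacy', 'ecs-v1'] do
+
+let(:message) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
 
-let(:value) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
-let(:grok) { grok_match(subject, value) }
 it "a pattern pass the grok expression" do
 expect(grok).to pass
 end
 
-it "matches a simple message" do
-expect(subject).to match(value)
-end
-
 it "generates the program field" do
-
+if ecs_compatibility?
+expect(grok).to include("process" => hash_including('name' => 'postfix/smtpd'))
+else
+expect(grok).to include("program" => "postfix/smtpd")
+end
 end
 
 end
@@ -278,13 +278,13 @@ end
 
 describe_pattern "CISCOFW302013_302014_302015_302016", ['legacy', 'ecs-v1'] do
 
-let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)" }
+let(:message) { "ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80)(some.user) to inside:172.31.98.44/1772 (172.31.98.44/1772)" }
 
 include_examples 'top-level namespaces', CISCOFW_ALLOWED_TOP_LEVEL_NAMESPACES, if: -> { ecs_compatibility? }
 
 it 'matches' do
 if ecs_compatibility?
-expect(subject).to include "source"=>{"ip"=>"100.66.205.104", "port"=>80, "nat"=>{"ip"=>"100.66.205.104", "port"=>80}}
+expect(subject).to include "source"=>{"ip"=>"100.66.205.104", "port"=>80, "nat"=>{"ip"=>"100.66.205.104", "port"=>80}, "user"=>{"name"=> "some.user"}}
 expect(subject).to include "cisco"=>{"asa"=>{"network"=>{"direction"=>"outbound", "transport"=>"TCP"}, "outcome"=>"Built", "connection_id"=>"11757"}}
 expect(subject).to include "observer"=>{"egress"=>{"interface"=>{"name"=>"inside"}}, "ingress"=>{"interface"=>{"name"=>"outside"}}}
 else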
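Review bot: The fixture change on new line 281 only adds the `(some.user)` source-user token, so this spec still exercises just the 302013 "Built" shape of `CISCOFW302013_302014_302015_302016`; the destination-user, `duration … bytes …` and trailing-reason groups of the same pattern remain untested, and a regression in the 302014/302016 teardown half would pass here. A second example such as `ASA-6-302014: Teardown TCP connection 11757 for outside:100.66.205.104/80 to inside:172.31.98.44/1772 duration 0:00:05 bytes 1024 TCP FINs`, asserting `cisco.asa.duration`, `network.bytes` and `event.reason`, would close that gap. The `describe_pattern` block continues past the end of the hunk.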
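--- a/data/spec/patterns/redis_spec.rb
+++ b/data/spec/patterns/redis_spec.rb
@@ -134,7 +134,7 @@ describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
 
 end
 
-describe_pattern "REDISMONLOG" do
+describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do
 
 context 'two param command' do
 
@@ -149,23 +149,43 @@ describe_pattern "REDISMONLOG" do
 end
 
 it "generates the database field" do
-
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '0')))
+else
+expect(grok).to include("database" => "0")
+end
 end
 
 it "generates the client field" do
-
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+else
+expect(grok).to include("client" => "127.0.0.1")
+end
 end
 
 it "generates the port field" do
-
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('port' => 39404))
+else
+expect(grok).to include("port" => "39404")
+end
 end
 
 it "generates the command field" do
-
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))
+else
+expect(grok).to include("command" => "rpush")
+end
 end
 
 it "generates the params field" do
-
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")))
+else
+expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+end
 end
 
 end
@@ -183,23 +203,43 @@ describe_pattern "REDISMONLOG" do
 end
 
 it "generates the database field" do
-
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '15')))
+else
+expect(grok).to include("database" => "15")
+end
 end
 
 it "generates the client field" do
-
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+else
+expect(grok).to include("client" => "195.168.1.1")
+end
 end
 
 it "generates the port field" do
-
+if ecs_compatibility?
+expect(grok).to include("client" => hash_including('port' => 52500))
+else
+expect(grok).to include("port" => "52500")
+end
 end
 
 it "generates the command field" do
-
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'intentionally')))
+else
+expect(grok).to include("command" => "intentionally")
+end
 end
 
 it "generates the params field" do
-
+if ecs_compatibility?
+expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"broken\" \"variadic\" \"log\" \"entry\"")))
+else
+expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+end
 end
 
 end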
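Review bot: The params expectations on new lines 185/187 and 239/241 repeat the same escaped literal in both arms of the `ecs_compatibility?` branch, and the first one (`"my:special:key" "{\"data\":"cdr\",\"payload\":\"json\"}"` once decoded) is hard enough to read that the unescaped quote before `cdr` could be a fixture detail or a typo. A single `let(:params) { %q("my:special:key" "{\"data\":"cdr\",\"payload\":\"json\"}") }` per context, asserted as `hash_including('args' => params)` in ECS mode and `"params" => params` in legacy mode, removes the duplication and makes that quirk deliberate; `%q` keeps the backslashes without the triple escaping. The `describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do` on new line 137 now also has the same signature as the block named in the first hunk header, so the two could probably be merged, though that block's body lies outside the hunk.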
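--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-version: 4.3.
+version: 4.3.4
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -160,8 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash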