logstash-patterns-core 4.3.2 → 4.3.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +6 -1
- data/spec/patterns/aws_spec.rb +32 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a140c63f36f693e1a77aa232ef7e86ace02819488195de75f3abf54efff6768a
|
|
4
|
+
data.tar.gz: 5fcdaec2903fedca22c9da735a417b16782bb8782a9e49cb07eedfbbba36bebf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 639a5b7fdb5ee6f4e9d24d77f4dd790983c9b84211e999cc18facf361f8a3040c225c73b70ddbd1ab0ac6cb37c7c597ab5e2b72b589c6b0e578e331e13ad2543
|
|
7
|
+
data.tar.gz: e4c6b94985b3edf00e81dae22521c798a9f940f72912fded835b50dedf344fd2234146ca074e52602e3b03780db1fcbc935aac67d7be5a3ec287620e7fede7b7
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 4.3.3
|
|
2
|
+
|
|
3
|
+
- Fix: parsing x-edge-location in CLOUDFRONT_ACCESS_LOG (ECS mode) [#311](https://github.com/logstash-plugins/logstash-patterns-core/pull/311)
|
|
4
|
+
|
|
1
5
|
## 4.3.2
|
|
2
6
|
|
|
3
7
|
- Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-patterns-core'
|
|
4
|
-
s.version = '4.3.
|
|
4
|
+
s.version = '4.3.3'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Patterns to be used in logstash"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/patterns/ecs-v1/aws
CHANGED
|
@@ -19,8 +19,13 @@ ELB_V1_HTTP_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:[aws][elb][name]} %{IP
|
|
|
19
19
|
|
|
20
20
|
ELB_ACCESS_LOG %{ELB_V1_HTTP_LOG}
|
|
21
21
|
|
|
22
|
+
# Each edge location is identified by a three-letter code and an arbitrarily assigned number.
|
|
23
|
+
# The three-letter IATA code typically represents an airport near the edge location.
|
|
24
|
+
# examples: "LHR62-C2", "SFO5-P1", ""IND6", "CPT50"
|
|
25
|
+
CLOUDFRONT_EDGE_LOCATION [A-Z]{3}[0-9]{1,2}(?:-[A-Z0-9]{2})?
|
|
26
|
+
|
|
22
27
|
# pattern used to match a shorted format, that's why we have the optional part (starting with *http.version*) at the end
|
|
23
|
-
CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{
|
|
28
|
+
CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{CLOUDFRONT_EDGE_LOCATION:[aws][cloudfront][x_edge_location]}\t(?:-|%{INT:[destination][bytes]:int})\t%{IPORHOST:[source][ip]}\t%{WORD:[http][request][method]}\t%{HOSTNAME:[url][domain]}\t%{NOTSPACE:[url][path]}\t(?:(?:000)|%{INT:[http][response][status_code]:int})\t(?:-|%{DATA:[http][request][referrer]})\t%{DATA:[user_agent][original]}\t(?:-|%{DATA:[url][query]})\t(?:-|%{DATA:[aws][cloudfront][http][request][cookie]})\t%{WORD:[aws][cloudfront][x_edge_result_type]}\t%{NOTSPACE:[aws][cloudfront][x_edge_request_id]}\t%{HOSTNAME:[aws][cloudfront][http][request][host]}\t%{URIPROTO:[network][protocol]}\t(?:-|%{INT:[source][bytes]:int})\t%{NUMBER:[aws][cloudfront][time_taken]:float}\t(?:-|%{IP:[network][forwarded_ip]})\t(?:-|%{DATA:[aws][cloudfront][ssl_protocol]})\t(?:-|%{NOTSPACE:[tls][cipher]})\t%{WORD:[aws][cloudfront][x_edge_response_result_type]}(?:\t(?:-|HTTP/%{NUMBER:[http][version]})\t(?:-|%{DATA:[aws][cloudfront][fle_status]})\t(?:-|%{DATA:[aws][cloudfront][fle_encrypted_fields]})\t%{INT:[source][port]:int}\t%{NUMBER:[aws][cloudfront][time_to_first_byte]:float}\t(?:-|%{DATA:[aws][cloudfront][x_edge_detailed_result_type]})\t(?:-|%{NOTSPACE:[http][request][mime_type]})\t(?:-|%{INT:[aws][cloudfront][http][request][size]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][start]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][end]:int}))?
|
|
24
29
|
# :long - %{INT:[destination][bytes]:int}
|
|
25
30
|
# :long - %{INT:[source][bytes]:int}
|
|
26
31
|
# :long - %{INT:[aws][cloudfront][http][request][size]:int}
|
data/spec/patterns/aws_spec.rb
CHANGED
|
@@ -390,6 +390,38 @@ describe_pattern "CLOUDFRONT_ACCESS_LOG", ['legacy', 'ecs-v1'] do
|
|
|
390
390
|
end
|
|
391
391
|
end
|
|
392
392
|
|
|
393
|
+
context 'GH-306' do
|
|
394
|
+
|
|
395
|
+
let(:message) do
|
|
396
|
+
#Version: 1.0
|
|
397
|
+
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end
|
|
398
|
+
"2021-08-24 00:24:40 LHR62-C3 33517 82.44.60.119 GET d1236u0ikuk2zt.cloudfront.net /p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3 200 https://www.liverpoolfc.com/ Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%2014_7_1%20like%20Mac%20OS%20X)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/14.1.2%20Mobile/15E148%20Safari/604.1 - - Hit YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ== open.http.mp.streamamg.com https 289 0.003 - TLSv1.3 TLS_AES_128_GCM_SHA256 Hit HTTP/2.0 - - 54902 0.003 Hit image/jpeg 33046 - -"
|
|
399
|
+
end
|
|
400
|
+
|
|
401
|
+
it 'matches' do
|
|
402
|
+
skip 'fixed in ECS mode only' unless ecs_compatibility?
|
|
403
|
+
|
|
404
|
+
should include("timestamp" => "2021-08-24\t00:24:40")
|
|
405
|
+
should include("url"=>{"domain"=>"d1236u0ikuk2zt.cloudfront.net", "path"=>"/p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3"})
|
|
406
|
+
should include("http"=>{
|
|
407
|
+
"request"=>{"referrer"=>"https://www.liverpoolfc.com/", "mime_type"=>"image/jpeg", "method"=>"GET"},
|
|
408
|
+
"response"=>{"status_code"=>200}, "version"=>"2.0"
|
|
409
|
+
})
|
|
410
|
+
should include("tls"=>{"cipher"=>"TLS_AES_128_GCM_SHA256"})
|
|
411
|
+
should include("aws"=>{"cloudfront"=>{
|
|
412
|
+
"x_edge_location"=>"LHR62-C3",
|
|
413
|
+
"x_edge_response_result_type"=>"Hit",
|
|
414
|
+
"x_edge_detailed_result_type"=>"Hit",
|
|
415
|
+
"x_edge_result_type"=>"Hit",
|
|
416
|
+
"ssl_protocol"=>"TLSv1.3",
|
|
417
|
+
"http"=>{"request"=>{"size"=>33046, "host"=>"open.http.mp.streamamg.com"}},
|
|
418
|
+
"time_to_first_byte"=>0.003, "time_taken"=>0.003,
|
|
419
|
+
"x_edge_request_id"=>"YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ=="
|
|
420
|
+
}})
|
|
421
|
+
end
|
|
422
|
+
|
|
423
|
+
end
|
|
424
|
+
|
|
393
425
|
end
|
|
394
426
|
|
|
395
427
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-patterns-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.3.
|
|
4
|
+
version: 4.3.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-05-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|