logstash-patterns-core 0.1.10 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fb94df5ab3f3e8ee6e7204b1c6f6b44055b40d26
-  data.tar.gz: 5f6edd7688daf729dfad7b17a40f98744f36ea48
+  metadata.gz: 1d76c75e17f367e1289a5523405de72dd14229b0
+  data.tar.gz: 6625c91537bf4a556681664510d33908b0b6645d
 SHA512:
-  metadata.gz: 08a6bd3187a03e03f277b6c17bf2a78084a68271a0958cda6f1cae0f3679e7b8873f797048be49788d8039ac2456a6556947b78316e8a0d1a41b959e5dfe9c27
-  data.tar.gz: 4d7784a60f00fa548feb0946d71abe36c2cffb7249cbbf306dbb773950735ead55b501fd074392de6e633296c1f16f59aadb3bdc68c05469a2eda3355ff65194
+  metadata.gz: e7a69562203c00b4546523ae154789279ccf05e80af4c77fae2ae9ab573b5079d8d4c84f36b3934b9dbf77e6f06f20e4f8d1261622d1e36e618af90ebc099701
+  data.tar.gz: 68f1f9f483723eece2b6fa015f27c57b8c1f2538cea86a76484a0fcee6c9bc13c101d60f09391c765dc0c84336fcbb117376db0aed8e97412613d6dabeee5978

data/.gitignore

@@ -1,3 +1,5 @@
 *.gem
 Gemfile.lock
 .bundle
+/.buildpath
+/.project

data/CHANGELOG.md

@@ -0,0 +1,14 @@
+# 0.3.0
+ - Updated the AWS S3 patterns
+ - Added patterns for rails 3
+ - Added patterns for haproxy
+ - Added patterns for bro http.log
+ - Added shorewall patterns
+# 0.2.0
+ - Added patterns for S3 and ELB access logs amazon services
+# 0.1.12
+ - add some missing Cisco ASA firewall system log patterns
+ - fix cisco firewall policy_id regex for policies with '-' in the name
+# 0.1.11
+ - Added Catalina and Tomcat patterns
+ - Added German month names

data/CONTRIBUTORS

@@ -8,6 +8,7 @@ Contributors:
 * Brad Fritz (bfritz)
 * Brian DeFreitas (briandef)
 * Chris Mague (maguec)
+* Christian Häussler (cniweb)
 * Colin Surprenant (colinsurprenant)
 * Corry Haines (tabletcorry)
 * Dimitri Tischenko (timidri)

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -13,7 +13,7 @@ Logstash provides infrastructure to automatically generate documentation for thi
 
 ## Need Help?
 
-Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com mailing list.
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
 
 ## Developing
 

data/logstash-patterns-core.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-patterns-core'
-  s.version         = '0.1.10'
+  s.version         = '0.3.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Patterns to be used in logstash"
   s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
@@ -24,5 +24,6 @@ Gem::Specification.new do |s|
 
   s.add_development_dependency 'logstash-filter-grok'
   s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'logstash-filter-grok'
 end
 

data/patterns/aws

@@ -0,0 +1,11 @@
+S3_REQUEST_LINE (?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
+
+S3_ACCESS_LOG %{WORD:owner} %{NOTSPACE:bucket} \[%{HTTPDATE:timestamp}\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:"%{S3_REQUEST_LINE}"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:"?%{QS:agent}"?|-) (?:-|%{NOTSPACE:version_id})
+
+ELB_URIPATHPARAM %{URIPATH:path}(?:%{URIPARAM:params})?
+
+ELB_URI %{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?
+
+ELB_REQUEST_LINE (?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
+
+ELB_ACCESS_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} "%{ELB_REQUEST_LINE}"

data/patterns/bro

@@ -0,0 +1,13 @@
+# https://www.bro.org/sphinx/script-reference/log-files.html
+
+# http.log
+BRO_HTTP %{NUMBER:ts}\t%{NOTSPACE:uid}\t%{IP:orig_h}\t%{INT:orig_p}\t%{IP:resp_h}\t%{INT:resp_p}\t%{INT:trans_depth}\t%{GREEDYDATA:method}\t%{GREEDYDATA:domain}\t%{GREEDYDATA:uri}\t%{GREEDYDATA:referrer}\t%{GREEDYDATA:user_agent}\t%{NUMBER:request_body_len}\t%{NUMBER:response_body_len}\t%{GREEDYDATA:status_code}\t%{GREEDYDATA:status_msg}\t%{GREEDYDATA:info_code}\t%{GREEDYDATA:info_msg}\t%{GREEDYDATA:filename}\t%{GREEDYDATA:bro_tags}\t%{GREEDYDATA:username}\t%{GREEDYDATA:password}\t%{GREEDYDATA:proxied}\t%{GREEDYDATA:orig_fuids}\t%{GREEDYDATA:orig_mime_types}\t%{GREEDYDATA:resp_fuids}\t%{GREEDYDATA:resp_mime_types}
+
+# dns.log
+BRO_DNS %{NUMBER:ts}\t%{NOTSPACE:uid}\t%{IP:orig_h}\t%{INT:orig_p}\t%{IP:resp_h}\t%{INT:resp_p}\t%{WORD:proto}\t%{INT:trans_id}\t%{GREEDYDATA:query}\t%{GREEDYDATA:qclass}\t%{GREEDYDATA:qclass_name}\t%{GREEDYDATA:qtype}\t%{GREEDYDATA:qtype_name}\t%{GREEDYDATA:rcode}\t%{GREEDYDATA:rcode_name}\t%{GREEDYDATA:AA}\t%{GREEDYDATA:TC}\t%{GREEDYDATA:RD}\t%{GREEDYDATA:RA}\t%{GREEDYDATA:Z}\t%{GREEDYDATA:answers}\t%{GREEDYDATA:TTLs}\t%{GREEDYDATA:rejected}
+
+# conn.log
+BRO_CONN %{NUMBER:ts}\t%{NOTSPACE:uid}\t%{IP:orig_h}\t%{INT:orig_p}\t%{IP:resp_h}\t%{INT:resp_p}\t%{WORD:proto}\t%{GREEDYDATA:service}\t%{NUMBER:duration}\t%{NUMBER:orig_bytes}\t%{NUMBER:resp_bytes}\t%{GREEDYDATA:conn_state}\t%{GREEDYDATA:local_orig}\t%{GREEDYDATA:missed_bytes}\t%{GREEDYDATA:history}\t%{GREEDYDATA:orig_pkts}\t%{GREEDYDATA:orig_ip_bytes}\t%{GREEDYDATA:resp_pkts}\t%{GREEDYDATA:resp_ip_bytes}\t%{GREEDYDATA:tunnel_parents}
+
+# files.log
+BRO_FILES %{NUMBER:ts}\t%{NOTSPACE:fuid}\t%{IP:tx_hosts}\t%{IP:rx_hosts}\t%{NOTSPACE:conn_uids}\t%{GREEDYDATA:source}\t%{GREEDYDATA:depth}\t%{GREEDYDATA:analyzers}\t%{GREEDYDATA:mime_type}\t%{GREEDYDATA:filename}\t%{GREEDYDATA:duration}\t%{GREEDYDATA:local_orig}\t%{GREEDYDATA:is_orig}\t%{GREEDYDATA:seen_bytes}\t%{GREEDYDATA:total_bytes}\t%{GREEDYDATA:missing_bytes}\t%{GREEDYDATA:overflow_bytes}\t%{GREEDYDATA:timedout}\t%{GREEDYDATA:parent_fuid}\t%{GREEDYDATA:md5}\t%{GREEDYDATA:sha1}\t%{GREEDYDATA:sha256}\t%{GREEDYDATA:extracted}

data/patterns/firewalls

@@ -11,6 +11,24 @@ CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transpo
 CISCO_DIRECTION Inbound|inbound|Outbound|outbound
 CISCO_INTERVAL first hit|%{INT}-second interval
 CISCO_XLATE_TYPE static|dynamic
+# ASA-1-104001
+CISCOFW104001 \((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}
+# ASA-1-104002
+CISCOFW104002 \((?:Primary|Secondary)\) Switching to STANDBY - %{GREEDYDATA:switch_reason}
+# ASA-1-104003
+CISCOFW104003 \((?:Primary|Secondary)\) Switching to FAILED\.
+# ASA-1-104004
+CISCOFW104004 \((?:Primary|Secondary)\) Switching to OK\.
+# ASA-1-105003
+CISCOFW105003 \((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting
+# ASA-1-105004
+CISCOFW105004 \((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal
+# ASA-1-105005
+CISCOFW105005 \((?:Primary|Secondary)\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}
+# ASA-1-105008
+CISCOFW105008 \((?:Primary|Secondary)\) Testing [Ii]nterface %{GREEDYDATA:interface_name}
+# ASA-1-105009
+CISCOFW105009 \((?:Primary|Secondary)\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)
 # ASA-2-106001
 CISCOFW106001 %{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
 # ASA-2-106006, ASA-2-106007, ASA-2-106010
@@ -22,9 +40,9 @@ CISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from
 # ASA-1-106021
 CISCOFW106021 %{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
 # ASA-4-106023
-CISCOFW106023 %{CISCO_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group %{DATA:policy_id} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+CISCOFW106023 %{CISCO_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group %{NOTSPACE:policy_id} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
 # ASA-5-106100
-CISCOFW106100 access-list %{WORD:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
 # ASA-6-110002
 CISCOFW110002 %{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
 # ASA-6-302010
@@ -39,6 +57,8 @@ CISCOFW305011 %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:proto
 CISCOFW313001_313004_313008 %{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?
 # ASA-4-313005
 CISCOFW313005 %{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\.  Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?
+# ASA-5-321001
+CISCOFW321001 Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system
 # ASA-4-402117
 CISCOFW402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
 # ASA-4-402119
@@ -58,3 +78,7 @@ CISCOFW713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Dete
 # ASA-4-733100
 CISCOFW733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}
 #== End Cisco ASA ==
+
+# Shorewall firewall logs
+SHOREWALL (%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)
+#== End Shorewall

data/patterns/grok-patterns

@@ -45,7 +45,7 @@ URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
 URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
 
 # Months: January, Feb, 3, 03, 12, December
-MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
+MONTH \b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b
 MONTHNUM (?:0?[1-9]|1[0-2])
 MONTHNUM2 (?:0[1-9]|1[0-2])
 MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
@@ -76,7 +76,7 @@ DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}
 
 # Syslog Dates: Month Day HH:MM:SS
 SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
-PROG (?:[\w._/%-]+)
+PROG [\x21-\x5a\x5c\x5e-\x7e]+
 SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
 SYSLOGHOST %{IPORHOST}
 SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}>

data/patterns/haproxy

@@ -31,7 +31,9 @@ HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:captured_response_headers}
 # HAPROXYCAPTUREDRESPONSEHEADERS %{DATA:response_header_content_type}\|%{DATA:response_header_content_encoding}\|%{DATA:response_header_cache_control}\|%{DATA:response_header_last_modified}
 
 # parse a haproxy 'httplog' line 
-HAPROXYHTTP %{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"
+HAPROXYHTTPBASE %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"
+
+HAPROXYHTTP %{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}
 
 # parse a haproxy 'tcplog' line
 HAPROXYTCP %{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}

data/patterns/java

@@ -5,3 +5,16 @@ JAVAFILE (?:[A-Za-z0-9_. -]+)
 JAVAMETHOD (?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
 #Line number is optional in special cases 'Native method' or 'Unknown source'
 JAVASTACKTRACEPART %{SPACE}at %{JAVACLASS:class}\.%{JAVAMETHOD:method}\(%{JAVAFILE:file}(?::%{NUMBER:line})?\)
+# Java Logs
+JAVATHREAD (?:[A-Z]{2}-Processor[\d]+)
+JAVACLASS (?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+
+JAVAFILE (?:[A-Za-z0-9_.-]+)
+JAVASTACKTRACEPART at %{JAVACLASS:class}\.%{WORD:method}\(%{JAVAFILE:file}:%{NUMBER:line}\)
+JAVALOGMESSAGE (.*)
+# MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM
+CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)
+# yyyy-MM-dd HH:mm:ss,SSS ZZZ eg: 2014-01-09 17:32:25,527 -0800
+TOMCAT_DATESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}
+CATALINALOG %{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}
+# 2014-01-09 20:03:28,269 -0800 | ERROR | com.example.service.ExampleService - something compeletely unexpected happened...
+TOMCATLOG %{TOMCAT_DATESTAMP:timestamp} \| %{LOGLEVEL:level} \| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}

data/patterns/rails

@@ -0,0 +1,13 @@
+RUUID \h{32}
+# rails controller with action
+RCONTROLLER (?<controller>[^#]+)#(?<action>\w+)
+
+# this will often be the only line:
+RAILS3HEAD (?m)Started %{WORD:verb} "%{URIPATHPARAM:request}" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})
+# for some a strange reason, params are stripped of {} - not sure that's a good idea.
+RPROCESSING \W*Processing by %{RCONTROLLER} as (?<format>\S+)(?:\W*Parameters: {%{DATA:params}}\W*)?
+RAILS3FOOT Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}
+RAILS3PROFILE (?:\(Views: %{NUMBER:viewms}ms \| ActiveRecord: %{NUMBER:activerecordms}ms|\(ActiveRecord: %{NUMBER:activerecordms}ms)?
+
+# putting it all together
+RAILS3 %{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\n)*)(?:%{RAILS3FOOT})?

data/spec/patterns/bro.rb

@@ -0,0 +1,126 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "HTTP" do
+
+  let(:value)   { "1432555199.633017	COpk6E3vkURP8QQNKl	192.168.9.35	55281	178.236.7.146	80	4	POST	www.amazon.it	/xa/dealcontent/v2/GetDeals?nocache=1432555199326	http://www.amazon.it/	Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36	223	1859	200	OK	-	-	-	(empty)	-	-	-	FrLEcY3AUPKdcYGf29	text/plain	FOJpbGzIMh9syPxH8	text/plain" }
+  let(:grok)    { grok_match(subject, value) }
+
+  it "a pattern pass the grok expression" do
+    expect(grok).to pass
+  end
+
+  it "matches a simple message" do
+    expect(subject).to match(value)
+  end
+  
+  it "generates the ts field" do
+    expect(grok).to include("ts" => "1432555199.633017")
+  end
+
+  it "generates the uid field" do
+    expect(grok).to include("uid" => "COpk6E3vkURP8QQNKl")
+  end
+
+  it "generates the orig_h field" do
+    expect(grok).to include("orig_h" => "192.168.9.35")
+  end
+
+  it "generates the orig_p field" do
+    expect(grok).to include("orig_p" => "55281")
+  end
+
+  it "generates the resp_h field" do
+    expect(grok).to include("resp_h" => "178.236.7.146")
+  end
+
+  it "generates the resp_p field" do
+    expect(grok).to include("resp_p" => "80")
+  end
+
+  it "generates the trans_depth field" do
+    expect(grok).to include("trans_depth" => "4")
+  end
+
+  it "generates the method field" do
+    expect(grok).to include("method" => "POST")
+  end
+
+  it "generates the domain field" do
+    expect(grok).to include("domain" => "www.amazon.it")
+  end
+
+  it "generates the uri field" do
+    expect(grok).to include("uri" => "/xa/dealcontent/v2/GetDeals?nocache=1432555199326")
+  end
+
+  it "generates the referrer field" do
+    expect(grok).to include("referrer" => "http://www.amazon.it/")
+  end
+
+  it "generates the user_agent field" do
+    expect(grok).to include("user_agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36")
+  end
+
+  it "generates the request_body_len field" do
+    expect(grok).to include("request_body_len" => "223")
+  end
+
+  it "generates the response_body_len field" do
+    expect(grok).to include("response_body_len" => "1859")
+  end
+
+  it "generates the status_code field" do
+    expect(grok).to include("status_code" => "200")
+  end
+
+  it "generates the status_msg field" do
+    expect(grok).to include("status_msg" => "OK")
+  end
+
+  it "generates the info_code field" do
+    expect(grok).to include("info_code" => "-")
+  end
+
+  it "generates the info_msg field" do
+    expect(grok).to include("info_msg" => "-")
+  end
+
+  it "generates the filename field" do
+    expect(grok).to include("filename" => "-")
+  end
+
+  it "generates the bro_tags field" do
+    expect(grok).to include("bro_tags" => "(empty)")
+  end
+
+  it "generates the username field" do
+    expect(grok).to include("username" => "-")
+  end
+
+  it "generates the password field" do
+    expect(grok).to include("password" => "-")
+  end
+
+  it "generates the proxied field" do
+    expect(grok).to include("proxied" => "-")
+  end
+
+  it "generates the orig_fuids field" do
+    expect(grok).to include("orig_fuids" => "FrLEcY3AUPKdcYGf29")
+  end
+
+  it "generates the orig_mime_types field" do
+    expect(grok).to include("orig_mime_types" => "text/plain")
+  end
+
+  it "generates the resp_fuids field" do
+    expect(grok).to include("resp_fuids" => "FOJpbGzIMh9syPxH8")
+  end
+
+  it "generates the resp_mime_types field" do
+    expect(grok).to include("resp_mime_types" => "text/plain")
+  end
+
+end

data/spec/patterns/core_spec.rb

@@ -29,3 +29,46 @@ describe "COMMONAPACHELOG" do
   end
 
 end
+
+describe "HTTP DATE parsing" do
+
+  context "HTTPDATE", "when having a German month" do
+
+    let(:value) { '[04/Mai/2015:13:17:15 +0200]'}
+
+    it "generates the month field" do
+      expect(grok_match(subject, value)).to pass
+    end
+
+  end
+
+  context "HTTPDATE", "when having a English month" do
+
+    let(:value) { '[04/March/2015:13:17:15 +0200]'}
+
+    it "generates the month field" do
+      expect(grok_match(subject, value)).to pass
+    end
+
+  end
+
+  context "HTTPDATE", "when having a wrong months" do
+
+    let(:value) { '[04/Map/2015:13:17:15 +0200]'}
+
+    it "generates the month field" do
+      expect(grok_match(subject, value)).not_to pass
+    end
+
+  end
+
+end
+
+describe "TOMCATLOG" do
+
+  let(:value) { '2014-01-09 20:03:28,269 -0800 | ERROR | com.example.service.ExampleService - something compeletely unexpected happened...'}
+
+  it "generates the logmessage field" do
+    expect(grok_match(subject, value)).to include("logmessage" => "something compeletely unexpected happened...")
+  end
+end

data/spec/patterns/firewalls_spec.rb

@@ -0,0 +1,53 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "FIREWALLS" do
+
+
+  let(:pattern104001)    { "CISCOFW104001" }
+
+  context "parsing a 104001 message" do
+
+    let(:value) { "(Secondary) Switching to ACTIVE - Service card in other unit has failed" }
+
+    subject     { grok_match(pattern104001, value) }
+
+    it { should include("switch_reason" => "Service card in other unit has failed") }
+
+    it "generates a message field" do
+      expect(subject["message"]).to include("(Secondary) Switching to ACTIVE - Service card in other unit has failed")
+    end
+  end
+
+  let(:pattern106100)    { "CISCOFW106100" }
+
+  context "parsing a 106100 message" do
+
+    let(:value) { "access-list inside permitted tcp inside/10.10.123.45(51763) -> outside/192.168.67.89(80) hit-cnt 1 first hit [0x62c4905, 0x0]" }
+
+    subject     { grok_match(pattern106100, value) }
+
+    it { should include("policy_id" => "inside") }
+
+    it "generates a message field" do
+      expect(subject["message"]).to include("access-list inside permitted tcp inside/10.10.123.45(51763) -> outside/192.168.67.89(80) hit-cnt 1 first hit [0x62c4905, 0x0]")
+    end
+  end
+
+  let(:pattern106100)    { "CISCOFW106100" }
+
+  context "parsing a 106100 message with hypen in acl name" do
+
+    let(:value) { "access-list outside-entry permitted tcp outside/10.11.12.13(54726) -> inside/192.168.17.18(80) hit-cnt 1 300-second interval [0x32b3835, 0x0]" }
+
+    subject     { grok_match(pattern106100, value) }
+
+    it { should include("policy_id" => "outside-entry") }
+
+    it "generates a message field" do
+      expect(subject["message"]).to include("access-list outside-entry permitted tcp outside/10.11.12.13(54726) -> inside/192.168.17.18(80) hit-cnt 1 300-second interval [0x32b3835, 0x0]")
+    end
+  end
+
+end

data/spec/patterns/haproxy_spec.rb

@@ -0,0 +1,43 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "HAPROXY" do
+
+  let(:haproxyhttp_pattern)  { "HAPROXYHTTP" }
+
+  context "Parsing HAPROXY log line from raw syslog line" do
+
+    let(:value) { 'Dec  9 13:01:26 localhost haproxy[28029]: 127.0.0.1:39759 [09/Dec/2013:12:59:46.633] loadbalancer default/instance8 0/51536/1/48082/99627 200 83285 - - ---- 87/87/87/1/0 0/67 {77.24.148.74} "GET /path/to/image HTTP/1.1"' } 
+    subject     { grok_match(haproxyhttp_pattern, value) }
+
+    it { should include("program" => "haproxy") }
+    it { should include("client_ip" => "127.0.0.1") }
+    it { should include("http_verb" => "GET") }
+    it { should include("server_name" => "instance8") }
+
+    it "generates a message field" do
+      expect(subject["message"]).to include("loadbalancer default/instance8")
+    end
+
+  end
+
+  let(:haproxyhttpbase_pattern)  { "HAPROXYHTTPBASE" }
+
+  context "Parsing HAPROXY log line without syslog specific enteries.  This mimics an event coming from a syslog input." do
+
+    let(:value) { '127.0.0.1:39759 [09/Dec/2013:12:59:46.633] loadbalancer default/instance8 0/51536/1/48082/99627 200 83285 - - ---- 87/87/87/1/0 0/67 {77.24.148.74} "GET /path/to/image HTTP/1.1"' } 
+    subject     { grok_match(haproxyhttpbase_pattern, value) }
+
+    # Assume 'program' would be matched by the syslog input.
+    it { should include("client_ip" => "127.0.0.1") }
+    it { should include("http_verb" => "GET") }
+    it { should include("server_name" => "instance8") }
+
+    it "generates a message field" do
+      expect(subject["message"]).to include("loadbalancer default/instance8")
+    end
+
+  end
+
+end

data/spec/patterns/rails3_spec.rb

@@ -0,0 +1,56 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "RAILS" do
+  let(:rails3_pattern)  { "RAILS3" }
+
+  context "Parsing RAILS3 single-line log from raw log file" do
+
+    let(:value) { 'Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2015-08-05 11:37:01 +0200' } 
+
+    subject     { grok_match(rails3_pattern, value) }
+
+    # Started
+    it { should include("verb" => "POST" ) }
+    it { should include("request" => "/api/v3/internal/allowed" ) }
+    # for
+    it { should include("clientip" => "127.0.0.1" ) }
+    # at
+    it { should include("timestamp" => "2015-08-05 11:37:01 +0200" ) }
+  end
+
+  context "Parsing RAILS3 multi-line log from raw log file" do
+
+    let(:value) { 'Started GET "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" for 127.0.0.1 at 2015-08-05 07:40:22 +0200
+Processing by Projects::NotesController#index as JSON
+  Parameters: {"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"}
+Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' } 
+    subject     { grok_match(rails3_pattern, value) }
+
+    # started
+    it { should include("verb" => "GET" ) }
+    it { should include("request" => "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" ) }
+    # for
+    it { should include("clientip" => "127.0.0.1" ) }
+    # at
+    it { should include("timestamp" => "2015-08-05 07:40:22 +0200" ) }
+    # Processing by
+    it { should include("controller" => "Projects::NotesController" ) }
+    it { should include("action" => "index" ) }
+    # as
+    it { should include("format" => "JSON" ) }
+    # Parameters
+    it { should include("params" => '"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"' ) }
+    # Completed
+    it { should include("response" => "200" ) }
+    # in
+    it { should include("totalms" =>  "640" ) }
+    # (Views: 
+    it { should include("viewms" =>  "1.7" ) }
+    # | ActiveRecord:
+    it { should include("activerecordms" =>  "91.0" ) }
+
+  end
+
+end

data/spec/patterns/s3_spec.rb

@@ -0,0 +1,132 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+
+describe "ELB_ACCESS_LOG" do
+
+  let(:pattern) { "ELB_ACCESS_LOG" }
+
+  context "parsing an access log" do
+
+    let(:value) { "2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\"" }
+
+    subject { grok_match(pattern, value) }
+
+    it { should include("timestamp" => "2014-02-15T23:39:43.945958Z" ) }
+    it { should include("elb" => "my-test-loadbalancer" ) }
+    it { should include("clientip" => "192.168.131.39" ) }
+    it { should include("clientport" => 2817 ) }
+    it { should include("backendip" => "10.0.0.1" ) }
+    it { should include("backendport" => 80 ) }
+    it { should include("request_processing_time" => 0.000073 ) }
+    it { should include("backend_processing_time" => 0.001048 ) }
+    it { should include("response_processing_time" => 0.000057 ) }
+    it { should include("response" => 200 ) }
+    it { should include("backend_response" => 200 ) }
+    it { should include("received_bytes" => 0 ) }
+    it { should include("bytes" => 29 ) }
+    it { should include("verb" => "GET" ) }
+    it { should include("request" => "http://www.example.com:80/" ) }
+    it { should include("proto" => "http" ) }
+    it { should include("httpversion" => "1.1" ) }
+    it { should include("urihost" => "www.example.com:80" ) }
+    it { should include("path" => "/" ) }
+
+    ["tags", "params"].each do |attribute|
+      it "have #{attribute} as nil" do
+        expect(subject[attribute]).to be_nil
+      end
+    end
+  end
+
+  context "parsing a PUT request access log with missing backend info" do
+
+    let(:value) { '2015-04-10T08:11:09.865823Z us-west-1-production-media 49.150.87.133:55128 - -1 -1 -1 408 0 1294336 0 "PUT https://media.xxxyyyzzz.com:443/videos/F4_M-T4X0MM6Hvy1PFHesw HTTP/1.1"' }
+
+    subject { grok_match(pattern, value) }
+
+    it "a pattern pass the grok expression" do
+      expect(subject).to pass
+    end
+
+    ["backendip", "backendport"].each do |attribute|
+      it "have #{attribute} as nil" do
+        expect(subject[attribute]).to be_nil
+      end
+    end
+  end
+end
+
+describe "S3_ACCESS_LOG" do
+
+  let(:pattern)    { "S3_ACCESS_LOG" }
+
+  context "parsing GET.VERSIONING message" do
+
+    let(:value) { "79a5 mybucket [06/Feb/2014:00:00:38 +0000] 192.0.2.3 79a5 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /mybucket?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" -" }
+
+    subject { grok_match(pattern, value) }
+
+    it { should include("owner" => "79a5" ) }
+    it { should include("bucket" => "mybucket" ) }
+    it { should include("timestamp" => "06/Feb/2014:00:00:38 +0000" ) }
+    it { should include("clientip" => "192.0.2.3" ) }
+    it { should include("requester" => "79a5" ) }
+    it { should include("request_id" => "3E57427F3EXAMPLE" ) }
+    it { should include("operation" => "REST.GET.VERSIONING" ) }
+    it { should include("key" => "-" ) }
+
+    it { should include("verb" => "GET" ) }
+    it { should include("request" => "/mybucket?versioning" ) }
+    it { should include("httpversion" => "1.1" ) }
+    it { should include("response" => 200 ) }
+    it { should include("bytes" => 113 ) }
+
+    it { should include("request_time_ms" => 7 ) }
+    it { should include("referrer" => "\"-\"" ) }
+    it { should include("agent" => "\"S3Console/0.4\"" ) }
+
+
+    ["tags", "error_code", "object_size", "turnaround_time_ms", "version_id"].each do |attribute|
+      it "have #{attribute} as nil" do
+        expect(subject[attribute]).to be_nil
+      end
+    end
+
+  end
+
+  context "parsing a GET.OBJECT message" do
+
+    let(:value) { "79a5 mybucket [12/May/2014:07:54:01 +0000] 10.0.1.2 - 7ACC4BE89EXAMPLE REST.GET.OBJECT foo/bar.html \"GET /foo/bar.html HTTP/1.1\" 304 - - 1718 10 - \"-\" \"Mozilla/5.0\" -" }
+
+    subject { grok_match(pattern, value) }
+
+    it { should include("owner" => "79a5" ) }
+    it { should include("bucket" => "mybucket" ) }
+    it { should include("timestamp" => "12/May/2014:07:54:01 +0000" ) }
+    it { should include("clientip" => "10.0.1.2" ) }
+    it { should include("requester" => "-" ) }
+    it { should include("request_id" => "7ACC4BE89EXAMPLE" ) }
+    it { should include("operation" => "REST.GET.OBJECT" ) }
+    it { should include("key" => "foo/bar.html" ) }
+
+    it { should include("verb" => "GET" ) }
+    it { should include("request" => "/foo/bar.html" ) }
+    it { should include("httpversion" => "1.1" ) }
+    it { should include("response" => 304 ) }
+    it { should include("object_size" => 1718 ) }
+
+    it { should include("request_time_ms" => 10 ) }
+    it { should include("referrer" => "\"-\"" ) }
+    it { should include("agent" => "\"Mozilla/5.0\"" ) }
+
+
+    ["tags", "error_code", "turnaround_time_ms", "version_id", "bytes"].each do |attribute|
+      it "have #{attribute} as nil" do
+        expect(subject[attribute]).to be_nil
+      end
+    end
+
+  end
+end

data/spec/patterns/shorewall_spec.rb

@@ -0,0 +1,90 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "SHOREWALL" do
+
+  let(:pattern)    { "SHOREWALL" }
+
+  context "parsing a message with OUT interface" do
+
+    let(:value) { "May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121" }
+
+    subject     { grok_match(pattern, value) }
+
+    it { should include("timestamp" => "May 28 17:23:25") }
+
+    it { should include("nf_host" => "myHost") }
+
+    it { should include("nf_action1" => "FORWARD") }
+
+    it { should include("nf_action2" => "REJECT") }
+
+    it { should include("nf_in_interface" => "eth2") }
+
+    it { should include("nf_out_interface" => "eth2") }
+
+    it { should include("nf_src_ip" => "1.2.3.4") }
+
+    it { should include("nf_dst_ip" => "1.2.3.4") }
+
+    it { should include("nf_len" => "141") }
+
+    it { should include("nf_tos" => "0x00") }
+
+    it { should include("nf_prec" => "0x00") }
+
+    it { should include("nf_ttl" => "63") }
+
+    it { should include("nf_id" => "55251") }
+
+    it { should include("nf_protocol" => "UDP") }
+
+    it { should include("nf_src_port" => "5353") }
+
+    it { should include("nf_dst_port" => "5353") }
+  end
+
+  context "parsing a message without OUT interface" do
+
+    let(:value) { "May 28 17:31:07 myHost kernel: [3125121.106700] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:02:b3:c7:2f:77:38:72:c0:6e:92:9c:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=6480 DF PROTO=TCP SPT=59088 DPT=8080 WINDOW=2920 RES=0x00 SYN URGP=0" }
+
+    subject     { grok_match(pattern, value) }
+
+    it { should include("timestamp" => "May 28 17:31:07") }
+
+    it { should include("nf_host" => "myHost") }
+
+    it { should include("nf_action1" => "net2fw") }
+
+    it { should include("nf_action2" => "DROP") }
+
+    it { should include("nf_in_interface" => "eth1") }
+
+    it { expect(subject["nf_out_interface"]).to be_nil }
+
+    it { should include("nf_dst_mac" => "00:02:b3:c7:2f:77") }
+
+    it { should include("nf_src_mac" => "38:72:c0:6e:92:9c") }
+
+    it { should include("nf_src_ip" => "1.2.3.4") }
+
+    it { should include("nf_dst_ip" => "1.2.3.4") }
+
+    it { should include("nf_len" => "60") }
+
+    it { should include("nf_tos" => "0x00") }
+
+    it { should include("nf_prec" => "0x00") }
+
+    it { should include("nf_ttl" => "49") }
+
+    it { should include("nf_id" => "6480") }
+
+    it { should include("nf_protocol" => "TCP") }
+
+    it { should include("nf_src_port" => "59088") }
+
+    it { should include("nf_dst_port" => "8080") }
+  end
+end

data/spec/patterns/syslog_spec.rb

@@ -0,0 +1,26 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "SYSLOGLINE" do
+
+  it "matches a simple message with pid" do
+    expect(subject).to match("May 11 15:17:02 meow.soy.se CRON[10973]: pam_unix(cron:session): session opened for user root by (uid=0)")
+  end
+
+  it "matches prog with slash" do
+    expect(subject).to match("Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]")
+  end
+
+  it "matches prog from ansible" do
+    expect(subject).to match("May 11 15:40:51 meow.soy.se ansible-<stdin>: Invoked with filter=* fact_path=/etc/ansible/facts.d")
+  end
+
+  it "matches prog from RFC5424 APP-NAME" do
+    # https://tools.ietf.org/html/rfc5424#section-6.2.5
+    # https://tools.ietf.org/html/rfc5424#section-6
+    tag_from_rfc = ((33..126).map { |c| c.chr } - %w{[ ]}).join
+    expect(subject).to match("May 11 15:40:51 meow.soy.se #{tag_from_rfc}: Just some data which conforms to RFC5424")
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-  version: 0.1.10
+  version: 0.3.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-05-06 00:00:00.000000000 Z
+date: 2015-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstash-core
@@ -58,6 +58,20 @@ dependencies:
         version: '0'
   prerelease: false
   type: :development
+- !ruby/object:Gem::Dependency
+  name: logstash-filter-grok
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  type: :development
 description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
@@ -65,13 +79,17 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- CHANGELOG.md
 - CONTRIBUTORS
 - Gemfile
 - LICENSE
+- NOTICE.TXT
 - README.md
 - Rakefile
 - lib/logstash/patterns/core.rb
 - logstash-patterns-core.gemspec
+- patterns/aws
+- patterns/bro
 - patterns/firewalls
 - patterns/grok-patterns
 - patterns/haproxy
@@ -83,11 +101,19 @@ files:
 - patterns/mongodb
 - patterns/nagios
 - patterns/postgresql
+- patterns/rails
 - patterns/redis
 - patterns/ruby
+- spec/patterns/bro.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/firewalls_spec.rb
+- spec/patterns/haproxy_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/rails3_spec.rb
+- spec/patterns/s3_spec.rb
+- spec/patterns/shorewall_spec.rb
+- spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
@@ -115,7 +141,14 @@ signing_key:
 specification_version: 4
 summary: Patterns to be used in logstash
 test_files:
+- spec/patterns/bro.rb
 - spec/patterns/core_spec.rb
+- spec/patterns/firewalls_spec.rb
+- spec/patterns/haproxy_spec.rb
 - spec/patterns/mongodb_spec.rb
 - spec/patterns/nagios_spec.rb
+- spec/patterns/rails3_spec.rb
+- spec/patterns/s3_spec.rb
+- spec/patterns/shorewall_spec.rb
+- spec/patterns/syslog_spec.rb
 - spec/spec_helper.rb