logstash-patterns-core 4.0.2 → 4.1.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +36 -8
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/aws +3 -0
- data/patterns/bind +3 -0
- data/patterns/firewalls +6 -1
- data/patterns/grok-patterns +0 -8
- data/patterns/httpd +15 -0
- data/patterns/java +0 -1
- data/patterns/linux-syslog +1 -1
- data/patterns/maven +1 -0
- data/patterns/redis +1 -1
- data/patterns/squid +4 -0
- data/spec/patterns/core_spec.rb +0 -10
- data/spec/patterns/firewalls_spec.rb +31 -0
- data/spec/patterns/httpd_spec.rb +112 -9
- data/spec/patterns/maven_spec.rb +61 -0
- data/spec/patterns/redis_spec.rb +171 -0
- data/spec/patterns/s3_spec.rb +41 -0
- data/spec/patterns/syslog_spec.rb +14 -0
- metadata +11 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 36d2a300d64eee6d5b7f294802ffe2e0bc63729e
|
4
|
+
data.tar.gz: f8244876e124251a382333a2b10cd35acaf2b720
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7aeea39d789b000f5d930ca9a7df02e4e9f7f205b16fe36c71d7f0244bd2bf891d424e5b564f466245af05e705767732ee660be8dea74a74a00fc085f1913083
|
7
|
+
data.tar.gz: f377108083d51399bca1ee25fafd4802c5085026e02d8caf762b89844a2b3c57f41267d93a8f4ac860ed3771a9da5a5a3a3c8893269ed502d2f11fa1c09871c1
|
data/CHANGELOG.md
CHANGED
@@ -1,22 +1,50 @@
|
|
1
|
+
## 4.1.0
|
2
|
+
- Added SYSLOG5424LINE and test ipv4/ipv6/hostname as syslog5424_host rfc5424
|
3
|
+
- Accordig to rcf5424 IP address should be accepted
|
4
|
+
- HTTPDATE is used by patterns/aws
|
5
|
+
- HTTPD (formerly APACHE) deserves its own pattern and test files. See #45
|
6
|
+
- httpd: sync names between httpd20 and httpd24
|
7
|
+
- Adding maven version to the list of default Grok patterns
|
8
|
+
- Added Redis Monitor Log format
|
9
|
+
- Remove extra space in ASA-6-106015 rule
|
10
|
+
- fix COMMONAPACHELOG specs
|
11
|
+
- Added SuSEfirewall2 pattern
|
12
|
+
- switch USER to HTTPDUSER for "auth" field (match email addresses)
|
13
|
+
- bind9 pattern
|
14
|
+
- Pattern for squid3 native format
|
15
|
+
- Parse Cisco ASA-5-304001
|
16
|
+
- use underscores instead of hyphens in field names
|
17
|
+
- fix timestamp expect
|
18
|
+
- fix cs_protocol pattern name
|
19
|
+
- fix cs_protocol and cs_uri_query names
|
20
|
+
- added cloudfront spec test
|
21
|
+
- add pattern for cloudfront access log
|
22
|
+
- Java Patterns: JAVASTACKTRACEPART was duplicate
|
23
|
+
|
1
24
|
## 4.0.2
|
2
25
|
- Relax constraint on logstash-core-plugin-api to >= 1.60 <= 2.99
|
3
26
|
|
4
27
|
## 4.0.1
|
5
28
|
- Republish all the gems under jruby.
|
29
|
+
|
6
30
|
## 4.0.0
|
7
31
|
- Update the plugin to the version 2.0 of the plugin api, this change is required for Logstash 5.0 compatibility. See https://github.com/elastic/logstash/issues/5141
|
8
|
-
|
32
|
+
|
33
|
+
## 2.0.5
|
9
34
|
- Specs fixes, see https://github.com/logstash-plugins/logstash-patterns-core/pull/137
|
10
|
-
|
35
|
+
|
36
|
+
## 2.0.4
|
11
37
|
- Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
|
12
|
-
|
38
|
+
|
39
|
+
## 2.0.3
|
13
40
|
- New dependency requirements for logstash-core for the 5.0 release
|
41
|
+
|
14
42
|
## 2.0.0
|
15
43
|
- Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
|
16
44
|
instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
|
17
45
|
- Dependency on logstash-core update to 2.0
|
18
46
|
|
19
|
-
|
47
|
+
## 0.4.0
|
20
48
|
- Added grok patterns for nagios notifications
|
21
49
|
- Added commong exim patterns
|
22
50
|
- Allow optional space between sysloghost and colon, fixes https://github.com/elastic/logstash/issues/2101 for Cisco ASA devises.
|
@@ -32,17 +60,17 @@
|
|
32
60
|
- Add basic apache httpd error log format
|
33
61
|
- Support TIMESTAMP_ISO8601 in HAProxy patterns, useful for rsyslog and other systems that can be configured to use this format. Fixes https://github.com/logstash-plugins/logstash-patterns-core/pull/80
|
34
62
|
|
35
|
-
|
63
|
+
## 0.3.0
|
36
64
|
- Updated the AWS S3 patterns
|
37
65
|
- Added patterns for rails 3
|
38
66
|
- Added patterns for haproxy
|
39
67
|
- Added patterns for bro http.log
|
40
68
|
- Added shorewall patterns
|
41
|
-
|
69
|
+
## 0.2.0
|
42
70
|
- Added patterns for S3 and ELB access logs amazon services
|
43
|
-
|
71
|
+
## 0.1.12
|
44
72
|
- add some missing Cisco ASA firewall system log patterns
|
45
73
|
- fix cisco firewall policy_id regex for policies with '-' in the name
|
46
|
-
|
74
|
+
## 0.1.11
|
47
75
|
- Added Catalina and Tomcat patterns
|
48
76
|
- Added German month names
|
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-patterns-core'
|
4
|
-
s.version = '4.0
|
4
|
+
s.version = '4.1.0'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Patterns to be used in logstash"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
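--- a/data/patterns/aws
+++ b/data/patterns/aws
@@ -9,3 +9,6 @@ ELB_URI %{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{
 ELB_REQUEST_LINE (?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
 
 ELB_ACCESS_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} "%{ELB_REQUEST_LINE}"
+
+CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{WORD:x_edge_location}\t(?:%{NUMBER:sc_bytes:int}|-)\t%{IPORHOST:clientip}\t%{WORD:cs_method}\t%{HOSTNAME:cs_host}\t%{NOTSPACE:cs_uri_stem}\t%{NUMBER:sc_status:int}\t%{GREEDYDATA:referrer}\t%{GREEDYDATA:agent}\t%{GREEDYDATA:cs_uri_query}\t%{GREEDYDATA:cookies}\t%{WORD:x_edge_result_type}\t%{NOTSPACE:x_edge_request_id}\t%{HOSTNAME:x_host_header}\t%{URIPROTO:cs_protocol}\t%{INT:cs_bytes:int}\t%{GREEDYDATA:time_taken:float}\t%{GREEDYDATA:x_forwarded_for}\t%{GREEDYDATA:ssl_protocol}\t%{GREEDYDATA:ssl_cipher}\t%{GREEDYDATA:x_edge_response_result_type}
+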
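Review bot: CLOUDFRONT_ACCESS_LOG on new line 13 captures nine of its tab-delimited columns with GREEDYDATA (referrer, agent, cs_uri_query, cookies, time_taken, x_forwarded_for, ssl_protocol, ssl_cipher, x_edge_response_result_type); GREEDYDATA is `.*`, which also matches tabs, so consecutive `.*\t.*\t…` runs are ambiguous and force polynomial backtracking on any line that does not fit the layout, and the referrer and user-agent columns are client-controlled input. A non-tab field class is both exact and cheap, e.g. `(?<referrer>[^\t]*)\t(?<agent>[^\t]*)` for each such column. `time_taken:float` in particular should be `%{NUMBER:time_taken:float}` so that a non-numeric value fails the match instead of being handed to the float conversion.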
data/patterns/bind
ADDED
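--- a/data/patterns/firewalls
+++ b/data/patterns/firewalls
@@ -36,7 +36,7 @@ CISCOFW106006_106007_106010 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction}
 # ASA-3-106014
 CISCOFW106014 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
 # ASA-6-106015
-CISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags}
+CISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}
 # ASA-1-106021
 CISCOFW106021 %{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
 # ASA-4-106023
@@ -45,6 +45,8 @@ CISCOFW106023 %{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src
 CISCOFW106100_2_3 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\) -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
 # ASA-5-106100
 CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+# ASA-5-304001
+CISCOFW304001 %{IP:src_ip}(\(%{DATA:src_fwuser}\))? Accessed URL %{IP:dst_ip}:%{GREEDYDATA:dst_url}
 # ASA-6-110002
 CISCOFW110002 %{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
 # ASA-6-302010
@@ -84,3 +86,6 @@ CISCOFW733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Cu
 # Shorewall firewall logs
 SHOREWALL (%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)
 #== End Shorewall
+#== SuSE Firewall 2 ==
+SFW2 ((%{SYSLOGTIMESTAMP})|(%{TIMESTAMP_ISO8601}))\s*%{HOSTNAME}\s*kernel\S+\s*%{NAGIOSTIME}\s*SFW2\-INext\-%{NOTSPACE:nf_action}\s*IN=%{USERNAME:nf_in_interface}.*OUT=((\s*%{USERNAME:nf_out_interface})|(\s*))MAC=((%{COMMONMAC:nf_dst_mac}:%{COMMONMAC:nf_src_mac})|(\s*)).*SRC=%{IP:nf_src_ip}\s*DST=%{IP:nf_dst_ip}.*PROTO=%{WORD:nf_protocol}((.*SPT=%{INT:nf_src_port}.*DPT=%{INT:nf_dst_port}.*)|())
+#== End SuSE ==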
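Review bot: SFW2 on new line 90 leaves the leading timestamp and hostname as unnamed groups, `((%{SYSLOGTIMESTAMP})|(%{TIMESTAMP_ISO8601}))\s*%{HOSTNAME}`, so unlike SHOREWALL two lines above (which names `%{SYSLOGTIMESTAMP:timestamp}` and `%{WORD:nf_host}`) an SFW2 event carries no timestamp or host field to alert or pivot on; `(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})\s*%{HOSTNAME:nf_host}` keeps the two firewall patterns consistent. The literal `SFW2\-INext\-` restricts the pattern to the inbound external-interface chain; if the other SuSEfirewall2 log prefixes (forward and output chains) are meant to be covered, that segment should be a captured chain name rather than a fixed string, and either way a comment such as `# only SFW2-INext-* (inbound, external interface) messages are matched` belongs above it. `%{NAGIOSTIME}` comes from another pattern file; if it carries its own named capture, every SFW2 match also emits that nagios-named field, so a local `\[%{NUMBER:kernel_uptime}\]` would be cleaner — confirm against patterns/nagios.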
|
data/patterns/grok-patterns
CHANGED
@@ -2,7 +2,6 @@ USERNAME [a-zA-Z0-9._-]+
|
|
2
2
|
USER %{USERNAME}
|
3
3
|
EMAILLOCALPART [a-zA-Z][a-zA-Z0-9_.+-=:]+
|
4
4
|
EMAILADDRESS %{EMAILLOCALPART}@%{HOSTNAME}
|
5
|
-
HTTPDUSER %{EMAILADDRESS}|%{USER}
|
6
5
|
INT (?:[+-]?(?:[0-9]+))
|
7
6
|
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
|
8
7
|
NUMBER (?:%{BASE10NUM})
|
@@ -77,7 +76,6 @@ DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
|
|
77
76
|
DATESTAMP_RFC2822 %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
|
78
77
|
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
|
79
78
|
DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}
|
80
|
-
HTTPDERROR_DATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
|
81
79
|
|
82
80
|
# Syslog Dates: Month Day HH:MM:SS
|
83
81
|
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
|
@@ -92,12 +90,6 @@ QS %{QUOTEDSTRING}
|
|
92
90
|
|
93
91
|
# Log formats
|
94
92
|
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
|
95
|
-
COMMONAPACHELOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
|
96
|
-
COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
|
97
|
-
HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
|
98
|
-
HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}:tid %{NUMBER:tid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}
|
99
|
-
HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}
|
100
|
-
|
101
93
|
|
102
94
|
# Log Levels
|
103
95
|
LOGLEVEL ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
|
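--- a/data/patterns/httpd
+++ b/data/patterns/httpd
@@ -0,0 +1,15 @@
+HTTPDUSER %{EMAILADDRESS}|%{USER}
+HTTPDERROR_DATE %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
+
+# Log formats
+HTTPD_COMMONLOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
+HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}
+
+# Error logs
+HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:message}
+HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}:tid %{NUMBER:tid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])? %{DATA:errorcode}: %{GREEDYDATA:message}
+HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}
+
+# Deprecated
+COMMONAPACHELOG %{HTTPD_COMMONLOG}
+COMBINEDAPACHELOG %{HTTPD_COMBINEDLOG}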
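--- a/data/patterns/java
+++ b/data/patterns/java
@@ -9,7 +9,6 @@ JAVASTACKTRACEPART %{SPACE}at %{JAVACLASS:class}\.%{JAVAMETHOD:method}\(%{JAVAFI
 JAVATHREAD (?:[A-Z]{2}-Processor[\d]+)
 JAVACLASS (?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+
 JAVAFILE (?:[A-Za-z0-9_.-]+)
-JAVASTACKTRACEPART at %{JAVACLASS:class}\.%{WORD:method}\(%{JAVAFILE:file}:%{NUMBER:line}\)
 JAVALOGMESSAGE (.*)
 # MMM dd, yyyy HH:mm:ss eg: Jan 9, 2014 7:13:13 AM
 CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)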
data/patterns/linux-syslog
CHANGED
@@ -11,6 +11,6 @@ SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}
|
|
11
11
|
# IETF 5424 syslog(8) format (see http://www.rfc-editor.org/info/rfc5424)
|
12
12
|
SYSLOG5424PRI <%{NONNEGINT:syslog5424_pri}>
|
13
13
|
SYSLOG5424SD \[%{DATA}\]+
|
14
|
-
SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{
|
14
|
+
SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)
|
15
15
|
|
16
16
|
SYSLOG5424LINE %{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}
|
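--- a/data/patterns/maven
+++ b/data/patterns/maven
@@ -0,0 +1 @@
+MAVEN_VERSION (?:(\d+)\.)?(?:(\d+)\.)?(\*|\d+)(?:[.-](RELEASE|SNAPSHOT))?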
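Review bot: Every component of MAVEN_VERSION on new line 1 is optional except the final `(\*|\d+)`, and grok matches unanchored, so the pattern is satisfied by any single digit anywhere in the input (a port, a date, an `AH00489` code) and cannot by itself tell whether a field holds a Maven version; callers need to anchor it (`^%{MAVEN_VERSION}$`) and the pattern deserves a comment saying so. The three unnamed groups are not surfaced as fields by grok; naming them, e.g. `(?:(?<major>\d+)\.)?(?:(?<minor>\d+)\.)?(?<patch>\*|\d+)`, would expose the components, and the `\*` alternative needs a comment explaining which wildcard form it is meant to accept. Qualifiers other than RELEASE/SNAPSHOT are not matched — fine if intentional, but worth stating.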
data/patterns/redis
CHANGED
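--- a/data/patterns/squid
+++ b/data/patterns/squid
@@ -0,0 +1,4 @@
+# Pattern squid3
+# Documentation of squid3 logs formats can be found at the following link:
+# http://wiki.squid-cache.org/Features/LogFormat
+SQUID3 %{NUMBER:timestamp}\s+%{NUMBER:duration}\s%{IP:client_address}\s%{WORD:cache_result}/%{POSINT:status_code}\s%{NUMBER:bytes}\s%{WORD:request_method}\s%{NOTSPACE:url}\s(%{NOTSPACE:user}|-)\s%{WORD:hierarchy_code}/%{IPORHOST:server}\s%{NOTSPACE:content_type}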
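Review bot: SQUID3 on new line 4 cannot match a cache hit, because squid writes `NONE/-` in the hierarchy column and `%{IPORHOST:server}` does not accept `-`; the pattern already tolerates `-` for the user column, so the server column should do the same: `%{WORD:hierarchy_code}/(?:-|%{IPORHOST:server})`. The user alternation `(%{NOTSPACE:user}|-)` is ordered so that the `-` branch is unreachable (NOTSPACE matches `-` first), which leaves `user` set to a literal `-` for anonymous requests instead of unset; `(?:-|%{NOTSPACE:user})` gives the absent-field behaviour that filters and alerts on authenticated users want. No squid spec is part of this diff, so neither case is exercised.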
data/spec/patterns/core_spec.rb
CHANGED
@@ -20,16 +20,6 @@ describe "SYSLOGLINE" do
|
|
20
20
|
|
21
21
|
end
|
22
22
|
|
23
|
-
describe "COMMONAPACHELOG" do
|
24
|
-
|
25
|
-
let(:value) { '83.149.9.216 - - [24/Feb/2015:23:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36'}
|
26
|
-
|
27
|
-
it "generates the clientip field" do
|
28
|
-
expect(grok_match(subject, value)).to include("clientip" => "83.149.9.216")
|
29
|
-
end
|
30
|
-
|
31
|
-
end
|
32
|
-
|
33
23
|
describe "HTTP DATE parsing" do
|
34
24
|
|
35
25
|
context "HTTPDATE", "when having a German month" do
|
@@ -19,6 +19,21 @@ describe "FIREWALLS" do
|
|
19
19
|
expect(subject["message"]).to include("(Secondary) Switching to ACTIVE - Service card in other unit has failed")
|
20
20
|
end
|
21
21
|
end
|
22
|
+
|
23
|
+
let(:pattern106015) { "CISCOFW106015" }
|
24
|
+
|
25
|
+
context "parsing a 106015 message" do
|
26
|
+
|
27
|
+
let(:value) { "Deny TCP (no connection) from 192.168.150.65/2278 to 64.101.128.83/80 flags RST on interface inside" }
|
28
|
+
|
29
|
+
subject { grok_match(pattern106015, value) }
|
30
|
+
|
31
|
+
it { should include("interface" => "inside") }
|
32
|
+
|
33
|
+
it "generates a message field" do
|
34
|
+
expect(subject["message"]).to include("Deny TCP (no connection) from 192.168.150.65/2278 to 64.101.128.83/80 flags RST on interface inside")
|
35
|
+
end
|
36
|
+
end
|
22
37
|
|
23
38
|
let(:pattern106100) { "CISCOFW106100" }
|
24
39
|
|
@@ -50,6 +65,22 @@ describe "FIREWALLS" do
|
|
50
65
|
end
|
51
66
|
end
|
52
67
|
|
68
|
+
let(:pattern304001) { "CISCOFW304001" }
|
69
|
+
|
70
|
+
context "parsing a 304001 message" do
|
71
|
+
|
72
|
+
let(:value) { "10.20.30.40(DOMAIN\\login) Accessed URL 10.11.12.13:http://example.org/" }
|
73
|
+
|
74
|
+
subject { grok_match(pattern304001, value) }
|
75
|
+
|
76
|
+
it 'should break the message up into fields' do
|
77
|
+
expect(subject['src_ip']).to eq('10.20.30.40')
|
78
|
+
expect(subject['src_fwuser']).to eq('DOMAIN\\login')
|
79
|
+
expect(subject['dst_ip']).to eq('10.11.12.13')
|
80
|
+
expect(subject['dst_url']).to eq('http://example.org/')
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
53
84
|
let(:pattern106023) { "CISCOFW106023" }
|
54
85
|
|
55
86
|
context "parsing a 106023 message" do
|
data/spec/patterns/httpd_spec.rb
CHANGED
@@ -2,23 +2,126 @@
|
|
2
2
|
require "spec_helper"
|
3
3
|
require "logstash/patterns/core"
|
4
4
|
|
5
|
+
describe "HTTPD_COMBINEDLOG" do
|
6
|
+
|
7
|
+
context "HTTPD_COMBINEDLOG", "Typical test case" do
|
8
|
+
|
9
|
+
let(:value) { '83.149.9.216 - - [24/Feb/2015:23:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"'}
|
10
|
+
|
11
|
+
it "generates the clientip field" do
|
12
|
+
expect(grok_match(subject, value)).to include(
|
13
|
+
'clientip' => '83.149.9.216',
|
14
|
+
'verb' => 'GET',
|
15
|
+
'request' => '/presentations/logstash-monitorama-2013/images/kibana-search.png',
|
16
|
+
'httpversion' => '1.1',
|
17
|
+
'response' => '200',
|
18
|
+
'bytes' => '203023',
|
19
|
+
'referrer' => '"http://semicomplete.com/presentations/logstash-monitorama-2013/"',
|
20
|
+
'agent' => '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"'
|
21
|
+
)
|
22
|
+
end
|
23
|
+
|
24
|
+
end
|
25
|
+
|
26
|
+
context "HTTPD_COMBINEDLOG", "Email address in auth field" do
|
27
|
+
|
28
|
+
let(:value) { '10.0.0.1 - username@example.com [07/Apr/2016:18:42:24 +0000] "GET /bar/foo/users/1/username%40example.com/authenticate?token=blargh&client_id=15 HTTP/1.1" 400 75 "" "Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1"'}
|
29
|
+
|
30
|
+
it "generates the clientip field" do
|
31
|
+
expect(grok_match(subject, value)).to include("auth" => "username@example.com")
|
32
|
+
end
|
33
|
+
|
34
|
+
end
|
35
|
+
|
36
|
+
end
|
37
|
+
|
5
38
|
describe "HTTPD_ERRORLOG" do
|
6
39
|
|
7
|
-
|
8
|
-
|
40
|
+
context "HTTPD_ERRORLOG", "matches a full httpd 2.4 message" do
|
41
|
+
let(:value) {
|
42
|
+
"[Mon Aug 31 09:30:48.958285 2015] [proxy_fcgi:error] [pid 28787:tid 140169587934976] (70008)Partial results are valid but processing is incomplete: [client 58.13.45.166:59307] AH01075: Error dispatching request to : (reading input brigade), referer: http://example.com/index.php?id_product=11&controller=product"
|
43
|
+
}
|
44
|
+
it "generates the fields" do
|
45
|
+
|
46
|
+
expect(grok_match(subject, value)).to include(
|
47
|
+
'timestamp' => 'Mon Aug 31 09:30:48.958285 2015',
|
48
|
+
'module' => 'proxy_fcgi',
|
49
|
+
'loglevel' => 'error',
|
50
|
+
'pid' => '28787',
|
51
|
+
'tid' => '140169587934976',
|
52
|
+
'proxy_errorcode' => '70008',
|
53
|
+
'proxy_message' => 'Partial results are valid but processing is incomplete',
|
54
|
+
'clientip' => '58.13.45.166',
|
55
|
+
'clientport' => '59307',
|
56
|
+
'errorcode' => 'AH01075',
|
57
|
+
'message' => [ value, 'Error dispatching request to : (reading input brigade), referer: http://example.com/index.php?id_product=11&controller=product' ],
|
58
|
+
)
|
59
|
+
end
|
9
60
|
end
|
10
61
|
|
11
|
-
|
12
|
-
|
62
|
+
context "HTTPD_ERRORLOG", "matches a httpd 2.2 log message" do
|
63
|
+
let(:value) {
|
64
|
+
"[Mon Aug 31 16:27:04 2015] [error] [client 10.17.42.3] Premature end of script headers: example.com"
|
65
|
+
}
|
66
|
+
it "generates the fields" do
|
67
|
+
expect(grok_match(subject, value)).to include(
|
68
|
+
'timestamp' => 'Mon Aug 31 16:27:04 2015',
|
69
|
+
'loglevel' => 'error',
|
70
|
+
'clientip' => '10.17.42.3',
|
71
|
+
'message' => [ value, 'Premature end of script headers: example.com' ]
|
72
|
+
)
|
73
|
+
end
|
13
74
|
end
|
14
75
|
|
15
|
-
|
16
|
-
|
76
|
+
context "HTTPD_ERRORLOG", "matches a short httpd 2.4 message" do
|
77
|
+
let(:value) {
|
78
|
+
"[Mon Aug 31 07:15:38.664897 2015] [proxy_fcgi:error] [pid 28786:tid 140169629898496] [client 81.139.1.34:52042] AH01071: Got error 'Primary script unknown\n'"
|
79
|
+
}
|
80
|
+
it "generates the fields" do
|
81
|
+
expect(grok_match(subject, value)).to include(
|
82
|
+
'timestamp' => 'Mon Aug 31 07:15:38.664897 2015',
|
83
|
+
'module' => 'proxy_fcgi',
|
84
|
+
'loglevel' => 'error',
|
85
|
+
'pid' => '28786',
|
86
|
+
'tid' => '140169629898496',
|
87
|
+
'clientip' => '81.139.1.34',
|
88
|
+
'clientport' => '52042',
|
89
|
+
'errorcode' => 'AH01071',
|
90
|
+
'message' => [ value, "Got error 'Primary script unknown\n'" ]
|
91
|
+
)
|
92
|
+
end
|
17
93
|
end
|
18
94
|
|
19
|
-
|
20
|
-
|
21
|
-
|
95
|
+
context "HTTPD_ERRORLOG", "matches an httpd 2.4 restart" do
|
96
|
+
let(:value1) {
|
97
|
+
"[Mon Aug 31 06:29:47.406518 2015] [mpm_event:notice] [pid 24968:tid 140169861986176] AH00489: Apache/2.4.16 (Ubuntu) configured -- resuming normal operations"
|
98
|
+
}
|
99
|
+
it "generates the fields" do
|
100
|
+
expect(grok_match(subject, value1)).to include(
|
101
|
+
'timestamp' => 'Mon Aug 31 06:29:47.406518 2015',
|
102
|
+
'module' => 'mpm_event',
|
103
|
+
'loglevel' => 'notice',
|
104
|
+
'pid' => '24968',
|
105
|
+
'tid' => '140169861986176',
|
106
|
+
'errorcode' => 'AH00489',
|
107
|
+
'message' => [ value1, 'Apache/2.4.16 (Ubuntu) configured -- resuming normal operations' ]
|
108
|
+
)
|
109
|
+
end
|
110
|
+
|
111
|
+
let(:value2) {
|
112
|
+
"[Mon Aug 31 06:29:47.406530 2015] [core:notice] [pid 24968:tid 140169861986176] AH00094: Command line: '/usr/sbin/apache2'"
|
113
|
+
}
|
114
|
+
it "generates the fields" do
|
115
|
+
expect(grok_match(subject, value2)).to include(
|
116
|
+
'timestamp' => 'Mon Aug 31 06:29:47.406530 2015',
|
117
|
+
'module' => 'core',
|
118
|
+
'loglevel' => 'notice',
|
119
|
+
'pid' => '24968',
|
120
|
+
'tid' => '140169861986176',
|
121
|
+
'errorcode' => 'AH00094',
|
122
|
+
'message' => [ value2, 'Command line: \'/usr/sbin/apache2\'' ]
|
123
|
+
)
|
124
|
+
end
|
22
125
|
end
|
23
126
|
|
24
127
|
end
|
@@ -0,0 +1,61 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "spec_helper"
|
3
|
+
require "logstash/patterns/core"
|
4
|
+
|
5
|
+
describe "MAVEN_VERSION" do
|
6
|
+
|
7
|
+
let(:pattern) { 'MAVEN_VERSION' }
|
8
|
+
|
9
|
+
context "when maven version is simple" do
|
10
|
+
let(:value) { '1.1.0' }
|
11
|
+
|
12
|
+
it "should match the version" do
|
13
|
+
expect(grok_match(pattern,value)).to pass
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
context "when maven version is a bit more complex" do
|
18
|
+
let(:value) { '2.35.128' }
|
19
|
+
|
20
|
+
it "should match the version" do
|
21
|
+
expect(grok_match(pattern,value)).to pass
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
context "when maven version contains release" do
|
26
|
+
let(:value) { '1.1.0.RELEASE' }
|
27
|
+
|
28
|
+
it "should match the version" do
|
29
|
+
expect(grok_match(pattern,value)).to pass
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
context "when maven version contains shapshot" do
|
34
|
+
let(:value) { '1.1.0.SNAPSHOT' }
|
35
|
+
|
36
|
+
it "should match the version" do
|
37
|
+
expect(grok_match(pattern,value)).to pass
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
context "when maven version contains release" do
|
42
|
+
context "and the version contains a dash" do
|
43
|
+
let(:value) { '1.1.0-RELEASE' }
|
44
|
+
|
45
|
+
it "should match the version" do
|
46
|
+
expect(grok_match(pattern,value)).to pass
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
|
51
|
+
context "when maven version contains shapshot" do
|
52
|
+
context "and the version contains a dash" do
|
53
|
+
let(:value) { '1.1.0-SNAPSHOT' }
|
54
|
+
|
55
|
+
it "should match the version" do
|
56
|
+
expect(grok_match(pattern,value)).to pass
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
end
|
@@ -0,0 +1,171 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "spec_helper"
|
3
|
+
require "logstash/patterns/core"
|
4
|
+
|
5
|
+
describe "REDISTIMESTAMP" do
|
6
|
+
|
7
|
+
let(:value) { '14 Nov 07:01:22.119'}
|
8
|
+
let(:pattern) { "REDISTIMESTAMP" }
|
9
|
+
|
10
|
+
it "a pattern pass the grok expression" do
|
11
|
+
expect(grok_match(pattern, value)).to pass
|
12
|
+
end
|
13
|
+
|
14
|
+
end
|
15
|
+
|
16
|
+
describe "REDISLOG" do
|
17
|
+
|
18
|
+
let(:value) { "[4018] 14 Nov 07:01:22.119 * Background saving terminated with success" }
|
19
|
+
let(:pattern) { "REDISLOG" }
|
20
|
+
let(:grok) { grok_match(pattern, value) }
|
21
|
+
|
22
|
+
it "a pattern pass the grok expression" do
|
23
|
+
expect(grok).to pass
|
24
|
+
end
|
25
|
+
|
26
|
+
it "generates the pid field" do
|
27
|
+
expect(grok).to include("pid" => "4018")
|
28
|
+
end
|
29
|
+
|
30
|
+
end
|
31
|
+
|
32
|
+
|
33
|
+
describe "REDISMONLOG - SIMPLE COMMAND" do
|
34
|
+
|
35
|
+
let(:value) { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
|
36
|
+
let(:pattern) { "REDISMONLOG" }
|
37
|
+
let(:grok) { grok_match(pattern, value) }
|
38
|
+
|
39
|
+
it "a pattern pass the grok expression" do
|
40
|
+
expect(grok).to pass
|
41
|
+
end
|
42
|
+
|
43
|
+
it "generates the timestamp field" do
|
44
|
+
expect(grok).to include("timestamp" => "1470637867.953466")
|
45
|
+
end
|
46
|
+
|
47
|
+
it "generates the database field" do
|
48
|
+
expect(grok).to include("database" => "0")
|
49
|
+
end
|
50
|
+
|
51
|
+
it "generates the client field" do
|
52
|
+
expect(grok).to include("client" => "195.168.1.1")
|
53
|
+
end
|
54
|
+
|
55
|
+
it "generates the port field" do
|
56
|
+
expect(grok).to include("port" => "52500")
|
57
|
+
end
|
58
|
+
|
59
|
+
it "generates the command field" do
|
60
|
+
expect(grok).to include("command" => "info")
|
61
|
+
end
|
62
|
+
|
63
|
+
end
|
64
|
+
|
65
|
+
describe "REDISMONLOG - ONE PARAM COMMAND" do
|
66
|
+
|
67
|
+
let(:value) { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
|
68
|
+
let(:pattern) { "REDISMONLOG" }
|
69
|
+
let(:grok) { grok_match(pattern, value) }
|
70
|
+
|
71
|
+
it "a pattern pass the grok expression" do
|
72
|
+
expect(grok).to pass
|
73
|
+
end
|
74
|
+
|
75
|
+
it "generates the timestamp field" do
|
76
|
+
expect(grok).to include("timestamp" => "1339518083.107412")
|
77
|
+
end
|
78
|
+
|
79
|
+
it "generates the database field" do
|
80
|
+
expect(grok).to include("database" => "0")
|
81
|
+
end
|
82
|
+
|
83
|
+
it "generates the client field" do
|
84
|
+
expect(grok).to include("client" => "127.0.0.1")
|
85
|
+
end
|
86
|
+
|
87
|
+
it "generates the port field" do
|
88
|
+
expect(grok).to include("port" => "60866")
|
89
|
+
end
|
90
|
+
|
91
|
+
it "generates the command field" do
|
92
|
+
expect(grok).to include("command" => "keys")
|
93
|
+
end
|
94
|
+
|
95
|
+
it "generates the params field" do
|
96
|
+
expect(grok).to include("params" => "\"*\"")
|
97
|
+
end
|
98
|
+
|
99
|
+
end
|
100
|
+
|
101
|
+
describe "REDISMONLOG - TWO PARAM COMMAND" do
|
102
|
+
|
103
|
+
let(:value) { "1470637925.186681 [0 127.0.0.1:39404] \"rpush\" \"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"" }
|
104
|
+
let(:pattern) { "REDISMONLOG" }
|
105
|
+
let(:grok) { grok_match(pattern, value) }
|
106
|
+
|
107
|
+
it "a pattern pass the grok expression" do
|
108
|
+
expect(grok).to pass
|
109
|
+
end
|
110
|
+
|
111
|
+
it "generates the timestamp field" do
|
112
|
+
expect(grok).to include("timestamp" => "1470637925.186681")
|
113
|
+
end
|
114
|
+
|
115
|
+
it "generates the database field" do
|
116
|
+
expect(grok).to include("database" => "0")
|
117
|
+
end
|
118
|
+
|
119
|
+
it "generates the client field" do
|
120
|
+
expect(grok).to include("client" => "127.0.0.1")
|
121
|
+
end
|
122
|
+
|
123
|
+
it "generates the port field" do
|
124
|
+
expect(grok).to include("port" => "39404")
|
125
|
+
end
|
126
|
+
|
127
|
+
it "generates the command field" do
|
128
|
+
expect(grok).to include("command" => "rpush")
|
129
|
+
end
|
130
|
+
|
131
|
+
it "generates the params field" do
|
132
|
+
expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
|
133
|
+
end
|
134
|
+
|
135
|
+
end
|
136
|
+
|
137
|
+
describe "REDISMONLOG - VARIADIC COMMAND" do
|
138
|
+
|
139
|
+
let(:value) { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
|
140
|
+
let(:pattern) { "REDISMONLOG" }
|
141
|
+
let(:grok) { grok_match(pattern, value) }
|
142
|
+
|
143
|
+
it "a pattern pass the grok expression" do
|
144
|
+
expect(grok).to pass
|
145
|
+
end
|
146
|
+
|
147
|
+
it "generates the timestamp field" do
|
148
|
+
expect(grok).to include("timestamp" => "1470637875.777457")
|
149
|
+
end
|
150
|
+
|
151
|
+
it "generates the database field" do
|
152
|
+
expect(grok).to include("database" => "15")
|
153
|
+
end
|
154
|
+
|
155
|
+
it "generates the client field" do
|
156
|
+
expect(grok).to include("client" => "195.168.1.1")
|
157
|
+
end
|
158
|
+
|
159
|
+
it "generates the port field" do
|
160
|
+
expect(grok).to include("port" => "52500")
|
161
|
+
end
|
162
|
+
|
163
|
+
it "generates the command field" do
|
164
|
+
expect(grok).to include("command" => "intentionally")
|
165
|
+
end
|
166
|
+
|
167
|
+
it "generates the params field" do
|
168
|
+
expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
|
169
|
+
end
|
170
|
+
|
171
|
+
end
|
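--- a/data/spec/patterns/s3_spec.rb
+++ b/data/spec/patterns/s3_spec.rb
@@ -130,3 +130,44 @@ describe "S3_ACCESS_LOG" do
 
 end
 end
+
+describe "CLOUDFRONT_ACCESS_LOG" do
+
+let(:pattern) { "CLOUDFRONT_ACCESS_LOG" }
+
+context "parsing a cloudfront access log" do
+
+let(:value) { "2016-06-10 18:41:39 IAD53 224281 192.168.1.1 GET d27enomp470abc.cloudfront.net /content/sample/thing.pdf 200 https://example.com/ Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36 - - Miss UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg== host.example.com https 883 0.036 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss" }
+
+subject { grok_match(pattern, value) }
+
+it { should include("timestamp" => "2016-06-10 18:41:39" ) }
+it { should include("x_edge_location" => "IAD53" ) }
+it { should include("sc_bytes" => 224281 ) }
+it { should include("clientip" => "192.168.1.1" ) }
+it { should include("cs_method" => "GET" ) }
+it { should include("cs_host" => "d27enomp470abc.cloudfront.net" ) }
+it { should include("cs_uri_stem" => "/content/sample/thing.pdf" ) }
+it { should include("sc_status" => 200 ) }
+it { should include("referrer" => "https://example.com/" ) }
+it { should include("agent" => "Mozilla/5.0%2520(Windows%2520NT%25206.1;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/51.0.2704.79%2520Safari/537.36" ) }
+it { should include("cs_uri_query" => "-" ) }
+it { should include("cookies" => "-" ) }
+it { should include("x_edge_result_type" => "Miss" ) }
+it { should include("x_edge_request_id" => "UGskZ6dUKY7b4C6Pt7wAWVsU2KO-vTRe-mR4r9H-WQMjhNvY6w1Xcg==" ) }
+it { should include("x_host_header" => "host.example.com" ) }
+it { should include("cs_protocol" => "https" ) }
+it { should include("cs_bytes" => 883 ) }
+it { should include("time_taken" => 0.036 ) }
+it { should include("x_forwarded_for" => "-" ) }
+it { should include("ssl_protocol" => "TLSv1.2" ) }
+it { should include("ssl_cipher" => "ECDHE-RSA-AES128-GCM-SHA256" ) }
+it { should include("x_edge_response_result_type" => "Miss" ) }
+
+["tags", "params"].each do |attribute|
+it "have #{attribute} as nil" do
+expect(subject[attribute]).to be_nil
+end
+end
+end
+end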
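Review bot: The two result-type assertions (`x_edge_result_type` and `x_edge_response_result_type`) both expect "Miss" because the single sample line carries "Miss" in both columns, so the spec would still pass if the pattern captured those two columns in swapped order; a second sample whose two result-type columns differ would pin the mapping. The same single sample never exercises the `-` placeholder form of `ssl_protocol`/`ssl_cipher` on a plain-http request, so if the pattern is meant to accept such lines, add one with `http` and `-` in those columns. As a point of style, the file mixes the one-liner `it { should include(...) }` with `expect(subject[attribute])` in the loop at the bottom; `it { is_expected.to include(...) }` keeps the expect syntax throughout.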
@@ -4,6 +4,20 @@ require "logstash/patterns/core"
|
|
4
4
|
|
5
5
|
describe "SYSLOGLINE" do
|
6
6
|
|
7
|
+
describe "SYSLOG5424BASE" do
|
8
|
+
it "matches host names in the syslog base pattern" do
|
9
|
+
expect(subject).to match("<174>1 2016-11-14T09:32:44+01:00 resolver.se named 6344 - - info: client 10.23.53.22#63252: query: googlehosted.l.googleusercontent.com IN A + (10.23.16.6)")
|
10
|
+
end
|
11
|
+
|
12
|
+
it "matches ipv4 in the syslog base pattern" do
|
13
|
+
expect(subject).to match("<174>1 2016-11-14T09:49:23+01:00 10.23.16.6 named 2255 - - info: client 10.23.56.93#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)")
|
14
|
+
end
|
15
|
+
|
16
|
+
it "matches ipv6 in the syslog base pattern" do
|
17
|
+
expect(subject).to match("<174>1 2016-11-14T09:49:23+01:00 2000:6a0:b:315:10:23:4:13 named 2255 - - info: client 10.23.56.9#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)")
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
7
21
|
it "matches a simple message with pid" do
|
8
22
|
expect(subject).to match("May 11 15:17:02 meow.soy.se CRON[10973]: pam_unix(cron:session): session opened for user root by (uid=0)")
|
9
23
|
end
|
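Review bot: The three new examples under `describe "SYSLOG5424BASE"` only assert that each line matches; none checks which value was captured as the host, so a pattern that absorbed the IPv6 address `2000:6a0:b:315:10:23:4:13` into a neighbouring field would still pass. Since `grok_match` is already used by the other spec files in this release, each example could assert the captured value, e.g. `expect(grok_match("SYSLOG5424BASE", line)).to include("syslog5424_host" => "2000:6a0:b:315:10:23:4:13")`, with the field name confirmed against the pattern definition. These examples are nested inside `describe "SYSLOGLINE"`, whose closing `end` lies outside the hunk; a top-level describe for SYSLOG5424BASE would read more naturally and keep the implicit subject unambiguous.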
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-patterns-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.0
|
4
|
+
version: 4.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2017-03-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -74,14 +74,17 @@ files:
|
|
74
74
|
- logstash-patterns-core.gemspec
|
75
75
|
- patterns/aws
|
76
76
|
- patterns/bacula
|
77
|
+
- patterns/bind
|
77
78
|
- patterns/bro
|
78
79
|
- patterns/exim
|
79
80
|
- patterns/firewalls
|
80
81
|
- patterns/grok-patterns
|
81
82
|
- patterns/haproxy
|
83
|
+
- patterns/httpd
|
82
84
|
- patterns/java
|
83
85
|
- patterns/junos
|
84
86
|
- patterns/linux-syslog
|
87
|
+
- patterns/maven
|
85
88
|
- patterns/mcollective
|
86
89
|
- patterns/mcollective-patterns
|
87
90
|
- patterns/mongodb
|
@@ -90,14 +93,17 @@ files:
|
|
90
93
|
- patterns/rails
|
91
94
|
- patterns/redis
|
92
95
|
- patterns/ruby
|
96
|
+
- patterns/squid
|
93
97
|
- spec/patterns/bro.rb
|
94
98
|
- spec/patterns/core_spec.rb
|
95
99
|
- spec/patterns/firewalls_spec.rb
|
96
100
|
- spec/patterns/haproxy_spec.rb
|
97
101
|
- spec/patterns/httpd_spec.rb
|
102
|
+
- spec/patterns/maven_spec.rb
|
98
103
|
- spec/patterns/mongodb_spec.rb
|
99
104
|
- spec/patterns/nagios_spec.rb
|
100
105
|
- spec/patterns/rails3_spec.rb
|
106
|
+
- spec/patterns/redis_spec.rb
|
101
107
|
- spec/patterns/s3_spec.rb
|
102
108
|
- spec/patterns/shorewall_spec.rb
|
103
109
|
- spec/patterns/syslog_spec.rb
|
@@ -123,7 +129,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
123
129
|
version: '0'
|
124
130
|
requirements: []
|
125
131
|
rubyforge_project:
|
126
|
-
rubygems_version: 2.
|
132
|
+
rubygems_version: 2.4.8
|
127
133
|
signing_key:
|
128
134
|
specification_version: 4
|
129
135
|
summary: Patterns to be used in logstash
|
@@ -133,9 +139,11 @@ test_files:
|
|
133
139
|
- spec/patterns/firewalls_spec.rb
|
134
140
|
- spec/patterns/haproxy_spec.rb
|
135
141
|
- spec/patterns/httpd_spec.rb
|
142
|
+
- spec/patterns/maven_spec.rb
|
136
143
|
- spec/patterns/mongodb_spec.rb
|
137
144
|
- spec/patterns/nagios_spec.rb
|
138
145
|
- spec/patterns/rails3_spec.rb
|
146
|
+
- spec/patterns/redis_spec.rb
|
139
147
|
- spec/patterns/s3_spec.rb
|
140
148
|
- spec/patterns/shorewall_spec.rb
|
141
149
|
- spec/patterns/syslog_spec.rb
|