logstash-patterns-core 4.3.0 → 4.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
 - data/CHANGELOG.md +5 -0
 - data/Gemfile +0 -3
 - data/logstash-patterns-core.gemspec +1 -1
 - data/patterns/ecs-v1/firewalls +1 -1
 - data/patterns/ecs-v1/linux-syslog +1 -1
 - data/spec/patterns/firewalls_spec.rb +38 -0
 - data/spec/patterns/netscreen_spec.rb +1 -1
 - data/spec/patterns/syslog_spec.rb +1 -1
 - metadata +2 -2
 
    
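--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: e24f9461457c5093f38f2fb25a7c120581891be85e564fb0d9d9ec9980a73513
+  data.tar.gz: 449d4c10be87120391c73c967db042b9222659c880a3b6ce9f7ddd3fe416c088
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: a859be036a74e5beabb757b8d4e51c3af6d483e351135c15e402878a7248c84af521885ef20c29e196d12c3cc311b50e3b4fa52558c7c57fbd468a5c9e69be03
+  data.tar.gz: 8ce3ccfe5ec02bc6bf9072e30b469318ccd820e795209acde85297f8bdba6290b694dd802b16c2e4a9b069fec8adffe66e66b9656a6da361efd27e027eff6e1d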
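--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 4.3.1
+
+- Fix: incorrect syslog (priority) field name [#303](https://github.com/logstash-plugins/logstash-patterns-core/pull/303)
+- Fix: missed `ciscotag` field ECS-ification (`cisco.asa.tag`) for the `CISCO_TAGGED_SYSLOG` pattern
+
 ## 4.3.0
 
 With **4.3.0** we're introducing a new set of pattern definitions compliant with Elastic Common Schema (ECS), on numerous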
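--- a/data/Gemfile
+++ b/data/Gemfile
@@ -9,6 +9,3 @@ if Dir.exist?(logstash_path) && use_logstash_source
   gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
   gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
 end
-
-# TODO till filter grok with ECS support is released :
-gem 'logstash-filter-grok', git: 'https://github.com/kares/logstash-filter-grok.git', ref: 'ecs-1-support'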
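--- a/data/logstash-patterns-core.gemspec
+++ b/data/logstash-patterns-core.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-patterns-core'
-  s.version         = '4.3.
+  s.version         = '4.3.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Patterns to be used in logstash"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"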
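--- a/data/patterns/ecs-v1/firewalls
+++ b/data/patterns/ecs-v1/firewalls
@@ -4,7 +4,7 @@ NETSCREENSESSIONLOG %{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:[observer][hostname]
 # :long - %{INT:[destination][bytes]:int}
 
 #== Cisco ASA ==
-CISCO_TAGGED_SYSLOG ^<%{POSINT:[log][syslog][
+CISCO_TAGGED_SYSLOG ^<%{POSINT:[log][syslog][priority]:int}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:[host][hostname]})? ?: %%{CISCOTAG:[cisco][asa][tag]}:
 CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
 CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
 # Common Particles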
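Review bot: The new CISCO_TAGGED_SYSLOG line still captures the PRI with `%{POSINT:[log][syslog][priority]:int}`, so a message starting with `<0>` (facility kern, severity emergency) cannot match, while the SYSLOG5424PRI hunk in linux-syslog uses NONNEGINT for the very same ECS field; the removed line shows POSINT was there before, so the commit carried the asymmetry over rather than introducing it. Unless that asymmetry is deliberate, the fix is `CISCO_TAGGED_SYSLOG ^<%{NONNEGINT:[log][syslog][priority]:int}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:[host][hostname]})? ?: %%{CISCOTAG:[cisco][asa][tag]}:`. Neither pattern bounds the value to the 0–191 range syslog defines (facility 0–23 times 8 plus severity 0–7), so out-of-range values are accepted and converted silently, which is probably fine for a grok pattern but deserves a one-line comment next to the definition. The examples added in firewalls_spec.rb only exercise priority 191, so a case with a zero PRI would be the one to add if NONNEGINT is adopted.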
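--- a/data/patterns/ecs-v1/linux-syslog
+++ b/data/patterns/ecs-v1/linux-syslog
@@ -9,7 +9,7 @@ CRONLOG %{SYSLOGBASE} \(%{USER:[user][name]}\) %{CRON_ACTION:[system][cron][acti
 SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}
 
 # IETF 5424 syslog(8) format (see http://www.rfc-editor.org/info/rfc5424)
-SYSLOG5424PRI <%{NONNEGINT:[log][syslog][
+SYSLOG5424PRI <%{NONNEGINT:[log][syslog][priority]:int}>
 SYSLOG5424SD \[%{DATA}\]+
 SYSLOG5424BASE %{SYSLOG5424PRI}%{NONNEGINT:[system][syslog][version]} +(?:-|%{TIMESTAMP_ISO8601:timestamp}) +(?:-|%{IPORHOST:[host][hostname]}) +(?:-|%{SYSLOG5424PRINTASCII:[process][name]}) +(?:-|%{POSINT:[process][pid]:int}) +(?:-|%{SYSLOG5424PRINTASCII:[event][code]}) +(?:-|%{SYSLOG5424SD:[system][syslog][structured_data]})?
 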
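--- a/data/spec/patterns/firewalls_spec.rb
+++ b/data/spec/patterns/firewalls_spec.rb
@@ -595,6 +595,44 @@ describe_pattern "CISCOFW733100", ['legacy', 'ecs-v1'] do
 
 end
 
+describe_pattern "CISCO_TAGGED_SYSLOG", ['legacy', 'ecs-v1'] do
+
+  let(:message) { "<191>Jan 24 11:28:30.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down" }
+
+  it 'matches' do
+    expect(subject).to include("timestamp"=>'Jan 24 11:28:30.407')
+    if ecs_compatibility?
+      expect(subject).to include('log' => {'syslog' => {'priority' => 191}})
+      expect(subject).to include('cisco' => {'asa' => {'tag' => 'LINEPROTO-5-UPDOWN'}})
+    else
+      expect(subject).to include("syslog_pri"=>'191')
+      expect(subject).to include("ciscotag"=>'LINEPROTO-5-UPDOWN')
+    end
+  end
+
+  context 'with host' do
+
+    let(:message) do
+      '<191>Aug  1 14:01:20 abc-asa1: %ASA-6-302013: Built outbound TCP connection 906569140 for out-v1101:10.125.126.86/2010 (10.125.126.86/2010) to ent-v1124:100.100.100.111/51444 (10.125.1.11/37785)'
+    end
+
+    it 'matches' do
+      expect(subject).to include("timestamp"=>'Aug  1 14:01:20')
+      if ecs_compatibility?
+        expect(subject).to include('log' => {'syslog' => {'priority' => 191}})
+        expect(subject).to include('host' => {'hostname' => 'abc-asa1'})
+        expect(subject).to include('cisco' => {'asa' => {'tag' => 'ASA-6-302013'}})
+      else
+        expect(subject).to include("syslog_pri"=>'191')
+        expect(subject).to include("sysloghost"=>'abc-asa1')
+        expect(subject).to include("ciscotag"=>'ASA-6-302013')
+      end
+    end
+
+  end
+
+end
+
 
 describe_pattern 'SFW2', ['legacy', 'ecs-v1'] do
 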
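--- a/data/spec/patterns/netscreen_spec.rb
+++ b/data/spec/patterns/netscreen_spec.rb
@@ -98,7 +98,7 @@ describe_pattern "NETSCREENSESSIONLOG", ['legacy', 'ecs-v1'] do
     context "(with session id)" do
 
       let(:message) do
-        super + ' session_id=0 reason=Traffic Denied'
+        super() + ' session_id=0 reason=Traffic Denied'
       end
 
       it 'matches (in ECS mode)' do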
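Review bot: The switch from `super` to `super()` inside the `let(:message)` block carries no comment explaining why the explicit parentheses matter, so a later cleanup could revert it as a no-op. RSpec's `let` defines the method through `define_method`, where implicit-argument `super` (zsuper) raises at runtime, so the empty-argument form is required rather than stylistic; a one-line comment such as `# super() with explicit (empty) args: zsuper is not allowed in define_method-based let blocks` above the line would preserve that reason. The enclosing context block starts and ends outside the hunk.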
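--- a/data/spec/patterns/syslog_spec.rb
+++ b/data/spec/patterns/syslog_spec.rb
@@ -95,7 +95,7 @@ describe_pattern "SYSLOG5424LINE", ['legacy', 'ecs-v1'] do
     message = "<174>1 2016-11-14T09:49:23+01:00 10.23.16.6 named 2255 - -  info: client 10.23.56.93#63295 (i1.tmg.com): query: i1.tmg.com IN A + (10.23.4.13)"
     match = grok_match pattern, message
     if ecs_compatibility?
-      expect(match).to include("log" => { "syslog" => { "
+      expect(match).to include("log" => { "syslog" => { "priority" => 174 }})
       expect(match).to include("host" => { "hostname" => "10.23.16.6"})
       expect(match).to include("process" => { "name" => "named", "pid" => 2255 })
       expect(match).to include("system" => { "syslog" => { "version" => "1" }})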
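--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-  version: 4.3.
+  version: 4.3.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement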