logstash-patterns-core 4.3.1 → 4.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +1 -1
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/bind +1 -1
- data/spec/patterns/bind_spec.rb +18 -4
- data/spec/patterns/core_spec.rb +8 -8
- data/spec/patterns/redis_spec.rb +51 -11
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8fd19e7a4b9cc9862e688c51424be2524c3a410acd3740da2b31f0c151d0b48d
|
|
4
|
+
data.tar.gz: 0f933c1abf8681f4417b88f5e605b99223dec2211be07a45c295d35776531a02
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ff175b37722607f79d725d6422e530acd3141604d8af37e44d2c366b646bab424cc6936395a261b91994f1c9aa207cdfc4ce72678aff9b1b23e63e066e68856d
|
|
7
|
+
data.tar.gz: e04bac413798ca872f0bd1221449d6d39797b97e1049a6a60cc182062dbd2aba8b30b70ceeed2e8c86d4cf1a1f47f0f9fa829ce06170f8154acfe982a0d1122c
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 4.3.2
|
|
2
|
+
|
|
3
|
+
- Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)
|
|
4
|
+
|
|
1
5
|
## 4.3.1
|
|
2
6
|
|
|
3
7
|
- Fix: incorrect syslog (priority) field name [#303](https://github.com/logstash-plugins/logstash-patterns-core/pull/303)
|
data/README.md
CHANGED
|
@@ -87,5 +87,5 @@ It is more important to the community that you are able to contribute.
|
|
|
87
87
|
|
|
88
88
|
For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
|
|
89
89
|
|
|
90
|
-
[1]: /tree/
|
|
90
|
+
[1]: https://github.com/logstash-plugins/logstash-patterns-core/tree/main/patterns
|
|
91
91
|
[2]: https://github.com/logstash-plugins/logstash-filter-grok
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-patterns-core'
|
|
4
|
-
s.version = '4.3.
|
|
4
|
+
s.version = '4.3.2'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Patterns to be used in logstash"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/patterns/ecs-v1/bind
CHANGED
|
@@ -8,6 +8,6 @@ BIND9_CATEGORY (?:queries)
|
|
|
8
8
|
BIND9_QUERYLOGBASE client(:? @0x(?:[0-9A-Fa-f]+))? %{IP:[client][ip]}#%{POSINT:[client][port]:int} \(%{GREEDYDATA:[bind][log][question][name]}\): query: %{GREEDYDATA:[dns][question][name]} (?<[dns][question][class]>IN) %{BIND9_DNSTYPE:[dns][question][type]}(:? %{DATA:[bind][log][question][flags]})? \(%{IP:[server][ip]}\)
|
|
9
9
|
|
|
10
10
|
# for query-logging category and severity are always fixed as "queries: info: "
|
|
11
|
-
BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[
|
|
11
|
+
BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bind][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
|
|
12
12
|
|
|
13
13
|
BIND9 %{BIND9_QUERYLOG}
|
data/spec/patterns/bind_spec.rb
CHANGED
|
@@ -14,10 +14,10 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
|
|
|
14
14
|
should include("log" => hash_including("level" => "info"))
|
|
15
15
|
should include("client" => { "ip" => "172.26.0.1", "port" => 12345 })
|
|
16
16
|
should include("dns" => { "question" => { "name" => "test.example.com", "type" => 'A', "class" => 'IN' }})
|
|
17
|
-
should include("bind" => { "log" =>
|
|
17
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K'))})
|
|
18
18
|
should include("server" => { "ip" => "172.26.0.3" })
|
|
19
19
|
# NOTE: duplicate but still captured since we've been doing that before as well :
|
|
20
|
-
should include("bind" => { "log" =>
|
|
20
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("name" => 'test.example.com'))})
|
|
21
21
|
else
|
|
22
22
|
should include("loglevel" => "info")
|
|
23
23
|
should include("clientip" => "172.26.0.1")
|
|
@@ -48,7 +48,7 @@ describe_pattern "BIND9", ['legacy', 'ecs-v1'] do
|
|
|
48
48
|
should include("log" => hash_including("level" => "info"))
|
|
49
49
|
should include("client" => { "ip" => "192.168.10.48", "port" => 60061 })
|
|
50
50
|
should include("dns" => { "question" => { "name" => "91.2.10.170.in-addr.internal", "type" => 'PTR', "class" => 'IN' }})
|
|
51
|
-
should include("bind" => { "log" =>
|
|
51
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+')) })
|
|
52
52
|
should include("server" => { "ip" => "192.168.2.2" })
|
|
53
53
|
else
|
|
54
54
|
should include("loglevel" => "info")
|
|
@@ -72,7 +72,21 @@ describe_pattern "BIND9_QUERYLOGBASE", ['ecs-v1'] do
|
|
|
72
72
|
it 'matches' do
|
|
73
73
|
should include("client" => { "ip" => "127.0.0.1", "port" => 42520 })
|
|
74
74
|
should include("dns" => { "question" => { "name" => "ci.elastic.co", "type" => 'A', "class" => 'IN' }})
|
|
75
|
-
should include("bind" => { "log" =>
|
|
75
|
+
should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K') )})
|
|
76
76
|
should include("server" => { "ip" => "35.193.103.164" })
|
|
77
77
|
end
|
|
78
78
|
end
|
|
79
|
+
|
|
80
|
+
describe_pattern "BIND9_QUERYLOG", ['ecs-v1'] do
|
|
81
|
+
let(:message) do
|
|
82
|
+
'01-May-2019 00:27:48.084 queries: info: client @0x7f82bc11d4e0 192.168.1.111#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)'
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
it 'matches' do
|
|
86
|
+
should include("client" => { "ip" => "192.168.1.111", "port" => 53995 })
|
|
87
|
+
should include("dns" => { "question" => { "name" => "google.com", "type" => 'A', "class" => 'IN' }})
|
|
88
|
+
should include("bind" => { "log" => hash_including("question" => { "flags" => '+E(0)', "name" => 'google.com' })})
|
|
89
|
+
should include("server" => { "ip" => "10.80.1.88" })
|
|
90
|
+
should include("log" => { "level" => "info" })
|
|
91
|
+
end
|
|
92
|
+
end
|
data/spec/patterns/core_spec.rb
CHANGED
|
@@ -2,20 +2,20 @@
|
|
|
2
2
|
require "spec_helper"
|
|
3
3
|
require "logstash/patterns/core"
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
describe_pattern "SYSLOGLINE", ['legacy', 'ecs-v1'] do
|
|
6
|
+
|
|
7
|
+
let(:message) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
|
|
6
8
|
|
|
7
|
-
let(:value) { "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" }
|
|
8
|
-
let(:grok) { grok_match(subject, value) }
|
|
9
9
|
it "a pattern pass the grok expression" do
|
|
10
10
|
expect(grok).to pass
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
it "matches a simple message" do
|
|
14
|
-
expect(subject).to match(value)
|
|
15
|
-
end
|
|
16
|
-
|
|
17
13
|
it "generates the program field" do
|
|
18
|
-
|
|
14
|
+
if ecs_compatibility?
|
|
15
|
+
expect(grok).to include("process" => hash_including('name' => 'postfix/smtpd'))
|
|
16
|
+
else
|
|
17
|
+
expect(grok).to include("program" => "postfix/smtpd")
|
|
18
|
+
end
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
end
|
data/spec/patterns/redis_spec.rb
CHANGED
|
@@ -134,7 +134,7 @@ describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
|
|
|
134
134
|
|
|
135
135
|
end
|
|
136
136
|
|
|
137
|
-
describe_pattern "REDISMONLOG" do
|
|
137
|
+
describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do
|
|
138
138
|
|
|
139
139
|
context 'two param command' do
|
|
140
140
|
|
|
@@ -149,23 +149,43 @@ describe_pattern "REDISMONLOG" do
|
|
|
149
149
|
end
|
|
150
150
|
|
|
151
151
|
it "generates the database field" do
|
|
152
|
-
|
|
152
|
+
if ecs_compatibility?
|
|
153
|
+
expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '0')))
|
|
154
|
+
else
|
|
155
|
+
expect(grok).to include("database" => "0")
|
|
156
|
+
end
|
|
153
157
|
end
|
|
154
158
|
|
|
155
159
|
it "generates the client field" do
|
|
156
|
-
|
|
160
|
+
if ecs_compatibility?
|
|
161
|
+
expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
|
|
162
|
+
else
|
|
163
|
+
expect(grok).to include("client" => "127.0.0.1")
|
|
164
|
+
end
|
|
157
165
|
end
|
|
158
166
|
|
|
159
167
|
it "generates the port field" do
|
|
160
|
-
|
|
168
|
+
if ecs_compatibility?
|
|
169
|
+
expect(grok).to include("client" => hash_including('port' => 39404))
|
|
170
|
+
else
|
|
171
|
+
expect(grok).to include("port" => "39404")
|
|
172
|
+
end
|
|
161
173
|
end
|
|
162
174
|
|
|
163
175
|
it "generates the command field" do
|
|
164
|
-
|
|
176
|
+
if ecs_compatibility?
|
|
177
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))
|
|
178
|
+
else
|
|
179
|
+
expect(grok).to include("command" => "rpush")
|
|
180
|
+
end
|
|
165
181
|
end
|
|
166
182
|
|
|
167
183
|
it "generates the params field" do
|
|
168
|
-
|
|
184
|
+
if ecs_compatibility?
|
|
185
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")))
|
|
186
|
+
else
|
|
187
|
+
expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
|
|
188
|
+
end
|
|
169
189
|
end
|
|
170
190
|
|
|
171
191
|
end
|
|
@@ -183,23 +203,43 @@ describe_pattern "REDISMONLOG" do
|
|
|
183
203
|
end
|
|
184
204
|
|
|
185
205
|
it "generates the database field" do
|
|
186
|
-
|
|
206
|
+
if ecs_compatibility?
|
|
207
|
+
expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '15')))
|
|
208
|
+
else
|
|
209
|
+
expect(grok).to include("database" => "15")
|
|
210
|
+
end
|
|
187
211
|
end
|
|
188
212
|
|
|
189
213
|
it "generates the client field" do
|
|
190
|
-
|
|
214
|
+
if ecs_compatibility?
|
|
215
|
+
expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
|
|
216
|
+
else
|
|
217
|
+
expect(grok).to include("client" => "195.168.1.1")
|
|
218
|
+
end
|
|
191
219
|
end
|
|
192
220
|
|
|
193
221
|
it "generates the port field" do
|
|
194
|
-
|
|
222
|
+
if ecs_compatibility?
|
|
223
|
+
expect(grok).to include("client" => hash_including('port' => 52500))
|
|
224
|
+
else
|
|
225
|
+
expect(grok).to include("port" => "52500")
|
|
226
|
+
end
|
|
195
227
|
end
|
|
196
228
|
|
|
197
229
|
it "generates the command field" do
|
|
198
|
-
|
|
230
|
+
if ecs_compatibility?
|
|
231
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'intentionally')))
|
|
232
|
+
else
|
|
233
|
+
expect(grok).to include("command" => "intentionally")
|
|
234
|
+
end
|
|
199
235
|
end
|
|
200
236
|
|
|
201
237
|
it "generates the params field" do
|
|
202
|
-
|
|
238
|
+
if ecs_compatibility?
|
|
239
|
+
expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"broken\" \"variadic\" \"log\" \"entry\"")))
|
|
240
|
+
else
|
|
241
|
+
expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
|
|
242
|
+
end
|
|
203
243
|
end
|
|
204
244
|
|
|
205
245
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-patterns-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.3.
|
|
4
|
+
version: 4.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-01-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -160,8 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
160
160
|
- !ruby/object:Gem::Version
|
|
161
161
|
version: '0'
|
|
162
162
|
requirements: []
|
|
163
|
-
|
|
164
|
-
rubygems_version: 2.6.13
|
|
163
|
+
rubygems_version: 3.1.6
|
|
165
164
|
signing_key:
|
|
166
165
|
specification_version: 4
|
|
167
166
|
summary: Patterns to be used in logstash
|