logstash-patterns-core 4.3.2 → 4.3.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/logstash-patterns-core.gemspec +1 -1
- data/patterns/ecs-v1/aws +6 -1
- data/spec/patterns/aws_spec.rb +32 -0
- metadata +2 -2
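--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a140c63f36f693e1a77aa232ef7e86ace02819488195de75f3abf54efff6768a
+data.tar.gz: 5fcdaec2903fedca22c9da735a417b16782bb8782a9e49cb07eedfbbba36bebf
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 639a5b7fdb5ee6f4e9d24d77f4dd790983c9b84211e999cc18facf361f8a3040c225c73b70ddbd1ab0ac6cb37c7c597ab5e2b72b589c6b0e578e331e13ad2543
+data.tar.gz: e4c6b94985b3edf00e81dae22521c798a9f940f72912fded835b50dedf344fd2234146ca074e52602e3b03780db1fcbc935aac67d7be5a3ec287620e7fede7b7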
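--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 4.3.3
+
+- Fix: parsing x-edge-location in CLOUDFRONT_ACCESS_LOG (ECS mode) [#311](https://github.com/logstash-plugins/logstash-patterns-core/pull/311)
+
 ## 4.3.2
 
 - Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)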
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-patterns-core'
|
|
4
|
-
s.version = '4.3.
|
|
4
|
+
s.version = '4.3.3'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Patterns to be used in logstash"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
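--- a/data/patterns/ecs-v1/aws
+++ b/data/patterns/ecs-v1/aws
@@ -19,8 +19,13 @@ ELB_V1_HTTP_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:[aws][elb][name]} %{IP
 
 ELB_ACCESS_LOG %{ELB_V1_HTTP_LOG}
 
+# Each edge location is identified by a three-letter code and an arbitrarily assigned number.
+# The three-letter IATA code typically represents an airport near the edge location.
+# examples: "LHR62-C2", "SFO5-P1", ""IND6", "CPT50"
+CLOUDFRONT_EDGE_LOCATION [A-Z]{3}[0-9]{1,2}(?:-[A-Z0-9]{2})?
+
 # pattern used to match a shorted format, that's why we have the optional part (starting with *http.version*) at the end
-CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{
+CLOUDFRONT_ACCESS_LOG (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME})\t%{CLOUDFRONT_EDGE_LOCATION:[aws][cloudfront][x_edge_location]}\t(?:-|%{INT:[destination][bytes]:int})\t%{IPORHOST:[source][ip]}\t%{WORD:[http][request][method]}\t%{HOSTNAME:[url][domain]}\t%{NOTSPACE:[url][path]}\t(?:(?:000)|%{INT:[http][response][status_code]:int})\t(?:-|%{DATA:[http][request][referrer]})\t%{DATA:[user_agent][original]}\t(?:-|%{DATA:[url][query]})\t(?:-|%{DATA:[aws][cloudfront][http][request][cookie]})\t%{WORD:[aws][cloudfront][x_edge_result_type]}\t%{NOTSPACE:[aws][cloudfront][x_edge_request_id]}\t%{HOSTNAME:[aws][cloudfront][http][request][host]}\t%{URIPROTO:[network][protocol]}\t(?:-|%{INT:[source][bytes]:int})\t%{NUMBER:[aws][cloudfront][time_taken]:float}\t(?:-|%{IP:[network][forwarded_ip]})\t(?:-|%{DATA:[aws][cloudfront][ssl_protocol]})\t(?:-|%{NOTSPACE:[tls][cipher]})\t%{WORD:[aws][cloudfront][x_edge_response_result_type]}(?:\t(?:-|HTTP/%{NUMBER:[http][version]})\t(?:-|%{DATA:[aws][cloudfront][fle_status]})\t(?:-|%{DATA:[aws][cloudfront][fle_encrypted_fields]})\t%{INT:[source][port]:int}\t%{NUMBER:[aws][cloudfront][time_to_first_byte]:float}\t(?:-|%{DATA:[aws][cloudfront][x_edge_detailed_result_type]})\t(?:-|%{NOTSPACE:[http][request][mime_type]})\t(?:-|%{INT:[aws][cloudfront][http][request][size]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][start]:int})\t(?:-|%{INT:[aws][cloudfront][http][request][range][end]:int}))?
 # :long - %{INT:[destination][bytes]:int}
 # :long - %{INT:[source][bytes]:int}
 # :long - %{INT:[aws][cloudfront][http][request][size]:int}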
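Review bot: `CLOUDFRONT_EDGE_LOCATION` is a strict shape check, and because it is embedded in `CLOUDFRONT_ACCESS_LOG`, an x-edge-location value outside `[A-Z]{3}[0-9]{1,2}(?:-[A-Z0-9]{2})?` makes the whole access-log line fail to parse, not just that one field. The comment above it calls the number "arbitrarily assigned", so the one-to-two digit bound and the exactly-two-character suffix look like assumptions taken from the listed examples rather than a documented format. I would either say so in the comment or loosen the pattern, for example `[A-Z]{3}[0-9]{1,3}(?:-[A-Z0-9]+)?`, so that a new edge code cannot silently drop CloudFront access events from downstream monitoring. The examples line also has a stray quote: `""IND6"` should read `"IND6"`.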
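--- a/data/spec/patterns/aws_spec.rb
+++ b/data/spec/patterns/aws_spec.rb
@@ -390,6 +390,38 @@ describe_pattern "CLOUDFRONT_ACCESS_LOG", ['legacy', 'ecs-v1'] do
 end
 end
 
+context 'GH-306' do
+
+let(:message) do
+#Version: 1.0
+#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end
+"2021-08-24 00:24:40 LHR62-C3 33517 82.44.60.119 GET d1236u0ikuk2zt.cloudfront.net /p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3 200 https://www.liverpoolfc.com/ Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%2014_7_1%20like%20Mac%20OS%20X)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/14.1.2%20Mobile/15E148%20Safari/604.1 - - Hit YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ== open.http.mp.streamamg.com https 289 0.003 - TLSv1.3 TLS_AES_128_GCM_SHA256 Hit HTTP/2.0 - - 54902 0.003 Hit image/jpeg 33046 - -"
+end
+
+it 'matches' do
+skip 'fixed in ECS mode only' unless ecs_compatibility?
+
+should include("timestamp" => "2021-08-24\t00:24:40")
+should include("url"=>{"domain"=>"d1236u0ikuk2zt.cloudfront.net", "path"=>"/p/101/thumbnail/entry_id/0_50xpj7v0/width/290/height/150/type/3"})
+should include("http"=>{
+"request"=>{"referrer"=>"https://www.liverpoolfc.com/", "mime_type"=>"image/jpeg", "method"=>"GET"},
+"response"=>{"status_code"=>200}, "version"=>"2.0"
+})
+should include("tls"=>{"cipher"=>"TLS_AES_128_GCM_SHA256"})
+should include("aws"=>{"cloudfront"=>{
+"x_edge_location"=>"LHR62-C3",
+"x_edge_response_result_type"=>"Hit",
+"x_edge_detailed_result_type"=>"Hit",
+"x_edge_result_type"=>"Hit",
+"ssl_protocol"=>"TLSv1.3",
+"http"=>{"request"=>{"size"=>33046, "host"=>"open.http.mp.streamamg.com"}},
+"time_to_first_byte"=>0.003, "time_taken"=>0.003,
+"x_edge_request_id"=>"YoIRNxF4o0fam7eNcIJ_QG24jMjjMNBvWK0xoveWisgYoWVzvyYFvQ=="
+}})
+end
+
+end
+
 end
 
 end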
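Review bot: The new `GH-306` context covers only one edge-location shape, `LHR62-C3`, so the no-suffix branch of the pattern and the single-digit number case go untested. The pattern file's own comment lists `SFO5-P1`, `IND6` and `CPT50`; I would add a message for each shape (or iterate over them) and assert `x_edge_location` every time, so a later change to the pattern cannot break parsing unnoticed. Separately, the fixture line appears to be copied from a real log, including a client address (`82.44.60.119`) and a request id. Consider swapping the address for a documentation-range one such as `192.0.2.10`, which no assertion in this test depends on. The enclosing `describe_pattern` block starts outside the hunk.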
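--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-patterns-core
 version: !ruby/object:Gem::Version
-version: 4.3.
+version: 4.3.3
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement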