syslog-logstash-loggly 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c911cd23311486b3ecc3d4a43c602fd175a61db6
+  data.tar.gz: 66496f69c95808a62e85e06540c7710297b6d70b
+SHA512:
+  metadata.gz: 44ce2cd664074aa3645ef7ae330af9994bc6f9e66934826c812f5a3a9bea2e69da40b76990f55fc9172f1ab719203fdcdefcb27f36954e6d74d131ec64a3e96a
+  data.tar.gz: 63c6ba90d764fe898e9b293a6ff38104e5599e8ea511f652b7651c24b2e7e5f0b5c7764728a930185d22cbc463233dd78b5b2d4e7f99cfe1075b19db189f8d17

data/CHANGELOG.md

@@ -0,0 +1,31 @@
+## 3.0.1
+  - Relax constraint on logstash-core-plugin-api to >= 1.60 <= 2.99
+
+## 3.0.0
+ - breaking,config: Remove deprecated `timestamp` config.
+ - internal: migrate to Logstash Event API 2.0
+
+## 2.1.5
+ - [Internal] test fix to not depend on json order
+
+## 2.1.4
+ - [Internal] fix tests
+
+## 2.1.3
+  - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
+
+## 2.1.2
+  - New dependency requirements for logstash-core for the 5.0 release
+
+## 2.1.1
+ - Add SSL/TLS support to syslog output plugin (thanks @breml)
+ - Added ability to use codecs for this output (thanks @breml)
+
+## 2.1.0
+ - reconnect on exception. added basic specs
+
+## 2.0.0
+ - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
+   instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
+ - Dependency on logstash-core update to 2.0
+

data/CONTRIBUTORS

@@ -0,0 +1,19 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Maintainers:
+* Lucas Bremgartner (breml)
+
+Contributors:
+* Aaron Mildenstein (untergeek)
+* Dan Everton (deverton)
+* Jordan Sissel (jordansissel)
+* Pier-Hugues Pellerin (ph)
+* Richard Pijnenburg (electrical)
+* ruckalvnet
+* Lucas Bremgartner (breml)
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+gemspec
+#gem "logstash", :github => "elastic/logstash", :branch => "6.2"
+#gem "logstash-output-syslog", :path => "/home/ubuntu/logstash-output-sysloggly-plugin"

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,98 @@
+# Logstash Plugin
+
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-output-syslog.svg)](https://travis-ci.org/logstash-plugins/logstash-output-syslog)
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/lib/logstash/outputs/syslog.rb

@@ -0,0 +1,265 @@
+# encoding: utf-8
+require "logstash/outputs/base"
+require "logstash/namespace"
+require "date"
+require "logstash/codecs/plain"
+
+
+# Send events to a syslog server.
+#
+# You can send messages compliant with RFC3164 or RFC5424
+# using either UDP or TCP as the transport protocol.
+#
+# By default the contents of the `message` field will be shipped as
+# the free-form message text part of the emitted syslog message. If
+# your messages don't have a `message` field or if you for some other
+# reason want to change the emitted message, modify the `message`
+# configuration option.
+class LogStash::Outputs::Syslog < LogStash::Outputs::Base
+  config_name "syslog"
+
+  FACILITY_LABELS = [
+    "kernel",
+    "user-level",
+    "mail",
+    "daemon",
+    "security/authorization",
+    "syslogd",
+    "line printer",
+    "network news",
+    "uucp",
+    "clock",
+    "ftp",
+    "ntp",
+    "log audit",
+    "log alert",
+    "local0",
+    "local1",
+    "local2",
+    "local3",
+    "local4",
+    "local5",
+    "local6",
+    "local7",
+  ]
+
+  SEVERITY_LABELS = [
+    "emergency",
+    "alert",
+    "critical",
+    "error",
+    "warning",
+    "notice",
+    "informational",
+    "debug",
+  ]
+
+  #key for inclusion in syslog header
+  config :key, :validate => :string, :default => "-"
+ 
+  #private enterprise number
+  config :pen, :validate => :string, :default => "41058"
+
+  # Loggly tag, can use %{somefield} to build the tag, values must be
+  # seperated by a comma, so the system can build the tag.
+  config :tag, :validate => :string, :default => "loggly-syslog"
+
+  # Retry count
+  # the number of times we will try to send the data to loggly
+  config :retry_count, :validate => :number, :default => 5
+
+
+  # syslog server address to connect to
+  config :host, :validate => :string, :required => true
+
+  # syslog server port to connect to
+  config :port, :validate => :number, :required => true
+
+  # when connection fails, retry interval in sec.
+  config :reconnect_interval, :validate => :number, :default => 1
+
+  # syslog server protocol. you can choose between udp, tcp and ssl/tls over tcp
+  config :protocol, :validate => ["tcp", "udp", "ssl-tcp"], :default => "udp"
+
+  # Verify the identity of the other end of the SSL connection against the CA.
+  config :ssl_verify, :validate => :boolean, :default => false
+
+  # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
+  config :ssl_cacert, :validate => :path
+
+  # SSL certificate path
+  config :ssl_cert, :validate => :path
+
+  # SSL key path
+  config :ssl_key, :validate => :path
+
+  # SSL key passphrase
+  config :ssl_key_passphrase, :validate => :password, :default => nil
+
+  # use label parsing for severity and facility levels
+  # use priority field if set to false
+  config :use_labels, :validate => :boolean, :default => true
+
+  # syslog priority
+  # The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :priority, :validate => :string, :default => "%{syslog_pri}"
+
+  # facility label for syslog message
+  # default fallback to user-level as in rfc3164
+  # The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :facility, :validate => :string, :default => "user-level"
+
+  # severity label for syslog message
+  # default fallback to notice as in rfc3164
+  # The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :severity, :validate => :string, :default => "notice"
+
+  # source host for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :sourcehost, :validate => :string, :default => "%{host}"
+
+  # application name for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :appname, :validate => :string, :default => "LOGSTASH"
+
+  # process id for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :procid, :validate => :string, :default => "-"
+
+  # message text to log. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :message, :validate => :string, :default => "%{message}"
+
+  # message id for syslog message. The new value can include `%{foo}` strings
+  # to help you build a new value from other parts of the event.
+  config :msgid, :validate => :string, :default => "-"
+
+  # syslog message format: you can choose between rfc3164 or rfc5424
+  config :rfc, :validate => ["rfc3164", "rfc5424"], :default => "rfc3164"
+
+  def register
+    @client_socket = nil
+
+    if ssl?
+      @ssl_context = setup_ssl
+    end
+    
+    if @codec.instance_of? LogStash::Codecs::Plain
+      if @codec.config["format"].nil?
+        @codec = LogStash::Codecs::Plain.new({"format" => @message})
+      end
+    end
+    @codec.on_event(&method(:publish))
+
+    # use instance variable to avoid string comparison for each event
+    @is_rfc3164 = (@rfc == "rfc3164")
+  end
+
+  def receive(event)
+    @codec.encode(event)
+  end
+
+  def publish(event, payload)
+    appname = event.sprintf(@appname)
+    procid = event.sprintf(@procid)
+    sourcehost = event.sprintf(@sourcehost)
+	tag = event.sprintf(@tag)
+
+    message = payload.to_s.rstrip.gsub(/[\r][\n]/, "\n").gsub(/[\n]/, '\n')
+	tags = tag.split(",").map { |value| "tag=\"#{value}\""}.join(" ")
+
+    # fallback to pri 13 (facility 1, severity 5)
+    if @use_labels
+      facility_code = (FACILITY_LABELS.index(event.sprintf(@facility)) || 1)
+      severity_code = (SEVERITY_LABELS.index(event.sprintf(@severity)) || 5)
+      priority = (facility_code * 8) + severity_code
+    else
+      priority = Integer(event.sprintf(@priority)) rescue 13
+      priority = 13 if (priority < 0 || priority > 191)
+    end
+
+    if @is_rfc3164
+      timestamp = event.sprintf("%{+MMM dd HH:mm:ss}")
+      syslog_msg = "<#{priority.to_s}>#{timestamp} #{sourcehost} #{appname}[#{procid}]: #{message}"
+    else
+      msgid = event.sprintf(@msgid)
+      timestamp = event.sprintf("%{+YYYY-MM-dd'T'HH:mm:ss.SSSZZ}")
+      syslog_msg = "<#{priority.to_s}>1 #{timestamp} #{sourcehost} #{appname} #{procid} #{msgid} [#{key}@#{pen} #{tags}] #{message}"
+    end
+
+	counter = 0
+    begin
+      @client_socket ||= connect
+      @client_socket.write(syslog_msg + "\n")
+    rescue => e
+      # We don't expect udp connections to fail because they are stateless, but ...
+      # udp connections may fail/raise an exception if used with localhost/127.0.0.1
+      return if udp?
+ 
+      @logger.warn("Attempt - #{counter} syslog " + @protocol + " output exception: closing, reconnecting and resending event", :host => @host, :port => @port, :exception => e, :backtrace => e.backtrace, :event => event)
+	  @logger.warn("Contents: " )
+	  @logger.warn("#{syslog_msg}")
+	  @client_socket.close rescue nil
+      @client_socket = nil
+	  counter = counter + 1
+      sleep(@reconnect_interval)
+      retry if counter <= retry_count 
+    end
+  end
+
+  private
+
+  def udp?
+    @protocol == "udp"
+  end
+
+  def ssl?
+    @protocol == "ssl-tcp"
+  end
+
+  def connect
+    socket = nil
+    if udp?
+      socket = UDPSocket.new
+      socket.connect(@host, @port)
+    else
+      socket = TCPSocket.new(@host, @port)
+      if ssl?
+        socket = OpenSSL::SSL::SSLSocket.new(socket, @ssl_context)
+        begin
+          socket.connect
+        rescue OpenSSL::SSL::SSLError => ssle
+          @logger.error("SSL Error", :exception => ssle,
+                        :backtrace => ssle.backtrace)
+          # NOTE(mrichar1): Hack to prevent hammering peer
+          sleep(5)
+          raise
+        end
+      end
+    end
+    socket
+  end
+
+  def setup_ssl
+    require "openssl"
+    ssl_context = OpenSSL::SSL::SSLContext.new
+    ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
+#    ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    if @ssl_verify
+      cert_store = OpenSSL::X509::Store.new
+      # Load the system default certificate path to the store
+      cert_store.set_default_paths
+      if File.directory?(@ssl_cacert)
+        cert_store.add_path(@ssl_cacert)
+      else
+        cert_store.add_file(@ssl_cacert)
+      end
+      ssl_context.cert_store = cert_store
+      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+    end
+    ssl_context
+  end
+end

data/logstash-output-syslog.gemspec

@@ -0,0 +1,29 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'syslog-logstash-loggly'
+  s.version         = '1.0.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "Send events to a syslog server."
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.authors         = ["Elastic"]
+  s.email           = 'info@elastic.co'
+  s.homepage        = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "output" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency 'logstash-codec-plain'
+
+  s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'logstash-codec-json'
+end
+

data/spec/outputs/syslog_spec.rb

@@ -0,0 +1,142 @@
+# encoding: utf-8
+
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/outputs/syslog"
+require "logstash/codecs/plain"
+require "json"
+
+describe LogStash::Outputs::Syslog do
+
+  RFC3164_DATE_TIME_REGEX = "(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (0[1-9]|[12][0-9]|3[01]) ([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)"
+  RFC3339_DATE_TIME_REGEX = "([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]{3})?([Zz]|([+-]([01][0-9]|2[0-3]):[0-5][0-9]))"
+
+  it "should register without errors" do
+    plugin = LogStash::Plugin.lookup("output", "syslog").new({"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency"})
+    expect { plugin.register }.to_not raise_error
+  end
+
+  subject do
+    plugin = LogStash::Plugin.lookup("output", "syslog").new(options)
+    plugin.register
+    plugin
+  end
+
+  let(:socket) { double("fake socket") }
+  let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz"}) }
+
+  shared_examples "syslog output" do
+    it "should write expected format" do
+      expect(subject).to receive(:connect).and_return(socket)
+      expect(socket).to receive(:write).with(output)
+      subject.receive(event)
+    end
+  end
+
+  context "rfc 3164 and udp by default" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency"} }
+    let(:output) { /^<0>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "rfc 5424 and tcp" do
+    let(:options) { {"rfc" => "rfc5424", "protocol" => "tcp", "host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency"} }
+    let(:output) { /^<0>1 #{RFC3339_DATE_TIME_REGEX} baz LOGSTASH - - - bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "calculate priority" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "mail", "severity" => "critical"} }
+    let(:output) { /^<18>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "sprintf rfc 3164" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "facility" => "mail", "severity" => "critical", "appname" => "appname", "procid" => "1000" }) }
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "%{facility}", "severity" => "%{severity}", "appname" => "%{appname}", "procid" => "%{procid}"} }
+    let(:output) { /^<18>#{RFC3164_DATE_TIME_REGEX} baz appname\[1000\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "sprintf rfc 5424" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "facility" => "mail", "severity" => "critical", "appname" => "appname", "procid" => "1000", "msgid" => "2000" }) }
+    let(:options) { {"rfc" => "rfc5424", "host" => "foo", "port" => "123", "facility" => "%{facility}", "severity" => "%{severity}", "appname" => "%{appname}", "procid" => "%{procid}", "msgid" => "%{msgid}"} }
+    let(:output) { /^<18>1 #{RFC3339_DATE_TIME_REGEX} baz appname 1000 2000 - bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use_labels == false, default" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz" }) }
+    let(:options) { {"use_labels" => false, "host" => "foo", "port" => "123" } }
+    let(:output) { /^<13>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use_labels == false, syslog_pri" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "syslog_pri" => "18" }) }
+    let(:options) { {"use_labels" => false, "host" => "foo", "port" => "123" } }
+    let(:output) { /^<18>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use_labels == false, sprintf" do
+    let(:event) { LogStash::Event.new({"message" => "bar", "host" => "baz", "priority" => "18" }) }
+    let(:options) { {"use_labels" => false, "host" => "foo", "port" => "123", "priority" => "%{priority}" } }
+    let(:output) { /^<18>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use plain codec with format set" do
+    let(:plain) { LogStash::Codecs::Plain.new({"format" => "%{host} %{message}"}) }
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "codec" => plain} }
+    let(:output) { /^<0>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: baz bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "use codec json" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "codec" => "json" } }
+
+    it "should write event encoded with json codec" do
+      expect(subject).to receive(:connect).and_return(socket)
+      expect(socket).to receive(:write) do |arg|
+        message = arg[/^<0>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: (.*)/, 1]
+        expect(message).not_to be_nil
+        message_json = JSON.parse(message)
+        expect(message_json).to include("@timestamp")
+        expect(message_json).to include("host" => "baz")
+        expect(message_json).to include("@version" => "1")
+        expect(message_json).to include("message" => "bar")
+      end
+      subject.receive(event)
+    end
+  end
+
+  context "escape carriage return, newline and newline to \\n" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "message" => "foo\r\nbar\nbaz" } }
+    let(:output) { /^<0>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: foo\\nbar\\nbaz\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "tailing newline" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "message" => "%{message}\n" } }
+    let(:output) { /^<0>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+
+  context "tailing carriage return and newline (windows)" do
+    let(:options) { {"host" => "foo", "port" => "123", "facility" => "kernel", "severity" => "emergency", "message" => "%{message}\n" } }
+    let(:output) { /^<0>#{RFC3164_DATE_TIME_REGEX} baz LOGSTASH\[-\]: bar\n/m }
+
+    it_behaves_like "syslog output"
+  end
+end

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: syslog-logstash-loggly
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Elastic
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-05-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-plain
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
+email: info@elastic.co
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/outputs/syslog.rb
+- logstash-output-syslog.gemspec
+- spec/outputs/syslog_spec.rb
+homepage: http://www.elastic.co/guide/en/logstash/current/index.html
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: output
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2.1
+signing_key: 
+specification_version: 4
+summary: Send events to a syslog server.
+test_files:
+- spec/outputs/syslog_spec.rb