ecs: add v8 alias to v1 implementation #68

Merged: 5 commits, Nov 11, 2021
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,6 @@
## 3.6.0
- Add support for ECS v8 as alias to v1 implementation [#68](https://github.com/logstash-plugins/logstash-input-syslog/pull/68)

## 3.5.0
- Feat: ECS compatibility support [#63](https://github.com/logstash-plugins/logstash-input-syslog/pull/63)

2 changes: 1 addition & 1 deletion docs/index.asciidoc
Expand Up @@ -71,7 +71,7 @@ input plugins.
* Value type is <<string,string>>
* Supported values are:
** `disabled`: does not use ECS-compatible field names (for example, `priority` for syslog priority)
** `v1`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
** `v1`,`v8`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
* Default value depends on which version of Logstash is running:
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
** Otherwise, the default value is `disabled`.
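
Review bot: the combined bullet `v1`,`v8` does not say that `v8` is an alias, so a reader can take it to mean ECS 8-specific field names. Say explicitly that `v8` currently produces the same fields as `v1`, as the CHANGELOG entry does, and add the missing space after the comma.
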
2 changes: 1 addition & 1 deletion lib/logstash/inputs/syslog.rb
Expand Up @@ -26,7 +26,7 @@
# Note: This input will start listeners on both TCP and UDP.
#
class LogStash::Inputs::Syslog < LogStash::Inputs::Base
include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)

config_name "syslog"
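
Review bot: `:v8 => :v1` on the include line is the only place the alias is declared, and it carries no comment. The docs hunk says the default follows `pipeline.ecs_compatibility`, so a pipeline set to v8 gets the v1 field layout from this input; a one-line comment here stating that v8 is served by the v1 implementation would keep that from being read as full ECS 8 support.
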

8 changes: 4 additions & 4 deletions logstash-input-syslog.gemspec
@@ -1,7 +1,7 @@
Gem::Specification.new do |s|

s.name = 'logstash-input-syslog'
s.version = '3.5.0'
s.version = '3.6.0'
s.licenses = ['Apache License (2.0)']
s.summary = "Reads syslog messages as events"
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
Expand All @@ -21,16 +21,16 @@ Gem::Specification.new do |s|

# Gem dependencies
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.1'
s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.2'

s.add_runtime_dependency 'concurrent-ruby'
s.add_runtime_dependency 'stud', '>= 0.0.22', '< 0.1.0'

s.add_runtime_dependency 'logstash-codec-plain'
s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.0'
s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.1'
s.add_runtime_dependency 'logstash-filter-date'

s.add_development_dependency 'logstash-devutils'
s.add_development_dependency 'logstash-devutils', '~> 2.3'
s.add_development_dependency 'logstash-codec-cef'
end
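
Review bot: the `logstash-filter-grok` floor moves from `>= 4.4.0` to `>= 4.4.1` with no reason given here or in the 3.6.0 CHANGELOG entry, and the constraint still has no upper bound, unlike the `~>` pins on the mixin and devutils lines. State what the new minimum is needed for, and consider a bounded range so a future major grok release is not pulled in unreviewed.
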

11 changes: 6 additions & 5 deletions spec/inputs/syslog_spec.rb
Expand Up @@ -100,7 +100,7 @@ def pattern_path(path)
end

context 'tag', :ecs_compatibility_support do
ecs_compatibility_matrix(:disabled, :v1) do
ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do

before(:each) do
allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
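
Review bot: the `before(:each)` stub in this context replaces `ecs_compatibility` on every instance, so the new `:v8 => :v1` matrix entry checks field selection but never that `v8` is accepted as a configuration value. Add one example that builds the input with `"ecs_compatibility" => "v8"` and registers it without the stub.
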
Expand Down Expand Up @@ -172,7 +172,7 @@ def pattern_path(path)

expect( events.length ).to eql event_count
events.each do |event|
expect( event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T15:19:25.000Z"
expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T15:19:25Z")
end
end

Expand All @@ -196,8 +196,9 @@ def pattern_path(path)
queue.pop
end

# chances platform timezone is not UTC so ignore the hours
expect( event.get("@timestamp").to_iso8601 ).to match /#{Time.now.year}-10-26T\d\d:19:25.000Z/
# chances platform timezone is not UTC, so parse without offset to create expectation
equivalent_time = Time.parse("#{Time.now.year}-10-26T15:19:25")
expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to(equivalent_time)
end

it "should support non UTC timezone" do
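
Review bot: `Time.parse` in the new expectation comes from Ruby's `time` standard library, and no `require 'time'` is visible in this diff; confirm the spec loads it rather than relying on another gem having done so. The expectation also now pins the hour to 15 in the platform's local zone, which the old regex deliberately ignored, so it is worth running this on a non-UTC CI runner.
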
Expand All @@ -209,7 +210,7 @@ def pattern_path(path)
syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
input.syslog_relay(syslog_event)

expect( syslog_event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T20:19:25.000Z"
expect( syslog_event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T20:19:25Z")

input.close
end