Sha256: 8a32d4dd71ca66cd1fb3e232c411b5bdc22c390c90a4726f8ee14af637e185e2
Contents?: true
Size: 1.76 KB
Versions: 1
Compression:
Stored size: 1.76 KB
Contents
require "test_utils"
describe "parse syslog", :if => RUBY_ENGINE == "jruby" do
extend LogStash::RSpec
config <<-'CONFIG'
filter {
grok {
type => "syslog"
singles => true
pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{source_host}" ]
}
syslog_pri {
type => "syslog"
}
date {
type => "syslog"
match => ["syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
mutate {
type => "syslog"
exclude_tags => "_grokparsefailure"
replace => [ "source_host", "%{syslog_hostname}" ]
replace => [ "message", "%{syslog_message}" ]
}
mutate {
type => "syslog"
remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
}
}
CONFIG
sample("message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]", "type" => "syslog") do
insist { subject["type"] } == "syslog"
insist { subject["tags"] }.nil?
insist { subject["syslog_pri"] } == "164"
end
# Single digit day
sample("message" => "<164>Oct 6 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]", "type" => "syslog") do
insist { subject["type"] } == "syslog"
insist { subject["tags"] }.nil?
insist { subject["syslog_pri"] } == "164"
#insist { subject.timestamp } == "2012-10-26T15:19:25.000Z"
end
end
Version data entries
1 entries across 1 versions & 1 rubygems
| Version | Path |
|---|---|
| logstash-lib-1.3.2 | spec/examples/syslog.rb |