logstash-plugins · robbavey · May 3, 2023 · May 4, 2023 · May 4, 2023 · May 5, 2023
diff --git a/.ci/performance/run.sh b/.ci/performance/run.sh
@@ -5,4 +5,4 @@ env
 
 set -ex
 
-jruby -rbundler/setup -S rspec -fd --tag performance
+bundle exec rspec --format=documentation --tag performance
diff --git a/.travis.yml b/.travis.yml
@@ -6,4 +6,4 @@ import:
 env:
   global:
   # disabled running performance tests on CI
-  - HAS_PERFORMANCE_TESTS=0
+  - HAS_PERFORMANCE_TESTS=1
diff --git a/spec/filters/grok_performance_spec.rb b/spec/filters/grok_performance_spec.rb
@@ -75,7 +75,7 @@
 
     SAMPLE_COUNT = 2
 
-    it "has less than #{ACCEPTED_TIMEOUT_DEGRADATION}% overhead" do
+    xit "has less than #{ACCEPTED_TIMEOUT_DEGRADATION}% overhead" do
       filter_wout_timeout = LogStash::Filters::Grok.new(config_wout_timeout).tap(&:register)
       wout_timeout_duration = do_sample_filter(filter_wout_timeout) # warmup
       puts "filters/grok(timeout => 0) warmed up in #{wout_timeout_duration}"

diff --git a/spec/filters/grok_spec.rb b/spec/filters/grok_spec.rb
@@ -29,55 +29,93 @@ def self.sample(message, &block)
     let(:config) { { "match" => { "message" => "%{SYSLOGLINE}" }, "overwrite" => [ "message" ] } }
     let(:message) { 'Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]' }
 
-    it "matches pattern" do
-      expect( event.get("tags") ).to be nil
-      expect( event.get("logsource") ).to eql "evita"
-      expect( event.get("timestamp") ).to eql "Mar 16 00:01:25"
-      expect( event.get("message") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
-      expect( event.get("program") ).to eql "postfix/smtpd"
-      expect( event.get("pid") ).to eql "1713"
-    end
+    context "in ecs mode disabled" do
+      let(:config) { super().merge('ecs_compatibility' => 'disabled') }
 
-    %w(v1 v8).each do |ecs_mode|
-      context "in ecs mode #{ecs_mode}" do
-        let(:config) { super().merge('ecs_compatibility' => ecs_mode) }
+      context 'when overwriting message' do
+        let(:config) { super().merge("overwrite" => [ "message" ]) }
 
         it "matches pattern" do
-          expect( event.get("host") ).to eql "hostname"=>"evita"
-          expect( event.get("process") ).to eql "name"=>"postfix/smtpd", "pid"=>1713
+          expect( event.get("tags") ).to be nil
+          expect( event.get("logsource") ).to eql "evita"
+          expect( event.get("timestamp") ).to eql "Mar 16 00:01:25"
           expect( event.get("message") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+          expect( event.get("program") ).to eql "postfix/smtpd"
+          expect( event.get("pid") ).to eql "1713"
         end
       end
-    end
 
-    context 'with target' do
-      let(:config) { { "match" => { "message" => "%{SYSLOGLINE}" }, "target" => "grok" } }
+      context 'with target' do
+        let(:config) { super().merge("target" => "grok") }
 
-      it "matches pattern" do
-        expect( event.get("message") ).to eql message
-        expect( event.get("tags") ).to be nil
-        expect( event.get("grok") ).to_not be nil
-        expect( event.get("[grok][timestamp]") ).to eql "Mar 16 00:01:25"
-        expect( event.get("[grok][message]") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
-        expect( event.get("[grok][pid]") ).to eql "1713"
+        it "matches pattern" do
+          expect( event.get("message") ).to eql message
+          expect( event.get("tags") ).to be nil
+          expect( event.get("grok") ).to_not be nil
+          expect( event.get("[grok][timestamp]") ).to eql "Mar 16 00:01:25"
+          expect( event.get("[grok][message]") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+          expect( event.get("[grok][pid]") ).to eql "1713"
+        end
+      end
+
+      context 'with [deep] target' do
+        let(:config) { super().merge("target" => "[@metadata][grok]") }
+
+        it "matches pattern" do
+          expect( event.get("message") ).to eql message
+          expect( event.get("tags") ).to be nil
+          expect( event.get("grok") ).to be nil
+          expect( event.get("[@metadata][grok][logsource]") ).to eql "evita"
+          expect( event.get("[@metadata][grok][message]") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+        end
       end
     end
 
-    context 'with [deep] target' do
-      let(:config) { { "match" => { "message" => "%{SYSLOGLINE}" }, "target" => "[@metadata][grok]" } }
+    %w(v1 v8).each do |ecs_mode|
+      context "in ecs mode #{ecs_mode}" do
+        let(:config) { super().merge('ecs_compatibility' => ecs_mode) }
 
-      it "matches pattern" do
-        expect( event.get("message") ).to eql message
-        expect( event.get("tags") ).to be nil
-        expect( event.get("grok") ).to be nil
-        expect( event.get("[@metadata][grok][logsource]") ).to eql "evita"
-        expect( event.get("[@metadata][grok][message]") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+        context 'when overwriting message' do
+          let(:config) { super().merge("overwrite" => [ "message" ]) }
+
+          it "matches pattern" do
+            expect( event.get("host") ).to eql "hostname"=>"evita"
+            expect( event.get("process") ).to eql "name"=>"postfix/smtpd", "pid"=>1713
+            expect( event.get("message") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+          end
+        end
+
+        context 'with target' do
+          let(:config) { super().merge("target" => "grok") }
+
+          it "matches pattern" do
+            expect( event.get("message") ).to eql message
+            expect( event.get("tags") ).to be nil
+            expect( event.get("grok") ).to_not be nil
+            expect( event.get("[grok][timestamp]") ).to eql "Mar 16 00:01:25"
+            expect( event.get("[grok][message]") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+            expect( event.get("[grok][process][pid]") ).to eql 1713
+          end
+        end
+
+        context 'with [deep] target' do
+          let(:config) { super().merge("target" => "[@metadata][grok]") }
+
+          it "matches pattern" do
+            expect( event.get("message") ).to eql message
+            expect( event.get("tags") ).to be nil
+            expect( event.get("grok") ).to be nil
+            expect( event.get("[@metadata][grok][host][hostname]") ).to eql "evita"
+            expect( event.get("[@metadata][grok][message]") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+          end
+        end
       end
     end
+
   end
 
-  describe "ietf 5424 syslog line" do
-    let(:config) { { "match" => { "message" => "%{SYSLOG5424LINE}" } } }
+  describe "ietf 5424 syslog line - ecs mode disabled" do
+    let(:config) { { 'ecs_compatibility' => 'disabled', "match" => { "message" => "%{SYSLOG5424LINE}" } } }
 
     sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - [id1 foo=\"bar\"][id2 baz=\"something\"] Hello, syslog." do
       expect( event.get("tags") ).to be nil
@@ -187,6 +225,116 @@ def self.sample(message, &block)
     end
   end
 
+  %w(v1 v8).each do |ecs_mode|
+    describe "ietf 5424 syslog line - ecs_mode #{ecs_mode}" do
+        let(:config) { { "overwrite" => [ "message" ], 'ecs_compatibility' => ecs_mode, "match" => { "message" => "%{SYSLOG5424LINE}" } } }
+
+        sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - [id1 foo=\"bar\"][id2 baz=\"something\"] Hello, syslog." do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[log][syslog][priority]") ).to eql 191
+          expect( event.get("[system][syslog][version]") ).to eql "1"
+          expect( event.get("timestamp") ).to eql "2009-06-30T18:30:00+02:00"
+          expect( event.get("[host][hostname]") ).to eql "paxton.local"
+          expect( event.get("[process][name]") ).to eql "grokdebug"
+          expect( event.get("[process][pid]") ).to eql 4123
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to eql "[id1 foo=\"bar\"][id2 baz=\"something\"]"
+          expect( event.get("message") ).to eql "Hello, syslog."
+        end
+
+        sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug - - [id1 foo=\"bar\"] No process ID." do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[log][syslog][priority]") ).to eql 191
+          expect( event.get("[system][syslog][version]") ).to eql "1"
+          expect( event.get("timestamp") ).to eql "2009-06-30T18:30:00+02:00"
+          expect( event.get("[host][hostname]") ).to eql "paxton.local"
+          expect( event.get("[process][name]") ).to eql "grokdebug"
+          expect( event.get("[process][pid]") ).to be nil
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to eql "[id1 foo=\"bar\"]"
+          expect( event.get("message") ).to eql "No process ID."
+        end
+
+        sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - - No structured data." do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[log][syslog][priority]") ).to eql 191
+          expect( event.get("[system][syslog][version]") ).to eql "1"
+          expect( event.get("timestamp") ).to eql "2009-06-30T18:30:00+02:00"
+          expect( event.get("[host][hostname]") ).to eql "paxton.local"
+          expect( event.get("[process][name]") ).to eql "grokdebug"
+          expect( event.get("[process][pid]") ).to be 4123
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to be nil
+          expect( event.get("message") ).to eql "No structured data."
+        end
+
+        sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug - - - No PID or SD." do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[log][syslog][priority]") ).to eql 191
+          expect( event.get("[system][syslog][version]") ).to eql "1"
+          expect( event.get("timestamp") ).to eql "2009-06-30T18:30:00+02:00"
+          expect( event.get("[host][hostname]") ).to eql "paxton.local"
+          expect( event.get("[process][name]") ).to eql "grokdebug"
+          expect( event.get("[process][pid]") ).to be nil
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to be nil
+          expect( event.get("message") ).to eql "No PID or SD."
+        end
+
+        sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 -  Missing structured data." do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[process][pid]") ).to eql 4123
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to be nil
+          expect( event.get("message") ).to eql "Missing structured data."
+        end
+
+        sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug  4123 - - Additional spaces." do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[process][name]") ).to eql "grokdebug"
+          expect( event.get("[process][pid]") ).to be 4123
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to be nil
+          expect( event.get("message") ).to eql "Additional spaces."
+        end
+
+        sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug  4123 -  Additional spaces and missing SD." do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[process][name]") ).to eql "grokdebug"
+          expect( event.get("[process][pid]") ).to be 4123
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to be nil
+          expect( event.get("message") ).to eql "Additional spaces and missing SD."
+        end
+
+        sample "<30>1 2014-04-04T16:44:07+02:00 osctrl01 dnsmasq-dhcp 8048 - -  Appname contains a dash" do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[log][syslog][priority]") ).to eql 30
+          expect( event.get("[system][syslog][version]") ).to eql "1"
+          expect( event.get("timestamp") ).to eql "2014-04-04T16:44:07+02:00"
+          expect( event.get("[host][hostname]") ).to eql "osctrl01"
+          expect( event.get("[process][name]") ).to eql "dnsmasq-dhcp"
+          expect( event.get("[process][pid]") ).to be 8048
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to be nil
+          expect( event.get("message") ).to eql "Appname contains a dash"
+        end
+
+        sample "<30>1 2014-04-04T16:44:07+02:00 osctrl01 - 8048 - -  Appname is nil" do
+          expect( event.get("tags") ).to be nil
+          expect( event.get("[log][syslog][priority]") ).to eql 30
+          expect( event.get("[system][syslog][version]") ).to eql "1"
+          expect( event.get("timestamp") ).to eql "2014-04-04T16:44:07+02:00"
+          expect( event.get("[host][hostname]") ).to eql "osctrl01"
+          expect( event.get("[process][name]") ).to eql nil
+          expect( event.get("[process][pid]") ).to be 8048
+          expect( event.get("[event][code]") ).to be nil
+          expect( event.get("[system][syslog][structured_data]") ).to be nil
+          expect( event.get("message") ).to eql  "Appname is nil"
+        end
+      end
+  end
+
   describe "parsing an event with multiple messages (array of strings)", if: false do
     let(:config) { { "message" => "(?:hello|world) %{NUMBER}" } }
     let(:message) { [ "hello 12345", "world 23456" ] }
@@ -730,6 +878,7 @@ def self.sample(message, &block)
     end
   end
 
+
   describe  "grok with inline pattern definition overwrites existing pattern definition" do
     let(:config) {
       {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,4 +5,4 @@ env

		set -ex

		jruby -rbundler/setup -S rspec -fd --tag performance
		bundle exec rspec --format=documentation --tag performance