From 6e46404d986185c69b492792bb631a5b49a5e584 Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Wed, 28 Jul 2021 17:24:25 +0000
Subject: [PATCH 1/5] ecs: add v8 alias to v1 implementation
---
CHANGELOG.md | 3 +++
docs/index.asciidoc | 2 +-
lib/logstash/inputs/syslog.rb | 2 +-
logstash-input-syslog.gemspec | 2 +-
spec/inputs/syslog_spec.rb | 2 +-
5 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e7bad5..eb92b1f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 3.6.0
+ - Add support for ECS v8 as alias to v1 implementation
+
 ## 3.5.0
 - Feat: ECS compatibility support [#63](https://github.com/logstash-plugins/logstash-input-syslog/pull/63)
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 8a9db92..49423a9 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -71,7 +71,7 @@ input plugins.
 * Value type is <>
 * Supported values are:
 ** `disabled`: does not use ECS-compatible field names (for example, `priority` for syslog priority)
- ** `v1`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
+ ** `v1`,`v8`: uses fields that are compatible with Elastic Common Schema (for example, `[log][syslog][priority]`)
 * Default value depends on which version of Logstash is running:
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.
diff --git a/lib/logstash/inputs/syslog.rb b/lib/logstash/inputs/syslog.rb
index 1d4ce81..a6344a5 100644
--- a/lib/logstash/inputs/syslog.rb
+++ b/lib/logstash/inputs/syslog.rb
@@ -26,7 +26,7 @@
 # Note: This input will start listeners on both TCP and UDP.
 #
 class LogStash::Inputs::Syslog < LogStash::Inputs::Base
- include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1)
+ include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
 config_name "syslog"
diff --git a/logstash-input-syslog.gemspec b/logstash-input-syslog.gemspec
index 0a29893..87b8985 100644
--- a/logstash-input-syslog.gemspec
+++ b/logstash-input-syslog.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
 # Gem dependencies
 s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
- s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.1'
+ s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.2'
 s.add_runtime_dependency 'concurrent-ruby'
 s.add_runtime_dependency 'stud', '>= 0.0.22', '< 0.1.0'
diff --git a/spec/inputs/syslog_spec.rb b/spec/inputs/syslog_spec.rb
index dfd41d4..067f2ce 100644
--- a/spec/inputs/syslog_spec.rb
+++ b/spec/inputs/syslog_spec.rb
@@ -100,7 +100,7 @@ def pattern_path(path)
 end
 context 'tag', :ecs_compatibility_support do
- ecs_compatibility_matrix(:disabled, :v1) do
+ ecs_compatibility_matrix(:disabled, :v1, :v8 => :v1) do
 before(:each) do
 allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
From c7ca0926a774ac40ce3d9bef75078fc0098b0651 Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Fri, 5 Nov 2021 15:58:59 -0700
Subject: [PATCH 2/5] Update CHANGELOG.md with link to PR
---
CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eb92b1f..48abd56 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 ## 3.6.0
- - Add support for ECS v8 as alias to v1 implementation
+ - Add support for ECS v8 as alias to v1 implementation [#68](https://github.com/logstash-plugins/logstash-input-syslog/pull/68)
 ## 3.5.0
 - Feat: ECS compatibility support [#63](https://github.com/logstash-plugins/logstash-input-syslog/pull/63)
From db68032544bbe5be69a565e11da874ae6b2ba24b Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Mon, 8 Nov 2021 00:04:28 +0000
Subject: [PATCH 3/5] pin to grok >= 4.4.1, which supplies ECS v8
---
logstash-input-syslog.gemspec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/logstash-input-syslog.gemspec b/logstash-input-syslog.gemspec
index 87b8985..88e586c 100644
--- a/logstash-input-syslog.gemspec
+++ b/logstash-input-syslog.gemspec
@@ -27,7 +27,7 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency 'stud', '>= 0.0.22', '< 0.1.0'
 s.add_runtime_dependency 'logstash-codec-plain'
- s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.0'
+ s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.1'
 s.add_runtime_dependency 'logstash-filter-date'
 s.add_development_dependency 'logstash-devutils'
From a8c0036c8d9db9365661df2eeab35fe84a8b1ea2 Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Wed, 10 Nov 2021 11:55:03 -0800
Subject: [PATCH 4/5] specs: fix assertions that rely on serialization-length of timestamp
---
logstash-input-syslog.gemspec | 2 +-
spec/inputs/syslog_spec.rb | 9 +++++----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/logstash-input-syslog.gemspec b/logstash-input-syslog.gemspec
index 88e586c..8f38769 100644
--- a/logstash-input-syslog.gemspec
+++ b/logstash-input-syslog.gemspec
@@ -30,7 +30,7 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency 'logstash-filter-grok', '>= 4.4.1'
 s.add_runtime_dependency 'logstash-filter-date'
- s.add_development_dependency 'logstash-devutils'
+ s.add_development_dependency 'logstash-devutils', '~> 2.3'
 s.add_development_dependency 'logstash-codec-cef'
 end
diff --git a/spec/inputs/syslog_spec.rb b/spec/inputs/syslog_spec.rb
index 067f2ce..9dc3900 100644
--- a/spec/inputs/syslog_spec.rb
+++ b/spec/inputs/syslog_spec.rb
@@ -172,7 +172,7 @@ def pattern_path(path)
 expect( events.length ).to eql event_count
 events.each do |event|
- expect( event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T15:19:25.000Z"
+ expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T15:19:25Z")
 end
 end
@@ -196,8 +196,9 @@ def pattern_path(path)
 queue.pop
 end
- # chances platform timezone is not UTC so ignore the hours
- expect( event.get("@timestamp").to_iso8601 ).to match /#{Time.now.year}-10-26T\d\d:19:25.000Z/
+ # chances platform timezone is not UTC, so parse without offset to create expectation
+ equivalent_time = Time.parse("#{Time.now.year}-10-26T15:19:25")
+ expect( event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to(equivalent_time)
 end
 it "should support non UTC timezone" do
@@ -209,7 +210,7 @@ def pattern_path(path)
 syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
 input.syslog_relay(syslog_event)
- expect( syslog_event.get("@timestamp").to_iso8601 ).to eql "#{Time.now.year}-10-26T20:19:25.000Z"
+ expect( syslog_event.get("@timestamp") ).to be_a_logstash_timestamp_equivalent_to("#{Time.now.year}-10-26T20:19:25Z")
 input.close
 end
From 752d433993470cd0641f95b72cf048db8ce4bdc9 Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Thu, 11 Nov 2021 18:06:48 +0000
Subject: [PATCH 5/5] version bump
---
logstash-input-syslog.gemspec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/logstash-input-syslog.gemspec b/logstash-input-syslog.gemspec
index 8f38769..1039fdb 100644
--- a/logstash-input-syslog.gemspec
+++ b/logstash-input-syslog.gemspec
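Review bot: The comment added in the `@@ -196` hunk (`# chances platform timezone is not UTC, so parse without offset to create expectation`) reads awkwardly and does not say why an offset-less parse is the correct expectation; suggest `# the platform timezone may not be UTC: build the expectation by parsing the same offset-less timestamp, so both the input and the spec resolve it in local time`. `Time.parse` is supplied by the stdlib `time` library rather than by core `Time`, so the new line relies on `require 'time'` already happening somewhere in the spec setup — presumably it does, but worth confirming since the previous assertion did not need it. The `@@ -172` and `@@ -209` hunks keep a literal `Z` expectation while this one deliberately uses local time; a short comment on why those two cases are fixed to UTC would help the next reader. The enclosing `it` blocks start outside the hunks.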
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-input-syslog'
- s.version = '3.5.0'
+ s.version = '3.6.0'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Reads syslog messages as events"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"