github-mirrors/logstash
1
0
Fork 0
mirror of https://github.com/elastic/logstash.git synced 2025-04-24 06:37:19 -04:00
Code Issues Projects Releases Packages Wiki Activity

[syslog5424] structured data should be nil when RFC NILVALUE is used

Browse source
This commit is contained in:
Brad Fritz 2013-08-22 11:14:40 -04:00
parent 0985f02eb7
commit 93990829f2
2 changed files with 28 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
patterns/linux-syslog
View file

@ -8,6 +8,6 @@ SYSLOGLINE %{SYSLOGBASE2} %{GREEDYDATA:message}
# IETF 5424 syslog(8) format (see http://www.rfc-editor.org/info/rfc5424)
SYSLOG5424PRI (?:\<%{NONNEGINT}\>)
SYSLOG5424SD (?:\[%{DATA}\]+|-)
SYSLOG5424SD \[%{DATA}\]+
SYSLOG5424LINE %{SYSLOG5424PRI:syslog5424_pri}%{NONNEGINT:syslog5424_ver} (%{TIMESTAMP_ISO8601:syslog5424_ts}|-) (%{HOSTNAME:syslog5424_host}|-) (%{WORD:syslog5424_app}|-) (%{WORD:syslog5424_proc}|-) (%{WORD:syslog5424_msgid}|-) %{SYSLOG5424SD:syslog5424_sd} %{GREEDYDATA:syslog5424_msg}
SYSLOG5424LINE %{SYSLOG5424PRI:syslog5424_pri}%{NONNEGINT:syslog5424_ver} (%{TIMESTAMP_ISO8601:syslog5424_ts}|-) (%{HOSTNAME:syslog5424_host}|-) (%{WORD:syslog5424_app}|-) (%{WORD:syslog5424_proc}|-) (%{WORD:syslog5424_msgid}|-) (?:%{SYSLOG5424SD:syslog5424_sd}|-) %{GREEDYDATA:syslog5424_msg}

26
spec/filters/grok.rb
View file

@ -64,6 +64,32 @@ describe LogStash::Filters::Grok do
insist { subject["syslog5424_sd"] } == "[id1 foo=\"bar\"]"
insist { subject["syslog5424_msg"] } == "No process ID."
end
sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - - No structured data." do
insist { subject["tags"] }.nil?
insist { subject["syslog5424_pri"] } == "<191>"
insist { subject["syslog5424_ver"] } == "1"
insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
insist { subject["syslog5424_host"] } == "paxton.local"
insist { subject["syslog5424_app"] } == "grokdebug"
insist { subject["syslog5424_proc"] } == "4123"
insist { subject["syslog5424_msgid"] } == nil
insist { subject["syslog5424_sd"] } == nil
insist { subject["syslog5424_msg"] } == "No structured data."
end
sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug - - - No PID or SD." do
insist { subject["tags"] }.nil?
insist { subject["syslog5424_pri"] } == "<191>"
insist { subject["syslog5424_ver"] } == "1"
insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
insist { subject["syslog5424_host"] } == "paxton.local"
insist { subject["syslog5424_app"] } == "grokdebug"
insist { subject["syslog5424_proc"] } == nil
insist { subject["syslog5424_msgid"] } == nil
insist { subject["syslog5424_sd"] } == nil
insist { subject["syslog5424_msg"] } == "No PID or SD."
end
end
describe "parsing an event with multiple messages (array of strings)" do