From adb5d48227c20c18eb711b8e030608aafec1a286 Mon Sep 17 00:00:00 2001
From: Jan Tytgat
Date: Sun, 2 Aug 2020 14:57:34 +0200
Subject: [PATCH 1/2] Citrix ADC Pattern and test
---
 patterns/citrixadc | 1 +
 spec/patterns/citrixadc_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 patterns/citrixadc
 create mode 100644 spec/patterns/citrixadc_spec.rb
diff --git a/patterns/citrixadc b/patterns/citrixadc
new file mode 100644
index 00000000..7175a5f5
--- /dev/null
+++ b/patterns/citrixadc
@@ -0,0 +1 @@
+CITRIXADC_LOG %{SYSLOG5424PRI:CitrixAdcSyslog5424Pri} %{DATE:CitrixAdcDate}:%{TIME:CitrixAdcTime} %{NOTSPACE:CitrixAdcHostname} %{NOTSPACE:CitrixAdcPacketEngine} : %{WORD} %{WORD:CitrixAdcModule} %{WORD:CitrixAdcEventType} %{WORD:CitrixAdcEventId} \d : %{GREEDYDATA:CitrixAdcMessage}
\ No newline at end of file
diff --git a/spec/patterns/citrixadc_spec.rb b/spec/patterns/citrixadc_spec.rb
new file mode 100644
index 00000000..5db5a331
--- /dev/null
+++ b/spec/patterns/citrixadc_spec.rb
@@ -0,0 +1,20 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/patterns/core"
+
+describe "CIRIXADC" do
+
+ let(:citrixadc_pattern) { "CITRIXADC_LOG" }
+
+ context "Parsing Citrix ADC log line from raw syslog line" do
+
+ let(:value) { '"<134> 08/02/2020:14:53:24 vpx 0-PPE-0 : default CLI CMD_EXECUTED 1488010 0 : User nsroot - Remote_ip 192.168.0.1 - Command \"save ns config\" - Status \"Success\"\n"' }
+ subject { grok_match(citrixadc_pattern, value) }
+
+ it { should include("CitrixAdcHostname" => "vpx") }
+ it { should include("CitrixAdcModule" => "CLI") }
+ it { should include("CitrixAdcEventType" => "CMD_EXECUTED") }
+
+ end
+
+end
From 3333d058637f40bad1b73ac84d93b13909c425d9 Mon Sep 17 00:00:00 2001
From: Jan Tytgat
Date: Sun, 2 Aug 2020 21:54:31 +0200
Subject: [PATCH 2/2] Updated pattern
---
 patterns/citrixadc | 2 +-
 spec/patterns/citrixadc_spec.rb | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
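Review bot: The added CITRIXADC_LOG line discards the field between the packet engine and the module (the bare `%{WORD}`, which is `default` in the spec fixture) and pins the value after the event id to exactly one digit with `\d`, so a line carrying anything longer there ends in `_grokparsefailure` instead of a partial match — a silent gap precisely on admin audit events such as CMD_EXECUTED. Citrix ADC lines I have seen also carry a timezone token after the time (`08/02/2020:14:53:24 GMT`), which would make `%{NOTSPACE:CitrixAdcHostname}` swallow `GMT` and the literal ` : ` after the packet engine fail; this is inferred, so confirm against a real device export before merging. I would capture both fields and make the zone optional: `%{TIME:CitrixAdcTime}(?: %{WORD:CitrixAdcTimezone})?`, `: %{WORD:CitrixAdcPartition} %{WORD:CitrixAdcModule}` and `%{INT:CitrixAdcEventId} %{INT:CitrixAdcSeverity} :`, with the partition/severity names to be checked against Citrix's documented log format rather than taken from my reading of the fixture. The file is also committed without a trailing newline.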
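Review bot: The fixture in `let(:value)` is a single-quoted Ruby string, so the value handed to grok_match begins with a literal `"`, ends with the two characters `\n"`, and keeps the `\"` backslashes in the text — it is an inspect/JSON rendering of the line rather than the raw syslog line the context name promises, and it only matches because grok is unanchored. Use the bare line, `let(:value) { '<134> 08/02/2020:14:53:24 vpx 0-PPE-0 : default CLI CMD_EXECUTED 1488010 0 : User nsroot - Remote_ip 192.168.0.1 - Command "save ns config" - Status "Success"' }`, and pin the fields that actually exercise the pattern's fixed separators, e.g. `it { should include("CitrixAdcEventId" => "1488010") }` and `it { should include("CitrixAdcMessage" => 'User nsroot - Remote_ip 192.168.0.1 - Command "save ns config" - Status "Success"') }`; the three current assertions would pass under many looser patterns. A second example that must not match (a line missing the ` : ` separator) would catch pattern regressions that otherwise surface only as dropped audit events in production. The describe label reads `"CIRIXADC"` and should be `"CITRIXADC"`.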
diff --git a/patterns/citrixadc b/patterns/citrixadc
index 7175a5f5..74504f96 100644
--- a/patterns/citrixadc
+++ b/patterns/citrixadc
@@ -1 +1 @@
-CITRIXADC_LOG %{SYSLOG5424PRI:CitrixAdcSyslog5424Pri} %{DATE:CitrixAdcDate}:%{TIME:CitrixAdcTime} %{NOTSPACE:CitrixAdcHostname} %{NOTSPACE:CitrixAdcPacketEngine} : %{WORD} %{WORD:CitrixAdcModule} %{WORD:CitrixAdcEventType} %{WORD:CitrixAdcEventId} \d : %{GREEDYDATA:CitrixAdcMessage}
\ No newline at end of file
+CITRIXADC_LOG %{SYSLOG5424PRI:citrixadc_syslog5424pri} %{DATE:citrixadc_date}:%{TIME:citrixadc_time} %{NOTSPACE:citrixadc_hostname} %{NOTSPACE:citrixadc_packetengine} : %{WORD} %{WORD:citrixadc_module} %{WORD:citrixadc_eventtype} %{WORD:citrixadc_eventid} \d : %{GREEDYDATA:citrixadc_message}
\ No newline at end of file
diff --git a/spec/patterns/citrixadc_spec.rb b/spec/patterns/citrixadc_spec.rb
index 5db5a331..1679f6e4 100644
--- a/spec/patterns/citrixadc_spec.rb
+++ b/spec/patterns/citrixadc_spec.rb
@@ -4,16 +4,16 @@ describe "CIRIXADC" do
- let(:citrixadc_pattern) { "CITRIXADC_LOG" }
+ let(:citrixadc_pattern) { "CITRIXADC_LOG" }
 context "Parsing Citrix ADC log line from raw syslog line" do
 let(:value) { '"<134> 08/02/2020:14:53:24 vpx 0-PPE-0 : default CLI CMD_EXECUTED 1488010 0 : User nsroot - Remote_ip 192.168.0.1 - Command \"save ns config\" - Status \"Success\"\n"' }
 subject { grok_match(citrixadc_pattern, value) }
- it { should include("CitrixAdcHostname" => "vpx") }
- it { should include("CitrixAdcModule" => "CLI") }
- it { should include("CitrixAdcEventType" => "CMD_EXECUTED") }
+ it { should include("citrixadc_hostname" => "vpx") }
+ it { should include("citrixadc_module" => "CLI") }
+ it { should include("citrixadc_eventtype" => "CMD_EXECUTED") }
 end