From db587bca0e2fe422ccdff8ea85a2fd6c549c5513 Mon Sep 17 00:00:00 2001
From: "Jeroen van Meeuwen (Kolab Systems)"
Date: Sat, 10 May 2014 01:06:57 +0200
Subject: [PATCH 1/3] MONTHDAY must not require a leading zero for day-of-month < 10

---
 patterns/grok-patterns | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/patterns/grok-patterns b/patterns/grok-patterns
index 37c70487..4b1bb4bd 100755
--- a/patterns/grok-patterns
+++ b/patterns/grok-patterns
@@ -48,7 +48,7 @@ URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
 MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
 MONTHNUM (?:0?[1-9]|1[0-2])
 MONTHNUM2 (?:0[1-9]|1[0-2])
-MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
+MONTHDAY (?:(?:(0|\s)?[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
 # Days: Monday, Tue, Thu, etc...
 DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
From 7a390ddb259b9f5b1d9ce3ed4907f951e14a2b7b Mon Sep 17 00:00:00 2001
From: "Jeroen van Meeuwen (Kolab Systems)"
Date: Fri, 30 May 2014 15:06:07 +0200
Subject: [PATCH 2/3] Add tests for MONTHDAY not requiring a 0 prefix.

---
 spec/patterns/core_spec.rb | 41 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/spec/patterns/core_spec.rb b/spec/patterns/core_spec.rb
index b85f6e09..e54ffc8d 100644
--- a/spec/patterns/core_spec.rb
+++ b/spec/patterns/core_spec.rb
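Review bot: In the added MONTHDAY line of patterns/grok-patterns, the new first alternative `(0|\s)?[1-9]` is tried before `[12][0-9]` and `3[01]`, so when the text after the day is matched by something permissive the engine can stop after one digit and capture `1` from `12`; the old first alternative `0[1-9]` could not do that. A silently truncated day in a parsed timestamp is hard to notice later when events are lined up on a timeline. Putting the two-digit branches first and making the prefix a non-capturing class avoids both the ordering problem and the extra numbered group that `(0|\s)` adds next to the other `(?:…)` groups: `MONTHDAY (?:(?:[12][0-9])|(?:3[01])|(?:[0\s]?[1-9]))`. That form also drops the trailing `|[1-9]`, which the optional prefix makes redundant. `\s` also admits tabs and line breaks, and the captured value keeps the leading whitespace, so a literal space may be the narrower choice.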
@@ -3,4 +3,45 @@ require 'logstash/patterns/core'
 describe LogStash::Patterns::Core do
+ describe "rfc822 dates" do
+ config <<-CONFIG
+ filter {
+ grok {
+ match => {
+ "message" => [
+ "%{DATESTAMP_RFC2822}",
+ "%{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}"
+ ]
+ }
+ named_captures_only => false
+ }
+ }
+ CONFIG
+
+ sample "Mon, 12 May 2014 17:00:32 -0500" do
+ insist { subject["DATESTAMP_RFC2822"] } == "Mon, 12 May 2014 17:00:32 -0500"
+ insist { subject["MONTHDAY"] } == "12"
+ end
+
+ # As occurs in a syslog/maillog message such as:
+ # lmtpunix[$pid]: dupelim: eliminated duplicate message to domain!user.john date Mon, 5 May 2014 17:00:32 -0500 (delivery)
+ sample "Mon, 5 May 2014 17:00:32 -0500" do
+ insist { subject["DATESTAMP_RFC2822"] } == "Mon, 5 May 2014 17:00:32 -0500"
+ insist { subject["MONTHDAY"] } == "5"
+ end
+
+ # As might occur in a syslog/maillog message such as:
+ # postfix/anvil[$pid]: statistics: max cache size 28 at May 6 00:02:47
+ # Note: The match will have a space, but this does not prevent conversion to integer.
+ sample "May 6 00:02:47" do
+ insist { subject["MONTHDAY"] } == " 6"
+ end
+
+ # With a 0 prefix
+ sample "May 06 00:02:47" do
+ insist { subject["MONTHDAY"] } == "06"
+ end
+
+ end
+
 end
From 34531664ffcb424d3c143669cc4456e83e8f5e0f Mon Sep 17 00:00:00 2001
From: Joao Duarte
Date: Wed, 7 Jan 2015 11:35:19 +0000
Subject: [PATCH 3/3] add grok filter to development dependencies

---
 logstash-patterns-core.gemspec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/logstash-patterns-core.gemspec b/logstash-patterns-core.gemspec
index 2082ba71..02617918 100644
--- a/logstash-patterns-core.gemspec
+++ b/logstash-patterns-core.gemspec
@@ -23,5 +23,6 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
 s.add_development_dependency 'logstash-devutils'
+ s.add_development_dependency 'logstash-filter-grok'
 end
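Review bot: Every sample in the new `rfc822 dates` block places a literal space and a strict pattern after `%{MONTHDAY}`, so backtracking always recovers the full day and these specs cannot detect a one-digit capture taken from a two-digit day. A case where MONTHDAY is followed by a permissive pattern would pin that behaviour; a sketch follows, with field names constructed for the example. Separately, the `" 6"` expectation writes the leading whitespace into the expected field value, and the comment's statement that integer conversion still works is not asserted anywhere in this hunk.

```ruby
# … unchanged: "rfc822 dates" block …

describe "MONTHDAY followed by a permissive pattern" do
  config <<-CONFIG
    filter {
      grok {
        match => { "message" => "%{MONTHDAY:day}%{GREEDYDATA:rest}" }
      }
    }
  CONFIG

  # A two-digit day must not be cut to its first digit.
  sample "12 May 2014" do
    insist { subject["day"] } == "12"
  end
end
```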
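Review bot: The added `s.add_development_dependency 'logstash-filter-grok'` carries no version constraint, unlike the runtime dependency in the same hunk, so each build resolves whatever release is newest at that moment. A bound such as `s.add_development_dependency 'logstash-filter-grok', '<VERSION_CONSTRAINT>'` (placeholder; use the range the specs were actually run against) keeps test runs reproducible and narrows what a CI job will pull in. The existing `logstash-devutils` line has the same gap. The `Gem::Specification.new do |s|` block starts outside the hunk.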