logstash-plugins · jsvd · May 9, 2014 · May 30, 2014 · Jan 7, 2015 · jordansissel
diff --git a/logstash-patterns-core.gemspec b/logstash-patterns-core.gemspec
@@ -23,5 +23,6 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
 
   s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'logstash-filter-grok'
 end
 
diff --git a/patterns/grok-patterns b/patterns/grok-patterns
@@ -48,7 +48,7 @@ URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
 MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
 MONTHNUM (?:0?[1-9]|1[0-2])
 MONTHNUM2 (?:0[1-9]|1[0-2])
-MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
+MONTHDAY (?:(?:(0|\s)?[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
 
 # Days: Monday, Tue, Thu, etc...
 DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)

diff --git a/spec/patterns/core_spec.rb b/spec/patterns/core_spec.rb
@@ -3,4 +3,45 @@
 require 'logstash/patterns/core'
 
 describe LogStash::Patterns::Core do
+  describe "rfc822 dates" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => {
+            "message" => [
+              "%{DATESTAMP_RFC2822}",
+              "%{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}"
+            ]
+          }
+          named_captures_only => false
+        }
+      }
+    CONFIG
+
+    sample "Mon, 12 May 2014 17:00:32 -0500" do
+      insist { subject["DATESTAMP_RFC2822"] } == "Mon, 12 May 2014 17:00:32 -0500"
+      insist { subject["MONTHDAY"] } == "12"
+    end
+
+    # As occurs in a syslog/maillog message such as:
+    # lmtpunix[$pid]: dupelim: eliminated duplicate message to domain!user.john <message-id> date Mon, 5 May 2014 17:00:32 -0500 (delivery)
+    sample "Mon, 5 May 2014 17:00:32 -0500" do
+      insist { subject["DATESTAMP_RFC2822"] } == "Mon, 5 May 2014 17:00:32 -0500"
+      insist { subject["MONTHDAY"] } == "5"
+    end
+
+    # As might occur in a syslog/maillog message such as:
+    # postfix/anvil[$pid]: statistics: max cache size 28 at May  6 00:02:47
+    # Note: The match will have a space, but this does not prevent conversion to integer.
+    sample "May  6 00:02:47" do
+      insist { subject["MONTHDAY"] } == " 6"
+    end
+
+    # With a 0 prefix
+    sample "May 06 00:02:47" do
+      insist { subject["MONTHDAY"] } == "06"
+    end
+
+  end
+
 end