Implementing a logstash parser for CIDT using rspec.
Some fields in Windows logs contain nested fields, for example event_data. Rspec throws a syntax error with this filter configuration:
if [event_data][Hashes] {
  grok {
    match => {"[event_data][Hashes]" => "^MD5=%{NOTSPACE:[event_data][hash_MD5]},SHA256=%{NOTSPACE:[event_data][hash_SHA256]}"}
    remove_field => [ "[event_data][Hashes]"]
  }
}
RSpec test:
# encoding: utf-8
require "logstash/devutils/rspec/spec_helper"
require "logstash/filters/grok"
require "logstash/filters/date"
require "logstash/filters/geoip"
require "logstash/filters/mutate"
@@configuration = String.new
@@configuration << File.read("config/filter.conf")
describe "Log filter" do
config(@@configuration)
sample("event_data": {"Hashes":"MD5=F20E74AEC0FB6214B51FCA476C878,SHA256=903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"}) do
insist { subject.get("[event_data][hash_MD5]") } == "F20E74AEC0FB6214B51FCA476C878"
insist { subject.get("[event_data][hash_SHA256]") } == "903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"
end
Error message:
SyntaxError:
/opt/logstash/spec/test.rb:27: syntax error, unexpected end-of-file
./lib/bootstrap/rspec.rb:13:in `<main>'
No examples found
Answer 0 (score: 0)
Following this SO post, perhaps the following code does what you want:
# encoding: utf-8
require "logstash/devutils/rspec/spec_helper"
require "logstash/filters/grok"
require "logstash/filters/date"
require "logstash/filters/geoip"
require "logstash/filters/mutate"
@@configuration = String.new
@@configuration << File.read("config/filter.conf")
describe "Log filter" do
config(@@configuration)
sample("event_data" => {"Hashes" => "MD5=F20E74AEC0FB6214B51FCA476C878,SHA256=903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"}) do
insist { subject.get("[event_data][hash_MD5]") } == "F20E74AEC0FB6214B51FCA476C878"
insist { subject.get("[event_data][hash_SHA256]") } == "903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"
end
end
You should replace : with => in the sample method call, and an end is also missing.
Unfortunately I have no test environment in which to verify this.
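The grok pattern on this page hard-codes the order MD5 then SHA256, but the set and order of algorithms in the Sysmon Hashes field depend on the Sysmon configuration (HashAlgorithms) and can also include SHA1 and IMPHASH. The following is an added example, not code from the question or the answer and not a Logstash API: a stand-alone Ruby parser that accepts the pairs in any order, checks that each digest has the hex length its algorithm requires (32 for MD5 and IMPHASH, 40 for SHA1, 64 for SHA256), and applies the result to a Logstash-like event hash the way the filter block would (add the hash_* fields, drop Hashes). It also shows, in plain Ruby, why the answer's ":" to "=>" change matters beyond syntax: the JSON-looking form creates a Symbol key, so a String-keyed field lookup misses it. Function names (parse_hashes, enrich_event, string_key_present?) and the event layout are assumptions for the example; the sample digests are the well-known digests of empty input, not hashes of any real file.

```ruby
# Added example (not from the question or the answer above): a stand-alone
# parser for the Sysmon-style "Hashes" value plus the Ruby hash-key detail
# behind the ":" vs "=>" fix. Runs without Logstash or rspec.

# Expected hex length of each digest Sysmon can emit in "Hashes".
# IMPHASH is an MD5 over the import table, so it is 32 hex characters.
DIGEST_LENGTHS = {
  "MD5"     => 32,
  "SHA1"    => 40,
  "SHA256"  => 64,
  "IMPHASH" => 32,
}.freeze

# One "ALG=hex" pair, anchored at both ends so a malformed pair cannot be
# silently absorbed into the next one.
PAIR_RE = /\A(?<alg>[A-Za-z0-9]+)=(?<hex>[0-9A-Fa-f]+)\z/

# Parse "MD5=...,SHA256=...,IMPHASH=..." in any order into
# { "hash_MD5" => "...", "hash_SHA256" => "..." }, mirroring the field names
# the grok filter on this page produces. Returns nil if any pair is malformed
# or a digest has the wrong length, so an event is never indexed with a
# partial or corrupt set of hashes.
def parse_hashes(value)
  return nil if value.nil? || value.empty?
  out = {}
  value.split(",").each do |pair|
    m = PAIR_RE.match(pair.strip)
    return nil unless m
    alg = m[:alg].upcase
    expected = DIGEST_LENGTHS[alg]
    return nil if expected.nil? || m[:hex].length != expected
    # Normalise case so later IOC / threat-intel matches are exact string matches.
    out["hash_#{alg}"] = m[:hex].upcase
  end
  out
end

# Apply the parse to a Logstash-like event (String keys, nested under
# "event_data") the way the filter block would: add the hash_* fields and
# remove the original "Hashes" field. Returns the event unchanged when parsing
# fails, so the raw value is preserved for inspection instead of being lost.
def enrich_event(event)
  data = event["event_data"]
  return event unless data.is_a?(Hash) && data.key?("Hashes")
  parsed = parse_hashes(data["Hashes"])
  return event unless parsed
  new_data = data.reject { |k, _| k == "Hashes" }.merge(parsed)
  event.merge("event_data" => new_data)
end

# Why the answer swaps ":" for "=>": the JSON-looking literal builds a Symbol
# key (:event_data), and a String-keyed lookup, which is what a field reference
# such as [event_data][Hashes] amounts to, then misses.
def string_key_present?(h)
  h.key?("event_data")
end

SYMBOL_KEYED = { "event_data": { "Hashes": "x" } }.freeze    # key is :event_data
STRING_KEYED = { "event_data" => { "Hashes" => "x" } }.freeze # key is "event_data"

# Constructed sample values: the digests of empty input, full length, not
# hashes of any real file.
SAMPLE_MD5    = "d41d8cd98f00b204e9800998ecf8427e"
SAMPLE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

if __FILE__ == $0
  # Algorithms deliberately in the opposite order from the grok pattern.
  event = { "event_data" => { "Image"  => "C:\\Windows\\System32\\notepad.exe",
                              "Hashes" => "SHA256=#{SAMPLE_SHA256},MD5=#{SAMPLE_MD5}" } }
  p enrich_event(event)
  p string_key_present?(SYMBOL_KEYED), string_key_present?(STRING_KEYED)
end
```

The fixed-order grok is fine as long as every host runs the same Sysmon configuration; the moment one host adds SHA1 or IMPHASH, or lists the algorithms differently, that pattern stops matching and the event is tagged _grokparsefailure with the hashes left unparsed. Parsing the pairs generically and validating digest length is the check a practitioner wants before those fields feed IOC matching.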