diff --git a/spec/examples/syslog.rb b/spec/examples/syslog.rb
index 748096a6261..f1b5fce4f12 100644
--- a/spec/examples/syslog.rb
+++ b/spec/examples/syslog.rb
@@ -10,7 +10,7 @@
         singles => true
         pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
         add_field => [ "received_at", "%{@timestamp}" ]
-        add_field => [ "received_from", "%{@source_host}" ]
+        add_field => [ "received_from", "%{source_host}" ]
       }
       syslog_pri {
         type => "syslog"
@@ -22,8 +22,8 @@
       mutate {
         type => "syslog"
         exclude_tags => "_grokparsefailure"
-        replace => [ "@source_host", "%{syslog_hostname}" ]
-        replace => [ "@message", "%{syslog_message}" ]
+        replace => [ "source_host", "%{syslog_hostname}" ]
+        replace => [ "message", "%{syslog_message}" ]
       }
       mutate {
         type => "syslog"
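Review bot: The `replace => [ "source_host", "%{syslog_hostname}" ]` line overwrites source_host with the hostname parsed out of the message body, which is whatever the sender of the syslog line chose to put there rather than the transport-level peer, so anyone able to inject a message can make events attribute themselves to any host. The old `@source_host` line had the same behaviour, so the commit does not introduce it, but `source_host` is the field downstream searches will now key on and the config should say which value is trusted. The `received_from` field added by the earlier grok filter appears to preserve the pre-replace value, which only holds while grok runs before this mutate. A comment on the replace line would make that explicit: `# source_host now carries the hostname claimed inside the message; the sender's own address is kept in received_from`.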
@@ -32,18 +32,16 @@
       }
     CONFIG

-    sample("@message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]", "@type" => "syslog") do
+    sample("message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]", "type" => "syslog") do
       insist { subject.type } == "syslog"
-      reject { subject.tags }.include?("_grokparsefailure")
+      insist { subject.tags }.nil?
       insist { subject["syslog_pri"] } == "164"
-      #insist { subject.timestamp } == "2012-10-26T15:19:25.000Z"
-      puts subject.to_hash
     end

     # Single digit day
-    sample("@message" => "<164>Oct 6 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]", "@type" => "syslog") do
+    sample("message" => "<164>Oct 6 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]", "type" => "syslog") do
       insist { subject.type } == "syslog"
-      reject { subject.tags }.include?("_grokparsefailure")
+      insist { subject.tags }.nil?
       insist { subject["syslog_pri"] } == "164"
       #insist { subject.timestamp } == "2012-10-26T15:19:25.000Z"
       puts subject.to_hash
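Review bot: The second sample still ends with `puts subject.to_hash` and the commented-out timestamp assertion although the first sample had both removed in this same hunk; a `puts` of the whole parsed event in a spec dumps the log contents on every run and is presumably an oversight, so drop those two lines to match the first block. `insist { subject.tags }.nil?` also changes what is checked: the old line only rejected `_grokparsefailure`, whereas the new form fails as soon as any filter adds any tag, which may be deliberate given that `reject { subject.tags }.include?` would raise when tags is nil. If the intent is still "no grok failure", `reject { Array(subject.tags) }.include?("_grokparsefailure")` keeps that meaning and tolerates a nil tags value. The enclosing describe block and its config heredoc start before the hunk, and the second sample's `end` lies after it.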