Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) (#307)

camAtGitHub · web-flow · commit cd84000d4cc0 · 2022-01-07T09:42:34.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 4.3.2
+
+- Fix: typo in BIN9_QUERYLOG pattern (in ECS mode) [#307](https://github.com/logstash-plugins/logstash-patterns-core/pull/307)
+
 ## 4.3.1
 
 - Fix: incorrect syslog (priority) field name [#303](https://github.com/logstash-plugins/logstash-patterns-core/pull/303)
diff --git a/logstash-patterns-core.gemspec b/logstash-patterns-core.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-patterns-core'
-  s.version         = '4.3.1'
+  s.version         = '4.3.2'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Patterns to be used in logstash"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
diff --git a/patterns/ecs-v1/bind b/patterns/ecs-v1/bind
@@ -8,6 +8,6 @@ BIND9_CATEGORY (?:queries)
 BIND9_QUERYLOGBASE client(:? @0x(?:[0-9A-Fa-f]+))? %{IP:[client][ip]}#%{POSINT:[client][port]:int} \(%{GREEDYDATA:[bind][log][question][name]}\): query: %{GREEDYDATA:[dns][question][name]} (?<[dns][question][class]>IN) %{BIND9_DNSTYPE:[dns][question][type]}(:? %{DATA:[bind][log][question][flags]})? \(%{IP:[server][ip]}\)
 
 # for query-logging category and severity are always fixed as "queries: info: "
-BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bing][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
+BIND9_QUERYLOG %{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:[bind][log][category]}: %{LOGLEVEL:[log][level]}: %{BIND9_QUERYLOGBASE}
 
 BIND9 %{BIND9_QUERYLOG}
diff --git a/spec/patterns/bind_spec.rb b/spec/patterns/bind_spec.rb
@@ -14,10 +14,10 @@
       should include("log" => hash_including("level" => "info"))
       should include("client" => { "ip" => "172.26.0.1", "port" => 12345 })
       should include("dns" => { "question" => { "name" => "test.example.com", "type" => 'A', "class" => 'IN' }})
-      should include("bind" => { "log" => { "question" => hash_including("flags" => '+E(0)K')}})
+      should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K'))})
       should include("server" => { "ip" => "172.26.0.3" })
       # NOTE: duplicate but still captured since we've been doing that before as well :
-      should include("bind" => { "log" => { "question" => hash_including("name" => 'test.example.com')}})
+      should include("bind" => { "log" => hash_including("question" => hash_including("name" => 'test.example.com'))})
     else
       should include("loglevel" => "info")
       should include("clientip" => "172.26.0.1")
@@ -48,7 +48,7 @@
         should include("log" => hash_including("level" => "info"))
         should include("client" => { "ip" => "192.168.10.48", "port" => 60061 })
         should include("dns" => { "question" => { "name" => "91.2.10.170.in-addr.internal", "type" => 'PTR', "class" => 'IN' }})
-        should include("bind" => { "log" => { "question" => hash_including("flags" => '+')}})
+        should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+')) })
         should include("server" => { "ip" => "192.168.2.2" })
       else
         should include("loglevel" => "info")
@@ -72,7 +72,21 @@
   it 'matches' do
     should include("client" => { "ip" => "127.0.0.1", "port" => 42520 })
     should include("dns" => { "question" => { "name" => "ci.elastic.co", "type" => 'A', "class" => 'IN' }})
-    should include("bind" => { "log" => { "question" => hash_including("flags" => '+E(0)K') }})
+    should include("bind" => { "log" => hash_including("question" => hash_including("flags" => '+E(0)K') )})
     should include("server" => { "ip" => "35.193.103.164" })
   end
 end
+
+describe_pattern "BIND9_QUERYLOG", ['ecs-v1'] do
+  let(:message) do
+    '01-May-2019 00:27:48.084 queries: info: client @0x7f82bc11d4e0 192.168.1.111#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)'
+  end
+
+  it 'matches' do
+    should include("client" => { "ip" => "192.168.1.111", "port" => 53995 })
+    should include("dns" => { "question" => { "name" => "google.com", "type" => 'A', "class" => 'IN' }})
+    should include("bind" => { "log" => hash_including("question" => { "flags" => '+E(0)', "name" => 'google.com' })})
+    should include("server" => { "ip" => "10.80.1.88" })
+    should include("log" => { "level" => "info" })
+  end
+end
