1

Implementing CICD for logstash parsers with rspec.

Some fields have nested fields such as event_data in Windows logs. Rspec throws syntax errors with this filter config:

if [event_data][Hashes] {
  grok {
     match => {"[event_data][Hashes]" => "^MD5=%{NOTSPACE:[event_data][hash_MD5]},SHA256=%{NOTSPACE:[event_data][hash_SHA256]}"}
     remove_field => [ "[event_data][Hashes]"]
  }
}

RSpec test:

# encoding: utf-8
require "logstash/devutils/rspec/spec_helper"
require "logstash/filters/grok"
require "logstash/filters/date"
require "logstash/filters/geoip"
require "logstash/filters/mutate"

@@configuration = String.new
@@configuration << File.read("config/filter.conf")

describe "Log filter" do

  config(@@configuration)

  sample("event_data": {"Hashes":"MD5=F20E74AEC0FB6214B51FCA476C878,SHA256=903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"}) do

    insist { subject.get("[event_data][hash_MD5]") } == "F20E74AEC0FB6214B51FCA476C878"
    insist { subject.get("[event_data][hash_SHA256]") } == "903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"

  end

Error message:

SyntaxError:
  /opt/logstash/spec/test.rb:27: syntax error, unexpected end-of-file
  ./lib/bootstrap/rspec.rb:13:in `<main>'
  No examples found
Michael Lihs
  • 7,460
  • 17
  • 52
  • 85
Frank Hicks
  • 13
  • 2

1 Answers1

1

Following this SO post, maybe the following code does what you want:

# encoding: utf-8
require "logstash/devutils/rspec/spec_helper"
require "logstash/filters/grok"
require "logstash/filters/date"
require "logstash/filters/geoip"
require "logstash/filters/mutate"

@@configuration = String.new
@@configuration << File.read("config/filter.conf")

describe "Log filter" do

  config(@@configuration)

  sample("event_data" => {"Hashes" => "MD5=F20E74AEC0FB6214B51FCA476C878,SHA256=903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"}) do

    insist { subject.get("[event_data][hash_MD5]") } == "F20E74AEC0FB6214B51FCA476C878"
    insist { subject.get("[event_data][hash_SHA256]") } == "903D79506914E84A4877907A99B4FEAAFE9613FF719EA09B0E6F59B1340"

  end

end

You should replace : with => in your sample method call and you were short of one end.

Unfortunately I do not have a test environment to verify this.

Michael Lihs
  • 7,460
  • 17
  • 52
  • 85