when sd_params.host exists, @shipper.host = syslog_hostname, @source.…

…host = sd_params.host
logsearch · Sep 25, 2015 · 3bf496a · 3bf496a
1 parent 8a34db3
commit 3bf496a
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 1 deletion.
diff --git a/src/logsearch-filters-common/src/logstash-filters/snippets/syslog_standard.conf b/src/logsearch-filters-common/src/logstash-filters/snippets/syslog_standard.conf
@@ -61,6 +61,13 @@ if !("fail/syslog_standard/_grokparsefailure" in [tags]) {
                     ]
                 }
 
+		if [syslog_sd_params][host] {
+		  mutate {
+		    replace => { "[@shipper][host]" => "%{[syslog_hostname]}" }
+		    replace => { "[@source][host]" => "%{[syslog_sd_params][host]}" }
+		  }
+		}
+
                if [syslog_sd_params][type] {
                    # when the syslog params include a type, prepare the message for parsing by additional downstream parsing rules:
                    #  - Change the @type - this triggers downstream parsing rules

diff --git a/src/logsearch-filters-common/target/logstash-filters-default.conf b/src/logsearch-filters-common/target/logstash-filters-default.conf
@@ -62,6 +62,13 @@ if [@type] in ["syslog", "relp"] {
                       ]
                   }
 
+  		if [syslog_sd_params][host] {
+  		  mutate {
+  		    replace => { "[@shipper][host]" => "%{[syslog_hostname]}" }
+  		    replace => { "[@source][host]" => "%{[syslog_sd_params][host]}" }
+  		  }
+  		}
+
                  if [syslog_sd_params][type] {
                      # when the syslog params include a type, prepare the message for parsing by additional downstream parsing rules:
                      #  - Change the @type - this triggers downstream parsing rules

diff --git a/src/logsearch-filters-common/target/logstash-filters-default.conf.erb b/src/logsearch-filters-common/target/logstash-filters-default.conf.erb
@@ -62,6 +62,13 @@ if [@type] in ["syslog", "relp"] {
                       ]
                   }
 
+  		if [syslog_sd_params][host] {
+  		  mutate {
+  		    replace => { "[@shipper][host]" => "%{[syslog_hostname]}" }
+  		    replace => { "[@source][host]" => "%{[syslog_sd_params][host]}" }
+  		  }
+  		}
+
                  if [syslog_sd_params][type] {
                      # when the syslog params include a type, prepare the message for parsing by additional downstream parsing rules:
                      #  - Change the @type - this triggers downstream parsing rules

diff --git a/src/logsearch-filters-common/test/logstash-filters/snippets/syslog_standard-spec.rb b/src/logsearch-filters-common/test/logstash-filters/snippets/syslog_standard-spec.rb
@@ -132,13 +132,35 @@
     end
   end
 
+  describe "syslog_sd_params rules" do
+    describe "when sd_params.host exists, @shipper.host = syslog_hostname, @source.host = sd_params.host" do
+      sample("@message" => '<13>1 2015-09-24T11:16:12.808763+01:00 SYSLOG-HOST - - - [NXLOG@14506 host="SDPARAMS-HOST"] IOrderService.ListOpenPositions Duration 8ms') do
+
+        insist { subject["tags"] } == [ 'syslog_standard' ]
+
+        insist { subject['@shipper']['host'] } == 'SYSLOG-HOST'
+        insist { subject['@source']['host'] } == 'SDPARAMS-HOST'
+      end
+    end
+    describe "when sd_params.type exists, @type = sd_params.type, @message_body = syslog_message" do
+      sample("@message" => '<13>1 2015-09-24T11:16:12.808763+01:00 SYSLOG-HOST - - - [NXLOG@14506 type="SDPARAMS-TYPE"] IOrderService.ListOpenPositions Duration 8ms') do
+
+        insist { subject["tags"] } == [ 'syslog_standard' ]
+
+        insist { subject['@type'] } == 'SDPARAMS-TYPE'
+        insist { subject['@message_body'] } == 'IOrderService.ListOpenPositions Duration 8ms'
+      end
+    end
+  end
+
   describe "NXLOG message" do
     sample("@message" => '<13>1 2015-09-24T11:16:12.808763+01:00 PKH-PPE-WEB28 - - - [NXLOG@14506 EventReceivedTime="2015-09-24 11:16:12" SourceModuleName="in_file1" SourceModuleType="im_file" path="\\PKH-PPE-WEB24\\Logs\\TradingApi.log*.log" type="ci_log4net" host="PKH-PPE-WEB24" service="CI WEBSERVICE/TradingAPI" environment="PPE"] INFO  2015-09-24 11:16:12,501 42 CityIndex.TradingApi.Common.Logging.MethodTimeLogger Request 4133629: Action: IOrderService.ListOpenPositions Duration 8ms') do
 
       insist { subject["tags"] } == [ 'syslog_standard' ]
       insist { subject["@timestamp"] } == Time.iso8601("2015-09-24T10:16:12.808Z")
 
-      insist { subject['@source']['host'] } == 'PKH-PPE-WEB28'
+      insist { subject['@shipper']['host'] } == 'PKH-PPE-WEB28'
+      insist { subject['@source']['host'] } == 'PKH-PPE-WEB24'
       insist { subject['syslog_hostname'] } == 'PKH-PPE-WEB28'
 
       insist { subject['syslog_sd_id'] } == 'NXLOG@14506'