Open jdelker opened 2 years ago
Hi @jdelker, any chance you could submit a PR, adding the fix to the regex and using your example line as a test? You can see a couple of example PRs that do a similar task (fix + add or update tests) here: https://github.com/logstash-plugins/logstash-patterns-core/pull/313/files and https://github.com/logstash-plugins/logstash-patterns-core/pull/311/files
I'm sorry, @jsvd. While I respect your request - and generally like to contribute - I'm not into Ruby at all. Providing a diff for the ecs-v1 pattern is no problem (basically it's exchanging the provided line above), but coding the particular test is beyond what I can provide.
@jdelker that's ok, can I ask you to just create a PR with the change to the grok pattern so that we can attribute this change to you? I'll carry it forward from there.
This applies to logstash-patterns-core 4.3.4:
The provided grok pattern for IPTABLES in `patterns/ecs-v1/firewalls` is incomplete and does not match all variants. Obviously that applies to logged ICMP packets, which show fewer attributes (missing SPT, DPT, ...).

The following message does not match `%{IPTABLES}`:

Reason: the IPTABLES pattern expects SPT and DPT fields, which are not present for ICMP packets.
Suggestion for corrected pattern:
This basically makes everything after PROTO optional.
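To make the failure mode above concrete, here is an added Ruby example (not code from logstash-patterns-core and not the project's real IPTABLES pattern) that stands in plain `Regexp` syntax for a grok pattern. It contrasts a simplified "before" pattern, which requires `SPT=` and `DPT=` after `PROTO=`, with an "after" variant in which everything following `PROTO=` is optional, and runs both over a constructed TCP line and a constructed ICMP echo-request line. The log lines, field names and pattern text are assumptions made for the illustration.

```ruby
# Added example, not part of logstash-patterns-core. Plain Ruby regexes are used
# here in place of grok syntax; the field names and patterns are illustrative
# and are NOT the project's ecs-v1/firewalls definitions.

# Constructed sample log lines (not real captures). The ICMP line carries
# TYPE=/CODE= after PROTO= instead of the SPT=/DPT= pair that TCP/UDP lines have.
TCP_LINE  = 'IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 ' \
            'SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ' \
            'ID=12345 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'
ICMP_LINE = 'IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 ' \
            'SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ' \
            'ID=12346 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1'

# Shared prefix: addresses, then lazily skip to the PROTO= field.
COMMON = 'SRC=(?<src_ip>\S+)\s+DST=(?<dst_ip>\S+)\s+.*?PROTO=(?<proto>\w+)'

# "Before": SPT= and DPT= are mandatory, so any ICMP line fails to match.
REQUIRED_PORTS = Regexp.new(COMMON + '\s+SPT=(?<spt>\d+)\s+DPT=(?<dpt>\d+)')

# "After": everything after PROTO= is optional, as the issue suggests. The
# ICMP-specific TYPE=/CODE= pair is added as a further optional group.
OPTIONAL_TAIL = Regexp.new(
  COMMON +
  '(?:\s+SPT=(?<spt>\d+))?' \
  '(?:\s+DPT=(?<dpt>\d+))?' \
  '(?:\s+TYPE=(?<icmp_type>\d+)\s+CODE=(?<icmp_code>\d+))?'
)

# Returns a Hash of the named captures that actually participated in the
# match, or nil when the pattern does not match the line at all.
def parse_iptables(pattern, line)
  m = pattern.match(line)
  return nil unless m
  m.named_captures.reject { |_, v| v.nil? }
end

if __FILE__ == $PROGRAM_NAME
  { 'required SPT/DPT' => REQUIRED_PORTS, 'optional tail' => OPTIONAL_TAIL }.each do |label, pat|
    { 'TCP' => TCP_LINE, 'ICMP' => ICMP_LINE }.each do |kind, line|
      result = parse_iptables(pat, line)
      puts "#{label} / #{kind}: #{result ? result.inspect : 'NO MATCH'}"
    end
  end
end
```

Run it with `ruby iptables_example.rb`: the "required SPT/DPT" pattern reports NO MATCH for the ICMP line, while the "optional tail" pattern parses both lines and simply omits `spt`/`dpt` for ICMP. When carrying this over to the real grok file, keep the separator inside each optional group (`(?:\s+SPT=...)?`) rather than leaving a mandatory `\s+` outside it; otherwise a line that ends right after `PROTO=ICMP` still fails on the trailing whitespace requirement.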