Class: Fluent::Plugin::CommonEventFormatParser

Inherits:
Parser
  • Object
Defined in:
lib/fluent/plugin/parser_cef.rb


Instance Method Details

#configure(conf) ⇒ Object



# File 'lib/fluent/plugin/parser_cef.rb', line 20

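# Prepares the parser after the superclass has processed +conf+.
#
# Builds the key/value and header regexps, resolves the UTC offset, and, when
# strict mode is requested, loads the list of accepted extension keys from the
# YAML file named by @cef_keyfilename (absolute path, or relative to this
# plugin's directory).
#
# @param conf [Object] plugin configuration, handed to +super+
# @return [Object] whatever the last logging call returns; callers are not
#   expected to use it
def configure(conf)
  super
  # NOTE(review): the lazy `.*?` followed by a lookahead is re-tested at every
  # character of a value; this pattern is presumably applied to untrusted log
  # text elsewhere in the class, so its cost on very long values without `=`
  # is worth benchmarking.
  @key_value_format_regexp = /([^\s=]+)=(.*?)(?:(?=[^\s=]+=)|\z)/
  @valid_format_regexp = create_valid_format_regexp
  @utc_offset = get_utc_offset(@log_utc_offset)
  begin
    if @parse_strict_mode
      # \A anchors at the start of the string; the former `^` also matched after
      # an embedded newline, so a name such as "x\n/y" was treated as absolute.
      key_file =
        if @cef_keyfilename =~ %r{\A/}
          @cef_keyfilename
        else
          "#{File.dirname(File.expand_path(__FILE__))}/#{@cef_keyfilename}"
        end
      # NOTE(review): on Psych versions before 4, YAML.load_file instantiates
      # arbitrary tagged Ruby objects. The loop below only needs a mapping whose
      # values are arrays, so a safe loader would be sufficient if the key file
      # can be written by anyone less trusted than the operator.
      yaml_fieldinfo = YAML.load_file(key_file)
      @keys_array = []
      yaml_fieldinfo.each {|_key, value| @keys_array.concat(value) }
      $log.info "running with strict mode, #{@keys_array.length} keys are valid."
    else
      $log.info "running without strict mode"
    end
  rescue => e
    # Fail-open by design: any error while loading the key list (missing file,
    # malformed YAML, unexpected structure) switches strict mode off and only
    # logs a warning, so key validation is silently relaxed. Operators who rely
    # on strict mode should alert on this warning.
    @parse_strict_mode = false
    $log.warn "running without strict mode because of the following error"
    $log.warn "#{e.message}"
  end
end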

#parse(text) {|time, record| ... } ⇒ Object

Yields:

  • (time, record)


# File 'lib/fluent/plugin/parser_cef.rb', line 45

# Parses one CEF log line and yields the event time and the resulting record.
#
# Outcomes, in order:
# * nil or empty input yields (nil, nil);
# * text that does not match @valid_format_regexp, or whose named groups cannot
#   be copied, yields (Engine.now, { "raw" => scrubbed text }) so the line is
#   kept rather than dropped;
# * otherwise yields the parsed timestamp and a record made of the header
#   groups plus the parsed extension fields.
#
# @param text [String, nil] raw log line; its encoding is changed in place
# @yieldparam time [Object, nil] event time, or nil for empty input
# @yieldparam record [Hash, nil] parsed fields, or nil for empty input
# @return [nil]
def parse(text)
  if text.nil? || text.empty?
    yield nil, nil
    return
  end

  # force_encoding relabels the caller's string in place; scrub then replaces
  # every invalid byte sequence with '?'. Everything below, including the
  # "raw" field, therefore carries the scrubbed text and not the original bytes.
  text.force_encoding("utf-8")
  scrubbed = text.scrub('?')

  header = @valid_format_regexp.match(scrubbed)
  if header.nil?
    yield Engine.now, { "raw" => scrubbed }
    return
  end

  time = get_unixtime_with_utc_offset(header["syslog_timestamp"], @utc_offset)

  record = {}
  begin
    header.names.each do |group_name|
      record[group_name] = header[group_name]
    end
    extension_text = header["cef_extension"]
    # The extension is expanded into separate fields below, so the unparsed
    # string is not kept in the record.
    record.delete("cef_extension")
  rescue
    yield Engine.now, { "raw" => scrubbed }
    return
  end

  # merge! lets an extension key replace a header field of the same name.
  # NOTE(review): the extension comes from the log sender; confirm that
  # parse_cef_extension cannot return keys that collide with header group names.
  record.merge!(parse_cef_extension(extension_text)) unless extension_text.nil?

  record["raw"] = scrubbed if @output_raw_field
  yield time, record
  nil
end