Added more tests without the need for live syslog input

Suyog Rao · Suyog Rao · commit a764ed956ef1 · 2014-08-26T14:38:37.000-07:00
Closes elastic#1593
diff --git a/lib/logstash/inputs/syslog.rb b/lib/logstash/inputs/syslog.rb
@@ -56,7 +56,7 @@ def register
     @grok_filter = LogStash::Filters::Grok.new(
       "overwrite" => "message",
       "match" => { "message" => "<%{POSINT:priority}>%{SYSLOGLINE}" },
-      "tag_on_failure" => ["_grokparsefailure_sysloginputplugin"],
+      "tag_on_failure" => ["_grokparsefailure_sysloginput"],
     )
 
     @date_filter = LogStash::Filters::Date.new(
@@ -198,7 +198,7 @@ def close_tcp
   def syslog_relay(event)
     @grok_filter.filter(event)
 
-    if event["tags"].nil? || !event["tags"].include?("_grokparsefailure")
+    if event["tags"].nil? || !event["tags"].include?(@grok_filter.tag_on_failure)
       # Per RFC3164, priority = (facility * 8) + severity
       #                       = (facility << 3) & (severity)
       priority = event["priority"].to_i rescue 13
diff --git a/spec/inputs/syslog.rb b/spec/inputs/syslog.rb
@@ -1,11 +1,13 @@
 # coding: utf-8
 require "test_utils"
 require "socket"
+require "logstash/inputs/syslog"
+require "logstash/event"
 
-describe "inputs/syslog", :socket => true do
+describe "inputs/syslog" do
   extend LogStash::RSpec
 
-  describe "properly handles priority, severity and facilities" do
+  it "should properly handle priority, severity and facilities", :socket => true do
     port = 5511
     event_count = 10
 
@@ -39,7 +41,7 @@
     end
   end
 
-  describe "adds unique tag when grok parsing fails" do
+  it "should add unique tag when grok parsing fails with live syslog input", :socket => true do
     port = 5511
     event_count = 10
 
@@ -70,4 +72,21 @@
       end
     end
   end
+
+  it "should add unique tag when grok parsing fails" do
+    input = LogStash::Inputs::Syslog.new({})
+    input.register
+
+    # event which is not syslog should have a new tag
+    event = LogStash::Event.new({ "message" => "hello world, this is not syslog RFC3164" })
+    input.syslog_relay(event)
+    insist { event["tags"] } ==  ["_grokparsefailure_sysloginput"]
+
+    syslog_event = LogStash::Event.new({ "message" => "<164>Oct 26 15:19:25 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434" })
+    input.syslog_relay(syslog_event)
+    insist { syslog_event["priority"] } ==  164
+    insist { syslog_event["severity"] } ==  4
+    insist { syslog_event["tags"] } ==  nil
+  end
+
 end
