1) Install difftastic (the difft CLI):

    brew install difftastic

   Other platforms: see the other installation options for difftastic here.

2) Clone and start the local VRL web server (used for testing):

    git clone https://github.com/shaeqahmed/vrl-web.git
    cd vrl-web/vrl-web-server-warp
    cargo run --release

3) Install the Python requirements for this tool:

    python3 -m pip install -r requirements.txt
    examples                              # an example directory
    └── aws_vpcflow                       # create a folder with the log source name
        ├── fields                        # files containing ECS / custom fields in the Filebeat-style format
        │   ├── agent.yml
        │   ├── base-fields.yml
        │   ├── ecs.yml
        │   └── fields.yml
        ├── log_source.yml                # the edited log source file
        ├── log_source_generated.yml.go   # the generated log source file; use this to update log_source.yml above
        └── test                          # test inputs + expected files, Filebeat style ('-expected.json' holds the assertions)
            ├── test-extra-samples.log
            ├── test-extra-samples.log-expected.json
            ├── test-tcp-flag-sequence.log
            ├── test-tcp-flag-sequence.log-expected.json
            ├── test-v5-all-fields.log
            ├── test-v5-all-fields.log-expected.json
            ├── test-with-message-field.log
            └── test-with-message-field.log-expected.json
    python3 main.py --logsource-dir examples/minimal      # simple working example
    python3 main.py --logsource-dir examples/aws_vpcflow  # developing a new log source for AWS VPC Flow logs from an existing test suite / schema

Running the second command helps you create a valid log_source.yml file for a log source named aws_vpcflow. It uses the fields (schema) and the tests you have provided in the fields/ and test/ subdirectories respectively.
For inspiration on example test cases, fields to start with, and how to structure ECS-compatible tables, you can reference the approach taken by Filebeat / Elastic, e.g.:
After running the script, if an error is encountered (an invalid VRL script, mismatching schemas, etc.), the CLI logs the error and opens your EDITOR on the corresponding files (log source, failing test case, etc.), prompting you to make the necessary fixes.
Once you have made the fixes, close the editor window and hit Enter in the CLI when it prompts you; it re-runs the steps until all the test cases pass. To close out the interactive session, press Ctrl + C in the terminal to end the process.
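The "mismatching schemas" failure above is cheap to catch before the CLI opens your editor. The following Python is an added example and not part of this project: it flattens a Filebeat-style fields schema into dotted field names and reports every key in a '-expected.json' document that the schema does not declare, or whose value has a type the schema does not allow. The schema entries, the expected documents and the field-type mapping are constructed for the example.

```python
"""Added example, not the project's own code: flatten Filebeat-style fields/*.yml
into dotted field names and check a '-expected.json' test file against that schema."""
import json

# Assumed mapping from Filebeat/ECS field types to the JSON (Python) value types they allow.
TYPE_MAP = {"keyword": str, "text": str, "date": str, "integer": int, "long": int, "boolean": bool}

def flatten_fields(entries, prefix=""):
    """Return {'aws.vpcflow.version': 'integer', ...}. Top-level 'key' entries add no
    prefix; 'type: group' entries prefix their children with their own name."""
    schema = {}
    for entry in entries:
        name = entry.get("name")
        path = f"{prefix}.{name}" if prefix and name else (name or prefix)
        if entry.get("fields"):
            schema.update(flatten_fields(entry["fields"], path))
        elif name:
            schema[path] = entry.get("type", "keyword")
    return schema

def check_expected(expected_json, schema):
    """Return sorted problems: undeclared fields and value/type mismatches per document."""
    problems = set()
    for i, doc in enumerate(json.loads(expected_json)):
        for key, value in doc.items():
            if key not in schema:
                problems.add(f"doc {i}: undeclared field {key}")
                continue
            want = TYPE_MAP.get(schema[key])
            # bool is an int subclass in Python, so reject it explicitly for integer fields
            if want and (not isinstance(value, want) or (want is int and isinstance(value, bool))):
                problems.add(f"doc {i}: {key} should be {schema[key]}, got {type(value).__name__}")
    return sorted(problems)

# Constructed sample of fields/*.yml as yaml.safe_load would return it (Filebeat layout).
FIELDS_YML = [
    {"key": "base", "fields": [{"name": "@timestamp", "type": "date"}, {"name": "message", "type": "text"}]},
    {"key": "ecs", "fields": [{"name": "event", "type": "group", "fields": [{"name": "kind", "type": "keyword"}]}]},
    {"key": "aws", "fields": [{"name": "aws", "type": "group", "fields": [
        {"name": "vpcflow", "type": "group", "fields": [
            {"name": "version", "type": "integer"}, {"name": "action", "type": "keyword"},
            {"name": "tcp_flags", "type": "integer"}]}]}]},
]
# Constructed stand-in for a test/*.log-expected.json file; the second document has two defects.
EXPECTED_JSON = """[
 {"@timestamp": "2023-01-01T00:00:00.000Z", "event.kind": "event", "aws.vpcflow.version": 5, "aws.vpcflow.action": "ACCEPT", "aws.vpcflow.tcp_flags": 2},
 {"@timestamp": "2023-01-01T00:00:01.000Z", "event.kind": "event", "aws.vpcflow.version": "5", "aws.vpcflow.protocol": 6}
]"""

print("\n".join(check_expected(EXPECTED_JSON, flatten_fields(FIELDS_YML))))
```

Point `flatten_fields` at the parsed contents of all four files under fields/ and `check_expected` at each '-expected.json' to get the same undeclared-field and type errors the CLI would otherwise stop on.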
Happy log source writing!