fluent-plugin-modsecurity 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: db0d869f49d5a7d562f6eb8fb70622246224f47d
+  data.tar.gz: 2773e9590c6c25cfd7298def65a81382db6aa248
+SHA512:
+  metadata.gz: 6f35e35ae50132b6cc4ba39a3cef68a04f2862ee32520947653c3a82c8f0876c4a028f576cda1273a57b860901665b89588d1b73674ed9cc1cf99e96f5449328
+  data.tar.gz: 2f2dbedaef76ea31bcf1d17351f0a17d57e9b00b20a4b51d381a204817273f295cbe31e10762c940565b9c5008a3c73a4a467a7f1bcf9654137f726845bbc615

data/.gitignore

@@ -0,0 +1,50 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.travis.yml

@@ -0,0 +1,12 @@
+language: ruby
+
+rvm:
+  - 2.1
+  - 2.2
+  - 2.3.1
+
+gemfile:
+ - Gemfile
+
+script: bundle exec rake test
+sudo: false

data/Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in fluent-plugin-elasticsearch.gemspec
+gemspec
+
+gem 'simplecov', require: false
+gem 'coveralls', require: false
+gem 'strptime', require: false if RUBY_ENGINE == "ruby" && RUBY_VERSION =~ /^2/
+
+gem "fluent-plugin-modsecurity", :git => "https://github.com/kaija/fluent-plugin-modsecurity.git"

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 kaija
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,57 @@
+# fluent-plugin-modsecurity
+fluentd plugin for modsecurity log
+
+[![Build Status](https://travis-ci.org/kaija/fluent-plugin-modsecurity.svg?branch=master)](https://travis-ci.org/kaija/fluent-plugin-modsecurity)
+
+
+# td-agent config
+
+
+```
+# (1) Consume the input by tail and tag modsecurity
+<source>
+    type tail
+    tag modsecurity
+    format /^(?<host>[^ ]*) (?<remote_addr>[^ ]*) (?<remote_user>[^ ]*) (?<local_user>[^ ]*) \[(?<timestamp>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*) +\S*)?" (?<status_code>[^ ]*) (?<body_bytes_sent>[^ ]*) "(?<message>.*)$/
+    time_format %d/%b/%Y:%H:%M:%S %z
+    pos_file /var/log/td-agent/modsec_audit2.log.pos
+    path /var/log/modsec/audit.log
+</source>
+
+# (2) retreive detail log from each record and append back to record
+<filter modsecurity>
+    type modsecurity
+    path_prefix /var/log
+</filter>
+
+# (3) append geoip information (optional)
+<match modsecurity>
+    type geoip
+    geoip_lookup_key transaction.client_ip
+    enable_key_country_code geoip_country
+    enable_key_city         geoip_city
+    enable_key_latitude     geoip_lat
+    enable_key_longitude    geoip_lon
+    remove_tag_prefix       test.
+    add_tag_prefix          geoip.
+    flush_interval          5s
+</match>
+
+# (3) Output
+
+<match geoip.modsecurity>
+    type elasticsearch
+    include_tag_key true
+    log_level info
+    logstash_format true
+    logstash_prefix modsecurity_geo
+    type_name blocked
+    buffer_chunk_limit 1M
+    buffer_queue_limit 32
+    flush_interval 30s
+    host 192.168.1.2
+    port 9200
+</match>
+```
+
+

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+  test.warning = false
+end
+
+task :default => :test

data/fluent-plugin-modsecurity.gemspec

@@ -0,0 +1,30 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path('../lib', __FILE__)
+
+Gem::Specification.new do |s|
+  s.name          = 'fluent-plugin-modsecurity'
+  s.version       = '0.1.2'
+  s.authors       = ['kaija']
+  s.email         = ['kaija.chang@gmail.com']
+  s.description   = %q{modsecurity filter plugin for Fluent detail log}
+  s.summary       = %q{modsecurity filter plugin}
+  s.homepage      = 'https://github.com/kaija/fluent-plugin-modsecurity'
+  s.license       = 'MIT'
+
+  s.files         = `git ls-files`.split($/)
+  s.executables   = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  s.test_files    = s.files.grep(%r{^(test|spec|features)/})
+  s.require_paths = ['lib']
+
+  s.required_ruby_version = Gem::Requirement.new(">= 2.0".freeze)
+
+  s.add_runtime_dependency 'fluentd', '~> 0.10'
+  s.extra_rdoc_files = [
+    "CHANGELOG",
+    "README.rdoc"
+  ]
+
+  s.add_development_dependency 'rake', '~> 0'
+  s.add_development_dependency 'test-unit', '~> 3.1'
+  s.add_development_dependency 'minitest', '~> 5.8'
+end

data/lib/fluent/plugin/filter_modsecurity.rb

@@ -0,0 +1,36 @@
+# encoding: UTF-8
+require 'json'
+
+class Fluent::ModsecurityFilter < Fluent::Filter
+
+    Fluent::Plugin.register_filter('modsecurity', self)
+
+    desc "Path prefix of the detail log"
+    config_param :path_prefix, :string, default: "/var/log"
+
+    def configure(conf)
+        super
+        @path_prefix = conf['path_prefix']
+    end
+
+    def filter(tag, time, record)
+        log_path = ""
+        record.each{ |key, value|
+            token = value.split(" ")
+            token.each { |v|
+                if v.start_with?(@path_prefix)
+                    log_path = v
+                    break
+                end
+            }
+        }
+        #find detail log and append to record
+        unless log_path.to_s.strip.empty?
+            file = File.read(log_path)
+            data_hash = JSON.parse(file)
+            #copy transaction object to original record
+            record['transaction'] = data_hash['transaction']
+        end
+        record
+    end
+end

data/test/helper.rb

@@ -0,0 +1,24 @@
+require 'simplecov'
+SimpleCov.start do
+  add_filter do |src|
+    !(src.filename =~ /^#{SimpleCov.root}\/lib/)
+  end
+end
+
+require 'coveralls'
+Coveralls.wear!
+
+# needs to be after simplecov but before test/unit, because fluentd sets default
+# encoding to ASCII-8BIT, but coverall might load git data which could contain a
+# UTF-8 character
+at_exit do
+  Encoding.default_internal = 'UTF-8' if defined?(Encoding) && Encoding.respond_to?(:default_internal)
+  Encoding.default_external = 'UTF-8' if defined?(Encoding) && Encoding.respond_to?(:default_external)
+end
+
+require 'test/unit'
+require 'fluent/test'
+require 'minitest/pride'
+
+#require 'webmock/test_unit'
+#WebMock.disable_net_connect!

data/test/plugin/test_filter_modsecurity.rb

@@ -0,0 +1,23 @@
+require 'helper'
+
+class ModsecurityFilter < Test::Unit::TestCase
+
+	def setup
+		Fluent::Test.setup
+        require 'fluent/plugin/filter_modsecurity'
+        @driver = nil
+	end
+
+    def driver(tag='test', config='')
+        @driver ||= Fluent::Test::FilterTestDriver.new(Fluent::ModsecurityFilter, tag).configure(config)
+    end
+
+    def test_configure
+        config = %{
+            path_prefix /var/log
+        }
+        instance = driver('test', config).instance
+        path = instance.path_prefix
+        assert_equal "/var/log", path
+    end
+end

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-modsecurity
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- kaija
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-06-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.8'
+description: modsecurity filter plugin for Fluent detail log
+email:
+- kaija.chang@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- CHANGELOG
+- README.rdoc
+files:
+- ".gitignore"
+- ".travis.yml"
+- CHANGELOG
+- Gemfile
+- LICENSE
+- README.md
+- README.rdoc
+- Rakefile
+- fluent-plugin-modsecurity.gemspec
+- lib/fluent/plugin/filter_modsecurity.rb
+- test/helper.rb
+- test/plugin/test_filter_modsecurity.rb
+homepage: https://github.com/kaija/fluent-plugin-modsecurity
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: modsecurity filter plugin
+test_files:
+- test/helper.rb
+- test/plugin/test_filter_modsecurity.rb