fluent-plugin-twistlock-syslog 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/README.md +0 -0
- data/Rakefile +11 -0
- data/lib/fluent/plugin/filter_twistlock_syslog.rb +44 -0
- metadata +95 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 62d3bfe07dfc4bf1a5860a676260c0206b60eec0e22782be0173add3e8979b66
|
|
4
|
+
data.tar.gz: 742634d44f0c3083930a33fb3fbd2e5d0fc064060f5c3dbd51852b54f096b069
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 692797d8e84d71f0375b1e10fb7d9ccc6bf7bd0aa12cafb6cf453a5b17526dafd3297ee1ef65c78729a4228f3f91baddde20b27a124fee0b9feb1e2206538f9a
|
|
7
|
+
data.tar.gz: 90c94079781fc2a9427467f047572722116fd60fe4b9644545d04c1601107f3b23a7905952cdb7b431947cf12e69d4eb163f1f06ede412f6013a68d595f5bde9
|
data/README.md
ADDED
|
File without changes
|
data/Rakefile
ADDED
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
require 'fluent/plugin/filter'
|
|
2
|
+
require 'digest'
|
|
3
|
+
|
|
4
|
+
module Fluent::Plugin
|
|
5
|
+
class TwistlockSyslogFilter < Filter
|
|
6
|
+
# Register this filter as "twistlock-syslog"
|
|
7
|
+
Fluent::Plugin.register_filter('twistlock_syslog', self)
|
|
8
|
+
config_param :key_path, :string, default: '/fluentd/etc/private.pem'
|
|
9
|
+
config_param :key_name, :string, default: 'message'
|
|
10
|
+
|
|
11
|
+
def configure(conf)
|
|
12
|
+
super
|
|
13
|
+
unless File.file?(@key_path)
|
|
14
|
+
raise Fluent::ConfigError, "Private key file must be present. #{@key_path} Please check."
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
def start
|
|
18
|
+
super
|
|
19
|
+
@private_key = OpenSSL::PKey::RSA.new(File.read(@key_path))
|
|
20
|
+
end
|
|
21
|
+
def filter(tag, time, record)
|
|
22
|
+
message = record[@key_name][0..-2]
|
|
23
|
+
begin
|
|
24
|
+
message.split(/(?<!\\|=)"\s/).each { |in_msg|
|
|
25
|
+
keymap = in_msg.split('="')
|
|
26
|
+
record[keymap[0]] = keymap[1]
|
|
27
|
+
}
|
|
28
|
+
record.delete("ident")
|
|
29
|
+
record.delete("pid")
|
|
30
|
+
record.delete("time")
|
|
31
|
+
if record.key?("host_name")
|
|
32
|
+
record["host"] = record["host_name"]
|
|
33
|
+
record.delete("host_name")
|
|
34
|
+
end
|
|
35
|
+
signature = @private_key.sign(OpenSSL::Digest::SHA256.new, record[@key_name])
|
|
36
|
+
record["signature"] = Base64.encode64(signature)
|
|
37
|
+
rescue Exception => e
|
|
38
|
+
log.warn "Unable to map record with message=#{record[@key_name]}"
|
|
39
|
+
log.warn e.backtrace.inspect
|
|
40
|
+
end
|
|
41
|
+
record.sort_by { |key, strings| strings.length }
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: fluent-plugin-twistlock-syslog
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- nronix
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2021-06-13 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: fluentd
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 0.10.58
|
|
20
|
+
- - "<"
|
|
21
|
+
- !ruby/object:Gem::Version
|
|
22
|
+
version: '2'
|
|
23
|
+
type: :runtime
|
|
24
|
+
prerelease: false
|
|
25
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
26
|
+
requirements:
|
|
27
|
+
- - ">="
|
|
28
|
+
- !ruby/object:Gem::Version
|
|
29
|
+
version: 0.10.58
|
|
30
|
+
- - "<"
|
|
31
|
+
- !ruby/object:Gem::Version
|
|
32
|
+
version: '2'
|
|
33
|
+
- !ruby/object:Gem::Dependency
|
|
34
|
+
name: rake
|
|
35
|
+
requirement: !ruby/object:Gem::Requirement
|
|
36
|
+
requirements:
|
|
37
|
+
- - ">="
|
|
38
|
+
- !ruby/object:Gem::Version
|
|
39
|
+
version: 0.9.2
|
|
40
|
+
type: :development
|
|
41
|
+
prerelease: false
|
|
42
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
43
|
+
requirements:
|
|
44
|
+
- - ">="
|
|
45
|
+
- !ruby/object:Gem::Version
|
|
46
|
+
version: 0.9.2
|
|
47
|
+
- !ruby/object:Gem::Dependency
|
|
48
|
+
name: test-unit
|
|
49
|
+
requirement: !ruby/object:Gem::Requirement
|
|
50
|
+
requirements:
|
|
51
|
+
- - ">="
|
|
52
|
+
- !ruby/object:Gem::Version
|
|
53
|
+
version: 3.0.8
|
|
54
|
+
type: :development
|
|
55
|
+
prerelease: false
|
|
56
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
57
|
+
requirements:
|
|
58
|
+
- - ">="
|
|
59
|
+
- !ruby/object:Gem::Version
|
|
60
|
+
version: 3.0.8
|
|
61
|
+
description: Filter plugin for Fluent to convert twistlock syslog message to hashmap
|
|
62
|
+
for better SIEM data
|
|
63
|
+
email: nikhilrao37@gmail.com
|
|
64
|
+
executables: []
|
|
65
|
+
extensions: []
|
|
66
|
+
extra_rdoc_files: []
|
|
67
|
+
files:
|
|
68
|
+
- README.md
|
|
69
|
+
- Rakefile
|
|
70
|
+
- lib/fluent/plugin/filter_twistlock_syslog.rb
|
|
71
|
+
homepage: https://github.com/nronix/fluentd-filter-twistlock-syslog
|
|
72
|
+
licenses:
|
|
73
|
+
- MIT
|
|
74
|
+
metadata: {}
|
|
75
|
+
post_install_message:
|
|
76
|
+
rdoc_options: []
|
|
77
|
+
require_paths:
|
|
78
|
+
- lib
|
|
79
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
80
|
+
requirements:
|
|
81
|
+
- - ">="
|
|
82
|
+
- !ruby/object:Gem::Version
|
|
83
|
+
version: '0'
|
|
84
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
85
|
+
requirements:
|
|
86
|
+
- - ">="
|
|
87
|
+
- !ruby/object:Gem::Version
|
|
88
|
+
version: '0'
|
|
89
|
+
requirements: []
|
|
90
|
+
rubygems_version: 3.1.4
|
|
91
|
+
signing_key:
|
|
92
|
+
specification_version: 4
|
|
93
|
+
summary: Filter plugin for Fluent to convert twistlock syslog message to hashmap for
|
|
94
|
+
better SIEM data
|
|
95
|
+
test_files: []
|