logstash-filter-SDS 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 79283771fe6b695798029ebbcda8c17e0f5593aa
+  data.tar.gz: c3ede4f018deca97ca1a9e543bb7de6ad6fd6fd9
+SHA512:
+  metadata.gz: 1dc35485dd8900cbe2b8452645936022c53076a5fca5195d7bf27dd1ee06e45e9e2aaf3b59a7c148ae1113f576b9f41d389c82d2f8ff3dadfd5f6fa9b58c08e1
+  data.tar.gz: c696d2dadf29bf9e7bcccb5fe99350ac3b8a638983edeb846b4b64c351448e75e4a6450e3ff9c829b510f045332e645ad166a112d03a1935a192c528a55d199e

data/Gemfile

@@ -0,0 +1,2 @@
+source 'http://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,14 @@
+Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
+Copyright (c) 2018 Stormshield <https://www.stormshield.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,106 @@
+# Logstash Stormshield SDS Plugin
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+```sh
+bundle install
+```
+
+- Run tests
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+
+- Install plugin
+```sh
+bin/plugin install --no-verify
+```
+
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+
+- Install the plugin from the Logstash home
+```sh
+bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
+```
+
+- Start Logstash and proceed to test the plugin
+
+- Run tests
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+
+- Install plugin
+```sh
+bin/plugin install --no-verify
+```
+
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+
+- Install the plugin from the Logstash home
+```sh
+bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
+```
+
+- Start Logstash and proceed to test the plugin

data/lib/logstash/filters/SDS.rb

@@ -0,0 +1,139 @@
+# encoding: utf-8
+require 'set'
+require 'logstash/filters/base'
+require 'logstash/namespace'
+
+class LogStash::Filters::SDS < LogStash::Filters::Base
+    config_name 'SDS'
+
+    public
+
+    def register
+        @re_msg = /(?:Stormshield Data Security Login|Identifiant Stormshield Data Security)\s?:\s(?<userFullName>.*[^(?:\s{2}|\r{2})])(?:\s{2}|\r{2}|(?:\\\\r){2})Description\s?:(?:\s|\r|\\\\r)?(?<description>[^"]*)/m
+        @re_file = /(?:File|fichier|file)\s*'(?<File>.*)'/
+        @re_folder = /(?:Folder|dossier|folder)\s*'(?<Folder>.*)'/
+        @eventId_files_set = Set.new [
+            # "L'utilisateur a chiffré avec succès le fichier '%2' en mode auto-déchiffrable."
+            # "File '%2' has been successfully encrypted (auto-decrypt mode)."
+            18_300,
+            # "Le chiffrement du fichier '%2' en mode auto-déchiffrable a échoué."
+            # "File '%2' encryption (auto-decrypt mode) has failed."
+            18_301,
+            # "File '%2' was successfully encrypted (SmartFILE? mode)."
+            # "L'utilisateur a chiffré avec succès le fichier '%2' en utilisant SecurityBOX? SmartFile?."
+            18_304,
+            # "File '%2' encryption (SmartFILE? mode) has failed."
+            # "Le chiffrement du fichier '%2' en utilisant SecurityBOX? SmartFile? a échoué."
+            18_305,
+            # "L'utilisateur a chiffré avec succès le fichier '%2' pour les correspondants suivants : %r%3."
+            # "File '%2' has been successfully encrypted for the following recipients: %r%3."
+            18_308,
+            # "File '%2' encryption has failed for the following recipients: %r%3."
+            # "Le chiffrement du fichier '%2' pour les correspondants suivants a échoué : %r%3."
+            18_309,
+            # "Les collaborateurs suivants ont été ajoutés avec succès au fichier '%2' :%r%3."
+            # "These coworkers have been added successfully to the file '%2' :%r%3."
+            18_312,
+            # "These coworkers could not be added to the file '%2' : %r%3."
+            # "L'ajout des collaborateurs suivants au fichier '%2' a échoué :%r%3."
+            18_313,
+            # "Les collaborateurs suivants ont été supprimés avec succès du fichier '%2' :%r%3."
+            # "These coworkers have been removed successfully from the file '%2':%r%3."
+            18_314,
+            # "La suppression des collaborateurs suivants du fichier '%2' a échoué : %r%3."
+            # "These coworkers could not be removed from the file '%2': %r%3."
+            18_315,
+            # "L'utilisateur a chiffré le fichier '%2' avec succès."
+            # "File '%2' has been successfully encrypted."
+            18_700,
+            # "Le chiffrement du fichier '%2' a échoué."
+            # "File '%2' encryption has failed."
+            18_701,
+            # "L'utilisateur a déchiffré le fichier '%2' avec succès."
+            # "File '%2' has been successfully decrypted."
+            18_702,
+            # "Le déchiffrement du fichier '%2' a échoué."
+            # "File '%2' decryption has failed."
+            18_703
+        ]
+
+        @eventId_folders_set = Set.new [
+            # "L'utilisateur a chiffré avec succès le dossier '%2' en mode auto-déchiffrable."
+            # "Folder '%2' has been successfully encrypted (auto-decrypt mode)."
+            18_302,
+            # "Le chiffrement du dossier '%2' en mode auto-déchiffrable a échoué."
+            # "Folder '%2' decryption (auto-decrypt mode) has failed."
+            18_303,
+            # "Folder '%2' has been successfully encrypted (SmartFILE? mode)."
+            # "L'utilisateur a chiffré avec succès le dossier '%2' en utilisant SecurityBOX? SmartFile?."
+            18_306,
+            # "Folder '%2' encryption (SmartFILE? mode) failed."
+            # "Le chiffrement du dossier '%2' en utilisant SecurityBOX? SmartFile? a échoué."
+            18_307,
+            # "L'utilisateur a chiffré avec succès le dossier '%2' pour les correspondants suivants : %r%3."
+            # "Folder '%2' has been successfully encrypted for the following recipients: %r%3."
+            18_310,
+            # "Le chiffrement du dossier '%2' pour les correspondants suivants a échoué: %r%3."
+            # "Folder '%2' encryption has failed for the following recipients: %r%3."
+            18_311
+        ]
+    end # def register
+
+    public
+
+    def filter(event)
+        eventId = event.get('EventID')
+        # Try to extract the header/description
+        m = @re_msg.match(event.get('Message'))
+        if m
+            event.set('userFullName', m['userFullName'])
+            event.set('msg', m['description'])
+            event.remove('Message')
+        end
+
+        # Assign category name in EN function of event id range
+        if eventId
+            eventId = eventId.to_i
+            case eventId
+            when 300..699 then event.set('Category', 'Administration')
+            when 700..1099 then event.set('Category', 'Directory administration')
+            when 1100..1499  then event.set('Category', 'CRL administration')
+            when 8300..8699  then event.set('Category', 'Volume management')
+            when 18_300..18_699 then event.set('Category', 'Encryption / Decryption to')
+            when 18_700..19_099 then event.set('Category', 'Encryption / Decryption')
+            when 25_300..25_699 then event.set('Category', 'Start / Stop')
+            when 25_700..26_099 then event.set('Category', 'Network')
+            when 26_100..26_499 then event.set('Category', 'Card Extension')
+            when 31_300..31_699 then event.set('Category', 'Login / Logout')
+            when 31_700..32_099 then event.set('Category', 'Account administration')
+            when 32_100..32_499 then event.set('Category', 'Key management')
+            when 32_500..32_899 then event.set('Category', 'Keystore administration')
+            when 39_300..39_699 then event.set('Category', 'Send / Receive')
+            when 47_300..47_499 then event.set('Category', 'Sign / Signature')
+            when 49_300..49_699 then event.set('Category', 'Rule management')
+            when 49_700..50_099 then event.set('Category', 'Encryption / Decryption')
+            when 50_100..50_499 then event.set('Category', 'Backup / Restore')
+            when 50_500..50_899 then event.set('Category', 'Driver message')
+            else
+                event.set('Category', "Umanaged category: '" + event.get('Category') + "'")
+            end
+
+            # Capture file or folder name for file events
+            m = nil
+            if @eventId_files_set.include?(eventId)
+                m = @re_file.match(event.get('msg'))
+                if m
+                  event.set('file', m['File'])
+                end
+            elsif @eventId_folders_set.include?(eventId)
+                m = @re_folder.match(event.get('msg'))
+                if m
+                  event.set('folder', m['Folder'])
+                end
+            end
+        end
+
+        # filter_matched should go in the last line of our successful code
+        filter_matched(event)
+    end # def filter
+end # class LogStash::Filters::SDS

data/logstash-filter-SDS.gemspec

@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-SDS'
+  s.version = '1.0.0'
+  s.licenses = ['Apache License (2.0)']
+  s.summary = "SDS filter."
+  s.description = "SDS filter"
+  s.authors = ["Stormshield"]
+  s.email = 'svc@stormshield.eu'
+  s.homepage = "https://www.stormshield.eu"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash-core-plugin-api', '>= 1.60', '<= 2.99'
+  s.add_development_dependency "logstash-devutils", "= 1.3.4"
+end

data/spec/filters/SDS_spec.rb

@@ -0,0 +1,224 @@
+# encoding: utf-8
+
+require 'logstash/devutils/rspec/spec_helper'
+require 'logstash/filters/SDS'
+
+describe LogStash::Filters::SDS do
+    describe 'SDS log analyser' do
+        unmanagedCategory = 'an unmanaged category'
+        let(:config) do
+            <<-CONFIG
+      filter {
+        SDS {
+        }
+      }
+    CONFIG
+        end
+
+        # Test re_msg
+        [
+          {
+            'message' => "Message=\"Stormshield Data Security Login: Amelia\r\rDescription:\rCOMMON_NAME_REVOKE option: Value: ALL Access FALSE",
+            'expectedUserFullName' => 'Amelia',
+            'expectedMsg' => 'COMMON_NAME_REVOKE option: Value: ALL Access FALSE'
+          },
+          {
+            'message' => "Message=\"Stormshield Data Security Login: Emily\r\rDescription:\rThe Stormshield Data Security account or card is blocked.\" Category=\"Login / Logout\" Opcode=ERROR EventReceivedTime=1458835949 SourceModuleName=SDS_events SourceModuleType=im_msvistalog",
+            'expectedUserFullName' => 'Emily',
+            'expectedMsg' => 'The Stormshield Data Security account or card is blocked.'
+          },
+          {
+            'message' => "Message=\"Identifiant Stormshield Data Security : Emily\r\rDescription :\rThe Stormshield Data Security account or card is blocked.\" Category=\"Login / Logout\" Opcode=ERROR EventReceivedTime=1458835949 SourceModuleName=SDS_events SourceModuleType=im_msvistalog",
+            'expectedUserFullName' => 'Emily',
+            'expectedMsg' => 'The Stormshield Data Security account or card is blocked.'
+          },
+          {
+            'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rUpdate of the CRL C:\\ProgramData\\Arkoon\\Security BOX\\Users\\bruno thill\\bruno thill.bcrl has been successful.",
+            'expectedUserFullName' => 'Bruno THILL',
+            'expectedMsg' => 'Update of the CRL C:\\ProgramData\\Arkoon\\Security BOX\\Users\\bruno thill\\bruno thill.bcrl has been successful.'
+          },
+          {
+            'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rDownload of the security policy from 'http://sbam.arkoon.net/update-users-fr/Bruno%20THILL/Bruno%20THILL.usx'.",
+            'expectedUserFullName' => 'Bruno THILL',
+            'expectedMsg' => "Download of the security policy from 'http://sbam.arkoon.net/update-users-fr/Bruno%20THILL/Bruno%20THILL.usx'."
+          },
+          {
+            'message' => "Stormshield Data Security Login: THILL Bruno\r\rDescription:\rError while trying to open the file 'E:\\USERS\\BTHILL\\DOCUMENTS\\TESTS VERSION 9.1\\屜尯CARACTÈRES UNICODE - UTF-16 - あいおと - NOMS LONGS TEAM 8.0.6\\尯屜あいお尯あうおあい - COPIE - COPI - COPIE (68).DOC' using 'SBKRNL.EXE'.",
+            'expectedUserFullName' => 'THILL Bruno',
+            'expectedMsg' => "Error while trying to open the file 'E:\\USERS\\BTHILL\\DOCUMENTS\\TESTS VERSION 9.1\\屜尯CARACTÈRES UNICODE - UTF-16 - あいおと - NOMS LONGS TEAM 8.0.6\\尯屜あいお尯あうおあい - COPIE - COPI - COPIE (68).DOC' using 'SBKRNL.EXE'."
+          },
+          {
+            'message' => "Stormshield Data Security Login: N/A\r\rDescription:\rCOMMON_NAME_REVOKE option: Value: ALL Access FALSE",
+            'expectedUserFullName' => 'N/A',
+            'expectedMsg' => 'COMMON_NAME_REVOKE option: Value: ALL Access FALSE'
+          },
+          {
+            'message' => "Stormshield Data Security Login: N/A\r\rDescription:%COMMON_NAME_NOT_ON_LDAP option: Value: ALL Access FALSE",
+            'expectedUserFullName' => 'N/A',
+            'expectedMsg' => '%COMMON_NAME_NOT_ON_LDAP option: Value: ALL Access FALSE'
+          },
+          {
+            'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rThe user logged out its Stormshield Data Security keystore.",
+            'expectedUserFullName' => 'Bruno THILL',
+            'expectedMsg' => 'The user logged out its Stormshield Data Security keystore.'
+          },
+          {
+            'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rThe user logged on its Stormshield Data Security keystore.",
+            'expectedUserFullName' => 'Bruno THILL',
+            'expectedMsg' => 'The user logged on its Stormshield Data Security keystore.'
+          },
+          {
+            'message' => "Stormshield Data Security Login: THILL Bruno\r\rDescription:\rTeam service request failed: 'C:\\TMP\\TESTTEST\\CHALLENGE.DOCX.SBCLOUD|TEAMOFB (4)' using 'explorer.exe'.",
+            'expectedUserFullName' => 'THILL Bruno',
+            'expectedMsg' => "Team service request failed: 'C:\\TMP\\TESTTEST\\CHALLENGE.DOCX.SBCLOUD|TEAMOFB (4)' using 'explorer.exe'."
+          },
+          {
+            'message' => "Stormshield Data Security Login: THILL Bruno\r\rDescription:\rAutomatic volume mounting'E:\\Users\\bthill\\Documents\\Tests Version 9.1\\9.1.vbox' has been successfully operated on 'Z:\\' in 'RW' mode.",
+            'expectedUserFullName' => 'THILL Bruno',
+            'expectedMsg' => "Automatic volume mounting'E:\\Users\\bthill\\Documents\\Tests Version 9.1\\9.1.vbox' has been successfully operated on 'Z:\\' in 'RW' mode."
+          },
+          {
+            'message' => "Identifiant Stormshield Data Security : Jocelyn KRYSTLIK\r\rDescription :\rLe déverrouillage de la session Stormshield Data Security de l'utilisateur s'est déroulé normalement.",
+            'expectedUserFullName' => 'Jocelyn KRYSTLIK',
+            'expectedMsg' => "Le déverrouillage de la session Stormshield Data Security de l'utilisateur s'est déroulé normalement."
+          },
+          {
+            'message' => "Identifiant Stormshield Data Security : Jocelyn KRYSTLIK  Description : La demande au service Team a échoué : ''\\\\ARKOON.NET\\BAOBAB\\SHARE\\JPC\\SECURED\\SBOXTEAM.SBT|TEAMOFB (7)'' par ''SBKRNL.EXE''.",
+            'expectedUserFullName' => 'Jocelyn KRYSTLIK',
+            'expectedMsg' => "La demande au service Team a échoué : ''\\\\ARKOON.NET\\BAOBAB\\SHARE\\JPC\\SECURED\\SBOXTEAM.SBT|TEAMOFB (7)'' par ''SBKRNL.EXE''."
+          },
+          {
+            'message' => "Stormshield Data Security Login: Oscar\\\\r\\\\rDescription:\\\\rRépertoire d'installation : C:\\Program Files\\Arkoon\\Security BOX",
+            'expectedUserFullName' => 'Oscar',
+            'expectedMsg' => "Répertoire d'installation : C:\\Program Files\\Arkoon\\Security BOX"
+          },
+        ].each do |test|
+            sample('Message' => test['message']) do
+                expect(subject.get('userFullName')).to eq(test['expectedUserFullName'])
+                expect(subject.get('msg')).to eq test['expectedMsg']
+            end
+        end
+
+        # Test that category is well replaced by EN value
+        sample(
+            'Category' => 'Installation de la Suite Stormshield Data Security',
+            'EventID' => '301',
+        ) do
+            expect(subject.get('Category')).to eq('Administration')
+        end
+
+        # Test a full syslog message
+        sample('Message' => "id=datasecurity AccountName=\"Amelia\" AccountType=User Category=\"Directory administration\" Channel=\"Stormshield Data Security\" Domain=domain.local EventID=728 EventReceivedTime=1471940690 EventTime=\"2016-08-23 08:24:50\" EventType=INFO HostIP=\"10.0.100.11\" Hostname=\"pc11\" Keywords=36028797018963968 Message=\"Stormshield Data Security Login: Amelia\r\rDescription:\rCOMMON_NAME_REVOKE option: Value: ALL Access FALSE\" Opcode=Informations ProcessID=0 RecordNumber=541 Severity=INFO SeverityValue=2 SourceModuleName=SDS_events SourceModuleType=im_msvistalog SourceName=\"Administration\" Task=6 ThreadID=0 UserID=S-1-5-21-1986321934-3787518990-59020978-1000\"") do
+            expect(subject.get('userFullName')).to eq('Amelia')
+            expect(subject.get('msg')).to eq 'COMMON_NAME_REVOKE option: Value: ALL Access FALSE'
+        end
+
+        # Test categories from event id
+        {
+          "300" => "Administration",
+          "699'" => "Administration",
+          "700'" => "Directory administration",
+          "1099'" => "Directory administration",
+          "1100'" => "CRL administration",
+          "1499'" => "CRL administration",
+          "8300'" => "Volume management",
+          "8699'" => "Volume management",
+          "18300" => "Encryption / Decryption to",
+          "18699" => "Encryption / Decryption to",
+          "18700" => "Encryption / Decryption",
+          "19099" => "Encryption / Decryption",
+          "25300" => "Start / Stop",
+          "25699" => "Start / Stop",
+          "25700" => "Network",
+          "26099" => "Network",
+          "26100" => "Card Extension",
+          "26499" => "Card Extension",
+          "31300" => "Login / Logout",
+          "31699" => "Login / Logout",
+          "31700" => "Account administration",
+          "32099" => "Account administration",
+          "32100" => "Key management",
+          "32499" => "Key management",
+          "32500" => "Keystore administration",
+          "32899" => "Keystore administration",
+          "39300" => "Send / Receive",
+          "39699" => "Send / Receive",
+          "47300" => "Sign / Signature",
+          "47499" => "Sign / Signature",
+          "49300" => "Rule management",
+          "49699" => "Rule management",
+          "49700" => "Encryption / Decryption",
+          "50099" => "Encryption / Decryption",
+          "50100" => "Backup / Restore",
+          "50499" => "Backup / Restore",
+          "50500" => "Driver message",
+          "50899" => "Driver message"
+        }.each do |eventID, category|
+          sample('EventID' => eventID) do
+              expect(subject.get('Category')).to eq(category)
+          end
+        end
+
+        # Test unmamaged category
+        sample('EventID' => '50900', 'Category' => unmanagedCategory) do
+          expect(subject.get('Category')).to eq("Umanaged category: '" + unmanagedCategory + "'")
+        end
+
+        # Test file events
+        {
+          "18703" => "File 'A fake file' decryption has failed.",
+          "18301" => "File 'A fake file' encryption (auto-decrypt mode) has failed.",
+          "18305" => "File 'A fake file' encryption (SmartFILE? mode) has failed.",
+          "18309" => "File 'A fake file' encryption has failed for the following recipients: %r%3.",
+          "18701" => "File 'A fake file' encryption has failed.",
+          "18702" => "File 'A fake file' has been successfully decrypted.",
+          "18300" => "File 'A fake file' has been successfully encrypted (auto-decrypt mode).",
+          "18308" => "File 'A fake file' has been successfully encrypted for the following recipients: %r%3.",
+          "18700" => "File 'A fake file' has been successfully encrypted.",
+          "18304" => "File 'A fake file' was successfully encrypted (SmartFILE? mode).",
+          "18313" => "L'ajout des collaborateurs suivants au fichier 'A fake file' a échoué :%r%3.",
+          "18300" => "L'utilisateur a chiffré avec succès le fichier 'A fake file' en mode auto-déchiffrable.",
+          "18304" => "L'utilisateur a chiffré avec succès le fichier 'A fake file' en utilisant SecurityBOX? SmartFile?.",
+          "18308" => "L'utilisateur a chiffré avec succès le fichier 'A fake file' pour les correspondants suivants : %r%3.",
+          "18700" => "L'utilisateur a chiffré le fichier 'A fake file' avec succès.",
+          "18702" => "L'utilisateur a déchiffré le fichier 'A fake file' avec succès.",
+          "18315" => "La suppression des collaborateurs suivants du fichier 'A fake file' a échoué : %r%3.",
+          "18701" => "Le chiffrement du fichier 'A fake file' a échoué.",
+          "18301" => "Le chiffrement du fichier 'A fake file' en mode auto-déchiffrable a échoué.",
+          "18305" => "Le chiffrement du fichier 'A fake file' en utilisant SecurityBOX? SmartFile? a échoué.",
+          "18309" => "Le chiffrement du fichier 'A fake file' pour les correspondants suivants a échoué : %r%3.",
+          "18703" => "Le déchiffrement du fichier 'A fake file' a échoué.",
+          "18312" => "Les collaborateurs suivants ont été ajoutés avec succès au fichier 'A fake file' :%r%3.",
+          "18314" => "Les collaborateurs suivants ont été supprimés avec succès du fichier 'A fake file' :%r%3.",
+          "18313" => "These coworkers could not be added to the file 'A fake file' : %r%3.",
+          "18315" => "These coworkers could not be removed from the file 'A fake file': %r%3.",
+          "18312" => "These coworkers have been added successfully to the file 'A fake file' :%r%3.",
+          "18314" => "These coworkers have been removed successfully from the file 'A fake file':%r%3.",
+        }.each do |eventID, message|
+          sample('EventID' => eventID, 'Message' => "Stormshield Data Security Login: A fake login\r\rDescription:\r" + message) do
+              expect(subject.get('file')).to eq('A fake file')
+          end
+        end
+
+        # Test folder events
+        {
+          "18303" => "Folder 'A fake folder' decryption (auto-decrypt mode) has failed.",
+          "18307" => "Folder 'A fake folder' encryption (SmartFILE? mode) failed.",
+          "18311" => "Folder 'A fake folder' encryption has failed for the following recipients: %r%3.",
+          "18302" => "Folder 'A fake folder' has been successfully encrypted (auto-decrypt mode).",
+          "18306" => "Folder 'A fake folder' has been successfully encrypted (SmartFILE? mode).",
+          "18310" => "Folder 'A fake folder' has been successfully encrypted for the following recipients: %r%3.",
+          "18302" => "L'utilisateur a chiffré avec succès le dossier 'A fake folder' en mode auto-déchiffrable.",
+          "18306" => "L'utilisateur a chiffré avec succès le dossier 'A fake folder' en utilisant SecurityBOX? SmartFile?.",
+          "18310" => "L'utilisateur a chiffré avec succès le dossier 'A fake folder' pour les correspondants suivants : %r%3.",
+          "18303" => "Le chiffrement du dossier 'A fake folder' en mode auto-déchiffrable a échoué.",
+          "18307" => "Le chiffrement du dossier 'A fake folder' en utilisant SecurityBOX? SmartFile? a échoué.",
+          "18311" => "Le chiffrement du dossier 'A fake folder' pour les correspondants suivants a échoué: %r%3.",
+        }.each do |eventID, message|
+          sample('EventID' => eventID, 'Message' => "Stormshield Data Security Login: A fake login\r\rDescription:\r" + message) do
+              expect(subject.get('folder')).to eq('A fake folder')
+          end
+        end
+
+    end
+end

data/spec/spec_helper.rb

@@ -0,0 +1 @@
+require "logstash/devutils/rspec/spec_helper"

metadata

@@ -0,0 +1,92 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-SDS
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Stormshield
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-09-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.4
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.4
+description: SDS filter
+email: svc@stormshield.eu
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/filters/SDS.rb
+- logstash-filter-SDS.gemspec
+- spec/filters/SDS_spec.rb
+- spec/spec_helper.rb
+homepage: https://www.stormshield.eu
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: SDS filter.
+test_files:
+- spec/filters/SDS_spec.rb
+- spec/spec_helper.rb