logstash-filter-cidrtagmap 1.2.0 → 2.0.0
- checksums.yaml +4 -4
- data/README.md +33 -22
- data/lib/logstash/filters/cidrtagmap.rb +29 -39
- data/logstash-filter-cidrtagmap.gemspec +3 -3
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: edb209f7d360805f5be547d28728b63e180f3a89
|
4
|
+
data.tar.gz: 3e67480b82b0747e954f43d7ff0891b9db9ab3d6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9025ea9cce3c73b21487e8d4ae7278e1fefe300684e960fb555b64d9372a547b2d37333edae89bad3a88ab0d15287cd2e5007478ffac1f4f6942204e51475ccf
|
7
|
+
data.tar.gz: 3623e9fe0dc6f99ec37b23ea5ea5cde0ca5cbc51b6e2d9785590b9d20de23b2ef5824804a8c6d6f9e2921dbc92c80f5d50e604854a11fee43e80136a1d8ca896
|
data/README.md
CHANGED
@@ -1,38 +1,49 @@
|
|
1
|
-
This logstash filter tags
|
1
|
+
This logstash filter tags events according to a list of CIDR to tag mappings, and optionally maps ASN numbers to names
|
2
2
|
|
3
|
-
|
3
|
+
|
4
|
+
Example:
|
5
|
+
|
6
|
+
```
|
7
|
+
cidrtagmap {
|
8
|
+
mapfilepath => "/path/to/ipmap/file"
|
9
|
+
asnmapfilepath => "/path/to/asnmap/file"
|
10
|
+
ipfieldlist => [
|
11
|
+
'host',
|
12
|
+
'[netflow][dst_address]',
|
13
|
+
'[etc]'
|
14
|
+
]
|
15
|
+
asfieldlist => [
|
16
|
+
'[netflow][dst_as]',
|
17
|
+
'[netflow][src_as]
|
18
|
+
]
|
19
|
+
}
|
20
|
+
```
|
21
|
+
|
22
|
+
* mapfilepath (required) points to an external / stand alone text file consisting of lines of the form:
|
4
23
|
|
5
24
|
```
|
6
25
|
<network>/<mask>,<tag>
|
7
26
|
```
|
8
27
|
|
9
28
|
The filter can be made to re-load its in-memory representation of the contents of the
|
10
|
-
|
29
|
+
ipmap file without interrupting/restarting the logstash instance by touching a flag file.
|
11
30
|
|
12
|
-
|
13
|
-
|
14
|
-
|
31
|
+
```
|
32
|
+
touch <mapfilepath>.RELOAD
|
33
|
+
```
|
15
34
|
|
16
|
-
src_tagMatch = the CIDR spec that matched (as rendered by IPAddr.to_s)
|
17
35
|
|
18
|
-
|
36
|
+
* asnmapfilepath (optional) points to a copy of this file: ftp://ftp.arin.net/info/asn.txt
|
19
37
|
|
20
38
|
|
21
|
-
|
39
|
+
* ipfieldlist (required) is a list of event fields that will be eligible for mapping. Everything that matches
|
40
|
+
will be put in a structure subtending an item called cidrtagmap, so
|
41
|
+
from the above example a match of the [netflow][dst_address] field would add
|
42
|
+
cidrtagmap.netflow.dst_address.tag. A pair to this field will be cidrtagmap.netflow.dst_address.match
|
43
|
+
which indicates which rule was matched for the mapping.
|
22
44
|
|
23
|
-
|
24
|
-
|
25
|
-
cidrtagmap {
|
26
|
-
mapfilepath => "cidrmap.txt"
|
27
|
-
asnmapfilepath => "asn.txt"
|
28
|
-
}
|
29
|
-
}
|
30
|
-
```
|
45
|
+
* asnfieldlist (optional) is a list of fields presumed to contain asn numbers. Everything that matches
|
46
|
+
will add e.g. cidrtagmap.netflow.dst_as.asname
|
31
47
|
|
32
|
-
Tell the filter to reload its maps
|
33
48
|
|
34
|
-
```
|
35
|
-
touch <mapfilepath>.RELOAD
|
36
|
-
```
|
37
49
|
|
38
|
-
Reloading is thread safe.
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# encoding: utf-8
|
1
2
|
require "logstash/filters/base"
|
2
3
|
require "logstash/namespace"
|
3
4
|
require 'ipaddr'
|
@@ -25,10 +26,10 @@ class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
|
|
25
26
|
|
26
27
|
config_name "cidrtagmap"
|
27
28
|
|
28
|
-
milestone 1
|
29
|
-
|
30
29
|
config :mapfilepath, :validate => :string, :default => 'cidrmap.txt'
|
31
30
|
config :asnmapfilepath, :validate => :string, :default => 'asn.txt'
|
31
|
+
config :ipfieldlist, :required => true, :list => true , :validate => :string
|
32
|
+
config :asfieldlist, :list => true, :validate => :string
|
32
33
|
|
33
34
|
|
34
35
|
private
|
@@ -121,47 +122,36 @@ class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
|
|
121
122
|
public
|
122
123
|
def filter(event)
|
123
124
|
return unless filter?(event)
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
if
|
128
|
-
@logger.debug("cidrtagmap:
|
129
|
-
|
130
|
-
if
|
131
|
-
@logger.debug("cidrtagmap:
|
132
|
-
|
133
|
-
|
134
|
-
filter_matched(event)
|
135
|
-
end
|
136
|
-
end
|
137
|
-
if netflow["ipv4_dst_addr"]
|
138
|
-
@logger.debug("cidrtagmap: checking for dst #{netflow['ipv4_dst_addr']}")
|
139
|
-
dst_map = mapForIp(netflow["ipv4_dst_addr"])
|
140
|
-
if dst_map
|
141
|
-
@logger.debug("cidrtagmap: tagging dst #{netflow['ipv4_dst_addr']} with #{dst_map.tag}")
|
142
|
-
netflow["dst_tag"] = dst_map.tag
|
143
|
-
netflow["dst_tagMatch"] = dst_map.range.to_s
|
144
|
-
filter_matched(event)
|
145
|
-
end
|
146
|
-
end
|
147
|
-
if netflow["dst_as"]
|
148
|
-
@logger.debug("cidrtagmap: checking for dst_as #{netflow['dst_as']}")
|
149
|
-
dst_asname = asNameForNumber(netflow["dst_as"])
|
150
|
-
if dst_asname
|
151
|
-
@logger.debug("cidrtagmap: tagging dst_as #{netflow['dst_as']} with #{dst_asname}")
|
152
|
-
netflow["dst_as_name"] = dst_asname
|
125
|
+
# There *will* be an @ipfieldlist - this is enforced by the :required directive above
|
126
|
+
@ipfieldlist.each { |fieldname|
|
127
|
+
@logger.debug("cidrtagmap: looking for ipfield '#{fieldname}'")
|
128
|
+
if ipvalue = event.get(fieldname)
|
129
|
+
@logger.debug("cidrtagmap: I found ipfield #{fieldname} with value #{ipvalue}")
|
130
|
+
mapping = mapForIp(ipvalue)
|
131
|
+
if mapping
|
132
|
+
@logger.debug("cidrtagmap: I mapped IP address #{ipvalue} to #{mapping.tag} via range #{mapping.range.to_s}")
|
133
|
+
event.set("[cidrtagmap]#{fieldname}[tag]",mapping.tag)
|
134
|
+
event.set("[cidrtagmap]#{fieldname}[match]",mapping.range.to_s)
|
153
135
|
filter_matched(event)
|
154
136
|
end
|
155
137
|
end
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
138
|
+
}
|
139
|
+
if @asfieldlist
|
140
|
+
@asfieldlist.each { |fieldname|
|
141
|
+
@logger.debug("cidrtagmap: looking for asfield '#{fieldname}'")
|
142
|
+
if asvalue = event.get(fieldname)
|
143
|
+
@logger.debug("cidrtagmap: I found asfield #{fieldname} with value #{asvalue}")
|
144
|
+
asname = asNameForNumber(asvalue)
|
145
|
+
if asname
|
146
|
+
@logger.debug("cidrtagmap: I mapped as number #{asvalue} to #{asname}")
|
147
|
+
event.set("[cidrtagmap]#{fieldname}[asname]",asname)
|
148
|
+
filter_matched(event)
|
149
|
+
end
|
163
150
|
end
|
164
|
-
|
151
|
+
}
|
152
|
+
else
|
153
|
+
@logger.debug("cidrtagmap: No as field list defined - not attempting to translate asnames!")
|
165
154
|
end
|
155
|
+
|
166
156
|
end
|
167
157
|
end
|
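Review bot: The `event.set("[cidrtagmap]#{fieldname}[tag]", ...)`, `[match]` and `[asname]` calls near the end of the hunk interpolate the configured field name verbatim, so a bare top-level name such as the README's `'host'` produces `[cidrtagmap]host[tag]`, which is not well-formed Logstash field-reference syntax and, depending on the Logstash version's reference parser, is either rejected or split into unintended path segments. Normalising once per field avoids that: `ref = fieldname.start_with?('[') ? fieldname : "[#{fieldname}]"` followed by `event.set("[cidrtagmap]#{ref}[tag]", mapping.tag)` (and the same `ref` for `[match]` and `[asname]`). Separately, `mapForIp` and `asNameForNumber` receive the raw event value and are defined outside this hunk; since those values come straight from ingested, potentially attacker-controlled netflow data, it is worth confirming that a non-string or unparsable value (an array, or anything `IPAddr.new` rejects with `IPAddr::InvalidAddressError`) is rescued there rather than propagating out of `filter` and stalling the pipeline worker. A guard such as `next unless ipvalue.is_a?(String)` before the lookup would make that expectation explicit in this method.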
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
s.name = 'logstash-filter-cidrtagmap'
|
3
|
-
s.version = '
|
4
|
-
s.licenses = ['Apache
|
3
|
+
s.version = '2.0.0'
|
4
|
+
s.licenses = ['Apache-2.0']
|
5
5
|
s.summary = "Filter adds tags to netflow records in logstash based on a static table of cidr->name and adds asn name fields"
|
6
6
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
7
7
|
s.authors = ["svdasein"]
|
@@ -18,6 +18,6 @@ Gem::Specification.new do |s|
|
|
18
18
|
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
|
19
19
|
|
20
20
|
# Gem dependencies
|
21
|
-
s.add_runtime_dependency "logstash-core-plugin-api", "~>
|
21
|
+
s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
|
22
22
|
s.add_development_dependency 'logstash-devutils'
|
23
23
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-filter-cidrtagmap
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 2.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- svdasein
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-08-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logstash-core-plugin-api
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '
|
19
|
+
version: '2.0'
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '
|
26
|
+
version: '2.0'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: logstash-devutils
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -57,7 +57,7 @@ files:
|
|
57
57
|
- spec/spec_helper.rb
|
58
58
|
homepage: https://github.com/svdasein/cidrtagmap
|
59
59
|
licenses:
|
60
|
-
- Apache
|
60
|
+
- Apache-2.0
|
61
61
|
metadata:
|
62
62
|
logstash_plugin: 'true'
|
63
63
|
logstash_group: filter
|
@@ -77,7 +77,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
77
77
|
version: '0'
|
78
78
|
requirements: []
|
79
79
|
rubyforge_project:
|
80
|
-
rubygems_version: 2.
|
80
|
+
rubygems_version: 2.5.1
|
81
81
|
signing_key:
|
82
82
|
specification_version: 4
|
83
83
|
summary: Filter adds tags to netflow records in logstash based on a static table of
|