logstash-filter-cidrtagmap 1.2.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +33 -22
- data/lib/logstash/filters/cidrtagmap.rb +29 -39
- data/logstash-filter-cidrtagmap.gemspec +3 -3
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: edb209f7d360805f5be547d28728b63e180f3a89
|
|
4
|
+
data.tar.gz: 3e67480b82b0747e954f43d7ff0891b9db9ab3d6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9025ea9cce3c73b21487e8d4ae7278e1fefe300684e960fb555b64d9372a547b2d37333edae89bad3a88ab0d15287cd2e5007478ffac1f4f6942204e51475ccf
|
|
7
|
+
data.tar.gz: 3623e9fe0dc6f99ec37b23ea5ea5cde0ca5cbc51b6e2d9785590b9d20de23b2ef5824804a8c6d6f9e2921dbc92c80f5d50e604854a11fee43e80136a1d8ca896
|
data/README.md
CHANGED
|
@@ -1,38 +1,49 @@
|
|
|
1
|
-
This logstash filter tags
|
|
1
|
+
This logstash filter tags events according to a list of CIDR to tag mappings, and optionally maps ASN numbers to names
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
|
|
4
|
+
Example:
|
|
5
|
+
|
|
6
|
+
```
|
|
7
|
+
cidrtagmap {
|
|
8
|
+
mapfilepath => "/path/to/ipmap/file"
|
|
9
|
+
asnmapfilepath => "/path/to/asnmap/file"
|
|
10
|
+
ipfieldlist => [
|
|
11
|
+
'host',
|
|
12
|
+
'[netflow][dst_address]',
|
|
13
|
+
'[etc]'
|
|
14
|
+
]
|
|
15
|
+
asfieldlist => [
|
|
16
|
+
'[netflow][dst_as]',
|
|
17
|
+
'[netflow][src_as]
|
|
18
|
+
]
|
|
19
|
+
}
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
* mapfilepath (required) points to an external / stand alone text file consisting of lines of the form:
|
|
4
23
|
|
|
5
24
|
```
|
|
6
25
|
<network>/<mask>,<tag>
|
|
7
26
|
```
|
|
8
27
|
|
|
9
28
|
The filter can be made to re-load its in-memory representation of the contents of the
|
|
10
|
-
|
|
29
|
+
ipmap file without interrupting/restarting the logstash instance by touching a flag file.
|
|
11
30
|
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
31
|
+
```
|
|
32
|
+
touch <mapfilepath>.RELOAD
|
|
33
|
+
```
|
|
15
34
|
|
|
16
|
-
src_tagMatch = the CIDR spec that matched (as rendered by IPAddr.to_s)
|
|
17
35
|
|
|
18
|
-
|
|
36
|
+
* asnmapfilepath (optional) points to a copy of this file: ftp://ftp.arin.net/info/asn.txt
|
|
19
37
|
|
|
20
38
|
|
|
21
|
-
|
|
39
|
+
* ipfieldlist (required) is a list of event fields that will be eligible for mapping. Everything that matches
|
|
40
|
+
will be put in a structure subtending an item called cidrtagmap, so
|
|
41
|
+
from the above example a match of the [netflow][dst_address] field would add
|
|
42
|
+
cidrtagmap.netflow.dst_address.tag. A pair to this field will be cidrtagmap.netflow.dst_address.match
|
|
43
|
+
which indicates which rule was matched for the mapping.
|
|
22
44
|
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
cidrtagmap {
|
|
26
|
-
mapfilepath => "cidrmap.txt"
|
|
27
|
-
asnmapfilepath => "asn.txt"
|
|
28
|
-
}
|
|
29
|
-
}
|
|
30
|
-
```
|
|
45
|
+
* asnfieldlist (optional) is a list of fields presumed to contain asn numbers. Everything that matches
|
|
46
|
+
will add e.g. cidrtagmap.netflow.dst_as.asname
|
|
31
47
|
|
|
32
|
-
Tell the filter to reload its maps
|
|
33
48
|
|
|
34
|
-
```
|
|
35
|
-
touch <mapfilepath>.RELOAD
|
|
36
|
-
```
|
|
37
49
|
|
|
38
|
-
Reloading is thread safe.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: utf-8
|
|
1
2
|
require "logstash/filters/base"
|
|
2
3
|
require "logstash/namespace"
|
|
3
4
|
require 'ipaddr'
|
|
@@ -25,10 +26,10 @@ class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
|
|
|
25
26
|
|
|
26
27
|
config_name "cidrtagmap"
|
|
27
28
|
|
|
28
|
-
milestone 1
|
|
29
|
-
|
|
30
29
|
config :mapfilepath, :validate => :string, :default => 'cidrmap.txt'
|
|
31
30
|
config :asnmapfilepath, :validate => :string, :default => 'asn.txt'
|
|
31
|
+
config :ipfieldlist, :required => true, :list => true , :validate => :string
|
|
32
|
+
config :asfieldlist, :list => true, :validate => :string
|
|
32
33
|
|
|
33
34
|
|
|
34
35
|
private
|
|
@@ -121,47 +122,36 @@ class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
|
|
|
121
122
|
public
|
|
122
123
|
def filter(event)
|
|
123
124
|
return unless filter?(event)
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
if
|
|
128
|
-
@logger.debug("cidrtagmap:
|
|
129
|
-
|
|
130
|
-
if
|
|
131
|
-
@logger.debug("cidrtagmap:
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
filter_matched(event)
|
|
135
|
-
end
|
|
136
|
-
end
|
|
137
|
-
if netflow["ipv4_dst_addr"]
|
|
138
|
-
@logger.debug("cidrtagmap: checking for dst #{netflow['ipv4_dst_addr']}")
|
|
139
|
-
dst_map = mapForIp(netflow["ipv4_dst_addr"])
|
|
140
|
-
if dst_map
|
|
141
|
-
@logger.debug("cidrtagmap: tagging dst #{netflow['ipv4_dst_addr']} with #{dst_map.tag}")
|
|
142
|
-
netflow["dst_tag"] = dst_map.tag
|
|
143
|
-
netflow["dst_tagMatch"] = dst_map.range.to_s
|
|
144
|
-
filter_matched(event)
|
|
145
|
-
end
|
|
146
|
-
end
|
|
147
|
-
if netflow["dst_as"]
|
|
148
|
-
@logger.debug("cidrtagmap: checking for dst_as #{netflow['dst_as']}")
|
|
149
|
-
dst_asname = asNameForNumber(netflow["dst_as"])
|
|
150
|
-
if dst_asname
|
|
151
|
-
@logger.debug("cidrtagmap: tagging dst_as #{netflow['dst_as']} with #{dst_asname}")
|
|
152
|
-
netflow["dst_as_name"] = dst_asname
|
|
125
|
+
# There *will* be an @ipfieldlist - this is enforced by the :required directive above
|
|
126
|
+
@ipfieldlist.each { |fieldname|
|
|
127
|
+
@logger.debug("cidrtagmap: looking for ipfield '#{fieldname}'")
|
|
128
|
+
if ipvalue = event.get(fieldname)
|
|
129
|
+
@logger.debug("cidrtagmap: I found ipfield #{fieldname} with value #{ipvalue}")
|
|
130
|
+
mapping = mapForIp(ipvalue)
|
|
131
|
+
if mapping
|
|
132
|
+
@logger.debug("cidrtagmap: I mapped IP address #{ipvalue} to #{mapping.tag} via range #{mapping.range.to_s}")
|
|
133
|
+
event.set("[cidrtagmap]#{fieldname}[tag]",mapping.tag)
|
|
134
|
+
event.set("[cidrtagmap]#{fieldname}[match]",mapping.range.to_s)
|
|
153
135
|
filter_matched(event)
|
|
154
136
|
end
|
|
155
137
|
end
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
138
|
+
}
|
|
139
|
+
if @asfieldlist
|
|
140
|
+
@asfieldlist.each { |fieldname|
|
|
141
|
+
@logger.debug("cidrtagmap: looking for asfield '#{fieldname}'")
|
|
142
|
+
if asvalue = event.get(fieldname)
|
|
143
|
+
@logger.debug("cidrtagmap: I found asfield #{fieldname} with value #{asvalue}")
|
|
144
|
+
asname = asNameForNumber(asvalue)
|
|
145
|
+
if asname
|
|
146
|
+
@logger.debug("cidrtagmap: I mapped as number #{asvalue} to #{asname}")
|
|
147
|
+
event.set("[cidrtagmap]#{fieldname}[asname]",asname)
|
|
148
|
+
filter_matched(event)
|
|
149
|
+
end
|
|
163
150
|
end
|
|
164
|
-
|
|
151
|
+
}
|
|
152
|
+
else
|
|
153
|
+
@logger.debug("cidrtagmap: No as field list defined - not attempting to translate asnames!")
|
|
165
154
|
end
|
|
155
|
+
|
|
166
156
|
end
|
|
167
157
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
s.name = 'logstash-filter-cidrtagmap'
|
|
3
|
-
s.version = '
|
|
4
|
-
s.licenses = ['Apache
|
|
3
|
+
s.version = '2.0.0'
|
|
4
|
+
s.licenses = ['Apache-2.0']
|
|
5
5
|
s.summary = "Filter adds tags to netflow records in logstash based on a static table of cidr->name and adds asn name fields"
|
|
6
6
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
|
7
7
|
s.authors = ["svdasein"]
|
|
@@ -18,6 +18,6 @@ Gem::Specification.new do |s|
|
|
|
18
18
|
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
|
|
19
19
|
|
|
20
20
|
# Gem dependencies
|
|
21
|
-
s.add_runtime_dependency "logstash-core-plugin-api", "~>
|
|
21
|
+
s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
|
|
22
22
|
s.add_development_dependency 'logstash-devutils'
|
|
23
23
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-cidrtagmap
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- svdasein
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-08-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logstash-core-plugin-api
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - "~>"
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: '
|
|
19
|
+
version: '2.0'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: '
|
|
26
|
+
version: '2.0'
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: logstash-devutils
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -57,7 +57,7 @@ files:
|
|
|
57
57
|
- spec/spec_helper.rb
|
|
58
58
|
homepage: https://github.com/svdasein/cidrtagmap
|
|
59
59
|
licenses:
|
|
60
|
-
- Apache
|
|
60
|
+
- Apache-2.0
|
|
61
61
|
metadata:
|
|
62
62
|
logstash_plugin: 'true'
|
|
63
63
|
logstash_group: filter
|
|
@@ -77,7 +77,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
77
77
|
version: '0'
|
|
78
78
|
requirements: []
|
|
79
79
|
rubyforge_project:
|
|
80
|
-
rubygems_version: 2.
|
|
80
|
+
rubygems_version: 2.5.1
|
|
81
81
|
signing_key:
|
|
82
82
|
specification_version: 4
|
|
83
83
|
summary: Filter adds tags to netflow records in logstash based on a static table of
|