logstash-filter-cidrtagmap 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: edb209f7d360805f5be547d28728b63e180f3a89
-  data.tar.gz: 3e67480b82b0747e954f43d7ff0891b9db9ab3d6
+  metadata.gz: 46643c17c700e7a7d0df67803c025b0cfd5eaddc
+  data.tar.gz: 9bf4896f9bb7c02e28ea37100932a5c53367a5f5
 SHA512:
-  metadata.gz: 9025ea9cce3c73b21487e8d4ae7278e1fefe300684e960fb555b64d9372a547b2d37333edae89bad3a88ab0d15287cd2e5007478ffac1f4f6942204e51475ccf
-  data.tar.gz: 3623e9fe0dc6f99ec37b23ea5ea5cde0ca5cbc51b6e2d9785590b9d20de23b2ef5824804a8c6d6f9e2921dbc92c80f5d50e604854a11fee43e80136a1d8ca896
+  metadata.gz: 352ede9a9fd1a2044ec928d612c917b56bbafee51cb62b693b9d62aa52c41a050fe2c3fb05376d1530507a3d367077f5ccf203c80ebe5c5a43cfba498b7cd2b2
+  data.tar.gz: d30675b270005ca35b78620117db7958733297319d3da9ee392f548ecf24e674054691838ed80b3c5d83013baf4a5f25cd51743240eeaf8e31f71769eb8e312a

data/README.md

@@ -2,9 +2,12 @@ This logstash filter tags events according to a list of CIDR to tag mappings, an
 
 
 Example:
+--------
 
 ```
 cidrtagmap {
+	#redisserver => '127.0.0.1'
+	#redisnamespace => "ereiamjh"
         mapfilepath => "/path/to/ipmap/file"
         asnmapfilepath => "/path/to/asnmap/file"
         ipfieldlist => [
@@ -19,7 +22,15 @@ cidrtagmap {
 }
 ```
 
-* mapfilepath (required) points to an  external / stand alone text file consisting of lines of the form:
+
+CIDR map configuration
+----------------------
+
+You must specify a map source. Currently there are two forms of this: file based and redis based.
+
+### File based configuration:
+
+* mapfilepath points to an  external / stand alone text file consisting of lines of the form:
 
 ```
 <network>/<mask>,<tag>
@@ -33,15 +44,28 @@ touch <mapfilepath>.RELOAD
 ```
 
 
-* asnmapfilepath (optional) points to a copy of this file: ftp://ftp.arin.net/info/asn.txt 
+### Redis based configuration:
+
+* redisserver = name or ip address of redis server to connect to. If you define this you should also define:
+* redisnamespace = string that will act as a prefix to variables stored in redis
 
 
+In redis then you should define two items:
+* redisnamespace.cidrmap = a hash with cidr => tag kv pairs
+* redisnamespace.reloadmap = 1|0 - tell filter to reload map
+
+
+Other configuration:
+--------------------
+
 * ipfieldlist (required) is a list of event fields that will be eligible for mapping.  Everything that matches
 will be put in a structure subtending an item called cidrtagmap, so
 from the above example a match of the [netflow][dst_address] field would add
 cidrtagmap.netflow.dst_address.tag.  A pair to this field will be cidrtagmap.netflow.dst_address.match 
 which indicates which rule was matched for the mapping.
 
+* asnmapfilepath (optional) points to a copy of this file: ftp://ftp.arin.net/info/asn.txt 
+
 * asnfieldlist (optional) is a list of fields presumed to contain asn numbers.  Everything that matches
 will add e.g. cidrtagmap.netflow.dst_as.asname
 

data/lib/logstash/filters/cidrtagmap.rb

@@ -2,6 +2,7 @@
 require "logstash/filters/base"
 require "logstash/namespace"
 require 'ipaddr'
+require 'redis'
 
 class MapEntry
 	attr_reader :range,:tag
@@ -28,14 +29,29 @@ class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
 
 	config :mapfilepath, :validate => :string, :default => 'cidrmap.txt'
 	config :asnmapfilepath, :validate => :string, :default => 'asn.txt'
-	config :ipfieldlist, :required => true, :list => true , :validate => :string
-	config :asfieldlist, :list => true, :validate => :string
+	config :ipfieldlist, :optional=> true, :list => true , :validate => :string
+	config :redisserver, :optional=> true, :validate => :string
+	config :redisnamespace, :optional=> true, :validate => :string
+	config :asnfieldlist, :list => true, :validate => :string
 
 
 	private
 
+
+	def loadAsnMap
+		begin
+			asntable = File.readlines(@asnmapfilepath)
+			regex = /^ (\d+?)\s+(.+?)\s+/
+			@asnmap = Hash[asntable.collect { |line| line.match(regex)}.select {|each| not each.nil?}.collect{|each| [each[1],each[2]] }]
+			@logger.info("cidrtagmap: loaded asn map file #{@asnmapfilepath}")
+		rescue Exception => e
+			@logger.warn("cidrtagmap: error loading asn map file #{@asnmapfilepath}")
+			@logger.warn("cidrtagmap: #{e.inspect}")
+		end
+	end
+
 	def loadLatestMap
-		if File.exist?(@reloadFlagPath) or @cidrMap.nil?
+		if (not @redisserver) and (File.exist?(@reloadFlagPath) or @cidrMap.nil?)
 			@logger.debug("cidrtagmap: need to load, getting mutex")
 			@mutex.synchronize {
 				# Test again now that we have the floor just in case someone else did it already
@@ -70,18 +86,38 @@ class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
 						@logger.warn("cidrtagmap: error opening map file #{@mapfilepath}\n")
 						@mapFile = nil
 					end
-					begin
-						asntable = File.readlines(@asnmapfilepath)
-						regex = /^ (\d+?)\s+(.+?)\s+/
-						@asnmap = Hash[asntable.collect { |line| line.match(regex)}.select {|each| not each.nil?}.collect{|each| [each[1],each[2]] }]
-					rescue Exception => e
-						@logger.warn("cidrtagmap: error loading asn map file #{@asnmapfilepath}\n")
-						@logger.warn("cidrtagmap: #{e.inspect}")
-					end
+					loadAsnMap
 				else
 					@logger.debug("cidrtagmap: someone already loaded the map - I'm outta here")
 				end
 			}
+		elsif @redisserver
+			if not @redisnamespace
+				@logger.warn("cidrtagmap: redisnamespace not defined - using cidrtagmap")
+				@redisnamespace = 'cidrtagmap'
+			end
+			if @redis["#{@redisnamespace}.reloadmap"] == '1' or @cidrMap.nil?
+				@mutex.synchronize {
+					if @redis["#{@redisnamespace}.reloadmap"] == '1' or @cidrMap.nil?
+						@redis["#{@redisnamespace}.reloadmap"] = '0'
+						@logger.info("cidrtagmap: refreshing map from redis server at #{@redisserver} using namespace '#{@redisnamespace}'")
+						begin
+							rawcidrmap = @redis.hgetall("#{@redisnamespace}.cidrmap")
+							@cidrMap = rawcidrmap.each.map{ |cidr,tag|
+								MapEntry.new("#{cidr},#{tag}")
+							}
+							@cidrMap = @cidrMap.reject { |item| item.nil? }
+							@logger.info("cidrtagmap: loaded #{@cidrMap.inspect}")
+						rescue Exception => e
+							@logger.error("cidrtagmap: error attempting to load map from redis")
+							@logger.error(e.inspect)
+						end
+						loadAsnMap
+					else
+						@logger.debug("cidrtagmap: someone already loaded the map - I'm outta here")
+					end
+				}
+			end
 		end
 	end
 
@@ -114,33 +150,46 @@ class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
 	public
 	def register
 		@mutex = Mutex.new
-		@reloadFlagPath = "#{@mapfilepath}.RELOAD"
-		@logger.info("cidrtagmap: NOTE: touch #{@reloadFlagPath} to force map reload")
+		if @redisserver
+			begin
+				@redis = Redis.new(:host=>@redisserver)
+				@logger.info("cidrtagmap: connected to redis server at #{@redisserver}")
+			rescue Exception => e
+				@logger.error("cidrtagmap: failed to connect to redis server at #{@redisserver}")
+			end
+		else
+			@reloadFlagPath = "#{@mapfilepath}.RELOAD"
+			@logger.info("cidrtagmap: NOTE: touch #{@reloadFlagPath} to force map reload")
+		end
 		loadLatestMap
 	end
 
 	public
 	def filter(event)
 		return unless filter?(event)
-		# There *will* be an @ipfieldlist - this is enforced by the :required directive above
-		@ipfieldlist.each { |fieldname|
-			@logger.debug("cidrtagmap: looking for ipfield '#{fieldname}'")
-			if ipvalue = event.get(fieldname)
-				@logger.debug("cidrtagmap: I found ipfield #{fieldname} with value #{ipvalue}")
-				mapping = mapForIp(ipvalue)
-				if mapping
-					@logger.debug("cidrtagmap: I mapped IP address #{ipvalue} to #{mapping.tag} via range #{mapping.range.to_s}")
-					event.set("[cidrtagmap]#{fieldname}[tag]",mapping.tag)
-					event.set("[cidrtagmap]#{fieldname}[match]",mapping.range.to_s)
-					filter_matched(event)
+		loadLatestMap
+		if @ipfieldlist
+			@ipfieldlist.each { |fieldname|
+				@logger.debug("cidrtagmap: looking for ipfield '#{fieldname}'")
+				if ipvalue = event.get(fieldname)
+					@logger.debug("cidrtagmap: I found ipfield #{fieldname} with value #{ipvalue}")
+					mapping = mapForIp(ipvalue)
+					if mapping
+						@logger.debug("cidrtagmap: I mapped IP address #{ipvalue} to #{mapping.tag} via range #{mapping.range.to_s}")
+						event.set("[cidrtagmap]#{fieldname}[tag]",mapping.tag)
+						event.set("[cidrtagmap]#{fieldname}[match]",mapping.range.to_s)
+						filter_matched(event)
+					end
 				end
-			end
-		}
-		if @asfieldlist
-			@asfieldlist.each { |fieldname|
-				@logger.debug("cidrtagmap: looking for asfield '#{fieldname}'")
+			}
+		else
+			@logger.warn("cidrtagmap: No IP field list defined - not attempting to translate ip addresses!")
+		end
+		if @asnfieldlist
+			@asnfieldlist.each { |fieldname|
+				@logger.debug("cidrtagmap: looking for asnfield '#{fieldname}'")
 				if asvalue = event.get(fieldname)
-					@logger.debug("cidrtagmap: I found asfield #{fieldname} with value #{asvalue}")
+					@logger.debug("cidrtagmap: I found asnfield #{fieldname} with value #{asvalue}")
 					asname = asNameForNumber(asvalue)
 					if asname
 						@logger.debug("cidrtagmap: I mapped as number #{asvalue} to #{asname}")

data/logstash-filter-cidrtagmap.gemspec

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name = 'logstash-filter-cidrtagmap'
-  s.version         = '2.0.0'
+  s.version         = '2.1.0'
   s.licenses = ['Apache-2.0']
-  s.summary = "Filter adds tags to netflow records in logstash based on a static table of cidr->name and adds asn name fields"
-  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.summary = "Filter adds tags to events in logstash based on a table of cidr->name mappings  and optionally adds asn name fields"
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program.  Filter adds tags to events in logstash based on a table of cidr->name mappings  and optionally adds asn name fields"
   s.authors = ["svdasein"]
   s.email = 'daveparker01@gmail.com'
   s.homepage = "https://github.com/svdasein/cidrtagmap"
@@ -20,4 +20,6 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
   s.add_development_dependency 'logstash-devutils'
+
+  s.add_runtime_dependency "redis","~> 3.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-cidrtagmap
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - svdasein
@@ -38,9 +38,24 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description: This gem is a Logstash plugin required to be installed on top of the
   Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
-  gem is not a stand-alone program
+  gem is not a stand-alone program.  Filter adds tags to events in logstash based
+  on a table of cidr->name mappings  and optionally adds asn name fields
 email: daveparker01@gmail.com
 executables: []
 extensions: []
@@ -80,8 +95,8 @@ rubyforge_project:
 rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
-summary: Filter adds tags to netflow records in logstash based on a static table of
-  cidr->name and adds asn name fields
+summary: Filter adds tags to events in logstash based on a table of cidr->name mappings  and
+  optionally adds asn name fields
 test_files:
 - spec/filters/example_spec.rb
 - spec/spec_helper.rb