logstash-filter-dns 3.0.14 → 3.1.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/docs/index.asciidoc +18 -7
- data/lib/logstash/filters/dns.rb +42 -6
- data/logstash-filter-dns.gemspec +1 -1
- data/spec/filters/dns_spec.rb +113 -1
- metadata +2 -2
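--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 72c7e403d0237346a3b975607b580a4becc8c8fb58307837787672aedd8c1e39
+data.tar.gz: 362fda06ed74282ccb9601d8edd520de61feb04da36dd4faf37242ddabfe334e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 63b668e2338a8b0a7d2135bcc54fb6325cad0a1cce60a5a6aadd6a9328c14e8a187248d2211cff189c6bbddea185b1150fe46af2b816a29f735498fbf35d0033
+data.tar.gz: 7ebd10080f2bd78bc325a566f5b31031d20bb8c3e35ee8481bb6943ab8bc07587883f61270b32116500455053a9641f8191cca13f85a25ee5101fab6c513b97c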
data/CHANGELOG.md
CHANGED
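--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -55,7 +55,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-hit_cache_ttl>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-hostsfile>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-max_retries>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-nameserver>> |<<
+| <<plugins-{type}s-{plugin}-nameserver>> |<<hash,hash>>|No
 | <<plugins-{type}s-{plugin}-resolve>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-reverse>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-timeout>> |<<number,number>>|No
@@ -126,18 +126,29 @@ number of times to retry a failed resolve/reverse
 [id="plugins-{type}s-{plugin}-nameserver"]
 ===== `nameserver`
 
-* Value type is <<
+* Value type is <<hash,hash>>, and is composed of:
+* a required `address` key, whose value is either a <<string,string>> or an <<array,array>>, representing one or more nameserver ip addresses
+* an optional `search` key, whose value is either a <<string,string>> or an <<array,array>>, representing between one and six search domains (e.g., with search domain `com`, a query for `example` will match DNS entries for `example.com`)
+* an optional `ndots` key, used in conjunction with `search`, whose value is a <<number,number>>, representing the minimum number of dots in a domain name being resolved that will _prevent_ the search domains from being used (default `1`; this option is rarely needed)
+* For backward-compatibility, values of <<string,string>> and <<array,array>> are also accepted, representing one or more nameserver ip addresses _without_ search domains.
 * There is no default value for this setting.
 
-Use custom nameserver(s). For example:
+Use custom nameserver(s). For example:
+
+[source]
+filter {
+dns {
+nameserver => {
+address => ["8.8.8.8", "8.8.4.4"]
+search => ["internal.net"]
+}
+}
+}
+
 If `nameserver` is not specified then `/etc/resolv.conf` will be read to
 configure the resolver using the `nameserver`, `domain`,
 `search` and `ndots` directives in `/etc/resolv.conf`.
 
-Note that nameservers normally resolve fully qualified domain names (FQDN)
-and relying on `/etc/resolv.conf` can be useful to provide a domains search
-list to resolve underqualified host names for example.
-
 [id="plugins-{type}s-{plugin}-resolve"]
 ===== `resolve`
 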
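--- a/data/lib/logstash/filters/dns.rb
+++ b/data/lib/logstash/filters/dns.rb
@@ -46,14 +46,25 @@ class LogStash::Filters::DNS < LogStash::Filters::Base
 # specified under `reverse` and `resolve`.
 config :action, :validate => [ "append", "replace" ], :default => "append"
 
-# Use custom nameserver(s). For example:
+# Use custom nameserver(s). For example:
+# filter {
+# dns {
+# nameserver => {
+# address => ["8.8.8.8", "8.8.4.4"]
+# search => ["internal.net"]
+# }
+# }
+# }
+#
+# nameserver is a hash with the following key:
+# * a required `address` key, whose value is either a <<string,string>> or an <<array,array>>, representing one or more nameserver ip addresses
+# * an optional `search` key, whose value is either a <<string,string>> or an <<array,array>>, representing between one and six search domains (e.g., with search domain `com`, a query for `example` will match DNS entries for `example.com`)
+# * an optional `ndots` key, used in conjunction with `search`, whose value is a <<number,number>>, representing the minimum number of dots in a domain name being resolved that will _prevent_ the search domains from being used (default `1`; this option is rarely needed)
+# * For backward-compatibility, string ans arrays values are also accepted, representing one or more nameserver ip addresses _without_ search domains.
+#
 # If `nameserver` is not specified then `/etc/resolv.conf` will be read to
 # configure the resolver using the `nameserver`, `domain`,
 # `search` and `ndots` directives in `/etc/resolv.conf`.
-#
-# Note that nameservers normally resolve fully qualified domain names (FQDN)
-# and relying on `/etc/resolv.conf` can be useful to provide a domains search
-# list to resolve underqualified host names for example.
 config :nameserver, :validate => :array
 
 # `resolv` calls will be wrapped in a timeout instance
@@ -125,7 +136,32 @@ class LogStash::Filters::DNS < LogStash::Filters::Base
 
 def build_user_dns_resolver
 return [] if @nameserver.nil? || @nameserver.empty?
-
+
+[::Resolv::DNS.new(normalised_nameserver)]
+end
+
+def normalised_nameserver
+nameserver_hash = @nameserver.kind_of?(Hash) ? @nameserver.dup : { 'address' => @nameserver }
+
+nameserver = nameserver_hash.delete('address') || fail(LogStash::ConfigurationError, "DNS Filter: `nameserver` hash must include `address` (got `#{@nameserver}`)")
+nameserver = Array(nameserver).map(&:to_s)
+nameserver.empty? && fail(LogStash::ConfigurationError, "DNS Filter: `nameserver` addresses, when specified, cannot be empty (got `#{@nameserver}`)")
+
+search = nameserver_hash.delete('search') || []
+search = Array(search).map(&:to_s)
+search.size > 6 && fail(LogStash::ConfigurationError, "DNS Filter: A maximum of 6 `search` domains are accepted (got `#{@nameserver}`)")
+
+ndots = nameserver_hash.delete('ndots') || 1
+ndots = Integer(ndots)
+ndots <= 0 && fail(LogStash::ConfigurationError, "DNS Filter: `ndots` must be positive (got `#{@nameserver}`)")
+
+fail(LogStash::ConfigurationError, "Unknown `nameserver` argument(s): #{nameserver_hash}") unless nameserver_hash.empty?
+
+{
+:nameserver => nameserver,
+:search => search,
+:ndots => ndots
+}
 end
 
 def resolve(event)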
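Review bot: `Integer(ndots)` in `normalised_nameserver` raises a bare `ArgumentError` or `TypeError` for a non-numeric `ndots`, while every other check in the method fails with `LogStash::ConfigurationError` and names the setting. Blank entries also survive `Array(...).map(&:to_s)`, so `address => ""` or `search => ""` passes validation here and is handed to `Resolv::DNS.new`. The fence below converts `ndots` inside a `begin`/`rescue` that re-raises as a configuration error and rejects empty address strings; the same `any?(&:empty?)` test would fit the `search` check. In the first hunk, the comment's example pairs the public resolvers `8.8.8.8`/`8.8.4.4` with `search => ["internal.net"]`, which would send unqualified names taken from events to a third-party resolver with the internal suffix appended; an internal resolver address in the example would avoid suggesting that.

```ruby
def normalised_nameserver
  # … unchanged: nameserver_hash construction and `address` lookup …
  nameserver = Array(nameserver).map(&:to_s)
  (nameserver.empty? || nameserver.any?(&:empty?)) && fail(LogStash::ConfigurationError, "DNS Filter: `nameserver` addresses, when specified, cannot be empty (got `#{@nameserver}`)")
  # … unchanged: `search` lookup and size check …
  ndots = nameserver_hash.delete('ndots') || 1
  begin
    ndots = Integer(ndots)
  rescue ArgumentError, TypeError
    fail(LogStash::ConfigurationError, "DNS Filter: `ndots` must be a number (got `#{@nameserver}`)")
  end
  # … unchanged: positivity check, unknown-key check, returned hash …
end
```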
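--- a/data/logstash-filter-dns.gemspec
+++ b/data/logstash-filter-dns.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
 s.name = 'logstash-filter-dns'
-s.version = '3.0
+s.version = '3.1.0'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Performs a standard or reverse DNS lookup"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"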
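--- a/data/spec/filters/dns_spec.rb
+++ b/data/spec/filters/dns_spec.rb
@@ -418,7 +418,119 @@ describe LogStash::Filters::DNS do
 end
 end
 
-describe "with
+describe "with search configuration" do
+subject(:dns_filter_plugin) { LogStash::Filters::DNS.new(config) }
+
+before(:each) do
+subject.register
+end
+
+context "search domain specified" do
+let(:config) { { "resolve" => ["domain"], "action" => "replace", "nameserver" => { "address" => ["1.2.3.4"], "search" => "elastic.co" } } }
+let(:event) { LogStash::Event.new("domain" => "training") }
+
+it "will expand training to training.elastic.co" do
+allow(Resolv::DNS::Name).to receive(:new).and_call_original
+
+# This is implementation specific but the only way I found to verify that the "search" option was working.
+expect(Resolv::DNS::Name).to receive(:new).with([Resolv::DNS::Label::Str.new("training"), Resolv::DNS::Label::Str.new("elastic"), Resolv::DNS::Label::Str.new("co")]).and_call_original
+
+subject.filter(event)
+end
+end
+end
+
+describe "with nameserver configuration" do
+subject(:dns_filter_plugin) { LogStash::Filters::DNS.new(config) }
+
+before(:each) do
+allow(Resolv::DNS).to receive(:new).and_call_original
+end
+
+context 'nameserver specified as a string' do
+let(:config) { { "nameserver" => "8.8.8.8" } }
+
+it 'sets up the expected Resolv::DNS' do
+dns_filter_plugin.register
+
+expect(Resolv::DNS).to have_received(:new).with(:nameserver => ["8.8.8.8"], :search => [], :ndots => 1)
+end
+end
+
+context 'nameserver specified as an array of strings' do
+let(:config) { { "nameserver" => ["8.8.8.8", "8.8.4.4"] } }
+
+it 'sets up the expected Resolv::DNS' do
+dns_filter_plugin.register
+
+expect(Resolv::DNS).to have_received(:new).with(:nameserver => ["8.8.8.8", "8.8.4.4"], :search => [], :ndots => 1)
+end
+end
+
+context 'nameserver specified as a hash' do
+context 'with only string address' do
+let(:config) { { "nameserver" => { "address" => "8.8.8.8" } } }
+
+it 'sets up the expected Resolv::DNS' do
+dns_filter_plugin.register
+
+expect(Resolv::DNS).to have_received(:new).with(:nameserver => ["8.8.8.8"], :search => [], :ndots => 1)
+end
+end
+context 'with only array address' do
+let(:config) { { "nameserver" => { "address" => ["8.8.8.8", "8.8.4.4"] } } }
+
+it 'sets up the expected Resolv::DNS' do
+dns_filter_plugin.register
+
+expect(Resolv::DNS).to have_received(:new).with(:nameserver => ["8.8.8.8", "8.8.4.4"], :search => [], :ndots => 1)
+end
+end
+context 'with search domains' do
+let(:config) do
+{
+"nameserver" => {
+"address" => ["127.0.0.1"],
+"search" => search_domains
+}
+}
+end
+
+{
+"string" => "internal.net",
+"array of strings" => ["internal.net", "internal1.com"]
+}.each do |desc, search_domains_arg|
+let(:search_domains) { search_domains_arg }
+context "as #{desc}" do
+it 'sets up the expected Resolv::DNS' do
+dns_filter_plugin.register
+
+expect(Resolv::DNS).to have_received(:new).with(:nameserver => ["127.0.0.1"], :search => Array(search_domains), :ndots => 1)
+end
+end
+end
+end
+end
+end
+
+describe "without nameserver configuration" do
+subject(:dns_filter_plugin) { LogStash::Filters::DNS.new(config) }
+
+context 'nameserver not specified' do
+let(:config) { { "resolve" => ["domain"], "action" => "replace" } }
+
+it 'sets up the expected Resolv::DNS without arguments' do
+# We expect that when no nameserver option is specified
+# Resolv::DNS.new will be called without arguments thus reading /etc/resolv.conf
+# for its configuration which is the desired behaviour for backward compatibility
+
+expect(Resolv::DNS).to receive(:new).once.with(no_args)
+dns_filter_plugin.register
+end
+end
+end
+
+describe "with hostsfile integration" do
 describe "lookup using fixture hosts file" do
 let(:subject) { LogStash::Filters::DNS.new(config) }
 let(:hostsfile) { File.join(File.dirname(__FILE__), "..", "fixtures", "hosts") }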
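Review bot: `let(:search_domains) { search_domains_arg }` sits inside the `.each` block but before `context "as #{desc}" do`, so both iterations define the same `let` on the enclosing 'with search domains' group and the second definition should replace the first. The "as string" example would then run with the array value, and because its expectation is built from `Array(search_domains)` it still passes without exercising the string form. Moving the `let(:search_domains) { search_domains_arg }` line inside the `context "as #{desc}" do` block gives each case its own value. The added specs also cover only accepted configurations: none asserts a `LogStash::ConfigurationError` for a hash without `address`, more than six `search` domains, a non-positive `ndots` or an unknown key, which are the rejection branches this release adds in `normalised_nameserver`.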
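--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-dns
 version: !ruby/object:Gem::Version
-version: 3.0
+version: 3.1.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-
+date: 2019-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement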