logstash-filter-elastic_integration 0.0.1-java

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9c797a3d5774cab43738ee098605fcba0a8df86d104b5334d38b27f882e7b086
+  data.tar.gz: 43d2a785e22bf742e3e3fb9ba0ae93a7b2ede62ed6a25fae590fbd6c869eb729
+SHA512:
+  metadata.gz: 2ed848a542bf89c151122bdf98d7ca7c85573ee3d81e5019632f2a1be2c61941d704e21342f28c1e52680956a862a823939e43c61d682e59a877bbedd198c0e6
+  data.tar.gz: 3d2231665a2277b8bed047b1fbf412e56d3e84926893769e69277d1e3d400781d41c2e0551b8d21e3b0ba9eaab1621c7514f497c87ea07f402b740d90b1e2fc4

data/LICENSE.md

@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.

data/NOTICE.txt

@@ -0,0 +1,5 @@
+Elastic Integration filter for Logstash
+Copyright (c) 2023 Elastic, N.V.
+
+Distributable artifacts of this product include software developed
+by The Apache Software Foundation (http://www.apache.org/).

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/lib/logstash/filters/elastic_integration/event_api_bridge.rb

@@ -0,0 +1,66 @@
+# encoding: utf-8
+
+########################################################################
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V.
+# under one or more contributor license agreements. Licensed under the
+# Elastic License 2.0; you may not use this file except in compliance
+# with the Elastic License 2.0.
+########################################################################
+
+##
+# This module contains methods for bridging the gap between the
+# Ruby-API [LogStash::Event] and its Java-API [co.elastic.logstash.api.Event]
+# counterpart, producing bidirectional zero-copy _views_ of one API for use
+# with the other API.
+module LogStash::Filters::ElasticIntegration::EventApiBridge
+
+  ##
+  # Converts a collection of Ruby-API events into a collection
+  # of Java-API events.
+  #
+  # @param ruby_events [Array[LogStash::Event]]
+  # @return [Array[co.elastic.logstash.api.Event]]
+  def ruby_events_as_java(ruby_events)
+    ruby_events.map do |ruby_event|
+      mutable_java_view_of_ruby_event(ruby_event)
+    end
+  end
+
+  ##
+  # Converts a collection of Java-API events into a collection
+  # of Ruby-API events.
+  #
+  # @param java_events [Array[co.elastic.logstash.api.Event]]
+  # @return [Array[LogStash::Event]]
+  def java_events_as_ruby(java_events)
+    java_events.map do |java_event|
+      mutable_ruby_view_of_java_event(java_event)
+    end
+  end
+
+  ##
+  # Returns the Java-API event that backs the provided Ruby-API event.
+  # Mutations to the Java-API event are reflected by the Ruby-API event.
+  #
+  # @param ruby_api_event [LogStash::Event]
+  # @return [co.elastic.logstash.api.Event]
+  def mutable_java_view_of_ruby_event(ruby_api_event)
+    ruby_api_event.to_java
+  end
+
+  # Because LS Core's RubyEvent.newRubyEvent(Runtime, Event)
+  # requires the ruby runtime which is constant-once-defined,
+  # we look it up and memoize it once.
+  RUBY_RUNTIME = self.to_java.getMetaClass().to_java.getClassRuntime()
+  private_constant :RUBY_RUNTIME
+
+  ##
+  # Returns a Ruby-API event that is backed by the provided Java-API event.
+  # Mutations to the Ruby-API event directly modify the underlying Java-API event.
+  #
+  # @param java_api_event [co.elastic.logstash.api.Event]
+  # @return [LogStash::Event]
+  def mutable_ruby_view_of_java_event(java_api_event)
+    org.logstash.ext.JrubyEventExtLibrary::RubyEvent.newRubyEvent(RUBY_RUNTIME, java_api_event)
+  end
+end

data/lib/logstash/filters/elastic_integration/jar_dependencies.rb

@@ -0,0 +1,11 @@
+# AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
+
+########################################################################
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V.
+# under one or more contributor license agreements. Licensed under the
+# Elastic License 2.0; you may not use this file except in compliance
+# with the Elastic License 2.0.
+########################################################################
+
+require 'jar_dependencies'
+require_jar('co.elastic.logstash.plugins.filter.elasticintegration', 'logstash-filter-elastic_integration', '0.0.1')

data/lib/logstash/filters/elastic_integration.rb

@@ -0,0 +1,369 @@
+# encoding: utf-8
+
+########################################################################
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V.
+# under one or more contributor license agreements. Licensed under the
+# Elastic License 2.0; you may not use this file except in compliance
+# with the Elastic License 2.0.
+########################################################################
+
+require "logstash/filters/base"
+require "logstash/namespace"
+
+require_relative "elastic_integration/jar_dependencies"
+
+class LogStash::Filters::ElasticIntegration < LogStash::Filters::Base
+
+  require_relative "elastic_integration/event_api_bridge"
+  include EventApiBridge
+
+  config_name "elastic_integration"
+
+  java_import('co.elastic.logstash.filters.elasticintegration.PluginConfiguration')
+  java_import('co.elastic.logstash.filters.elasticintegration.EventProcessor')
+  java_import('co.elastic.logstash.filters.elasticintegration.EventProcessorBuilder')
+  java_import('co.elastic.logstash.filters.elasticintegration.ElasticsearchRestClientBuilder')
+  java_import('co.elastic.logstash.filters.elasticintegration.PreflightCheck')
+
+  ELASTICSEARCH_DEFAULT_PORT = 9200.freeze
+  ELASTICSEARCH_DEFAULT_PATH = '/'.freeze
+  HTTP_PROTOCOL = "http".freeze
+  HTTPS_PROTOCOL = "https".freeze
+
+  # Sets the host(s) of the remote instance. If given an array it will load balance
+  # requests across the hosts specified in the `hosts` parameter. Hosts can be any of
+  # the forms:
+  #     `"127.0.0.1"`
+  #     `["127.0.0.1:9200","127.0.0.2:9200"]`
+  #     `["http://127.0.0.1"]`
+  #     `["https://127.0.0.1:9200"]`
+  #     `["https://127.0.0.1:9200/mypath"]` (If using a proxy on a subpath)
+  # If the protocol is unspecified, this plugin assumes `https` when `ssl => true` (default)
+  # or `http` when `ssl => false`.
+  #
+  # It is important to exclude http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html[dedicated master nodes] from the `hosts` list
+  # to prevent LS from overloading the master nodes. So this parameter should only reference either data or client nodes in Elasticsearch.
+  #
+  # Any special characters present in the URLs here MUST be URL escaped! This means `#` should be put in as `%23` for instance.
+  config :hosts, :validate => :uri, :list => true
+
+  # Cloud ID, from the Elastic Cloud web console. If set `hosts` should not be used.
+  #
+  # For more details, check out the https://www.elastic.co/guide/en/logstash/current/connecting-to-cloud.html#_cloud_id[cloud documentation]
+  config :cloud_id, :validate => :string
+
+  # Enable SSL/TLS secured communication to Elasticsearch cluster
+  config :ssl_enabled, :validate => :boolean
+
+  # Determines how much to verify a presented SSL certificate when `ssl => true`
+  #  - none: no validation
+  #  - certificate: trustworthy certificate (identity claims NOT validated)
+  #  - full (default): trustworthy certificate WITH validated identity claims
+  config :ssl_verification_mode, :validate => %w(full certificate none)
+
+  # A path to truststore, used to _override_ the system truststore
+  config :ssl_truststore_path, :validate => :path
+
+  # A password for truststore
+  config :ssl_truststore_password, :validate => :password
+
+  # list of paths for SSL certificate authorities, used to _override_ the system truststore
+  config :ssl_certificate_authorities, :validate => :path, :list => true
+
+  # a path for SSL certificate which will be used when SSL is enabled
+  config :ssl_certificate, :validate => :path
+
+  # a path for SSL certificate key
+  config :ssl_key, :validate => :path
+
+  # SSL keyphrase
+  config :ssl_key_passphrase, :validate => :password
+
+  # The keystore used to present a certificate to the server
+  config :ssl_keystore_path, :validate => :path
+
+  # A password for SSL keystore
+  config :ssl_keystore_password, :validate => :password
+
+  # Username for basic authentication
+  config :auth_basic_username, :validate => :string
+
+  # Password for basic authentication
+  config :auth_basic_password, :validate => :password
+
+  # Cloud authentication string ("<username>:<password>" format) to connect to Elastic cloud.
+  #
+  # For more details, check out the https://www.elastic.co/guide/en/logstash/current/connecting-to-cloud.html#_cloud_auth[cloud documentation]
+  config :cloud_auth, :validate => :password
+
+  # A key to authenticate when connecting to Elasticsearch
+  config :api_key, :validate => :password
+
+  # A directory containing one or more Maxmind Datbase files in *.mmdb format
+  config :geoip_database_directory, :validate => :path
+
+
+  def initialize(*a, &b)
+    # This Elastic-licensed plugin needs to run in a _complete_ distro of Logstash that
+    # has non-OSS features active. Runtime detection mechanism relies on LogStash::OSS,
+    # which is set in the prelude to LogStash::Runner, and is bypassed when LogStash::OSS
+    # is not defined (such as when running specs from source)
+    if defined?(LogStash::OSS) && LogStash::OSS
+      raise_config_error! <<~ERR
+        The Elastic Integration filter for Logstash is an Elastic-licensed plugin
+        that REQUIRES the complete Logstash distribution, including non-OSS features.
+      ERR
+    end
+
+    super
+  end
+
+  def register
+    @logger.debug("Registering `filter-elastic_integration` plugin.", :params => original_params)
+
+    validate_connection_settings!
+    @ssl_enabled = infer_ssl_from_connection_settings if @ssl_enabled.nil?
+
+    validate_ssl_settings!
+    validate_auth_settings!
+    validate_and_normalize_hosts
+
+    initialize_elasticsearch_rest_client!
+    initialize_geoip_database_provider!
+    initialize_event_processor!
+
+    perform_preflight_check!
+  end # def register
+
+  def filter(event)
+    fail "#{self.class}#filter is not allowed. Use #{self.class}#multi_filter"
+  end
+
+  def multi_filter(ruby_api_events)
+    LogStash::Util.set_thread_plugin(self)
+
+    incoming_java_api_events = ruby_events_as_java(ruby_api_events)
+
+    outgoing_java_api_events = @event_processor.process_events(incoming_java_api_events)
+
+    java_events_as_ruby(outgoing_java_api_events)
+  end
+
+  def filter_matched_java(java_event)
+    filter_matched(mutable_ruby_view_of_java_event(java_event))
+  end
+
+  def close
+    @elasticsearch_rest_client&.close
+    @geoip_database_provider&.close
+    @event_processor&.close
+  end
+
+  private
+
+  def validate_connection_settings!
+    @cloud_id = @cloud_id&.freeze
+
+    raise_config_error! "`hosts` and `cloud_id` cannot be used together." if @hosts && @cloud_id
+    raise_config_error! "Either `hosts` or `cloud_id` is required" unless @hosts || @cloud_id
+    raise_config_error! "Empty `cloud_id` is not allowed" if @cloud_id && @cloud_id.empty?
+    raise_config_error! "Empty `hosts` is not allowed" if @hosts && @hosts.size == 0 # let's also catch [""]
+  end
+
+  def infer_ssl_from_connection_settings
+    return true if @cloud_id
+    return true if @hosts.all? { |host| host.scheme.to_s.empty? }
+    return true if @hosts.all? { |host| host.scheme == HTTPS_PROTOCOL }
+    return false if @hosts.all? { |host| host.scheme == HTTP_PROTOCOL }
+
+    raise_config_error! "`hosts` contains entries with mixed protocols, which are unsupported; when any entry includes a protocol, the protocols of all must match each other"
+  end
+
+  def validate_and_normalize_hosts
+    return if @hosts.nil? || @hosts.size == 0
+
+    # host normalization expects `ssl_enabled` to be resolved (not nil)
+    # let's add a safeguard to make sure we don't break the behavior in the future
+    raise_config_error! "`hosts` cannot be normalized with `ssl_enabled => nil`" if @ssl_enabled.nil?
+
+    root_path = @hosts[0].path.empty? ? ELASTICSEARCH_DEFAULT_PATH : @hosts[0].path
+    scheme = @ssl_enabled ? HTTPS_PROTOCOL : HTTP_PROTOCOL
+
+    @hosts = @hosts.each do |host_uri|
+      # no need to validate hostname, uri validates it at initialize
+      host_uri.port=(ELASTICSEARCH_DEFAULT_PORT) if host_uri.port.nil?
+      host_uri.path=(ELASTICSEARCH_DEFAULT_PATH) if host_uri.path.to_s.empty?
+      agree_with = host_uri.path == root_path
+      raise_config_error! "All hosts must use same path." unless agree_with
+
+      host_uri.update(:scheme, scheme) if host_uri.scheme.to_s.empty?
+      agree_with = host_uri.scheme == scheme
+      raise_config_error! "All hosts must agree with #{scheme} schema when#{@ssl_enabled ? '' : ' NOT'} using `ssl_enabled`." unless agree_with
+
+      host_uri.freeze
+    end.freeze
+  end
+
+  def validate_auth_settings!
+    @cloud_auth           = @cloud_auth&.freeze
+    @api_key              = @api_key&.freeze
+    @auth_basic_username  = @auth_basic_username&.freeze
+    @auth_basic_password  = @auth_basic_password&.freeze
+
+    raise_config_error! "`auth_basic_username` requires `auth_basic_password`" if @auth_basic_username && !@auth_basic_password
+    raise_config_error! "`auth_basic_password` is not allowed unless `auth_basic_username` is specified" if !@auth_basic_username && @auth_basic_password
+    if @auth_basic_username && @auth_basic_password
+      raise_config_error! "Empty `auth_basic_username` or `auth_basic_password` is not allowed" if @auth_basic_username.empty? || @auth_basic_password.value.empty?
+    end
+
+    possible_auth_options = original_params.keys & %w(auth_basic_password cloud_auth api_key)
+    raise_config_error!("Multiple authentication #{possible_auth_options} options cannot be used together. Please provide ONLY one.") if possible_auth_options.size > 1
+
+    raise_config_error! "Empty `cloud_auth` is not allowed" if @cloud_auth && @cloud_auth.value.empty?
+    raise_config_error! "Empty `api_key` is not allowed" if @api_key && @api_key.value.empty?
+
+    @logger.warn("Credentials are being sent over unencrypted HTTP. This may bring security risk.") if possible_auth_options.size == 1 && !@ssl_enabled
+  end
+
+  def validate_ssl_settings!
+    @ssl_enabled                 = @ssl_enabled&.freeze
+    @ssl_verification_mode       = @ssl_verification_mode&.freeze
+    @ssl_certificate             = @ssl_certificate&.freeze
+    @ssl_key                     = @ssl_key&.freeze
+    @ssl_key_passphrase          = @ssl_key_passphrase&.freeze
+    @ssl_truststore_path         = @ssl_truststore_path&.freeze
+    @ssl_truststore_password     = @ssl_truststore_password&.freeze
+    @ssl_keystore_path           = @ssl_keystore_path&.freeze
+    @ssl_keystore_password       = @ssl_keystore_password&.freeze
+    @ssl_certificate_authorities = @ssl_certificate_authorities&.freeze
+
+    if @ssl_enabled
+      # when SSL is enabled, the default ssl_verification_mode is "full"
+      @ssl_verification_mode = "full".freeze if @ssl_verification_mode.nil?
+
+      # optional: presenting our identity
+      raise_config_error! "`ssl_certificate` and `ssl_keystore_path` cannot be used together." if @ssl_certificate && @ssl_keystore_path
+      raise_config_error! "`ssl_certificate` requires `ssl_key`" if @ssl_certificate && !@ssl_key
+      ensure_readable_and_non_writable! "ssl_certificate", @ssl_certificate if @ssl_certificate
+
+      raise_config_error! "`ssl_key` is not allowed unless `ssl_certificate` is specified" if @ssl_key && !@ssl_certificate
+      raise_config_error! "`ssl_key` requires `ssl_key_passphrase`" if @ssl_key && !@ssl_key_passphrase
+      ensure_readable_and_non_writable! "ssl_key", @ssl_key if @ssl_key
+
+      raise_config_error! "`ssl_key_passphrase` is not allowed unless `ssl_key` is specified" if @ssl_key_passphrase && !@ssl_key
+      raise_config_error! "`ssl_key_passphrase` cannot be empty" if @ssl_key_passphrase && @ssl_key_passphrase.value.empty?
+
+      raise_config_error! "`ssl_keystore_path` requires `ssl_keystore_password`" if @ssl_keystore_path && !@ssl_keystore_password
+      raise_config_error! "`ssl_keystore_password` is not allowed unless `ssl_keystore_path` is specified" if @ssl_keystore_password && !@ssl_keystore_path
+      raise_config_error! "`ssl_keystore_password` cannot be empty" if @ssl_keystore_password && @ssl_keystore_password.value.empty?
+      ensure_readable_and_non_writable! "ssl_keystore_path", @ssl_keystore_path if @ssl_keystore_path
+
+      # establishing trust of the server we connect to
+      # system-provided trust requires verification mode enabled
+      if @ssl_verification_mode == "none"
+        raise_config_error! "`ssl_truststore_path` requires `ssl_verification_mode` to be either `full` or `certificate`" if @ssl_truststore_path
+        raise_config_error! "`ssl_truststore_password` requires `ssl_truststore_path` and `ssl_verification_mode` (either `full` or `certificate`)" if @ssl_truststore_password
+        raise_config_error! "`ssl_certificate_authorities` requires `ssl_verification_mode` to be either `full` or `certificate`" if @ssl_certificate_authorities
+      end
+
+      raise_config_error! "`ssl_truststore_path` and `ssl_certificate_authorities` cannot be used together." if @ssl_truststore_path && @ssl_certificate_authorities
+      raise_config_error! "`ssl_truststore_path` requires `ssl_truststore_password`" if @ssl_truststore_path && !@ssl_truststore_password
+      ensure_readable_and_non_writable! "ssl_truststore_path", @ssl_truststore_path if @ssl_truststore_path
+
+      raise_config_error! "`ssl_truststore_password` is not allowed unless `ssl_truststore_path` is specified" if !@ssl_truststore_path && @ssl_truststore_password
+      raise_config_error! "`ssl_truststore_password` cannot be empty" if @ssl_truststore_password && @ssl_truststore_password.value.empty?
+
+      if !@ssl_truststore_path && @ssl_certificate_authorities&.empty?
+        raise_config_error! "`ssl_certificate_authorities` cannot be empty"
+      end
+      @ssl_certificate_authorities&.each do |certificate_authority|
+        ensure_readable_and_non_writable! "ssl_certificate_authorities", certificate_authority
+      end
+    else
+      # Disabled SSL does not allow to set SSL related configs
+      ssl_config_provided = original_params.keys.select {|k| k.start_with?("ssl_", "cloud_id") && k != "ssl_enabled" }
+      if ssl_config_provided.any?
+        raise_config_error! "When SSL is disabled, the following provided parameters are not allowed: #{ssl_config_provided}"
+      end
+    end
+  end
+
+  def ensure_readable_and_non_writable!(name, path)
+    raise_config_error! "Specified #{name} #{path} path must be readable." unless File.readable?(path)
+    raise_config_error! "Specified #{name} #{path} path must not be writable." if File.writable?(path)
+  end
+
+  ##
+  # @param message [String]
+  # @raise [LogStash::ConfigurationError]
+  def raise_config_error!(message)
+    raise LogStash::ConfigurationError, message
+  end
+
+  ##
+  # Builds a `PluginConfiguration` from the previously-validated config
+  def extract_immutable_config
+    builder = PluginConfiguration::Builder.new
+
+    builder.setId @id
+
+    builder.setHosts @hosts&.map(&:to_s)
+    builder.setCloudId @cloud_id
+
+    builder.setSslEnabled @ssl_enabled
+
+    # ssl trust
+    builder.setSslVerificationMode @ssl_verification_mode
+    builder.setSslTruststorePath @ssl_truststore_path
+    builder.setSslTruststorePassword @ssl_truststore_password
+    builder.setSslCertificateAuthorities @ssl_certificate_authorities
+
+    # ssl identity
+    builder.setSslKeystorePath @keystore
+    builder.setSslKeystorePassword @ssl_keystore_password
+    builder.setSslCertificate @ssl_certificate
+    builder.setSslKey @ssl_key
+    builder.setSslKeyPassphrase @ssl_key_passphrase
+
+    # request auth
+    builder.setAuthBasicUsername @auth_basic_username
+    builder.setAuthBasicPassword @auth_basic_password
+    builder.setCloudAuth @cloud_auth
+    builder.setApiKey @api_key
+
+    builder.build
+  end
+
+  def initialize_elasticsearch_rest_client!
+    @elasticsearch_rest_client = ElasticsearchRestClientBuilder.fromPluginConfiguration(extract_immutable_config)
+                                                               .map(&:build)
+                                                               .orElseThrow() # todo: ruby/java bridge better exception
+  end
+
+  def initialize_event_processor!
+    java_import('co.elastic.logstash.filters.elasticintegration.EventProcessorBuilder')
+    java_import('co.elastic.logstash.filters.elasticintegration.geoip.GeoIpProcessorFactory')
+
+    @event_processor = EventProcessorBuilder.fromElasticsearch(@elasticsearch_rest_client)
+                                            .setFilterMatchListener(method(:filter_matched_java).to_proc)
+                                            .addProcessor("geoip") { GeoIpProcessorFactory.new(@geoip_database_provider) }
+                                            .build("logstash.filter.elastic_integration.#{id}.#{__id__}")
+  rescue => exception
+    raise_config_error!("configuration did not produce an EventProcessor: #{exception}")
+  end
+
+  def initialize_geoip_database_provider!
+    java_import('co.elastic.logstash.filters.elasticintegration.geoip.GeoIpDatabaseProvider')
+    java_import('co.elastic.logstash.filters.elasticintegration.geoip.StaticGeoIpDatabase')
+
+    @geoip_database_provider ||= GeoIpDatabaseProvider::Builder.new.tap do |builder|
+      builder.setDatabases(java.io.File.new(@geoip_database_directory)) if @geoip_database_directory
+    end.build
+  end
+
+  def perform_preflight_check!
+    PreflightCheck.new(@elasticsearch_rest_client).check
+  rescue => e
+    raise_config_error!(e.message)
+  end
+end

data/logstash-filter-elastic_integration.gemspec

@@ -0,0 +1,45 @@
+# encoding: utf-8
+ELASTIC_INTEGRATION_VERSION = File.read(File.expand_path(File.join(File.dirname(__FILE__), "VERSION"))).strip unless defined?(ELASTIC_INTEGRATION_VERSION)
+
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-elastic_integration'
+  s.version = ELASTIC_INTEGRATION_VERSION
+  s.licenses = ['ELv2']
+  s.summary = "Processes Elastic Integrations"
+  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.authors = ["Elastic"]
+  s.email = 'info@elastic.co'
+  s.homepage = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  s.require_paths = ["lib", "vendor/jar-dependencies"]
+
+  # Files to be included in package
+  s.files = Dir[*%w{
+    lib/**/*.*
+    *.gemspec
+    vendor/jar-dependencies/**/*.jar
+    VERSION
+    LICENSE.md
+    NOTICE.txt
+  }]
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = {
+    "logstash_plugin" => "true",
+    "logstash_group" => "filter",
+    "source_code_uri" => "https://github.com/elastic/logstash-filter-elastic_integration",
+  }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency "logstash-core", ">= 8.7.0"
+
+  s.add_development_dependency 'logstash-devutils'
+
+  s.platform = "java"
+
+  s.post_install_message = <<~NOTICES
+    This Logstash plugin embeds a subset of Elasticsearch (https://elastic.co/)
+    and packages from Apache Lucene, including software developed by The Apache
+    Software Foundation (http://www.apache.org/).
+  NOTICES
+end

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-elastic_integration
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: java
+authors:
+- Elastic
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-04-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 8.7.0
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 8.7.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
+email: info@elastic.co
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.md
+- NOTICE.txt
+- VERSION
+- lib/logstash/filters/elastic_integration.rb
+- lib/logstash/filters/elastic_integration/event_api_bridge.rb
+- lib/logstash/filters/elastic_integration/jar_dependencies.rb
+- logstash-filter-elastic_integration.gemspec
+- vendor/jar-dependencies/co/elastic/logstash/plugins/filter/elasticintegration/logstash-filter-elastic_integration/0.0.1/logstash-filter-elastic_integration-0.0.1.jar
+homepage: http://www.elastic.co/guide/en/logstash/current/index.html
+licenses:
+- ELv2
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+  source_code_uri: https://github.com/elastic/logstash-filter-elastic_integration
+post_install_message: |
+  This Logstash plugin embeds a subset of Elasticsearch (https://elastic.co/)
+  and packages from Apache Lucene, including software developed by The Apache
+  Software Foundation (http://www.apache.org/).
+rdoc_options: []
+require_paths:
+- lib
+- vendor/jar-dependencies
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.33
+signing_key:
+specification_version: 4
+summary: Processes Elastic Integrations
+test_files: []