logstash-filter-fingerprint 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    M2IxMjQ1ZjcyMWI0NzE2ZmExYzg1ZGY2MTA5YjE0YjkyYzgxN2MxZg==
+  data.tar.gz: !binary |-
+    OWZiMTA4NGY1NTViY2ExZjNhNDJkZTMxYzc0OTcyZmRhZTU0MGJmNQ==
+SHA512:
+  metadata.gz: !binary |-
+    NmZkZjJhMzg2MTAzOTAxMDQ5NzZiNDdhZjEyOTA5YTE3YjBmOGI2Y2NiZjQz
+    N2FmMWM3OGMwNDYwNjg5NzQ4NmU5YjFjODY2ZmIzMTUzNWRmOWY2NDEwYTZl
+    YWI0MWQ5NWVmOWM3ODY5YmNjNmFlZGI5MzM5MjhmNDEyMmM2YmM=
+  data.tar.gz: !binary |-
+    OGYwNGI2NGRmMjAyZmM3NGJiY2E3NzAzYTQ5N2JmZDY0MmNhNTVhMWU3ODNj
+    NTZjNGUxY2QyYWMwMjcxOTJkMThjZjEwMDJiNWFjMDdiMmEzNWVmYjMzN2M4
+    ZWY4MDMzNDAxMjYzZjQ5NTdiYmJjODcxMjlkNGU3YWJlMzBkOGI=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'
+gem 'archive-tar-minitar'

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012-2014 Elasticsearch <http://www.elasticsearch.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Rakefile

@@ -0,0 +1,6 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/fingerprint.rb

@@ -0,0 +1,122 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+#  Fingerprint fields using by replacing values with a consistent hash.
+class LogStash::Filters::Fingerprint < LogStash::Filters::Base
+  config_name "fingerprint"
+  milestone 1
+
+  # Source field(s)
+  config :source, :validate => :array, :default => 'message'
+
+  # Target field.
+  # will overwrite current value of a field if it exists.
+  config :target, :validate => :string, :default => 'fingerprint'
+
+  # When used with IPV4_NETWORK method fill in the subnet prefix length
+  # Not required for MURMUR3 or UUID methods
+  # With other methods fill in the HMAC key
+  config :key, :validate => :string
+
+  # Fingerprint method
+  config :method, :validate => ['SHA1', 'SHA256', 'SHA384', 'SHA512', 'MD5', "MURMUR3", "IPV4_NETWORK", "UUID", "PUNCTUATION"], :required => true, :default => 'SHA1'
+
+  # When set to true, we concatenate the values of all fields into 1 string like the old checksum filter.
+  config :concatenate_sources, :validate => :boolean, :default => false
+
+  def register
+    # require any library and set the anonymize function
+    case @method
+      when "IPV4_NETWORK"
+        require 'ipaddr'
+        @logger.error("Key value is empty. please fill in a subnet prefix length") if @key.nil?
+        class << self; alias_method :anonymize, :anonymize_ipv4_network; end
+      when "MURMUR3"
+        require "murmurhash3"
+        class << self; alias_method :anonymize, :anonymize_murmur3; end
+      when "UUID"
+        require "securerandom"
+      when "PUNCTUATION"
+        # nothing required
+      else
+        require 'openssl'
+        @logger.error("Key value is empty. Please fill in an encryption key") if @key.nil?
+        class << self; alias_method :anonymize, :anonymize_openssl; end
+    end
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+    case @method
+      when "UUID"
+        event[@target] = SecureRandom.uuid
+      when "PUNCTUATION"
+        @source.sort.each do |field|
+          next unless event.include?(field)
+          event[@target] = event[field].tr('A-Za-z0-9 \t','')
+        end
+      else
+        if @concatenate_sources
+          to_string = ''
+          @source.sort.each do |k|
+            @logger.debug("Adding key to string")
+            to_string << "|#{k}|#{event[k]}"
+          end
+          to_string << "|"
+          @logger.debug("String built", :to_checksum => to_string)
+          event[@target] = anonymize(to_string)
+        else
+          @source.each do |field|
+            next unless event.include?(field)
+            if event[field].is_a?(Array)
+              event[@target] = event[field].collect { |v| anonymize(v) }
+            else
+              event[@target] = anonymize(event[field])
+            end
+          end # @source.each
+        end # concatenate_sources
+
+    end # casse @method
+  end # def filter
+
+  private
+  def anonymize_ipv4_network(ip_string)
+    # in JRuby 1.7.11 outputs as US-ASCII
+    IPAddr.new(ip_string).mask(@key.to_i).to_s.force_encoding(Encoding::UTF_8)
+  end
+
+  def anonymize_openssl(data)
+    digest = encryption_algorithm()
+    # in JRuby 1.7.11 outputs as ASCII-8BIT
+    OpenSSL::HMAC.hexdigest(digest, @key, data.to_s).force_encoding(Encoding::UTF_8)
+  end
+
+  def anonymize_murmur3(value)
+    case value
+      when Fixnum
+        MurmurHash3::V32.int_hash(value)
+      else
+        MurmurHash3::V32.str_hash(value.to_s)
+    end
+  end
+
+  def encryption_algorithm
+   case @method
+     when 'SHA1'
+       return OpenSSL::Digest::SHA1.new
+     when 'SHA256'
+       return OpenSSL::Digest::SHA256.new
+     when 'SHA384'
+       return OpenSSL::Digest::SHA384.new
+     when 'SHA512'
+       return OpenSSL::Digest::SHA512.new
+     when 'MD5'
+       return OpenSSL::Digest::MD5.new
+     else
+       @logger.error("Unknown algorithm")
+    end
+  end
+
+end # class LogStash::Filters::Anonymize

data/logstash-filter-fingerprint.gemspec

@@ -0,0 +1,26 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-fingerprint'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "Fingerprint fields using by replacing values with a consistent hash."
+  s.description     = "Fingerprint fields using by replacing values with a consistent hash."
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)+::Dir.glob('vendor/*')
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+  s.add_runtime_dependency "murmurhash3"                      #(MIT license)
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/filters/fingerprint_spec.rb

@@ -0,0 +1,200 @@
+# encoding: utf-8
+require "spec_helper"
+require "logstash/filters/fingerprint"
+
+describe LogStash::Filters::Fingerprint do
+
+  describe "fingerprint ipaddress with IPV4_NETWORK method" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          method => "IPV4_NETWORK"
+          key => 24
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "233.255.13.44") do
+      insist { subject["fingerprint"] } == "233.255.13.0"
+    end
+  end
+
+  describe "fingerprint string with MURMUR3 method" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          method => "MURMUR3"
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "123.52.122.33") do
+      insist { subject["fingerprint"] } == 1541804874
+    end
+  end
+
+   describe "fingerprint string with SHA1 alogrithm" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          key => "longencryptionkey"
+          method => 'SHA1'
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "123.123.123.123") do
+      insist { subject["fingerprint"] } == "fdc60acc4773dc5ac569ffb78fcb93c9630797f4"
+    end
+  end
+
+  describe "fingerprint string with SHA256 alogrithm" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          key => "longencryptionkey"
+          method => 'SHA256'
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "123.123.123.123") do
+      insist { subject["fingerprint"] } == "345bec3eff242d53b568916c2610b3e393d885d6b96d643f38494fd74bf4a9ca"
+    end
+  end
+
+  describe "fingerprint string with SHA384 alogrithm" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          key => "longencryptionkey"
+          method => 'SHA384'
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "123.123.123.123") do
+      insist { subject["fingerprint"] } == "22d4c0e8c4fbcdc4887d2038fca7650f0e2e0e2457ff41c06eb2a980dded6749561c814fe182aff93e2538d18593947a"
+    end
+  end
+
+  describe "fingerprint string with SHA512 alogrithm" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          key => "longencryptionkey"
+          method => 'SHA512'
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "123.123.123.123") do
+      insist { subject["fingerprint"] } == "11c19b326936c08d6c50a3c847d883e5a1362e6a64dd55201a25f2c1ac1b673f7d8bf15b8f112a4978276d573275e3b14166e17246f670c2a539401c5bfdace8"
+    end
+  end
+
+  describe "fingerprint string with MD5 alogrithm" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          key => "longencryptionkey"
+          method => 'MD5'
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "123.123.123.123") do
+      insist { subject["fingerprint"] } == "9336c879e305c9604a3843fc3e75948f"
+    end
+  end
+
+  describe "Test field with multiple values" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ["clientip"]
+          key => "longencryptionkey"
+          method => 'MD5'
+        }
+      }
+    CONFIG
+
+    sample("clientip" => [ "123.123.123.123", "223.223.223.223" ]) do
+      insist { subject["fingerprint"]} == [ "9336c879e305c9604a3843fc3e75948f", "7a6c66b8d3f42a7d650e3354af508df3" ]
+    end
+  end
+
+  describe "Concatenate multiple values into 1" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => ['field1', 'field2']
+          key => "longencryptionkey"
+          method => 'MD5'
+        }
+      }
+    CONFIG
+
+    sample("field1" => "test1", "field2" => "test2") do
+      insist { subject["fingerprint"]} == "872da745e45192c2a1d4bf7c1ff8a370"
+    end
+  end
+
+  describe "PUNCTUATION method" do
+    config <<-CONFIG
+      filter {
+        fingerprint {
+          source => 'field1'
+          method => 'PUNCTUATION'
+        }
+      }
+    CONFIG
+
+    sample("field1" =>  "PHP Warning:  json_encode() [<a href='function.json-encode'>function.json-encode</a>]: Invalid UTF-8 sequence in argument in /var/www/htdocs/test.php on line 233") do
+      insist { subject["fingerprint"] } == ":_()[<='.-'>.-</>]:-////."
+    end
+  end
+
+  context 'Timestamps' do
+    epoch_time = Time.at(0).gmtime
+
+    describe 'OpenSSL Fingerprinting' do
+      config <<-CONFIG
+        filter {
+          fingerprint {
+            source => ['@timestamp']
+            key    => '0123'
+            method => 'SHA1'
+          }
+        }
+      CONFIG
+
+      sample("@timestamp" => epoch_time) do
+        insist { subject["fingerprint"] } == '1d5379ec92d86a67cfc642d55aa050ca312d3b9a'
+      end
+    end
+
+    describe 'MURMUR3 Fingerprinting' do
+      config <<-CONFIG
+        filter {
+          fingerprint {
+            source => ['@timestamp']
+            method => 'MURMUR3'
+          }
+        }
+      CONFIG
+
+      sample("@timestamp" => epoch_time) do
+        insist { subject["fingerprint"] } == 743372282
+      end
+    end
+  end
+
+end

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-fingerprint
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: murmurhash3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Fingerprint fields using by replacing values with a consistent hash.
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- Rakefile
+- lib/logstash/filters/fingerprint.rb
+- logstash-filter-fingerprint.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/filters/fingerprint_spec.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: Fingerprint fields using by replacing values with a consistent hash.
+test_files:
+- spec/filters/fingerprint_spec.rb