logstash-filter-geoip 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ZjNjMDZhOTg1OTNhNmU5NTI2YzlhYzkyYzJlZDY4MThhZDA0ZDRkNQ==
+  data.tar.gz: !binary |-
+    NjgzN2Q5YWU1ODgxOWNmMjEwZjVjZjcwMWY4ODIxN2I5M2I5MGQ4Zg==
+SHA512:
+  metadata.gz: !binary |-
+    MDVmMjY0NmE5MmM3NTI2YWJhYTYzNzY4Nzc0YWY3NDAzMWYzZWVmYzNhYjll
+    NjdjODViZGIwOTgxZWMzZmZhYjFiZDU3YmU4NmQ0ZGZlZTU4ZTY0OThiM2Jk
+    YTMxNzVkZWY0YmFiMDIxYjhhM2YxZWZmMGZkMGU4MzdlMzU1MGE=
+  data.tar.gz: !binary |-
+    NDk1NjhmOWMzNWMxMTc3OTNlYzY0MGU1Zjc3M2Q4MjY0NmQyNjRkNTRkMTE2
+    M2ZjYzY4OWE2NDdhMWNiMzc2OGViNGU1ODNjOTRkYzcwMjg0ZDI4YzlhOTky
+    OGU1OTlhZTQwODFhYjNmYjQzODU2MDI3MzA5M2M3NDExM2FmMTM=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'
+gem 'archive-tar-minitar'

data/Rakefile

@@ -0,0 +1,8 @@
+@files=[ {'url' => 'http://logstash.objects.dreamhost.com/maxmind/GeoLiteCity-2013-01-18.dat.gz', 'sha1' => '15aab9a90ff90c4784b2c48331014d242b86bf82' },
+         {'url' => 'http://logstash.objects.dreamhost.com/maxmind/GeoIPASNum-2014-02-12.dat.gz', 'sha1' => '6f33ca0b31e5f233e36d1f66fbeae36909b58f91' }
+  ]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/geoip.rb

@@ -0,0 +1,149 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "tempfile"
+
+# The GeoIP filter adds information about the geographical location of IP addresses,
+# based on data from the Maxmind database.
+#
+# Starting with version 1.3.0 of Logstash, a [geoip][location] field is created if
+# the GeoIP lookup returns a latitude and longitude. The field is stored in
+# [GeoJSON](http://geojson.org/geojson-spec.html) format. Additionally,
+# the default Elasticsearch template provided with the
+# [elasticsearch output](../outputs/elasticsearch.html)
+# maps the [geoip][location] field to a
+# [geo_point](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/mapping-geo-point-type.html).
+#
+# As this field is a geo\_point _and_ it is still valid GeoJSON, you get
+# the awesomeness of Elasticsearch's geospatial query, facet and filter functions
+# and the flexibility of having GeoJSON for all other applications (like Kibana's
+# [bettermap panel](https://github.com/elasticsearch/kibana/tree/master/src/app/panels/bettermap)).
+#
+# Logstash releases ship with the GeoLiteCity database made available from
+# Maxmind with a CCA-ShareAlike 3.0 license. For more details on GeoLite, see
+# <http://www.maxmind.com/en/geolite>.
+class LogStash::Filters::GeoIP < LogStash::Filters::Base
+  config_name "geoip"
+  milestone 3
+
+  VERSION='0.1.0'
+
+  # The path to the GeoIP database file which Logstash should use. Country, City, ASN, ISP
+  # and organization databases are supported.
+  #
+  # If not specified, this will default to the GeoLiteCity database that ships
+  # with Logstash.
+  config :database, :validate => :path
+
+  # The field containing the IP address or hostname to map via geoip. If
+  # this field is an array, only the first value will be used.
+  config :source, :validate => :string, :required => true
+
+  # An array of geoip fields to be included in the event.
+  #
+  # Possible fields depend on the database type. By default, all geoip fields
+  # are included in the event.
+  #
+  # For the built-in GeoLiteCity database, the following are available:
+  # `city\_name`, `continent\_code`, `country\_code2`, `country\_code3`, `country\_name`,
+  # `dma\_code`, `ip`, `latitude`, `longitude`, `postal\_code`, `region\_name` and `timezone`.
+  config :fields, :validate => :array
+
+  # Specify the field into which Logstash should store the geoip data.
+  # This can be useful, for example, if you have `src\_ip` and `dst\_ip` fields and
+  # would like the GeoIP information of both IPs.
+  #
+  # If you save the data to a target field other than "geoip" and want to use the
+  # geo\_point related functions in Elasticsearch, you need to alter the template
+  # provided with the Elasticsearch output and configure the output to use the
+  # new template.
+  #
+  # Even if you don't use the geo\_point mapping, the [target][location] field
+  # is still valid GeoJSON.
+  config :target, :validate => :string, :default => 'geoip'
+
+  public
+  def register
+    require "geoip"
+    if @database.nil?
+      @database = ::Dir.glob(::File.expand_path("../../../vendor/", ::File.dirname(__FILE__))+"/GeoLiteCity*.dat").first
+      if !File.exists?(@database)
+        raise "You must specify 'database => ...' in your geoip filter (I looked for '#{@database}'"
+      end
+    end
+    @logger.info("Using geoip database", :path => @database)
+    # For the purpose of initializing this filter, geoip is initialized here but
+    # not set as a global. The geoip module imposes a mutex, so the filter needs
+    # to re-initialize this later in the filter() thread, and save that access
+    # as a thread-local variable.
+    geoip_initialize = ::GeoIP.new(@database)
+
+    @geoip_type = case geoip_initialize.database_type
+    when GeoIP::GEOIP_CITY_EDITION_REV0, GeoIP::GEOIP_CITY_EDITION_REV1
+      :city
+    when GeoIP::GEOIP_COUNTRY_EDITION
+      :country
+    when GeoIP::GEOIP_ASNUM_EDITION
+      :asn
+    when GeoIP::GEOIP_ISP_EDITION, GeoIP::GEOIP_ORG_EDITION
+      :isp
+    else
+      raise RuntimeException.new "This GeoIP database is not currently supported"
+    end
+
+    @threadkey = "geoip-#{self.object_id}"
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+    geo_data = nil
+
+    # Use thread-local access to GeoIP. The Ruby GeoIP module forces a mutex
+    # around access to the database, which can be overcome with :pread.
+    # Unfortunately, :pread requires the io-extra gem, with C extensions that
+    # aren't supported on JRuby. If / when :pread becomes available, we can stop
+    # needing thread-local access.
+    if !Thread.current.key?(@threadkey)
+      Thread.current[@threadkey] = ::GeoIP.new(@database)
+    end
+
+    begin
+      ip = event[@source]
+      ip = ip.first if ip.is_a? Array
+      geo_data = Thread.current[@threadkey].send(@geoip_type, ip)
+    rescue SocketError => e
+      @logger.error("IP Field contained invalid IP address or hostname", :field => @field, :event => event)
+    rescue Exception => e
+      @logger.error("Unknown error while looking up GeoIP data", :exception => e, :field => @field, :event => event)
+    end
+
+    return if geo_data.nil?
+
+    geo_data_hash = geo_data.to_hash
+    geo_data_hash.delete(:request)
+    event[@target] = {} if event[@target].nil?
+    geo_data_hash.each do |key, value|
+      next if value.nil? || (value.is_a?(String) && value.empty?)
+      if @fields.nil? || @fields.empty? || @fields.include?(key.to_s)
+        # convert key to string (normally a Symbol)
+        if value.is_a?(String)
+          # Some strings from GeoIP don't have the correct encoding...
+          value = case value.encoding
+            # I have found strings coming from GeoIP that are ASCII-8BIT are actually
+            # ISO-8859-1...
+            when Encoding::ASCII_8BIT; value.force_encoding(Encoding::ISO_8859_1).encode(Encoding::UTF_8)
+            when Encoding::ISO_8859_1, Encoding::US_ASCII;  value.encode(Encoding::UTF_8)
+            else; value
+          end
+        end
+        event[@target][key.to_s] = value
+      end
+    end # geo_data_hash.each
+    if event[@target].key?('latitude') && event[@target].key?('longitude')
+      # If we have latitude and longitude values, add the location field as GeoJSON array
+      event[@target]['location'] = [ event[@target]["longitude"].to_f, event[@target]["latitude"].to_f ]
+    end
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::GeoIP

data/logstash-filter-geoip.gemspec

@@ -0,0 +1,28 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-geoip'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "$summary"
+  s.description     = "$description"
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)+::Dir.glob('vendor/*')
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+
+  s.add_runtime_dependency 'geoip', ['>= 1.3.2']
+
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/filters/geoip_spec.rb

@@ -0,0 +1,120 @@
+require "spec_helper"
+require "logstash/filters/geoip"
+
+describe LogStash::Filters::GeoIP do
+
+  describe "defaults" do
+    config <<-CONFIG
+      filter {
+        geoip { 
+          source => "ip"
+          #database => "vendor/geoip/GeoLiteCity.dat"
+        }
+      }
+    CONFIG
+
+    sample("ip" => "8.8.8.8") do
+      insist { subject }.include?("geoip")
+
+      expected_fields = %w(ip country_code2 country_code3 country_name
+                           continent_code region_name city_name postal_code
+                           latitude longitude dma_code area_code timezone
+                           location )
+      expected_fields.each do |f|
+        insist { subject["geoip"] }.include?(f)
+      end
+    end
+
+    sample("ip" => "127.0.0.1") do
+      # assume geoip fails on localhost lookups
+      reject { subject }.include?("geoip")
+    end
+  end
+
+  describe "Specify the target" do
+    config <<-CONFIG
+      filter {
+        geoip { 
+          source => "ip"
+          #database => "vendor/geoip/GeoLiteCity.dat"
+          target => src_ip
+        }
+      }
+    CONFIG
+
+    sample("ip" => "8.8.8.8") do
+      insist { subject }.include?("src_ip")
+
+      expected_fields = %w(ip country_code2 country_code3 country_name
+                           continent_code region_name city_name postal_code
+                           latitude longitude dma_code area_code timezone
+                           location )
+      expected_fields.each do |f|
+        insist { subject["src_ip"] }.include?(f)
+      end
+    end
+
+    sample("ip" => "127.0.0.1") do
+      # assume geoip fails on localhost lookups
+      reject { subject }.include?("src_ip")
+    end
+  end
+
+  describe "correct encodings with default db" do
+    config <<-CONFIG
+      filter {
+        geoip {
+          source => "ip"
+        }
+      }
+    CONFIG
+    expected_fields = %w(ip country_code2 country_code3 country_name
+                           continent_code region_name city_name postal_code
+                           dma_code area_code timezone)
+
+    sample("ip" => "1.1.1.1") do
+      checked = 0
+      expected_fields.each do |f|
+        next unless subject["geoip"][f]
+        checked += 1
+        insist { subject["geoip"][f].encoding } == Encoding::UTF_8
+      end
+      insist { checked } > 0
+    end
+    sample("ip" => "189.2.0.0") do
+      checked = 0
+      expected_fields.each do |f|
+        next unless subject["geoip"][f]
+        checked += 1
+        insist { subject["geoip"][f].encoding } == Encoding::UTF_8
+      end
+      insist { checked } > 0
+    end
+
+  end
+
+  describe "correct encodings with ASN db" do
+    config <<-CONFIG
+      filter {
+        geoip {
+          source => "ip"
+          database => "vendor/geoip/GeoIPASNum.dat"
+        }
+      }
+    CONFIG
+
+
+    sample("ip" => "1.1.1.1") do
+      insist { subject["geoip"]["asn"].encoding } == Encoding::UTF_8
+    end
+    sample("ip" => "187.2.0.0") do
+      insist { subject["geoip"]["asn"].encoding } == Encoding::UTF_8
+    end
+    sample("ip" => "189.2.0.0") do
+      insist { subject["geoip"]["asn"].encoding } == Encoding::UTF_8
+    end
+    sample("ip" => "161.24.0.0") do
+      insist { subject["geoip"]["asn"].encoding } == Encoding::UTF_8
+    end
+  end
+end

metadata

@@ -0,0 +1,90 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-geoip
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: geoip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.2
+description: $description
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Rakefile
+- lib/logstash/filters/geoip.rb
+- logstash-filter-geoip.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/filters/geoip_spec.rb
+- vendor/GeoIPASNum-2014-02-12.dat
+- vendor/GeoLiteCity-2013-01-18.dat
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: $summary
+test_files:
+- spec/filters/geoip_spec.rb