logstash-filter-geoip 7.2.7-java → 7.2.11-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +15 -0
  3. data/docs/index.asciidoc +63 -23
  4. data/logstash-filter-geoip.gemspec +1 -1
  5. data/spec/filters/geoip_ecs_spec.rb +96 -16
  6. data/spec/filters/geoip_offline_spec.rb +53 -263
  7. data/vendor/jar-dependencies/org/logstash/filters/logstash-filter-geoip/6.0.0/logstash-filter-geoip-6.0.0.jar +0 -0
  8. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7eb0e71f8a7e34725b9ed42e5839ad7015fd53672802b01c92c5c33c3acb55ce
4
- data.tar.gz: 71f871e60772fa2f21d5995ee93ac9b26d426463e4e87705e00028eb074bbe1a
3
+ metadata.gz: 4e1f0799be232e80ed3db8f0d31b4131c921d549183d2f47678af3fd9cdfd21f
4
+ data.tar.gz: e656dd5cd6440d13af48a7193f26962c4236267fcf2afd9bc0a9f4f8e8c5e3e5
5
5
  SHA512:
6
- metadata.gz: 1e062cbeb38a866831d9dd9c359605d3f2b883819299bffbbb685af54fb9891f6ec3d4a81cebbad357a2a0c6cecffecdc2cf2284c00b8711c5dd6283c9620702
7
- data.tar.gz: f83c4acfe3d702163d284cfae089d5deddcebe9754945dee22bf760e23d8b301f7dfcd2e4b98dfa509299f3f36993977cf94ee2d82df0fdf7fb9b05e3a5da7ed
6
+ metadata.gz: eadc947645031bd5539ac42e910da0c1230d2137936eec668f23da4e6de6e55b5ceaa2a6eb1cf0b7699a43d61c03c1e6df95b51681e61d3983471070d1cac9aa
7
+ data.tar.gz: 9a5ee36471512f5724ebc7013d3d21bce6d64db50ac6874f8c45d2e8a8facbad14a428e4ea2857cbeb20d438e363dbcdad79a6133b851c98c575a82da0e91a1f
data/CHANGELOG.md CHANGED
@@ -1,3 +1,18 @@
1
+ ## 7.2.11
2
+ - Improved compatibility with the Elastic Common Schema [#206](https://github.com/logstash-plugins/logstash-filter-geoip/pull/206)
3
+ - Added support for ECS's composite `region_iso_code` (`US-WA`), which _replaces_ the non-ECS `region_code` (`WA`) as a default field with City databases. To get the stand-alone `region_code` in ECS mode, you must include it in the `fields` directive.
4
+ - [DOC] Improve ECS-related documentation
5
+
6
+ ## 7.2.10
7
+ - [DOC] Air-gapped environment requires both ASN and City databases [#204](https://github.com/logstash-plugins/logstash-filter-geoip/pull/204)
8
+
9
+ ## 7.2.9
10
+ - Fix: red CI in Logstash 8.0 [#201](https://github.com/logstash-plugins/logstash-filter-geoip/pull/201)
11
+ - Update Log4j dependency to 2.17.1
12
+
13
+ ## 7.2.8
14
+ - Update Log4j dependency to 2.17.0
15
+
1
16
  ## 7.2.7
2
17
  - Ensure java 8 compatibility [#197](https://github.com/logstash-plugins/logstash-filter-geoip/pull/197)
3
18
 
data/docs/index.asciidoc CHANGED
@@ -86,10 +86,10 @@ a secure proxy. You can then specify the proxy endpoint URL in the
86
86
  If you work in air-gapped environment and can't update your databases from the Elastic endpoint,
87
87
  You can then download databases from MaxMind and bootstrap the service.
88
88
 
89
- . Download your `.mmdb` database files from the
89
+ . Download both `GeoLite2-ASN.mmdb` and `GeoLite2-City.mmdb` database files from the
90
90
  http://dev.maxmind.com/geoip/geoip2/geolite2[MaxMind site].
91
91
 
92
- . Copy your database files to a single directory.
92
+ . Copy both database files to a single directory.
93
93
 
94
94
  . https://www.elastic.co/downloads/elasticsearch[Download {es}].
95
95
 
@@ -169,14 +169,57 @@ Example response:
169
169
  }
170
170
  --------------------------------------------------
171
171
 
172
+ [id="plugins-{type}s-{plugin}-field-mapping"]
173
+ ==== Field mapping
174
+
175
+ When this plugin is run with <<plugins-{type}s-{plugin}-ecs_compatibility>> disabled, the MaxMind DB's fields are added directly to the <<plugins-{type}s-{plugin}-target>>.
176
+ When ECS compatibility is enabled, the fields are structured to fit into an ECS shape.
177
+
178
+ [cols="3,5,3"]
179
+ |===========================
180
+ | Database Field Name | ECS Field | Example
181
+
182
+ | `ip` | `[ip]` | `12.34.56.78`
183
+
184
+ | `city_name` | `[geo][city_name]` | `Seattle`
185
+ | `country_name` | `[geo][country_name]` | `United States`
186
+ | `continent_code` | `[geo][continent_code]` | `NA`
187
+ | `continent_name` | `[geo][continent_name]` | `North America`
188
+ | `country_code2` | `[geo][country_iso_code]` | `US`
189
+ | `country_code3` | _N/A_ | `US`
190
+
191
+ _maintained for legacy
192
+ support, but populated
193
+ with 2-character country
194
+ code_
195
+
196
+ | `postal_code` | `[geo][postal_code]` | `98106`
197
+ | `region_name` | `[geo][region_name]` | `Washington`
198
+ | `region_code` | `[geo][region_code]` | `WA`
199
+ | `region_iso_code`* | `[geo][region_iso_code]` | `US-WA`
200
+ | `timezone` | `[geo][timezone]` | `America/Los_Angeles`
201
+ | `location`* | `[geo][location]` | `{"lat": 47.6062, "lon": -122.3321}"`
202
+ | `latitude` | `[geo][location][lat]` | `47.6062`
203
+ | `longitude` | `[geo][location][lon]` | `-122.3321`
204
+
205
+ | `domain` | `[domain]` | `example.com`
206
+
207
+ | `asn` | `[as][number]` | `98765`
208
+ | `as_org` | `[as][organization][name]` | `Elastic, NV`
209
+
210
+ | `isp` | `[mmdb][isp]` | `InterLink Supra LLC`
211
+ | `dma_code` | `[mmdb][dma_code]` | `819`
212
+ | `organization` | `[mmdb][organization]` | `Elastic, NV`
213
+ |===========================
214
+
215
+ NOTE: `*` indicates a composite field, which is only populated if GeoIP lookup result contains all components.
216
+
172
217
  ==== Details
173
218
 
174
- A `[geoip][location]` field is created if
175
- the GeoIP lookup returns a latitude and longitude. The field is stored in
176
- http://geojson.org/geojson-spec.html[GeoJSON] format. Additionally,
177
- the default Elasticsearch template provided with the
178
- {logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] maps
179
- the `[geoip][location]` field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
219
+ When using a City database, the enrichment is aborted if no latitude/longitude pair is available.
220
+
221
+ The `location` field combines the latitude and longitude into a structure called https://datatracker.ietf.org/doc/html/rfc7946[GeoJSON].
222
+ When you are using a default <<plugins-{type}s-{plugin}-target>>, the templates provided by the {logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] map the field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
180
223
 
181
224
  As this field is a `geo_point` _and_ it is still valid GeoJSON, you get
182
225
  the awesomeness of Elasticsearch's geospatial query, facet and filter functions
@@ -242,16 +285,16 @@ number of cache misses and waste memory.
242
285
  ===== `database`
243
286
 
244
287
  * Value type is <<path,path>>
245
- * If not specified, the database defaults to the GeoLite2 City database that ships with Logstash.
288
+ * If not specified, the database defaults to the `GeoLite2 City` database that ships with Logstash.
246
289
 
247
- The path to MaxMind's database file that Logstash should use. The default database is GeoLite2-City.
248
- GeoLite2-City, GeoLite2-Country, GeoLite2-ASN are the free databases from MaxMind that are supported.
249
- GeoIP2-City, GeoIP2-ISP, GeoIP2-Country are the commercial databases from MaxMind that are supported.
290
+ The path to MaxMind's database file that Logstash should use.
291
+ The default database is `GeoLite2-City`.
292
+ This plugin supports several free databases (`GeoLite2-City`, `GeoLite2-Country`, `GeoLite2-ASN`)
293
+ and a selection of commercially-licensed databases (`GeoIP2-City`, `GeoIP2-ISP`, `GeoIP2-Country`).
250
294
 
251
- Database auto-update applies to default distribution. When `database` points to user's database path,
252
- auto-update will be disabled.
253
- See
254
- <<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
295
+ Database auto-update applies to the default distribution.
296
+ When `database` points to user's database path, auto-update is disabled.
297
+ See <<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
255
298
 
256
299
  [id="plugins-{type}s-{plugin}-default_database_type"]
257
300
  ===== `default_database_type`
@@ -270,13 +313,10 @@ This plugin now includes both the GeoLite2-City and GeoLite2-ASN databases. If
270
313
 
271
314
  An array of geoip fields to be included in the event.
272
315
 
273
- Possible fields depend on the database type. By default, all geoip fields
274
- are included in the event.
316
+ Possible fields depend on the database type.
317
+ By default, all geoip fields from the relevant database are included in the event.
275
318
 
276
- For the built-in GeoLite2 City database, the following are available:
277
- `city_name`, `continent_code`, `country_code2`, `country_code3`, `country_name`,
278
- `dma_code`, `ip`, `latitude`, `location`, `longitude`, `postal_code`, `region_code`,
279
- `region_name` and `timezone`.
319
+ For a complete list of available fields and how they map to an event's structure, see <<plugins-{type}s-{plugin}-field-mapping,field mapping>>.
280
320
 
281
321
  [id="plugins-{type}s-{plugin}-ecs_compatibility"]
282
322
  ===== `ecs_compatibility`
@@ -284,7 +324,7 @@ For the built-in GeoLite2 City database, the following are available:
284
324
  * Value type is <<string,string>>
285
325
  * Supported values are:
286
326
  ** `disabled`: unstructured geo data added at root level
287
- ** `v1`, `v8`: uses fields that are compatible with Elastic Common Schema (for example, `[client][geo][country_name]`)
327
+ ** `v1`, `v8`: use fields that are compatible with Elastic Common Schema. Example: `[client][geo][country_name]`. See <<plugins-{type}s-{plugin}-field-mapping,field mapping>> for more info.
288
328
  * Default value depends on which version of Logstash is running:
289
329
  ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
290
330
  ** Otherwise, the default value is `disabled`.
data/logstash-filter-geoip.gemspec CHANGED
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-filter-geoip'
4
- s.version = '7.2.7'
4
+ s.version = '7.2.11'
5
5
  s.licenses = ['Apache License (2.0)']
6
6
  s.summary = "Adds geographical information about an IP address"
7
7
  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
data/spec/filters/geoip_ecs_spec.rb CHANGED
@@ -27,6 +27,10 @@ describe LogStash::Filters::GeoIP do
27
27
  end
28
28
 
29
29
  context "with city database" do
30
+ # example.com, has been static for 10+ years
31
+ # and has city-level details
32
+ let(:ip) { "93.184.216.34" }
33
+
30
34
  let(:options) { common_options }
31
35
 
32
36
  it "should return geo in target" do
@@ -36,19 +40,26 @@ describe LogStash::Filters::GeoIP do
36
40
  expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to eq 'US'
37
41
  expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to eq 'United States'
38
42
  expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to eq 'NA'
39
- expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq 37.751
40
- expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -97.822
43
+ expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq 42.1596
44
+ expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -70.8217
45
+ expect( event.get ecs_select[disabled: "[#{target}][city_name]", v1: "[#{target}][geo][city_name]"] ).to eq 'Norwell'
46
+ expect( event.get ecs_select[disabled: "[#{target}][dma_code]", v1: "[#{target}][mmdb][dma_code]"] ).to eq 506
47
+ expect( event.get ecs_select[disabled: "[#{target}][region_name]", v1: "[#{target}][geo][region_name]"] ).to eq 'Massachusetts'
41
48
 
42
49
  if ecs_select.active_mode == :disabled
43
50
  expect( event.get "[#{target}][country_code3]" ).to eq 'US'
51
+ expect( event.get "[#{target}][region_code]" ).to eq 'MA'
52
+ expect( event.get "[#{target}][region_iso_code]" ).to be_nil
44
53
  else
45
54
  expect( event.get "[#{target}][geo][country_code3]" ).to be_nil
46
55
  expect( event.get "[#{target}][country_code3]" ).to be_nil
56
+ expect( event.get "[#{target}][geo][region_iso_code]" ).to eq 'US-MA'
57
+ expect( event.get "[#{target}][region_code]" ).to be_nil
47
58
  end
59
+ puts event.to_hash.inspect
48
60
  end
49
61
  end
50
62
 
51
-
52
63
  context "with ASN database" do
53
64
  let(:options) { common_options.merge({"database" => ASNDB}) }
54
65
 
@@ -59,27 +70,96 @@ describe LogStash::Filters::GeoIP do
59
70
  expect( event.get ecs_select[disabled: "[#{target}][asn]", v1: "[#{target}][as][number]"] ).to eq 15169
60
71
  expect( event.get ecs_select[disabled: "[#{target}][as_org]", v1: "[#{target}][as][organization][name]"] ).to eq "Google LLC"
61
72
  end
73
+
74
+ context "with customize fields" do
75
+ let(:fields) { ["AUTONOMOUS_SYSTEM_NUMBER"] }
76
+ let(:options) { common_options.merge({"database" => ASNDB, "fields" => fields}) }
77
+
78
+ it "should give asn field" do
79
+ plugin.filter(event)
80
+
81
+ expect( event.get ecs_select[disabled: "[#{target}][ip]", v1: "[#{target}][ip]"] ).to be_nil
82
+ expect( event.get ecs_select[disabled: "[#{target}][as_org]", v1: "[#{target}][as][organization][name]"] ).to be_nil
83
+
84
+ expect( event.get ecs_select[disabled: "[#{target}][asn]", v1: "[#{target}][as][number]"] ).to eq 15169
85
+ end
86
+ end
62
87
  end
63
88
 
64
89
  context "with customize fields" do
65
- let(:fields) { ["continent_name", "timezone"] }
66
- let(:options) { common_options.merge({"fields" => fields}) }
90
+ context "continent_name and timezone" do
91
+ let(:fields) { ["continent_name", "timezone"] }
92
+ let(:options) { common_options.merge({"fields" => fields}) }
67
93
 
68
- it "should return fields" do
69
- plugin.filter(event)
94
+ it "should return fields in UTF8" do
95
+ plugin.filter(event)
96
+
97
+ expect( event.get ecs_select[disabled: "[#{target}][ip]", v1: "[#{target}][ip]"] ).to be_nil
98
+ expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to be_nil
99
+ expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to be_nil
100
+ expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to be_nil
101
+ expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to be_nil
102
+ expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to be_nil
103
+
104
+ continent_name = event.get ecs_select[disabled: "[#{target}][continent_name]", v1: "[#{target}][geo][continent_name]"]
105
+ timezone = event.get ecs_select[disabled: "[#{target}][timezone]", v1: "[#{target}][geo][timezone]"]
106
+ expect( continent_name ).to eq "North America"
107
+ expect( timezone ).to eq "America/Chicago"
108
+ expect( continent_name.encoding ).to eq Encoding::UTF_8
109
+ expect( timezone.encoding ).to eq Encoding::UTF_8
110
+ end
111
+ end
112
+
113
+ context "location" do
114
+ shared_examples "provide location, lat and lon" do
115
+ it "should return location, lat and lon" do
116
+ plugin.filter(event)
117
+
118
+ expect( event.get ecs_select[disabled: "[#{target}][ip]", v1: "[#{target}][ip]"] ).to be_nil
119
+ expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to be_nil
120
+ expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to be_nil
121
+ expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to be_nil
122
+ expect( event.get ecs_select[disabled: "[#{target}][continent_name]", v1: "[#{target}][geo][continent_name]"] ).to be_nil
123
+ expect( event.get ecs_select[disabled: "[#{target}][timezone]", v1: "[#{target}][geo][timezone]"] ).to be_nil
124
+
125
+ expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).not_to be_nil
126
+ expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).not_to be_nil
127
+ end
128
+ end
70
129
 
71
- expect( event.get ecs_select[disabled: "[#{target}][ip]", v1: "[#{target}][ip]"] ).to be_nil
72
- expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to be_nil
73
- expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to be_nil
74
- expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to be_nil
75
- expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to be_nil
76
- expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to be_nil
130
+ context "location and longitude" do
131
+ let(:fields) { ["location", "longitude"] }
132
+ let(:options) { common_options.merge({"fields" => fields}) }
133
+ it_behaves_like "provide location, lat and lon"
134
+ end
77
135
 
78
- expect( event.get ecs_select[disabled: "[#{target}][continent_name]", v1: "[#{target}][geo][continent_name]"] ).to eq "North America"
79
- expect( event.get ecs_select[disabled: "[#{target}][timezone]", v1: "[#{target}][geo][timezone]"] ).to eq "America/Chicago"
136
+ context "location and latitude" do
137
+ let(:fields) { ["location", "latitude"] }
138
+ let(:options) { common_options.merge({"fields" => fields}) }
139
+ it_behaves_like "provide location, lat and lon"
140
+ end
80
141
  end
81
- end
82
142
 
143
+ context "continent_code and IP is IPv6 format" do
144
+ let(:ip) { "2607:f0d0:1002:51::4" }
145
+ let(:fields) { ["continent_code", "ip"] }
146
+ let(:options) { common_options.merge({"fields" => fields}) }
147
+
148
+ it "should return fields" do
149
+ plugin.filter(event)
150
+
151
+ expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to be_nil
152
+ expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to be_nil
153
+ expect( event.get ecs_select[disabled: "[#{target}][continent_name]", v1: "[#{target}][geo][continent_name]"] ).to be_nil
154
+ expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to be_nil
155
+ expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to be_nil
156
+ expect( event.get ecs_select[disabled: "[#{target}][timezone]", v1: "[#{target}][geo][timezone]"] ).to be_nil
157
+
158
+ expect( event.get ecs_select[disabled: "[#{target}][ip]", v1: "[#{target}][ip]"] ).to eq("2607:f0d0:1002:51:0:0:0:4")
159
+ expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to eq("NA")
160
+ end
161
+ end
162
+ end
83
163
  end
84
164
  end
85
165
 
data/spec/filters/geoip_offline_spec.rb CHANGED
@@ -6,78 +6,33 @@ require "logstash/filters/geoip"
6
6
  CITYDB = ::Dir.glob(::File.expand_path(::File.join("..", "..", "..", "vendor", "GeoLite2-City.mmdb"), __FILE__)).first
7
7
  ASNDB = ::Dir.glob(::File.expand_path(::File.join("..", "..", "..", "vendor", "GeoLite2-ASN.mmdb"), __FILE__)).first
8
8
 
9
- describe LogStash::Filters::GeoIP do
10
- describe "defaults" do
11
- config <<-CONFIG
12
- filter {
13
- geoip {
14
- source => "ip"
15
- database => "#{CITYDB}"
16
- }
17
- }
18
- CONFIG
19
-
20
- sample("ip" => "8.8.8.8") do
21
- insist { subject }.include?("geoip")
22
-
23
- expected_fields = %w(ip country_code2 country_code3 country_name
24
- continent_code latitude longitude location)
25
- expected_fields.each do |f|
26
- insist { subject.get("geoip") }.include?(f)
27
- end
28
- end
29
9
 
30
- sample("ip" => "127.0.0.1") do
31
- # assume geoip fails on localhost lookups
32
- expect(subject.get("geoip")).to eq({})
10
+ describe LogStash::Filters::GeoIP do
11
+ shared_examples "invalid empty IP" do
12
+ it "should not give target field" do
13
+ expect(event.get(target)).to be_nil
14
+ expect(event.get("tags")).to include("_geoip_lookup_failure")
33
15
  end
34
16
  end
35
17
 
36
- describe "normal operations" do
37
- config <<-CONFIG
38
- filter {
39
- geoip {
40
- source => "ip"
41
- database => "#{CITYDB}"
42
- target => src_ip
43
- add_tag => "done"
44
- }
45
- }
46
- CONFIG
47
-
48
- context "when specifying the target" do
49
-
50
- sample("ip" => "8.8.8.8") do
51
- expect(subject).to include("src_ip")
52
-
53
- expected_fields = %w(ip country_code2 country_code3 country_name
54
- continent_code latitude longitude location)
55
- expected_fields.each do |f|
56
- expect(subject.get("src_ip")).to include(f)
57
- end
58
- end
59
-
60
- sample("ip" => "127.0.0.1") do
61
- # assume geoip fails on localhost lookups
62
- expect(subject.get("src_ip")).to eq({})
63
- end
64
- end
65
-
66
- context "when specifying add_tag" do
67
- sample("ip" => "8.8.8.8") do
68
- expect(subject.get("tags")).to include("done")
69
- end
18
+ shared_examples "invalid string IP" do
19
+ it "should give empty hash in target field" do
20
+ expect(event.get(target)).to eq({})
21
+ expect(event.get("tags")).to include("_geoip_lookup_failure")
70
22
  end
71
23
  end
72
24
 
73
- describe "source is derived from target" do
74
- subject(:event) { LogStash::Event.new("target" => { "ip" => "173.9.34.107" } ) }
25
+ let(:target) { "server" }
26
+
27
+ describe "invalid IP" do
28
+ let(:ip) { "173.9.34.107" }
29
+ let(:event) { LogStash::Event.new("client" => { "ip" => ip } ) }
75
30
  let(:plugin) {
76
31
  LogStash::Filters::GeoIP.new(
77
- "source" => "[target][ip]",
78
- "target" => "target",
79
- "fields" => [ "city_name", "region_name" ],
80
- "add_tag" => "done", "database" => CITYDB
32
+ "source" => "[client][ip]",
33
+ "target" => target,
34
+ "fields" => %w[country_name continent_code],
35
+ "database" => CITYDB
81
36
  )
82
37
  }
83
38
 
@@ -86,200 +41,71 @@ describe LogStash::Filters::GeoIP do
86
41
  plugin.filter(event)
87
42
  end
88
43
 
89
- context "when source field 'ip' is a subfield of 'target'" do
90
-
91
- it "should preserve value in [target][ip]" do
92
- expect(event.get("[target][ip]")).to eq("173.9.34.107")
44
+ context "when ip is 127.0.0.1" do
45
+ let(:ip) { "127.0.0.1" }
46
+ it "should give empty hash" do
47
+ expect(event.get(target)).to eq({})
93
48
  end
94
-
95
- it "should set other subfields of 'target' properly" do
96
- expect(event.get("target").to_hash.keys.sort).to eq(["city_name", "ip", "region_name"])
97
- expect(event.get("[target][city_name]")).to eq("Malden")
98
- expect(event.get("[target][region_name]")).to eq("Massachusetts")
99
- end
100
-
101
49
  end
102
50
 
103
- end
104
-
105
- describe "correct encodings with default db" do
106
- config <<-CONFIG
107
- filter {
108
- geoip {
109
- source => "ip"
110
- database => "#{CITYDB}"
111
- }
112
- }
113
- CONFIG
114
- expected_fields = %w(ip country_code2 country_code3 country_name
115
- continent_code region_name city_name postal_code
116
- dma_code timezone)
117
-
118
- sample("ip" => "1.1.1.1") do
119
- checked = 0
120
- expected_fields.each do |f|
121
- next unless subject.get("geoip")[f]
122
- checked += 1
123
- insist { subject.get("geoip")[f].encoding } == Encoding::UTF_8
124
- end
125
- insist { checked } > 0
51
+ context "when ip is empty string" do
52
+ let(:ip) { "" }
53
+ it_behaves_like "invalid empty IP"
126
54
  end
127
55
 
128
- sample("ip" => "189.2.0.0") do
129
- checked = 0
130
- expected_fields.each do |f|
131
- next unless subject.get("geoip")[f]
132
- checked += 1
133
- insist { subject.get("geoip")[f].encoding } == Encoding::UTF_8
134
- end
135
- insist { checked } > 0
56
+ context "when ip is space" do
57
+ let(:ip) { " " }
58
+ it_behaves_like "invalid empty IP"
136
59
  end
137
60
 
138
- end
139
-
140
- describe "location field" do
141
- shared_examples_for "an event with a [geoip][location] field" do
142
- subject(:event) { LogStash::Event.new("message" => "8.8.8.8") }
143
- let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message", "fields" => fields, "database" => CITYDB) }
144
-
145
- before do
146
- plugin.register
147
- plugin.filter(event)
148
- end
149
-
150
- it "should have a location field" do
151
- expect(event.get("[geoip][location]")).not_to(be_nil)
152
- end
61
+ context "when ip is dash" do
62
+ let(:ip) { "-" }
63
+ it_behaves_like "invalid string IP"
153
64
  end
154
65
 
155
- context "when latitude field is excluded" do
156
- let(:fields) { ["country_name", "location", "longitude"] }
157
- it_behaves_like "an event with a [geoip][location] field"
66
+ context "when ip is N/A" do
67
+ let(:ip) { "N/A" }
68
+ it_behaves_like "invalid string IP"
158
69
  end
159
70
 
160
- context "when longitude field is excluded" do
161
- let(:fields) { ["country_name", "location", "latitude"] }
162
- it_behaves_like "an event with a [geoip][location] field"
71
+ context "when ip is two ip comma separated" do
72
+ let(:ip) { "123.45.67.89,61.160.232.222" }
73
+ it_behaves_like "invalid string IP"
163
74
  end
164
75
 
165
- context "when both latitude and longitude field are excluded" do
166
- let(:fields) { ["country_name", "location"] }
167
- it_behaves_like "an event with a [geoip][location] field"
76
+ context "when ip is not found in the DB" do
77
+ let(:ip) { "0.0.0.0" }
78
+ it_behaves_like "invalid string IP"
168
79
  end
169
- end
170
-
171
- describe "an invalid IP" do
172
- config <<-CONFIG
173
- filter {
174
- geoip {
175
- source => "ip"
176
- database => "#{CITYDB}"
177
- }
178
- }
179
- CONFIG
180
- describe "should not raise an error" do
181
- sample("ip" => "-") do
182
- expect{ subject }.to_not raise_error
183
- end
184
80
 
185
- sample("ip" => "~") do
186
- expect{ subject }.to_not raise_error
187
- end
188
-
189
- sample("ip" => "") do
190
- expect{ subject }.to_not raise_error
191
- end
192
-
193
- sample("ip" => " ") do
194
- expect{ subject }.to_not raise_error
195
- end
81
+ context "when ip is IPv6 format for localhost" do
82
+ let(:ip) { "::1" }
83
+ it_behaves_like "invalid string IP"
196
84
  end
85
+ end
197
86
 
198
- describe "empty database path" do
199
- let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message") }
200
- let(:event) { LogStash::Event.new("message" => "8.8.8.8") }
201
-
202
- context "when database manager give nil database path" do
203
- it "should tag expired database" do
204
- expect(plugin).to receive(:select_database_path).and_return(nil)
205
-
206
- plugin.register
207
- plugin.filter(event)
208
-
209
- expect(event.get("tags")).to include("_geoip_expired_database")
210
- end
211
- end
212
- end
87
+ describe "database path is empty" do
88
+ let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message", "target" => target) }
89
+ let(:event) { LogStash::Event.new("message" => "8.8.8.8") }
213
90
 
214
- describe "filter method outcomes" do
215
- let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message", "add_tag" => "done", "database" => CITYDB) }
216
- let(:event) { LogStash::Event.new("message" => ipstring) }
91
+ context "when database manager give nil database path" do
92
+ it "should tag expired database" do
93
+ expect(plugin).to receive(:select_database_path).and_return(nil)
217
94
 
218
- before do
219
95
  plugin.register
220
96
  plugin.filter(event)
221
- end
222
-
223
- context "when the bad IP is N/A" do
224
- # regression test for issue https://github.com/logstash-plugins/logstash-filter-geoip/issues/50
225
- let(:ipstring) { "N/A" }
226
-
227
- it "should set the target field to an empty hash" do
228
- expect(event.get("geoip")).to eq({})
229
- end
230
-
231
- it "should add failure tags" do
232
- expect(event.get("tags")).to include("_geoip_lookup_failure")
233
- end
234
- end
235
-
236
- context "when the bad IP is two ip comma separated" do
237
- # regression test for issue https://github.com/logstash-plugins/logstash-filter-geoip/issues/51
238
- let(:ipstring) { "123.45.67.89,61.160.232.222" }
239
97
 
240
- it "should set the target field to an empty hash" do
241
- expect(event.get("geoip")).to eq({})
242
- end
98
+ expect(event.get("tags")).to include("_geoip_expired_database")
243
99
  end
244
-
245
- context "when a IP is not found in the DB" do
246
- let(:ipstring) { "0.0.0.0" }
247
-
248
- it "should set the target field to an empty hash" do
249
- expect(event.get("geoip")).to eq({})
250
- expect(event.get("tags")).to include("_geoip_lookup_failure")
251
- end
252
- end
253
-
254
- context "when IP is IPv6 format for localhost" do
255
- let(:ipstring) { "::1" }
256
-
257
- it "should set the target field to an empty hash" do
258
- expect(event.get("geoip")).to eq({})
259
- end
260
- end
261
-
262
- context "when IP is valid IPv6 format" do
263
- let(:ipstring) { "2607:f0d0:1002:51::4" }
264
-
265
- it "should set the target fields properly" do
266
- expect(event.get("geoip")).not_to be_empty
267
- expect(event.get("geoip")["ip"]).to eq("2607:f0d0:1002:51:0:0:0:4")
268
- expect(event.get("geoip").to_hash.keys.sort).to eq(
269
- ["continent_code", "country_code2", "country_code3", "country_name", "ip", "latitude", "location", "longitude", "timezone"]
270
- )
271
- end
272
- end
273
-
274
100
  end
275
-
276
101
  end
277
102
 
278
- describe "an invalid database" do
103
+ describe "database path is an invalid database file" do
279
104
  config <<-CONFIG
280
105
  filter {
281
106
  geoip {
282
107
  source => "ip"
108
+ target => "geo"
283
109
  database => "./Gemfile"
284
110
  }
285
111
  }
@@ -292,40 +118,4 @@ describe LogStash::Filters::GeoIP do
292
118
  end
293
119
  end
294
120
 
295
- describe "GeoIP2-ASN database" do
296
- config <<-CONFIG
297
- filter {
298
- geoip {
299
- source => "ip"
300
- database => "#{ASNDB}"
301
- default_database_type => "ASN"
302
- }
303
- }
304
- CONFIG
305
-
306
- sample("ip" => "8.8.8.8") do
307
- expect(subject.get("geoip")).not_to be_empty
308
- expect(subject.get("geoip")["asn"]).to eq(15169)
309
- expect(subject.get("geoip")["as_org"]).to eq("Google LLC")
310
- end
311
- end
312
-
313
- describe "GeoIP2-ASN database with fields" do
314
- config <<-CONFIG
315
- filter {
316
- geoip {
317
- source => "ip"
318
- database => "#{ASNDB}"
319
- default_database_type => "ASN"
320
- fields => [ "AUTONOMOUS_SYSTEM_NUMBER" ]
321
- }
322
- }
323
- CONFIG
324
-
325
- sample("ip" => "8.8.8.8") do
326
- expect(subject.get("geoip")).not_to be_empty
327
- expect(subject.get("geoip")["asn"]).to eq(15169)
328
- end
329
- end
330
-
331
121
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-filter-geoip
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.2.7
4
+ version: 7.2.11
5
5
  platform: java
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-12-13 00:00:00.000000000 Z
11
+ date: 2022-01-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement