logstash-filter-geoip 7.2.9-java → 7.2.12-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8016c2fb0b715fc6452e41ab3d36598c5fab654317362b52dc7974aba5d1dbe0
|
|
4
|
+
data.tar.gz: 9e97baedf9827069590d33a18999118401f42565e90304b127e4ab0eba111740
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8985a3708143ff541037379491ec98c592766a0fd6d06dd43247cbea8b2675c754475fd37300eebd247c2cd2562174acdb3f3fd19057a716550969988b560b9b
|
|
7
|
+
data.tar.gz: 5dd029823bab8ff4c816b379e9f1fe258c62a81058fda64e18f0a93d12e475750b5b62ea6bc1b5edfbe385eb93b9cfcd135389f5aa3f73518203362cdf6178ba
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,14 @@
|
|
|
1
|
+
## 7.2.12
|
|
2
|
+
- [DOC] Add `http_proxy` environment variable for GeoIP service endpoint. The feature is included in 8.1.0, and was back-ported to 7.17.2 [#207](https://github.com/logstash-plugins/logstash-filter-geoip/pull/207)
|
|
3
|
+
|
|
4
|
+
## 7.2.11
|
|
5
|
+
- Improved compatibility with the Elastic Common Schema [#206](https://github.com/logstash-plugins/logstash-filter-geoip/pull/206)
|
|
6
|
+
- Added support for ECS's composite `region_iso_code` (`US-WA`), which _replaces_ the non-ECS `region_code` (`WA`) as a default field with City databases. To get the stand-alone `region_code` in ECS mode, you must include it in the `fields` directive.
|
|
7
|
+
- [DOC] Improve ECS-related documentation
|
|
8
|
+
|
|
9
|
+
## 7.2.10
|
|
10
|
+
- [DOC] Air-gapped environment requires both ASN and City databases [#204](https://github.com/logstash-plugins/logstash-filter-geoip/pull/204)
|
|
11
|
+
|
|
1
12
|
## 7.2.9
|
|
2
13
|
- Fix: red CI in Logstash 8.0 [#201](https://github.com/logstash-plugins/logstash-filter-geoip/pull/201)
|
|
3
14
|
- Update Log4j dependency to 2.17.1
|
data/docs/index.asciidoc
CHANGED
|
@@ -75,21 +75,25 @@ TIP: When possible, allow Logstash to access the internet to download databases
|
|
|
75
75
|
[id="plugins-{type}s-{plugin}-manage_update"]
|
|
76
76
|
==== Manage your own database updates
|
|
77
77
|
|
|
78
|
-
**Use
|
|
78
|
+
**Use an HTTP proxy**
|
|
79
79
|
|
|
80
80
|
If you can't connect directly to the Elastic GeoIP endpoint, consider setting up
|
|
81
|
-
|
|
82
|
-
|
|
81
|
+
an HTTP proxy server. You can then specify the proxy with `http_proxy` environment variable.
|
|
82
|
+
|
|
83
|
+
[source,sh]
|
|
84
|
+
----
|
|
85
|
+
export http_proxy="http://PROXY_IP:PROXY_PORT"
|
|
86
|
+
----
|
|
83
87
|
|
|
84
88
|
**Use a custom endpoint (air-gapped environments)**
|
|
85
89
|
|
|
86
90
|
If you work in air-gapped environment and can't update your databases from the Elastic endpoint,
|
|
87
91
|
You can then download databases from MaxMind and bootstrap the service.
|
|
88
92
|
|
|
89
|
-
. Download
|
|
93
|
+
. Download both `GeoLite2-ASN.mmdb` and `GeoLite2-City.mmdb` database files from the
|
|
90
94
|
http://dev.maxmind.com/geoip/geoip2/geolite2[MaxMind site].
|
|
91
95
|
|
|
92
|
-
. Copy
|
|
96
|
+
. Copy both database files to a single directory.
|
|
93
97
|
|
|
94
98
|
. https://www.elastic.co/downloads/elasticsearch[Download {es}].
|
|
95
99
|
|
|
@@ -169,14 +173,57 @@ Example response:
|
|
|
169
173
|
}
|
|
170
174
|
--------------------------------------------------
|
|
171
175
|
|
|
176
|
+
[id="plugins-{type}s-{plugin}-field-mapping"]
|
|
177
|
+
==== Field mapping
|
|
178
|
+
|
|
179
|
+
When this plugin is run with <<plugins-{type}s-{plugin}-ecs_compatibility>> disabled, the MaxMind DB's fields are added directly to the <<plugins-{type}s-{plugin}-target>>.
|
|
180
|
+
When ECS compatibility is enabled, the fields are structured to fit into an ECS shape.
|
|
181
|
+
|
|
182
|
+
[cols="3,5,3"]
|
|
183
|
+
|===========================
|
|
184
|
+
| Database Field Name | ECS Field | Example
|
|
185
|
+
|
|
186
|
+
| `ip` | `[ip]` | `12.34.56.78`
|
|
187
|
+
|
|
188
|
+
| `city_name` | `[geo][city_name]` | `Seattle`
|
|
189
|
+
| `country_name` | `[geo][country_name]` | `United States`
|
|
190
|
+
| `continent_code` | `[geo][continent_code]` | `NA`
|
|
191
|
+
| `continent_name` | `[geo][continent_name]` | `North America`
|
|
192
|
+
| `country_code2` | `[geo][country_iso_code]` | `US`
|
|
193
|
+
| `country_code3` | _N/A_ | `US`
|
|
194
|
+
|
|
195
|
+
_maintained for legacy
|
|
196
|
+
support, but populated
|
|
197
|
+
with 2-character country
|
|
198
|
+
code_
|
|
199
|
+
|
|
200
|
+
| `postal_code` | `[geo][postal_code]` | `98106`
|
|
201
|
+
| `region_name` | `[geo][region_name]` | `Washington`
|
|
202
|
+
| `region_code` | `[geo][region_code]` | `WA`
|
|
203
|
+
| `region_iso_code`* | `[geo][region_iso_code]` | `US-WA`
|
|
204
|
+
| `timezone` | `[geo][timezone]` | `America/Los_Angeles`
|
|
205
|
+
| `location`* | `[geo][location]` | `{"lat": 47.6062, "lon": -122.3321}"`
|
|
206
|
+
| `latitude` | `[geo][location][lat]` | `47.6062`
|
|
207
|
+
| `longitude` | `[geo][location][lon]` | `-122.3321`
|
|
208
|
+
|
|
209
|
+
| `domain` | `[domain]` | `example.com`
|
|
210
|
+
|
|
211
|
+
| `asn` | `[as][number]` | `98765`
|
|
212
|
+
| `as_org` | `[as][organization][name]` | `Elastic, NV`
|
|
213
|
+
|
|
214
|
+
| `isp` | `[mmdb][isp]` | `InterLink Supra LLC`
|
|
215
|
+
| `dma_code` | `[mmdb][dma_code]` | `819`
|
|
216
|
+
| `organization` | `[mmdb][organization]` | `Elastic, NV`
|
|
217
|
+
|===========================
|
|
218
|
+
|
|
219
|
+
NOTE: `*` indicates a composite field, which is only populated if GeoIP lookup result contains all components.
|
|
220
|
+
|
|
172
221
|
==== Details
|
|
173
222
|
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
{logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] maps
|
|
179
|
-
the `[geoip][location]` field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
|
|
223
|
+
When using a City database, the enrichment is aborted if no latitude/longitude pair is available.
|
|
224
|
+
|
|
225
|
+
The `location` field combines the latitude and longitude into a structure called https://datatracker.ietf.org/doc/html/rfc7946[GeoJSON].
|
|
226
|
+
When you are using a default <<plugins-{type}s-{plugin}-target>>, the templates provided by the {logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] map the field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
|
|
180
227
|
|
|
181
228
|
As this field is a `geo_point` _and_ it is still valid GeoJSON, you get
|
|
182
229
|
the awesomeness of Elasticsearch's geospatial query, facet and filter functions
|
|
@@ -242,16 +289,16 @@ number of cache misses and waste memory.
|
|
|
242
289
|
===== `database`
|
|
243
290
|
|
|
244
291
|
* Value type is <<path,path>>
|
|
245
|
-
* If not specified, the database defaults to the GeoLite2 City database that ships with Logstash.
|
|
292
|
+
* If not specified, the database defaults to the `GeoLite2 City` database that ships with Logstash.
|
|
246
293
|
|
|
247
|
-
The path to MaxMind's database file that Logstash should use.
|
|
248
|
-
|
|
249
|
-
|
|
294
|
+
The path to MaxMind's database file that Logstash should use.
|
|
295
|
+
The default database is `GeoLite2-City`.
|
|
296
|
+
This plugin supports several free databases (`GeoLite2-City`, `GeoLite2-Country`, `GeoLite2-ASN`)
|
|
297
|
+
and a selection of commercially-licensed databases (`GeoIP2-City`, `GeoIP2-ISP`, `GeoIP2-Country`).
|
|
250
298
|
|
|
251
|
-
Database auto-update applies to default distribution.
|
|
252
|
-
auto-update
|
|
253
|
-
See
|
|
254
|
-
<<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
|
|
299
|
+
Database auto-update applies to the default distribution.
|
|
300
|
+
When `database` points to user's database path, auto-update is disabled.
|
|
301
|
+
See <<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
|
|
255
302
|
|
|
256
303
|
[id="plugins-{type}s-{plugin}-default_database_type"]
|
|
257
304
|
===== `default_database_type`
|
|
@@ -270,13 +317,10 @@ This plugin now includes both the GeoLite2-City and GeoLite2-ASN databases. If
|
|
|
270
317
|
|
|
271
318
|
An array of geoip fields to be included in the event.
|
|
272
319
|
|
|
273
|
-
Possible fields depend on the database type.
|
|
274
|
-
are included in the event.
|
|
320
|
+
Possible fields depend on the database type.
|
|
321
|
+
By default, all geoip fields from the relevant database are included in the event.
|
|
275
322
|
|
|
276
|
-
For
|
|
277
|
-
`city_name`, `continent_code`, `country_code2`, `country_code3`, `country_name`,
|
|
278
|
-
`dma_code`, `ip`, `latitude`, `location`, `longitude`, `postal_code`, `region_code`,
|
|
279
|
-
`region_name` and `timezone`.
|
|
323
|
+
For a complete list of available fields and how they map to an event's structure, see <<plugins-{type}s-{plugin}-field-mapping,field mapping>>.
|
|
280
324
|
|
|
281
325
|
[id="plugins-{type}s-{plugin}-ecs_compatibility"]
|
|
282
326
|
===== `ecs_compatibility`
|
|
@@ -284,7 +328,7 @@ For the built-in GeoLite2 City database, the following are available:
|
|
|
284
328
|
* Value type is <<string,string>>
|
|
285
329
|
* Supported values are:
|
|
286
330
|
** `disabled`: unstructured geo data added at root level
|
|
287
|
-
** `v1`, `v8`:
|
|
331
|
+
** `v1`, `v8`: use fields that are compatible with Elastic Common Schema. Example: `[client][geo][country_name]`. See <<plugins-{type}s-{plugin}-field-mapping,field mapping>> for more info.
|
|
288
332
|
* Default value depends on which version of Logstash is running:
|
|
289
333
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
|
290
334
|
** Otherwise, the default value is `disabled`.
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-geoip'
|
|
4
|
-
s.version = '7.2.
|
|
4
|
+
s.version = '7.2.12'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Adds geographical information about an IP address"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
|
@@ -27,6 +27,10 @@ describe LogStash::Filters::GeoIP do
|
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
context "with city database" do
|
|
30
|
+
# example.com, has been static for 10+ years
|
|
31
|
+
# and has city-level details
|
|
32
|
+
let(:ip) { "93.184.216.34" }
|
|
33
|
+
|
|
30
34
|
let(:options) { common_options }
|
|
31
35
|
|
|
32
36
|
it "should return geo in target" do
|
|
@@ -36,15 +40,23 @@ describe LogStash::Filters::GeoIP do
|
|
|
36
40
|
expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to eq 'US'
|
|
37
41
|
expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to eq 'United States'
|
|
38
42
|
expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to eq 'NA'
|
|
39
|
-
expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq
|
|
40
|
-
expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -
|
|
43
|
+
expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq 42.1596
|
|
44
|
+
expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -70.8217
|
|
45
|
+
expect( event.get ecs_select[disabled: "[#{target}][city_name]", v1: "[#{target}][geo][city_name]"] ).to eq 'Norwell'
|
|
46
|
+
expect( event.get ecs_select[disabled: "[#{target}][dma_code]", v1: "[#{target}][mmdb][dma_code]"] ).to eq 506
|
|
47
|
+
expect( event.get ecs_select[disabled: "[#{target}][region_name]", v1: "[#{target}][geo][region_name]"] ).to eq 'Massachusetts'
|
|
41
48
|
|
|
42
49
|
if ecs_select.active_mode == :disabled
|
|
43
50
|
expect( event.get "[#{target}][country_code3]" ).to eq 'US'
|
|
51
|
+
expect( event.get "[#{target}][region_code]" ).to eq 'MA'
|
|
52
|
+
expect( event.get "[#{target}][region_iso_code]" ).to be_nil
|
|
44
53
|
else
|
|
45
54
|
expect( event.get "[#{target}][geo][country_code3]" ).to be_nil
|
|
46
55
|
expect( event.get "[#{target}][country_code3]" ).to be_nil
|
|
56
|
+
expect( event.get "[#{target}][geo][region_iso_code]" ).to eq 'US-MA'
|
|
57
|
+
expect( event.get "[#{target}][region_code]" ).to be_nil
|
|
47
58
|
end
|
|
59
|
+
puts event.to_hash.inspect
|
|
48
60
|
end
|
|
49
61
|
end
|
|
50
62
|
|
|
Binary file
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-geoip
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.2.
|
|
4
|
+
version: 7.2.12
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-03-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|