logstash-filter-geoip 2.0.2 → 2.0.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -2
- data/CONTRIBUTORS +1 -0
- data/README.md +3 -0
- data/lib/logstash/filters/geoip.rb +22 -15
- data/logstash-filter-geoip.gemspec +1 -1
- data/spec/filters/geoip_spec.rb +65 -26
- metadata +28 -28
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e4fabe098f9ced70d73a826e6c9d85e50092b0ec
|
4
|
+
data.tar.gz: d73e071f69b23f2d19ad414a7b01e1d697c8f567
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1836cb3e6392c03892624d5c95fbfedeee16f50f99b0eeaeea63d0f1a3bf5b1ac72089902151a2cdfa5e2abd5e1ba907b24aadf6351f519c0ff504b01cfc7423
|
7
|
+
data.tar.gz: d7ca6a1a6e2745b599c5f2470e6ef023fff8d4bef0690d02feba9735a0e766bcea52465f65c3a1658e6cae1f666d2241a510c732d5fae198bb3bab1f4f8d3255
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,14 @@
|
|
1
|
+
## 2.0.3
|
2
|
+
- Fix Issue 50, incorrect data returned when geo lookup fails
|
3
|
+
|
4
|
+
## 2.0.2
|
5
|
+
- Update core dependency in gemspec
|
6
|
+
|
7
|
+
## 2.0.1
|
8
|
+
- Remove filter? call
|
9
|
+
|
1
10
|
## 2.0.0
|
2
|
-
- Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
|
11
|
+
- Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
|
3
12
|
instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
|
4
13
|
- Dependency on logstash-core update to 2.0
|
5
14
|
|
@@ -8,4 +17,4 @@
|
|
8
17
|
* 1.1.1
|
9
18
|
- Lazy-load LRU cache
|
10
19
|
* 1.1.0
|
11
|
-
- Add LRU cache
|
20
|
+
- Add LRU cache
|
data/CONTRIBUTORS
CHANGED
@@ -16,6 +16,7 @@ Contributors:
|
|
16
16
|
* Suyog Rao (suyograo)
|
17
17
|
* Vincent Batts (vbatts)
|
18
18
|
* avleen
|
19
|
+
* Guy Boertje (guyboertje)
|
19
20
|
|
20
21
|
Note: If you've sent us patches, bug reports, or otherwise contributed to
|
21
22
|
Logstash, and you aren't on the list above and want to be, please let us know
|
data/README.md
CHANGED
@@ -1,5 +1,8 @@
|
|
1
1
|
# Logstash Plugin
|
2
2
|
|
3
|
+
[![Build
|
4
|
+
Status](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-geoip-unit/badge/icon)](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-geoip-unit/)
|
5
|
+
|
3
6
|
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
4
7
|
|
5
8
|
It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
|
@@ -12,7 +12,7 @@ require "lru_redux"
|
|
12
12
|
# http://geojson.org/geojson-spec.html[GeoJSON] format. Additionally,
|
13
13
|
# the default Elasticsearch template provided with the
|
14
14
|
# <<plugins-outputs-elasticsearch,`elasticsearch` output>> maps
|
15
|
-
# the `[geoip][location]` field to an https://www.elastic.co/guide/en/elasticsearch/reference/
|
15
|
+
# the `[geoip][location]` field to an https://www.elastic.co/guide/en/elasticsearch/reference/1.7/mapping-geo-point-type.html#_mapping_options[Elasticsearch geo_point].
|
16
16
|
#
|
17
17
|
# As this field is a `geo_point` _and_ it is still valid GeoJSON, you get
|
18
18
|
# the awesomeness of Elasticsearch's geospatial query, facet and filter functions
|
@@ -124,22 +124,25 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
|
|
124
124
|
|
125
125
|
public
|
126
126
|
def filter(event)
|
127
|
-
|
127
|
+
|
128
128
|
geo_data = nil
|
129
129
|
|
130
130
|
geo_data = get_geo_data(event)
|
131
131
|
|
132
|
-
|
133
|
-
|
134
|
-
apply_geodata(geo_data, event)
|
132
|
+
# defense against GeoIP code returning something that can't be made a hash
|
133
|
+
return unless geo_data.respond_to?(:to_hash)
|
135
134
|
|
136
|
-
|
135
|
+
event[@target] = {} if event[@target].nil?
|
136
|
+
geo_data_hash = geo_data.to_hash
|
137
|
+
# don't do anything more if the lookup result is empty
|
138
|
+
if !geo_data_hash.empty?
|
139
|
+
apply_geodata(geo_data_hash, event)
|
140
|
+
filter_matched(event)
|
141
|
+
end
|
137
142
|
end # def filter
|
138
143
|
|
139
|
-
def apply_geodata(
|
140
|
-
geo_data_hash = geo_data.to_hash
|
144
|
+
def apply_geodata(geo_data_hash, event)
|
141
145
|
geo_data_hash.delete(:request)
|
142
|
-
event[@target] = {} if event[@target].nil?
|
143
146
|
if geo_data_hash.key?(:latitude) && geo_data_hash.key?(:longitude)
|
144
147
|
# If we have latitude and longitude values, add the location field as GeoJSON array
|
145
148
|
geo_data_hash[:location] = [ geo_data_hash[:longitude].to_f, geo_data_hash[:latitude].to_f ]
|
@@ -164,14 +167,18 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
|
|
164
167
|
end
|
165
168
|
|
166
169
|
def get_geo_data(event)
|
170
|
+
# pure function, must control return value
|
171
|
+
result = {}
|
167
172
|
ip = event[@source]
|
168
173
|
ip = ip.first if ip.is_a? Array
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
174
|
+
begin
|
175
|
+
result = get_geo_data_for_ip(ip)
|
176
|
+
rescue SocketError => e
|
177
|
+
@logger.error("IP Field contained invalid IP address or hostname", :field => @source, :event => event)
|
178
|
+
rescue StandardError => e
|
179
|
+
@logger.error("Unknown error while looking up GeoIP data", :exception => e, :field => @source, :event => event)
|
180
|
+
end
|
181
|
+
result
|
175
182
|
end
|
176
183
|
|
177
184
|
def get_geo_data_for_ip(ip)
|
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-filter-geoip'
|
4
|
-
s.version = '2.0.
|
4
|
+
s.version = '2.0.3'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "$summary"
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
data/spec/filters/geoip_spec.rb
CHANGED
@@ -2,6 +2,7 @@ require "logstash/devutils/rspec/spec_helper"
|
|
2
2
|
require "logstash/filters/geoip"
|
3
3
|
|
4
4
|
ASNDB = ::Dir.glob(::File.expand_path("../../vendor/", ::File.dirname(__FILE__))+"/GeoIPASNum*.dat").first
|
5
|
+
CITYDB = ::Dir.glob(::File.expand_path("../../vendor/", ::File.dirname(__FILE__))+"/GeoLiteCity*.dat").first
|
5
6
|
|
6
7
|
describe LogStash::Filters::GeoIP do
|
7
8
|
|
@@ -31,7 +32,7 @@ describe LogStash::Filters::GeoIP do
|
|
31
32
|
filter {
|
32
33
|
geoip {
|
33
34
|
source => "ip"
|
34
|
-
#database => "
|
35
|
+
#database => "#{CITYDB}"
|
35
36
|
}
|
36
37
|
}
|
37
38
|
CONFIG
|
@@ -54,32 +55,42 @@ describe LogStash::Filters::GeoIP do
|
|
54
55
|
end
|
55
56
|
end
|
56
57
|
|
57
|
-
describe "
|
58
|
+
describe "normal operations" do
|
58
59
|
config <<-CONFIG
|
59
60
|
filter {
|
60
61
|
geoip {
|
61
62
|
source => "ip"
|
62
|
-
#database => "
|
63
|
+
#database => "#{CITYDB}"
|
63
64
|
target => src_ip
|
65
|
+
add_tag => "done"
|
64
66
|
}
|
65
67
|
}
|
66
68
|
CONFIG
|
67
69
|
|
68
|
-
|
69
|
-
insist { subject }.include?("src_ip")
|
70
|
+
context "when specifying the target" do
|
70
71
|
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
72
|
+
sample("ip" => "8.8.8.8") do
|
73
|
+
expect(subject).to include("src_ip")
|
74
|
+
|
75
|
+
expected_fields = %w(ip country_code2 country_code3 country_name
|
76
|
+
continent_code region_name city_name postal_code
|
77
|
+
latitude longitude dma_code area_code timezone
|
78
|
+
location )
|
79
|
+
expected_fields.each do |f|
|
80
|
+
expect(subject["src_ip"]).to include(f)
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
sample("ip" => "127.0.0.1") do
|
85
|
+
# assume geoip fails on localhost lookups
|
86
|
+
expect(subject).not_to include("src_ip")
|
77
87
|
end
|
78
88
|
end
|
79
89
|
|
80
|
-
|
81
|
-
|
82
|
-
|
90
|
+
context "when specifying add_tag" do
|
91
|
+
sample("ip" => "8.8.8.8") do
|
92
|
+
expect(subject["tags"]).to include("done")
|
93
|
+
end
|
83
94
|
end
|
84
95
|
end
|
85
96
|
|
@@ -104,6 +115,7 @@ describe LogStash::Filters::GeoIP do
|
|
104
115
|
end
|
105
116
|
insist { checked } > 0
|
106
117
|
end
|
118
|
+
|
107
119
|
sample("ip" => "189.2.0.0") do
|
108
120
|
checked = 0
|
109
121
|
expected_fields.each do |f|
|
@@ -181,18 +193,45 @@ describe LogStash::Filters::GeoIP do
|
|
181
193
|
}
|
182
194
|
}
|
183
195
|
CONFIG
|
184
|
-
|
185
|
-
context "should not raise an error" do
|
196
|
+
describe "should not raise an error" do
|
186
197
|
sample("ip" => "-") do
|
187
|
-
expect{
|
188
|
-
subject
|
189
|
-
}.to_not raise_error
|
198
|
+
expect{ subject }.to_not raise_error
|
190
199
|
end
|
191
200
|
|
192
201
|
sample("ip" => "~") do
|
193
|
-
expect{
|
194
|
-
|
195
|
-
|
202
|
+
expect{ subject }.to_not raise_error
|
203
|
+
end
|
204
|
+
end
|
205
|
+
|
206
|
+
describe "filter method outcomes" do
|
207
|
+
let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message", "add_tag" => "done", "database" => ASNDB) }
|
208
|
+
let(:event) { LogStash::Event.new("message" => ipstring) }
|
209
|
+
|
210
|
+
before do
|
211
|
+
plugin.register
|
212
|
+
plugin.filter(event)
|
213
|
+
end
|
214
|
+
|
215
|
+
context "when the bad IP is N/A" do
|
216
|
+
# regression test for issue https://github.com/logstash-plugins/logstash-filter-geoip/issues/50
|
217
|
+
let(:ipstring) { "N/A" }
|
218
|
+
|
219
|
+
it "should set the target field to an empty hash" do
|
220
|
+
expect(event["geoip"]).to eq({})
|
221
|
+
end
|
222
|
+
|
223
|
+
it "should not have added any tags" do
|
224
|
+
expect(event["tags"]).to be_nil
|
225
|
+
end
|
226
|
+
end
|
227
|
+
|
228
|
+
context "when the bad IP is two ip comma separated" do
|
229
|
+
# regression test for issue https://github.com/logstash-plugins/logstash-filter-geoip/issues/51
|
230
|
+
let(:ipstring) { "123.45.67.89,61.160.232.222" }
|
231
|
+
|
232
|
+
it "should set the target field to an empty hash" do
|
233
|
+
expect(event["geoip"]).to eq({})
|
234
|
+
end
|
196
235
|
end
|
197
236
|
end
|
198
237
|
|
@@ -232,10 +271,10 @@ describe LogStash::Filters::GeoIP do
|
|
232
271
|
end
|
233
272
|
|
234
273
|
it "should dup the objects" do
|
235
|
-
event = {}
|
236
|
-
alt_event = {}
|
237
|
-
plugin.apply_geodata(geo_data, event)
|
238
|
-
plugin.apply_geodata(geo_data, alt_event)
|
274
|
+
event = { "geoip" => {} }
|
275
|
+
alt_event = { "geoip" => {} }
|
276
|
+
plugin.apply_geodata(geo_data.to_hash, event)
|
277
|
+
plugin.apply_geodata(geo_data.to_hash, alt_event)
|
239
278
|
|
240
279
|
event["geoip"].each do |k,v|
|
241
280
|
alt_v = alt_event["geoip"][k]
|
metadata
CHANGED
@@ -1,17 +1,18 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-filter-geoip
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2015-
|
11
|
+
date: 2015-11-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
-
|
14
|
+
name: logstash-core
|
15
|
+
version_requirements: !ruby/object:Gem::Requirement
|
15
16
|
requirements:
|
16
17
|
- - '>='
|
17
18
|
- !ruby/object:Gem::Version
|
@@ -19,10 +20,7 @@ dependencies:
|
|
19
20
|
- - <
|
20
21
|
- !ruby/object:Gem::Version
|
21
22
|
version: 3.0.0
|
22
|
-
|
23
|
-
prerelease: false
|
24
|
-
type: :runtime
|
25
|
-
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirement: !ruby/object:Gem::Requirement
|
26
24
|
requirements:
|
27
25
|
- - '>='
|
28
26
|
- !ruby/object:Gem::Version
|
@@ -30,65 +28,67 @@ dependencies:
|
|
30
28
|
- - <
|
31
29
|
- !ruby/object:Gem::Version
|
32
30
|
version: 3.0.0
|
31
|
+
prerelease: false
|
32
|
+
type: :runtime
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
|
+
name: geoip
|
35
|
+
version_requirements: !ruby/object:Gem::Requirement
|
36
|
+
requirements:
|
37
|
+
- - '>='
|
38
|
+
- !ruby/object:Gem::Version
|
39
|
+
version: 1.3.2
|
34
40
|
requirement: !ruby/object:Gem::Requirement
|
35
41
|
requirements:
|
36
42
|
- - '>='
|
37
43
|
- !ruby/object:Gem::Version
|
38
44
|
version: 1.3.2
|
39
|
-
name: geoip
|
40
45
|
prerelease: false
|
41
46
|
type: :runtime
|
47
|
+
- !ruby/object:Gem::Dependency
|
48
|
+
name: lru_redux
|
42
49
|
version_requirements: !ruby/object:Gem::Requirement
|
43
50
|
requirements:
|
44
|
-
- -
|
51
|
+
- - ~>
|
45
52
|
- !ruby/object:Gem::Version
|
46
|
-
version: 1.
|
47
|
-
- !ruby/object:Gem::Dependency
|
53
|
+
version: 1.1.0
|
48
54
|
requirement: !ruby/object:Gem::Requirement
|
49
55
|
requirements:
|
50
56
|
- - ~>
|
51
57
|
- !ruby/object:Gem::Version
|
52
58
|
version: 1.1.0
|
53
|
-
name: lru_redux
|
54
59
|
prerelease: false
|
55
60
|
type: :runtime
|
61
|
+
- !ruby/object:Gem::Dependency
|
62
|
+
name: logstash-devutils
|
56
63
|
version_requirements: !ruby/object:Gem::Requirement
|
57
64
|
requirements:
|
58
|
-
- -
|
65
|
+
- - '>='
|
59
66
|
- !ruby/object:Gem::Version
|
60
|
-
version:
|
61
|
-
- !ruby/object:Gem::Dependency
|
67
|
+
version: '0'
|
62
68
|
requirement: !ruby/object:Gem::Requirement
|
63
69
|
requirements:
|
64
70
|
- - '>='
|
65
71
|
- !ruby/object:Gem::Version
|
66
72
|
version: '0'
|
67
|
-
name: logstash-devutils
|
68
73
|
prerelease: false
|
69
74
|
type: :development
|
70
|
-
version_requirements: !ruby/object:Gem::Requirement
|
71
|
-
requirements:
|
72
|
-
- - '>='
|
73
|
-
- !ruby/object:Gem::Version
|
74
|
-
version: '0'
|
75
75
|
description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
|
76
76
|
email: info@elastic.co
|
77
77
|
executables: []
|
78
78
|
extensions: []
|
79
79
|
extra_rdoc_files: []
|
80
80
|
files:
|
81
|
+
- lib/logstash/filters/geoip.rb
|
82
|
+
- spec/filters/geoip_spec.rb
|
83
|
+
- vendor/GeoLiteCity-2013-01-18.dat
|
84
|
+
- vendor/GeoIPASNum-2014-02-12.dat
|
85
|
+
- logstash-filter-geoip.gemspec
|
81
86
|
- CHANGELOG.md
|
87
|
+
- README.md
|
82
88
|
- CONTRIBUTORS
|
83
89
|
- Gemfile
|
84
90
|
- LICENSE
|
85
91
|
- NOTICE.TXT
|
86
|
-
- README.md
|
87
|
-
- lib/logstash/filters/geoip.rb
|
88
|
-
- logstash-filter-geoip.gemspec
|
89
|
-
- spec/filters/geoip_spec.rb
|
90
|
-
- vendor/GeoIPASNum-2014-02-12.dat
|
91
|
-
- vendor/GeoLiteCity-2013-01-18.dat
|
92
92
|
homepage: http://www.elastic.co/guide/en/logstash/current/index.html
|
93
93
|
licenses:
|
94
94
|
- Apache License (2.0)
|
@@ -111,7 +111,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
111
111
|
version: '0'
|
112
112
|
requirements: []
|
113
113
|
rubyforge_project:
|
114
|
-
rubygems_version: 2.
|
114
|
+
rubygems_version: 2.1.9
|
115
115
|
signing_key:
|
116
116
|
specification_version: 4
|
117
117
|
summary: $summary
|