logstash-filter-geoip 2.0.3 → 2.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/filters/geoip.rb +51 -34
- data/logstash-filter-geoip.gemspec +1 -1
- data/spec/filters/geoip_spec.rb +4 -5
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 72506d5a7ea9264ac61e27b0b43fc845fc612d1a
|
|
4
|
+
data.tar.gz: e0086cf1590ddcf4158e254d3731d96d585ea90c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f9903608de6535b87cfae39756fa5d774681ff7ab6ae0d279de1c514648cbec2dd4ca37b3e3dc120553b96efb0e95115f303cd4857f9b82bdc8107b02fd53891
|
|
7
|
+
data.tar.gz: 150e64d646233afba52aac986f1fcf1e514c26e2611f74d1f08039ced40cb0aaffd85c01f125ad4bd05c597d4611fe047730a25e4b11ca9fb0ff3beb0b19e2e6
|
data/CHANGELOG.md
CHANGED
|
@@ -120,50 +120,32 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
|
|
|
120
120
|
LOOKUP_CACHE_INIT_MUTEX.synchronize do
|
|
121
121
|
self.lookup_cache = LOOKUP_CACHES[@geoip_type] ||= LruRedux::ThreadSafeCache.new(1000)
|
|
122
122
|
end
|
|
123
|
+
|
|
124
|
+
@no_fields = @fields.nil? || @fields.empty?
|
|
123
125
|
end # def register
|
|
124
126
|
|
|
125
127
|
public
|
|
126
128
|
def filter(event)
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
geo_data = get_geo_data(event)
|
|
131
|
-
|
|
132
|
-
# defense against GeoIP code returning something that can't be made a hash
|
|
133
|
-
return unless geo_data.respond_to?(:to_hash)
|
|
134
|
-
|
|
135
|
-
event[@target] = {} if event[@target].nil?
|
|
136
|
-
geo_data_hash = geo_data.to_hash
|
|
137
|
-
# don't do anything more if the lookup result is empty
|
|
138
|
-
if !geo_data_hash.empty?
|
|
139
|
-
apply_geodata(geo_data_hash, event)
|
|
129
|
+
geo_data_hash = get_geo_data(event)
|
|
130
|
+
if apply_geodata(geo_data_hash, event)
|
|
140
131
|
filter_matched(event)
|
|
141
132
|
end
|
|
142
133
|
end # def filter
|
|
143
134
|
|
|
144
135
|
def apply_geodata(geo_data_hash, event)
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
136
|
+
# don't do anything more if the lookup result is nil?
|
|
137
|
+
return false if geo_data_hash.nil?
|
|
138
|
+
# only set the event[@target] if the lookup result is not nil: BWC
|
|
139
|
+
event[@target] = {} if event[@target].nil?
|
|
140
|
+
# don't do anything more if the lookup result is empty?
|
|
141
|
+
return false if geo_data_hash.empty?
|
|
150
142
|
geo_data_hash.each do |key, value|
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
if value.is_a?(String)
|
|
155
|
-
# Some strings from GeoIP don't have the correct encoding...
|
|
156
|
-
value = case value.encoding
|
|
157
|
-
# I have found strings coming from GeoIP that are ASCII-8BIT are actually
|
|
158
|
-
# ISO-8859-1...
|
|
159
|
-
when Encoding::ASCII_8BIT; value.force_encoding(Encoding::ISO_8859_1).encode(Encoding::UTF_8)
|
|
160
|
-
when Encoding::ISO_8859_1, Encoding::US_ASCII; value.encode(Encoding::UTF_8)
|
|
161
|
-
else; value.dup
|
|
162
|
-
end
|
|
163
|
-
end
|
|
164
|
-
event[@target][key.to_s] = value
|
|
143
|
+
if @no_fields || @fields.include?(key)
|
|
144
|
+
# can't dup numerics
|
|
145
|
+
event[@target][key] = value.is_a?(Numeric) ? value : value.dup
|
|
165
146
|
end
|
|
166
147
|
end # geo_data_hash.each
|
|
148
|
+
true
|
|
167
149
|
end
|
|
168
150
|
|
|
169
151
|
def get_geo_data(event)
|
|
@@ -171,6 +153,7 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
|
|
|
171
153
|
result = {}
|
|
172
154
|
ip = event[@source]
|
|
173
155
|
ip = ip.first if ip.is_a? Array
|
|
156
|
+
return nil if ip.nil?
|
|
174
157
|
begin
|
|
175
158
|
result = get_geo_data_for_ip(ip)
|
|
176
159
|
rescue SocketError => e
|
|
@@ -187,11 +170,45 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
|
|
|
187
170
|
cached
|
|
188
171
|
else
|
|
189
172
|
geo_data = Thread.current[threadkey].send(@geoip_type, ip)
|
|
190
|
-
|
|
191
|
-
|
|
173
|
+
converted = prepare_geodata_for_cache(geo_data)
|
|
174
|
+
lookup_cache[ip] = converted
|
|
175
|
+
converted
|
|
192
176
|
end
|
|
193
177
|
end
|
|
194
178
|
|
|
179
|
+
def prepare_geodata_for_cache(geo_data)
|
|
180
|
+
# GeoIP returns a nil or a Struct subclass
|
|
181
|
+
return nil if !geo_data.respond_to?(:each_pair)
|
|
182
|
+
#lets just do this once before caching
|
|
183
|
+
result = {}
|
|
184
|
+
geo_data.each_pair do |k, v|
|
|
185
|
+
next if v.nil? || k == :request
|
|
186
|
+
if v.is_a?(String)
|
|
187
|
+
next if v.empty?
|
|
188
|
+
# Some strings from GeoIP don't have the correct encoding...
|
|
189
|
+
result[k.to_s] = case v.encoding
|
|
190
|
+
# I have found strings coming from GeoIP that are ASCII-8BIT are actually
|
|
191
|
+
# ISO-8859-1...
|
|
192
|
+
when Encoding::ASCII_8BIT
|
|
193
|
+
v.force_encoding(Encoding::ISO_8859_1).encode(Encoding::UTF_8)
|
|
194
|
+
when Encoding::ISO_8859_1, Encoding::US_ASCII
|
|
195
|
+
v.encode(Encoding::UTF_8)
|
|
196
|
+
else
|
|
197
|
+
v
|
|
198
|
+
end
|
|
199
|
+
else
|
|
200
|
+
result[k.to_s] = v
|
|
201
|
+
end
|
|
202
|
+
end
|
|
203
|
+
|
|
204
|
+
lat, lng = result.values_at("latitude", "longitude")
|
|
205
|
+
if lat && lng
|
|
206
|
+
result["location"] = [ lng.to_f, lat.to_f ]
|
|
207
|
+
end
|
|
208
|
+
|
|
209
|
+
result
|
|
210
|
+
end
|
|
211
|
+
|
|
195
212
|
def ensure_database!
|
|
196
213
|
# Use thread-local access to GeoIP. The Ruby GeoIP module forces a mutex
|
|
197
214
|
# around access to the database, which can be overcome with :pread.
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-geoip'
|
|
4
|
-
s.version = '2.0.
|
|
4
|
+
s.version = '2.0.4'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "$summary"
|
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
data/spec/filters/geoip_spec.rb
CHANGED
|
@@ -264,17 +264,16 @@ describe LogStash::Filters::GeoIP do
|
|
|
264
264
|
|
|
265
265
|
describe "returned object identities" do
|
|
266
266
|
let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message") }
|
|
267
|
-
let(:
|
|
267
|
+
let(:event) { LogStash::Event.new("message" => "8.8.8.8") }
|
|
268
|
+
let(:alt_event) { LogStash::Event.new("message" => "8.8.8.8") }
|
|
268
269
|
|
|
269
270
|
before do
|
|
270
271
|
plugin.register
|
|
271
272
|
end
|
|
272
273
|
|
|
273
274
|
it "should dup the objects" do
|
|
274
|
-
event
|
|
275
|
-
alt_event
|
|
276
|
-
plugin.apply_geodata(geo_data.to_hash, event)
|
|
277
|
-
plugin.apply_geodata(geo_data.to_hash, alt_event)
|
|
275
|
+
plugin.apply_geodata(plugin.get_geo_data(event), event)
|
|
276
|
+
plugin.apply_geodata(plugin.get_geo_data(alt_event), alt_event)
|
|
278
277
|
|
|
279
278
|
event["geoip"].each do |k,v|
|
|
280
279
|
alt_v = alt_event["geoip"][k]
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-geoip
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-11-
|
|
11
|
+
date: 2015-11-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logstash-core
|
|
@@ -83,8 +83,8 @@ files:
|
|
|
83
83
|
- vendor/GeoLiteCity-2013-01-18.dat
|
|
84
84
|
- vendor/GeoIPASNum-2014-02-12.dat
|
|
85
85
|
- logstash-filter-geoip.gemspec
|
|
86
|
-
- CHANGELOG.md
|
|
87
86
|
- README.md
|
|
87
|
+
- CHANGELOG.md
|
|
88
88
|
- CONTRIBUTORS
|
|
89
89
|
- Gemfile
|
|
90
90
|
- LICENSE
|