logstash-filter-geoip 3.0.0.beta2-java → 3.0.0.beta3-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/filters/geoip.rb +69 -51
- data/logstash-filter-geoip.gemspec +1 -1
- data/spec/filters/geoip_spec.rb +29 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cb67c00c5522d0ee47841e2e0c190cf31bec3b39
|
|
4
|
+
data.tar.gz: 57f746ef6d54bc23cab08c3bd936f19ddbc6e33c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2f8d34ddce2f3bf78912b8936bd92dd03e5be5bca6a2ddba7c791d846a82b29f8479f5d908302e75f3893264c94e43a0ef067bbfed1e971212133b13b056a989
|
|
7
|
+
data.tar.gz: 7cc2e5fc6fff4156eaecda1996cb02bc5ffed209092920651916edbb87a1e32dcd57199c37346688c80cd046d208e92522e121376c037c46a97b5b8d017147c8
|
data/CHANGELOG.md
CHANGED
|
@@ -119,6 +119,9 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
|
|
|
119
119
|
# to having multiple caches for different instances at different points in the pipeline, that would just increase the
|
|
120
120
|
# number of cache misses and waste memory.
|
|
121
121
|
config :lru_cache_size, :validate => :number, :default => 1000
|
|
122
|
+
|
|
123
|
+
# Tags the event on failure to look up geo information. This can be used in later analysis.
|
|
124
|
+
config :tag_on_failure, :validate => :array, :default => ["_geoip_lookup_failure"]
|
|
122
125
|
|
|
123
126
|
public
|
|
124
127
|
def register
|
|
@@ -150,69 +153,84 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
|
|
|
150
153
|
begin
|
|
151
154
|
ip = event[@source]
|
|
152
155
|
ip = ip.first if ip.is_a? Array
|
|
156
|
+
geo_data_hash = Hash.new
|
|
153
157
|
ip_address = InetAddress.getByName(ip)
|
|
154
158
|
response = @parser.city(ip_address)
|
|
155
|
-
|
|
156
|
-
subdivision = response.getMostSpecificSubdivision()
|
|
157
|
-
city = response.getCity()
|
|
158
|
-
postal = response.getPostal()
|
|
159
|
-
location = response.getLocation()
|
|
160
|
-
|
|
161
|
-
geo_data_hash = Hash.new()
|
|
162
|
-
|
|
163
|
-
@fields.each do |field|
|
|
164
|
-
case field
|
|
165
|
-
when "city_name"
|
|
166
|
-
geo_data_hash["city_name"] = city.getName()
|
|
167
|
-
when "country_name"
|
|
168
|
-
geo_data_hash["country_name"] = country.getName()
|
|
169
|
-
when "continent_code"
|
|
170
|
-
geo_data_hash["continent_code"] = response.getContinent().getCode()
|
|
171
|
-
when "continent_name"
|
|
172
|
-
geo_data_hash["continent_name"] = response.getContinent().getName()
|
|
173
|
-
when "country_code2"
|
|
174
|
-
geo_data_hash["country_code2"] = country.getIsoCode()
|
|
175
|
-
when "country_code3"
|
|
176
|
-
geo_data_hash["country_code3"] = country.getIsoCode()
|
|
177
|
-
when "ip"
|
|
178
|
-
geo_data_hash["ip"] = ip_address.getHostAddress()
|
|
179
|
-
when "postal_code"
|
|
180
|
-
geo_data_hash["postal_code"] = postal.getCode()
|
|
181
|
-
when "dma_code"
|
|
182
|
-
geo_data_hash["dma_code"] = location.getMetroCode()
|
|
183
|
-
when "region_name"
|
|
184
|
-
geo_data_hash["region_name"] = subdivision.getName()
|
|
185
|
-
when "region_code"
|
|
186
|
-
geo_data_hash["region_code"] = subdivision.getIsoCode()
|
|
187
|
-
when "timezone"
|
|
188
|
-
geo_data_hash["timezone"] = location.getTimeZone()
|
|
189
|
-
when "location"
|
|
190
|
-
geo_data_hash["location"] = [ location.getLongitude(), location.getLatitude() ]
|
|
191
|
-
when "latitude"
|
|
192
|
-
geo_data_hash["latitude"] = location.getLatitude()
|
|
193
|
-
when "longitude"
|
|
194
|
-
geo_data_hash["longitude"] = location.getLongitude()
|
|
195
|
-
else
|
|
196
|
-
raise Exception.new("[#{field}] is not a supported field option.")
|
|
197
|
-
end
|
|
198
|
-
end
|
|
199
|
-
|
|
159
|
+
populate_geo_data(response, ip_address, geo_data_hash)
|
|
200
160
|
rescue com.maxmind.geoip2.exception.AddressNotFoundException => e
|
|
201
161
|
@logger.debug("IP not found!", :exception => e, :field => @source, :event => event)
|
|
202
|
-
event[@target] = {}
|
|
203
|
-
return
|
|
204
162
|
rescue java.net.UnknownHostException => e
|
|
205
163
|
@logger.error("IP Field contained invalid IP address or hostname", :exception => e, :field => @source, :event => event)
|
|
206
|
-
event[@target] = {}
|
|
207
|
-
return
|
|
208
164
|
rescue Exception => e
|
|
209
165
|
@logger.error("Unknown error while looking up GeoIP data", :exception => e, :field => @source, :event => event)
|
|
210
|
-
|
|
211
|
-
|
|
166
|
+
# Dont' swallow this, bubble up for unknown issue
|
|
167
|
+
raise e
|
|
212
168
|
end
|
|
213
169
|
|
|
214
170
|
event[@target] = geo_data_hash
|
|
215
171
|
|
|
172
|
+
if geo_data_hash.empty?
|
|
173
|
+
tag_unsuccessful_lookup(event)
|
|
174
|
+
return
|
|
175
|
+
end
|
|
176
|
+
|
|
216
177
|
filter_matched(event)
|
|
217
178
|
end # def filter
|
|
179
|
+
|
|
180
|
+
def populate_geo_data(response, ip_address, geo_data_hash)
|
|
181
|
+
country = response.getCountry()
|
|
182
|
+
subdivision = response.getMostSpecificSubdivision()
|
|
183
|
+
city = response.getCity()
|
|
184
|
+
postal = response.getPostal()
|
|
185
|
+
location = response.getLocation()
|
|
186
|
+
|
|
187
|
+
# if location is empty, there is no point populating geo data
|
|
188
|
+
# and most likely all other fields are empty as well
|
|
189
|
+
if location.getLatitude().nil? && location.getLongitude().nil?
|
|
190
|
+
return
|
|
191
|
+
end
|
|
192
|
+
|
|
193
|
+
@fields.each do |field|
|
|
194
|
+
case field
|
|
195
|
+
when "city_name"
|
|
196
|
+
geo_data_hash["city_name"] = city.getName()
|
|
197
|
+
when "country_name"
|
|
198
|
+
geo_data_hash["country_name"] = country.getName()
|
|
199
|
+
when "continent_code"
|
|
200
|
+
geo_data_hash["continent_code"] = response.getContinent().getCode()
|
|
201
|
+
when "continent_name"
|
|
202
|
+
geo_data_hash["continent_name"] = response.getContinent().getName()
|
|
203
|
+
when "country_code2"
|
|
204
|
+
geo_data_hash["country_code2"] = country.getIsoCode()
|
|
205
|
+
when "country_code3"
|
|
206
|
+
geo_data_hash["country_code3"] = country.getIsoCode()
|
|
207
|
+
when "ip"
|
|
208
|
+
geo_data_hash["ip"] = ip_address.getHostAddress()
|
|
209
|
+
when "postal_code"
|
|
210
|
+
geo_data_hash["postal_code"] = postal.getCode()
|
|
211
|
+
when "dma_code"
|
|
212
|
+
geo_data_hash["dma_code"] = location.getMetroCode()
|
|
213
|
+
when "region_name"
|
|
214
|
+
geo_data_hash["region_name"] = subdivision.getName()
|
|
215
|
+
when "region_code"
|
|
216
|
+
geo_data_hash["region_code"] = subdivision.getIsoCode()
|
|
217
|
+
when "timezone"
|
|
218
|
+
geo_data_hash["timezone"] = location.getTimeZone()
|
|
219
|
+
when "location"
|
|
220
|
+
geo_data_hash["location"] = [ location.getLongitude(), location.getLatitude() ]
|
|
221
|
+
when "latitude"
|
|
222
|
+
geo_data_hash["latitude"] = location.getLatitude()
|
|
223
|
+
when "longitude"
|
|
224
|
+
geo_data_hash["longitude"] = location.getLongitude()
|
|
225
|
+
else
|
|
226
|
+
raise Exception.new("[#{field}] is not a supported field option.")
|
|
227
|
+
end
|
|
228
|
+
end
|
|
229
|
+
end
|
|
230
|
+
|
|
231
|
+
def tag_unsuccessful_lookup(event)
|
|
232
|
+
@logger.debug? && @logger.debug("IP #{event[@source]} was not found in the database", :event => event)
|
|
233
|
+
@tag_on_failure.each{|tag| event.tag(tag)}
|
|
234
|
+
end
|
|
235
|
+
|
|
218
236
|
end # class LogStash::Filters::GeoIP
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-geoip'
|
|
4
|
-
s.version = '3.0.0.
|
|
4
|
+
s.version = '3.0.0.beta3'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "$summary"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/spec/filters/geoip_spec.rb
CHANGED
|
@@ -173,8 +173,8 @@ describe LogStash::Filters::GeoIP do
|
|
|
173
173
|
expect(event["geoip"]).to eq({})
|
|
174
174
|
end
|
|
175
175
|
|
|
176
|
-
it "should
|
|
177
|
-
expect(event["tags"]).to
|
|
176
|
+
it "should add failure tags" do
|
|
177
|
+
expect(event["tags"]).to include("_geoip_lookup_failure")
|
|
178
178
|
end
|
|
179
179
|
end
|
|
180
180
|
|
|
@@ -186,6 +186,33 @@ describe LogStash::Filters::GeoIP do
|
|
|
186
186
|
expect(event["geoip"]).to eq({})
|
|
187
187
|
end
|
|
188
188
|
end
|
|
189
|
+
|
|
190
|
+
context "when a IP is not found in the DB" do
|
|
191
|
+
let(:ipstring) { "113.208.89.21" }
|
|
192
|
+
|
|
193
|
+
it "should set the target field to an empty hash" do
|
|
194
|
+
expect(event["geoip"]).to eq({})
|
|
195
|
+
expect(event["tags"]).to include("_geoip_lookup_failure")
|
|
196
|
+
end
|
|
197
|
+
end
|
|
198
|
+
|
|
199
|
+
context "when IP is IPv6 format for localhost" do
|
|
200
|
+
let(:ipstring) { "::1" }
|
|
201
|
+
|
|
202
|
+
it "should set the target field to an empty hash" do
|
|
203
|
+
expect(event["geoip"]).to eq({})
|
|
204
|
+
end
|
|
205
|
+
end
|
|
206
|
+
|
|
207
|
+
context "when IP is IPv6 format" do
|
|
208
|
+
let(:ipstring) { "2607:f0d0:1002:51::4" }
|
|
209
|
+
|
|
210
|
+
it "should set the target field to an empty hash" do
|
|
211
|
+
expect(event["geoip"]).not_to be_empty
|
|
212
|
+
expect(event["geoip"]["city_name"]).not_to be_nil
|
|
213
|
+
end
|
|
214
|
+
end
|
|
215
|
+
|
|
189
216
|
end
|
|
190
217
|
|
|
191
218
|
context "should return the correct source field in the logging message" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-geoip
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.0.0.
|
|
4
|
+
version: 3.0.0.beta3
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-04-
|
|
11
|
+
date: 2016-04-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|