logstash-filter-geoip 7.2.10-java → 7.2.11-java
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4e1f0799be232e80ed3db8f0d31b4131c921d549183d2f47678af3fd9cdfd21f
|
|
4
|
+
data.tar.gz: e656dd5cd6440d13af48a7193f26962c4236267fcf2afd9bc0a9f4f8e8c5e3e5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eadc947645031bd5539ac42e910da0c1230d2137936eec668f23da4e6de6e55b5ceaa2a6eb1cf0b7699a43d61c03c1e6df95b51681e61d3983471070d1cac9aa
|
|
7
|
+
data.tar.gz: 9a5ee36471512f5724ebc7013d3d21bce6d64db50ac6874f8c45d2e8a8facbad14a428e4ea2857cbeb20d438e363dbcdad79a6133b851c98c575a82da0e91a1f
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
## 7.2.11
|
|
2
|
+
- Improved compatibility with the Elastic Common Schema [#206](https://github.com/logstash-plugins/logstash-filter-geoip/pull/206)
|
|
3
|
+
- Added support for ECS's composite `region_iso_code` (`US-WA`), which _replaces_ the non-ECS `region_code` (`WA`) as a default field with City databases. To get the stand-alone `region_code` in ECS mode, you must include it in the `fields` directive.
|
|
4
|
+
- [DOC] Improve ECS-related documentation
|
|
5
|
+
|
|
1
6
|
## 7.2.10
|
|
2
7
|
- [DOC] Air-gapped environment requires both ASN and City databases [#204](https://github.com/logstash-plugins/logstash-filter-geoip/pull/204)
|
|
3
8
|
|
data/docs/index.asciidoc
CHANGED
|
@@ -169,14 +169,57 @@ Example response:
|
|
|
169
169
|
}
|
|
170
170
|
--------------------------------------------------
|
|
171
171
|
|
|
172
|
+
[id="plugins-{type}s-{plugin}-field-mapping"]
|
|
173
|
+
==== Field mapping
|
|
174
|
+
|
|
175
|
+
When this plugin is run with <<plugins-{type}s-{plugin}-ecs_compatibility>> disabled, the MaxMind DB's fields are added directly to the <<plugins-{type}s-{plugin}-target>>.
|
|
176
|
+
When ECS compatibility is enabled, the fields are structured to fit into an ECS shape.
|
|
177
|
+
|
|
178
|
+
[cols="3,5,3"]
|
|
179
|
+
|===========================
|
|
180
|
+
| Database Field Name | ECS Field | Example
|
|
181
|
+
|
|
182
|
+
| `ip` | `[ip]` | `12.34.56.78`
|
|
183
|
+
|
|
184
|
+
| `city_name` | `[geo][city_name]` | `Seattle`
|
|
185
|
+
| `country_name` | `[geo][country_name]` | `United States`
|
|
186
|
+
| `continent_code` | `[geo][continent_code]` | `NA`
|
|
187
|
+
| `continent_name` | `[geo][continent_name]` | `North America`
|
|
188
|
+
| `country_code2` | `[geo][country_iso_code]` | `US`
|
|
189
|
+
| `country_code3` | _N/A_ | `US`
|
|
190
|
+
|
|
191
|
+
_maintained for legacy
|
|
192
|
+
support, but populated
|
|
193
|
+
with 2-character country
|
|
194
|
+
code_
|
|
195
|
+
|
|
196
|
+
| `postal_code` | `[geo][postal_code]` | `98106`
|
|
197
|
+
| `region_name` | `[geo][region_name]` | `Washington`
|
|
198
|
+
| `region_code` | `[geo][region_code]` | `WA`
|
|
199
|
+
| `region_iso_code`* | `[geo][region_iso_code]` | `US-WA`
|
|
200
|
+
| `timezone` | `[geo][timezone]` | `America/Los_Angeles`
|
|
201
|
+
| `location`* | `[geo][location]` | `{"lat": 47.6062, "lon": -122.3321}"`
|
|
202
|
+
| `latitude` | `[geo][location][lat]` | `47.6062`
|
|
203
|
+
| `longitude` | `[geo][location][lon]` | `-122.3321`
|
|
204
|
+
|
|
205
|
+
| `domain` | `[domain]` | `example.com`
|
|
206
|
+
|
|
207
|
+
| `asn` | `[as][number]` | `98765`
|
|
208
|
+
| `as_org` | `[as][organization][name]` | `Elastic, NV`
|
|
209
|
+
|
|
210
|
+
| `isp` | `[mmdb][isp]` | `InterLink Supra LLC`
|
|
211
|
+
| `dma_code` | `[mmdb][dma_code]` | `819`
|
|
212
|
+
| `organization` | `[mmdb][organization]` | `Elastic, NV`
|
|
213
|
+
|===========================
|
|
214
|
+
|
|
215
|
+
NOTE: `*` indicates a composite field, which is only populated if GeoIP lookup result contains all components.
|
|
216
|
+
|
|
172
217
|
==== Details
|
|
173
218
|
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
{logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] maps
|
|
179
|
-
the `[geoip][location]` field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
|
|
219
|
+
When using a City database, the enrichment is aborted if no latitude/longitude pair is available.
|
|
220
|
+
|
|
221
|
+
The `location` field combines the latitude and longitude into a structure called https://datatracker.ietf.org/doc/html/rfc7946[GeoJSON].
|
|
222
|
+
When you are using a default <<plugins-{type}s-{plugin}-target>>, the templates provided by the {logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] map the field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
|
|
180
223
|
|
|
181
224
|
As this field is a `geo_point` _and_ it is still valid GeoJSON, you get
|
|
182
225
|
the awesomeness of Elasticsearch's geospatial query, facet and filter functions
|
|
@@ -242,16 +285,16 @@ number of cache misses and waste memory.
|
|
|
242
285
|
===== `database`
|
|
243
286
|
|
|
244
287
|
* Value type is <<path,path>>
|
|
245
|
-
* If not specified, the database defaults to the GeoLite2 City database that ships with Logstash.
|
|
288
|
+
* If not specified, the database defaults to the `GeoLite2 City` database that ships with Logstash.
|
|
246
289
|
|
|
247
|
-
The path to MaxMind's database file that Logstash should use.
|
|
248
|
-
|
|
249
|
-
|
|
290
|
+
The path to MaxMind's database file that Logstash should use.
|
|
291
|
+
The default database is `GeoLite2-City`.
|
|
292
|
+
This plugin supports several free databases (`GeoLite2-City`, `GeoLite2-Country`, `GeoLite2-ASN`)
|
|
293
|
+
and a selection of commercially-licensed databases (`GeoIP2-City`, `GeoIP2-ISP`, `GeoIP2-Country`).
|
|
250
294
|
|
|
251
|
-
Database auto-update applies to default distribution.
|
|
252
|
-
auto-update
|
|
253
|
-
See
|
|
254
|
-
<<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
|
|
295
|
+
Database auto-update applies to the default distribution.
|
|
296
|
+
When `database` points to user's database path, auto-update is disabled.
|
|
297
|
+
See <<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
|
|
255
298
|
|
|
256
299
|
[id="plugins-{type}s-{plugin}-default_database_type"]
|
|
257
300
|
===== `default_database_type`
|
|
@@ -270,13 +313,10 @@ This plugin now includes both the GeoLite2-City and GeoLite2-ASN databases. If
|
|
|
270
313
|
|
|
271
314
|
An array of geoip fields to be included in the event.
|
|
272
315
|
|
|
273
|
-
Possible fields depend on the database type.
|
|
274
|
-
are included in the event.
|
|
316
|
+
Possible fields depend on the database type.
|
|
317
|
+
By default, all geoip fields from the relevant database are included in the event.
|
|
275
318
|
|
|
276
|
-
For
|
|
277
|
-
`city_name`, `continent_code`, `country_code2`, `country_code3`, `country_name`,
|
|
278
|
-
`dma_code`, `ip`, `latitude`, `location`, `longitude`, `postal_code`, `region_code`,
|
|
279
|
-
`region_name` and `timezone`.
|
|
319
|
+
For a complete list of available fields and how they map to an event's structure, see <<plugins-{type}s-{plugin}-field-mapping,field mapping>>.
|
|
280
320
|
|
|
281
321
|
[id="plugins-{type}s-{plugin}-ecs_compatibility"]
|
|
282
322
|
===== `ecs_compatibility`
|
|
@@ -284,7 +324,7 @@ For the built-in GeoLite2 City database, the following are available:
|
|
|
284
324
|
* Value type is <<string,string>>
|
|
285
325
|
* Supported values are:
|
|
286
326
|
** `disabled`: unstructured geo data added at root level
|
|
287
|
-
** `v1`, `v8`:
|
|
327
|
+
** `v1`, `v8`: use fields that are compatible with Elastic Common Schema. Example: `[client][geo][country_name]`. See <<plugins-{type}s-{plugin}-field-mapping,field mapping>> for more info.
|
|
288
328
|
* Default value depends on which version of Logstash is running:
|
|
289
329
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
|
290
330
|
** Otherwise, the default value is `disabled`.
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-geoip'
|
|
4
|
-
s.version = '7.2.
|
|
4
|
+
s.version = '7.2.11'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Adds geographical information about an IP address"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
|
@@ -27,6 +27,10 @@ describe LogStash::Filters::GeoIP do
|
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
context "with city database" do
|
|
30
|
+
# example.com, has been static for 10+ years
|
|
31
|
+
# and has city-level details
|
|
32
|
+
let(:ip) { "93.184.216.34" }
|
|
33
|
+
|
|
30
34
|
let(:options) { common_options }
|
|
31
35
|
|
|
32
36
|
it "should return geo in target" do
|
|
@@ -36,15 +40,23 @@ describe LogStash::Filters::GeoIP do
|
|
|
36
40
|
expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to eq 'US'
|
|
37
41
|
expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to eq 'United States'
|
|
38
42
|
expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to eq 'NA'
|
|
39
|
-
expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq
|
|
40
|
-
expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -
|
|
43
|
+
expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq 42.1596
|
|
44
|
+
expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -70.8217
|
|
45
|
+
expect( event.get ecs_select[disabled: "[#{target}][city_name]", v1: "[#{target}][geo][city_name]"] ).to eq 'Norwell'
|
|
46
|
+
expect( event.get ecs_select[disabled: "[#{target}][dma_code]", v1: "[#{target}][mmdb][dma_code]"] ).to eq 506
|
|
47
|
+
expect( event.get ecs_select[disabled: "[#{target}][region_name]", v1: "[#{target}][geo][region_name]"] ).to eq 'Massachusetts'
|
|
41
48
|
|
|
42
49
|
if ecs_select.active_mode == :disabled
|
|
43
50
|
expect( event.get "[#{target}][country_code3]" ).to eq 'US'
|
|
51
|
+
expect( event.get "[#{target}][region_code]" ).to eq 'MA'
|
|
52
|
+
expect( event.get "[#{target}][region_iso_code]" ).to be_nil
|
|
44
53
|
else
|
|
45
54
|
expect( event.get "[#{target}][geo][country_code3]" ).to be_nil
|
|
46
55
|
expect( event.get "[#{target}][country_code3]" ).to be_nil
|
|
56
|
+
expect( event.get "[#{target}][geo][region_iso_code]" ).to eq 'US-MA'
|
|
57
|
+
expect( event.get "[#{target}][region_code]" ).to be_nil
|
|
47
58
|
end
|
|
59
|
+
puts event.to_hash.inspect
|
|
48
60
|
end
|
|
49
61
|
end
|
|
50
62
|
|
|
Binary file
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-geoip
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.2.
|
|
4
|
+
version: 7.2.11
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-01-
|
|
11
|
+
date: 2022-01-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|