logstash-filter-geoip 7.2.10-java → 7.2.11-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4e1f0799be232e80ed3db8f0d31b4131c921d549183d2f47678af3fd9cdfd21f
|
|
4
|
+
data.tar.gz: e656dd5cd6440d13af48a7193f26962c4236267fcf2afd9bc0a9f4f8e8c5e3e5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eadc947645031bd5539ac42e910da0c1230d2137936eec668f23da4e6de6e55b5ceaa2a6eb1cf0b7699a43d61c03c1e6df95b51681e61d3983471070d1cac9aa
|
|
7
|
+
data.tar.gz: 9a5ee36471512f5724ebc7013d3d21bce6d64db50ac6874f8c45d2e8a8facbad14a428e4ea2857cbeb20d438e363dbcdad79a6133b851c98c575a82da0e91a1f
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
## 7.2.11
|
|
2
|
+
- Improved compatibility with the Elastic Common Schema [#206](https://github.com/logstash-plugins/logstash-filter-geoip/pull/206)
|
|
3
|
+
- Added support for ECS's composite `region_iso_code` (`US-WA`), which _replaces_ the non-ECS `region_code` (`WA`) as a default field with City databases. To get the stand-alone `region_code` in ECS mode, you must include it in the `fields` directive.
|
|
4
|
+
- [DOC] Improve ECS-related documentation
|
|
5
|
+
|
|
1
6
|
## 7.2.10
|
|
2
7
|
- [DOC] Air-gapped environment requires both ASN and City databases [#204](https://github.com/logstash-plugins/logstash-filter-geoip/pull/204)
|
|
3
8
|
|
data/docs/index.asciidoc
CHANGED
|
@@ -169,14 +169,57 @@ Example response:
|
|
|
169
169
|
}
|
|
170
170
|
--------------------------------------------------
|
|
171
171
|
|
|
172
|
+
[id="plugins-{type}s-{plugin}-field-mapping"]
|
|
173
|
+
==== Field mapping
|
|
174
|
+
|
|
175
|
+
When this plugin is run with <<plugins-{type}s-{plugin}-ecs_compatibility>> disabled, the MaxMind DB's fields are added directly to the <<plugins-{type}s-{plugin}-target>>.
|
|
176
|
+
When ECS compatibility is enabled, the fields are structured to fit into an ECS shape.
|
|
177
|
+
|
|
178
|
+
[cols="3,5,3"]
|
|
179
|
+
|===========================
|
|
180
|
+
| Database Field Name | ECS Field | Example
|
|
181
|
+
|
|
182
|
+
| `ip` | `[ip]` | `12.34.56.78`
|
|
183
|
+
|
|
184
|
+
| `city_name` | `[geo][city_name]` | `Seattle`
|
|
185
|
+
| `country_name` | `[geo][country_name]` | `United States`
|
|
186
|
+
| `continent_code` | `[geo][continent_code]` | `NA`
|
|
187
|
+
| `continent_name` | `[geo][continent_name]` | `North America`
|
|
188
|
+
| `country_code2` | `[geo][country_iso_code]` | `US`
|
|
189
|
+
| `country_code3` | _N/A_ | `US`
|
|
190
|
+
|
|
191
|
+
_maintained for legacy
|
|
192
|
+
support, but populated
|
|
193
|
+
with 2-character country
|
|
194
|
+
code_
|
|
195
|
+
|
|
196
|
+
| `postal_code` | `[geo][postal_code]` | `98106`
|
|
197
|
+
| `region_name` | `[geo][region_name]` | `Washington`
|
|
198
|
+
| `region_code` | `[geo][region_code]` | `WA`
|
|
199
|
+
| `region_iso_code`* | `[geo][region_iso_code]` | `US-WA`
|
|
200
|
+
| `timezone` | `[geo][timezone]` | `America/Los_Angeles`
|
|
201
|
+
| `location`* | `[geo][location]` | `{"lat": 47.6062, "lon": -122.3321}"`
|
|
202
|
+
| `latitude` | `[geo][location][lat]` | `47.6062`
|
|
203
|
+
| `longitude` | `[geo][location][lon]` | `-122.3321`
|
|
204
|
+
|
|
205
|
+
| `domain` | `[domain]` | `example.com`
|
|
206
|
+
|
|
207
|
+
| `asn` | `[as][number]` | `98765`
|
|
208
|
+
| `as_org` | `[as][organization][name]` | `Elastic, NV`
|
|
209
|
+
|
|
210
|
+
| `isp` | `[mmdb][isp]` | `InterLink Supra LLC`
|
|
211
|
+
| `dma_code` | `[mmdb][dma_code]` | `819`
|
|
212
|
+
| `organization` | `[mmdb][organization]` | `Elastic, NV`
|
|
213
|
+
|===========================
|
|
214
|
+
|
|
215
|
+
NOTE: `*` indicates a composite field, which is only populated if GeoIP lookup result contains all components.
|
|
216
|
+
|
|
172
217
|
==== Details
|
|
173
218
|
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
{logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] maps
|
|
179
|
-
the `[geoip][location]` field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
|
|
219
|
+
When using a City database, the enrichment is aborted if no latitude/longitude pair is available.
|
|
220
|
+
|
|
221
|
+
The `location` field combines the latitude and longitude into a structure called https://datatracker.ietf.org/doc/html/rfc7946[GeoJSON].
|
|
222
|
+
When you are using a default <<plugins-{type}s-{plugin}-target>>, the templates provided by the {logstash-ref}/plugins-outputs-elasticsearch.html[elasticsearch output] map the field to an {ref}/geo-point.html[Elasticsearch Geo_point datatype].
|
|
180
223
|
|
|
181
224
|
As this field is a `geo_point` _and_ it is still valid GeoJSON, you get
|
|
182
225
|
the awesomeness of Elasticsearch's geospatial query, facet and filter functions
|
|
@@ -242,16 +285,16 @@ number of cache misses and waste memory.
|
|
|
242
285
|
===== `database`
|
|
243
286
|
|
|
244
287
|
* Value type is <<path,path>>
|
|
245
|
-
* If not specified, the database defaults to the GeoLite2 City database that ships with Logstash.
|
|
288
|
+
* If not specified, the database defaults to the `GeoLite2 City` database that ships with Logstash.
|
|
246
289
|
|
|
247
|
-
The path to MaxMind's database file that Logstash should use.
|
|
248
|
-
|
|
249
|
-
|
|
290
|
+
The path to MaxMind's database file that Logstash should use.
|
|
291
|
+
The default database is `GeoLite2-City`.
|
|
292
|
+
This plugin supports several free databases (`GeoLite2-City`, `GeoLite2-Country`, `GeoLite2-ASN`)
|
|
293
|
+
and a selection of commercially-licensed databases (`GeoIP2-City`, `GeoIP2-ISP`, `GeoIP2-Country`).
|
|
250
294
|
|
|
251
|
-
Database auto-update applies to default distribution.
|
|
252
|
-
auto-update
|
|
253
|
-
See
|
|
254
|
-
<<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
|
|
295
|
+
Database auto-update applies to the default distribution.
|
|
296
|
+
When `database` points to user's database path, auto-update is disabled.
|
|
297
|
+
See <<plugins-{type}s-{plugin}-database_license,Database License>> for more information.
|
|
255
298
|
|
|
256
299
|
[id="plugins-{type}s-{plugin}-default_database_type"]
|
|
257
300
|
===== `default_database_type`
|
|
@@ -270,13 +313,10 @@ This plugin now includes both the GeoLite2-City and GeoLite2-ASN databases. If
|
|
|
270
313
|
|
|
271
314
|
An array of geoip fields to be included in the event.
|
|
272
315
|
|
|
273
|
-
Possible fields depend on the database type.
|
|
274
|
-
are included in the event.
|
|
316
|
+
Possible fields depend on the database type.
|
|
317
|
+
By default, all geoip fields from the relevant database are included in the event.
|
|
275
318
|
|
|
276
|
-
For
|
|
277
|
-
`city_name`, `continent_code`, `country_code2`, `country_code3`, `country_name`,
|
|
278
|
-
`dma_code`, `ip`, `latitude`, `location`, `longitude`, `postal_code`, `region_code`,
|
|
279
|
-
`region_name` and `timezone`.
|
|
319
|
+
For a complete list of available fields and how they map to an event's structure, see <<plugins-{type}s-{plugin}-field-mapping,field mapping>>.
|
|
280
320
|
|
|
281
321
|
[id="plugins-{type}s-{plugin}-ecs_compatibility"]
|
|
282
322
|
===== `ecs_compatibility`
|
|
@@ -284,7 +324,7 @@ For the built-in GeoLite2 City database, the following are available:
|
|
|
284
324
|
* Value type is <<string,string>>
|
|
285
325
|
* Supported values are:
|
|
286
326
|
** `disabled`: unstructured geo data added at root level
|
|
287
|
-
** `v1`, `v8`:
|
|
327
|
+
** `v1`, `v8`: use fields that are compatible with Elastic Common Schema. Example: `[client][geo][country_name]`. See <<plugins-{type}s-{plugin}-field-mapping,field mapping>> for more info.
|
|
288
328
|
* Default value depends on which version of Logstash is running:
|
|
289
329
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
|
290
330
|
** Otherwise, the default value is `disabled`.
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-geoip'
|
|
4
|
-
s.version = '7.2.
|
|
4
|
+
s.version = '7.2.11'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Adds geographical information about an IP address"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
|
@@ -27,6 +27,10 @@ describe LogStash::Filters::GeoIP do
|
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
context "with city database" do
|
|
30
|
+
# example.com, has been static for 10+ years
|
|
31
|
+
# and has city-level details
|
|
32
|
+
let(:ip) { "93.184.216.34" }
|
|
33
|
+
|
|
30
34
|
let(:options) { common_options }
|
|
31
35
|
|
|
32
36
|
it "should return geo in target" do
|
|
@@ -36,15 +40,23 @@ describe LogStash::Filters::GeoIP do
|
|
|
36
40
|
expect( event.get ecs_select[disabled: "[#{target}][country_code2]", v1: "[#{target}][geo][country_iso_code]"] ).to eq 'US'
|
|
37
41
|
expect( event.get ecs_select[disabled: "[#{target}][country_name]", v1: "[#{target}][geo][country_name]"] ).to eq 'United States'
|
|
38
42
|
expect( event.get ecs_select[disabled: "[#{target}][continent_code]", v1: "[#{target}][geo][continent_code]"] ).to eq 'NA'
|
|
39
|
-
expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq
|
|
40
|
-
expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -
|
|
43
|
+
expect( event.get ecs_select[disabled: "[#{target}][location][lat]", v1: "[#{target}][geo][location][lat]"] ).to eq 42.1596
|
|
44
|
+
expect( event.get ecs_select[disabled: "[#{target}][location][lon]", v1: "[#{target}][geo][location][lon]"] ).to eq -70.8217
|
|
45
|
+
expect( event.get ecs_select[disabled: "[#{target}][city_name]", v1: "[#{target}][geo][city_name]"] ).to eq 'Norwell'
|
|
46
|
+
expect( event.get ecs_select[disabled: "[#{target}][dma_code]", v1: "[#{target}][mmdb][dma_code]"] ).to eq 506
|
|
47
|
+
expect( event.get ecs_select[disabled: "[#{target}][region_name]", v1: "[#{target}][geo][region_name]"] ).to eq 'Massachusetts'
|
|
41
48
|
|
|
42
49
|
if ecs_select.active_mode == :disabled
|
|
43
50
|
expect( event.get "[#{target}][country_code3]" ).to eq 'US'
|
|
51
|
+
expect( event.get "[#{target}][region_code]" ).to eq 'MA'
|
|
52
|
+
expect( event.get "[#{target}][region_iso_code]" ).to be_nil
|
|
44
53
|
else
|
|
45
54
|
expect( event.get "[#{target}][geo][country_code3]" ).to be_nil
|
|
46
55
|
expect( event.get "[#{target}][country_code3]" ).to be_nil
|
|
56
|
+
expect( event.get "[#{target}][geo][region_iso_code]" ).to eq 'US-MA'
|
|
57
|
+
expect( event.get "[#{target}][region_code]" ).to be_nil
|
|
47
58
|
end
|
|
59
|
+
puts event.to_hash.inspect
|
|
48
60
|
end
|
|
49
61
|
end
|
|
50
62
|
|
|
Binary file
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-geoip
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 7.2.
|
|
4
|
+
version: 7.2.11
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-01-
|
|
11
|
+
date: 2022-01-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|