logstash-filter-geoip2 3.0.0-java

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f6d0a06e9957b67fa3340d637493e4411ac679c0
+  data.tar.gz: ce3978802ccf43fe78e5d0e22c6d7297c0a3345c
+SHA512:
+  metadata.gz: f3397663e70461a490f449b374c1d2251702408c516e7c266c13e1e22d767aa6aad21b9a721371eb91df281b1fb390763aeddd3f7463c9587d48039732d1f486
+  data.tar.gz: 15c9209954939b615a2018bac9b60cf4025ff182e3c90cb696fb8f905717a8eadc5c493af7b48e1c68a0fcb371c742d53fcc026b132d00cfbffac266fd95a507

data/CHANGELOG.md

@@ -0,0 +1,33 @@
+# 3.0.0-beta1
+ - Changed plugin to use GeoIP2 database. See http://dev.maxmind.com/geoip/geoip2/whats-new-in-geoip2/
+
+# 2.0.7
+  - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
+# 2.0.6
+  - New dependency requirements for logstash-core for the 5.0 release
+## 2.0.5
+ - Use proper field references
+
+## 2.0.4
+ - Refactor GeoIP Struct to hash conversion to minimise repeated manipulation
+
+## 2.0.3
+ - Fix Issue 50, incorrect data returned when geo lookup fails
+
+## 2.0.2
+ - Update core dependency in gemspec
+
+## 2.0.1
+ - Remove filter? call
+
+## 2.0.0
+ - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
+   instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
+ - Dependency on logstash-core update to 2.0
+
+* 1.1.2
+  - Be more defensive with threadsafety, mostly for specs
+* 1.1.1
+  - Lazy-load LRU cache
+* 1.1.0
+  - Add LRU cache

data/CONTRIBUTORS

@@ -0,0 +1,26 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Aaron Mildenstein (untergeek)
+* Avishai Ish-Shalom (avishai-ish-shalom)
+* Brad Fritz (bfritz)
+* Colin Surprenant (colinsurprenant)
+* Jordan Sissel (jordansissel)
+* Kurt Hurtado (kurtado)
+* Leandro Moreira (leandromoreira)
+* Nick Ethier (nickethier)
+* Pier-Hugues Pellerin (ph)
+* Pieter Lexis (pieterlexis)
+* Richard Pijnenburg (electrical)
+* Suyog Rao (suyograo)
+* Vincent Batts (vbatts)
+* avleen
+* Guy Boertje (guyboertje)
+* Thomas Decaux (qwant)
+* Gary Gao (garyelephant)
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,110 @@
+# Logstash Plugin
+
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-filter-geoip.svg)](https://travis-ci.org/logstash-plugins/logstash-filter-geoip)
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Pull down GeoIP database files
+
+```sh
+bundle exec rake vendor
+```
+
+- Install jar dependencies
+
+```
+bundle exec rake install_jars
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/lib/logstash-filter-geoip2_jars.rb

@@ -0,0 +1,8 @@
+# this is a generated file, to avoid over-writing it just delete this comment
+require 'jar_dependencies'
+
+require_jar( 'com.fasterxml.jackson.core', 'jackson-databind', '2.6.4' )
+require_jar( 'com.maxmind.db', 'maxmind-db', '1.1.0' )
+require_jar( 'com.maxmind.geoip2', 'geoip2', '2.5.0' )
+require_jar( 'com.fasterxml.jackson.core', 'jackson-annotations', '2.6.0' )
+require_jar( 'com.fasterxml.jackson.core', 'jackson-core', '2.6.4' )

data/lib/logstash/filters/geoip2.rb

@@ -0,0 +1,218 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+require "logstash-filter-geoip2_jars"
+
+java_import "java.net.InetAddress"
+java_import "com.maxmind.geoip2.DatabaseReader"
+java_import "com.maxmind.geoip2.model.CityResponse"
+java_import "com.maxmind.geoip2.record.Country"
+java_import "com.maxmind.geoip2.record.Subdivision"
+java_import "com.maxmind.geoip2.record.City"
+java_import "com.maxmind.geoip2.record.Postal"
+java_import "com.maxmind.geoip2.record.Location"
+java_import "com.maxmind.db.CHMCache"
+
+def suppress_all_warnings
+  old_verbose = $VERBOSE
+  begin
+    $VERBOSE = nil
+    yield if block_given?
+  ensure
+    # always re-set to old value, even if block raises an exception
+    $VERBOSE = old_verbose
+  end
+end
+
+# create a new instance of the Java class File without shadowing the Ruby version of the File class
+module JavaIO
+  include_package "java.io"
+end
+
+
+# The GeoIP2 filter adds information about the geographical location of IP addresses,
+# based on data from the Maxmind database.
+#
+# Starting with version 1.3.0 of Logstash, a `[geoip][location]` field is created if
+# the GeoIP lookup returns a latitude and longitude. The field is stored in
+# http://geojson.org/geojson-spec.html[GeoJSON] format. Additionally,
+# the default Elasticsearch template provided with the
+# <<plugins-outputs-elasticsearch,`elasticsearch` output>> maps
+# the `[geoip][location]` field to an http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/mapping-geo-point-type.html#_mapping_options[Elasticsearch geo_point].
+#
+# As this field is a `geo_point` _and_ it is still valid GeoJSON, you get
+# the awesomeness of Elasticsearch's geospatial query, facet and filter functions
+# and the flexibility of having GeoJSON for all other applications (like Kibana's
+# map visualization).
+#
+# This product includes GeoLite2 data created by MaxMind, available from
+# <http://dev.maxmind.com/geoip/geoip2/geolite2/>.
+class LogStash::Filters::GeoIP2 < LogStash::Filters::Base
+  config_name "geoip2"
+
+  # The path to the GeoIP2 database file which Logstash should use. Only City database is supported by now.
+  #
+  # If not specified, this will default to the GeoLiteCity database that ships
+  # with Logstash.
+  config :database, :validate => :path
+
+  # The field containing the IP address or hostname to map via geoip. If
+  # this field is an array, only the first value will be used.
+  config :source, :validate => :string, :required => true
+
+  # An array of geoip fields to be included in the event.
+  #
+  # Possible fields depend on the database type. By default, all geoip fields
+  # are included in the event.
+  #
+  # For the built-in GeoLiteCity database, the following are available:
+  # `city_name`, `continent_code`, `country_code2`, `country_code3`, `country_name`,
+  # `dma_code`, `ip`, `latitude`, `longitude`, `postal_code`, `region_name` and `timezone`.
+  config :fields, :validate => :array, :default => ['city_name', 'continent_code',
+                                                    'country_code2', 'country_code3', 'country_name',
+                                                    'dma_code', 'ip', 'latitude',
+                                                    'longitude', 'postal_code', 'region_name',
+                                                    'region_code', 'timezone', 'location']
+
+  # Specify the field into which Logstash should store the geoip data.
+  # This can be useful, for example, if you have `src\_ip` and `dst\_ip` fields and
+  # would like the GeoIP information of both IPs.
+  #
+  # If you save the data to a target field other than `geoip` and want to use the
+  # `geo\_point` related functions in Elasticsearch, you need to alter the template
+  # provided with the Elasticsearch output and configure the output to use the
+  # new template.
+  #
+  # Even if you don't use the `geo\_point` mapping, the `[target][location]` field
+  # is still valid GeoJSON.
+  config :target, :validate => :string, :default => 'geoip'
+
+  # GeoIP lookup is surprisingly expensive. This filter uses an cache to take advantage of the fact that
+  # IPs agents are often found adjacent to one another in log files and rarely have a random distribution.
+  # The higher you set this the more likely an item is to be in the cache and the faster this filter will run.
+  # However, if you set this too high you can use more memory than desired.
+  # Since the Geoip API upgraded to v2, there is not any eviction policy so far, if cache is full, no more record can be added.
+  # Experiment with different values for this option to find the best performance for your dataset.
+  #
+  # This MUST be set to a value > 0. There is really no reason to not want this behavior, the overhead is minimal
+  # and the speed gains are large.
+  #
+  # It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter
+  # of the same geoip_type share the same cache. The last declared cache size will 'win'. The reason for this is that there would be no benefit
+  # to having multiple caches for different instances at different points in the pipeline, that would just increase the
+  # number of cache misses and waste memory.
+  config :cache_size, :validate => :number, :default => 1000
+
+  # GeoIP lookup is surprisingly expensive. This filter uses an LRU cache to take advantage of the fact that
+  # IPs agents are often found adjacent to one another in log files and rarely have a random distribution.
+  # The higher you set this the more likely an item is to be in the cache and the faster this filter will run.
+  # However, if you set this too high you can use more memory than desired.
+  #
+  # Experiment with different values for this option to find the best performance for your dataset.
+  #
+  # This MUST be set to a value > 0. There is really no reason to not want this behavior, the overhead is minimal
+  # and the speed gains are large.
+  #
+  # It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter
+  # of the same geoip_type share the same cache. The last declared cache size will 'win'. The reason for this is that there would be no benefit
+  # to having multiple caches for different instances at different points in the pipeline, that would just increase the
+  # number of cache misses and waste memory.
+  config :lru_cache_size, :validate => :number, :default => 1000
+
+  public
+  def register
+    suppress_all_warnings do
+      if @database.nil?
+        @database = ::Dir.glob(::File.join(::File.expand_path("../../../vendor/", ::File.dirname(__FILE__)),"GeoLite2-City.mmdb")).first
+
+        if @database.nil? || !File.exists?(@database)
+          raise "You must specify 'database => ...' in your geoip filter (I looked for '#{@database}')"
+        end
+      end
+
+      @logger.info("Using geoip database", :path => @database)
+
+      db_file = JavaIO::File.new(@database)
+      begin
+        @parser = DatabaseReader::Builder.new(db_file).withCache(CHMCache.new(@cache_size)).build();
+      rescue Java::ComMaxmindDb::InvalidDatabaseException => e
+        @logger.error("The Geoip2 MMDB database provided is invalid or corrupted.", :exception => e, :field => @source)
+        raise e
+      end
+    end
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+
+    begin
+      ip = event[@source]
+      ip = ip.first if ip.is_a? Array
+      ip_address = InetAddress.getByName(ip)
+      response = @parser.city(ip_address)
+      country = response.getCountry()
+      subdivision = response.getMostSpecificSubdivision()
+      city = response.getCity()
+      postal = response.getPostal()
+      location = response.getLocation()
+
+      geo_data_hash = Hash.new()
+
+      @fields.each do |field|
+        case field
+        when "city_name"
+          geo_data_hash["city_name"] = city.getName()
+        when "country_name"
+          geo_data_hash["country_name"] = country.getName()
+        when "continent_code"
+          geo_data_hash["continent_code"] = response.getContinent().getCode()
+        when "continent_name"
+          geo_data_hash["continent_name"] = response.getContinent().getName()
+        when "country_code2"
+          geo_data_hash["country_code2"] = country.getIsoCode()
+        when "country_code3"
+          geo_data_hash["country_code3"] = country.getIsoCode()
+        when "ip"
+          geo_data_hash["ip"] = ip_address.getHostAddress()
+        when "postal_code"
+          geo_data_hash["postal_code"] = postal.getCode()
+        when "dma_code"
+          geo_data_hash["dma_code"] = location.getMetroCode()
+        when "region_name"
+          geo_data_hash["region_name"] = subdivision.getName()
+        when "region_code"
+          geo_data_hash["region_code"] = subdivision.getIsoCode()
+        when "timezone"
+          geo_data_hash["timezone"] = location.getTimeZone()
+        when "location"
+          geo_data_hash["location"] = [ location.getLongitude(), location.getLatitude() ]
+        when "latitude"
+          geo_data_hash["latitude"] = location.getLatitude()
+        when "longitude"
+          geo_data_hash["longitude"] = location.getLongitude()
+        else
+          raise Exception.new("[#{field}] is not a supported field option.")
+        end
+      end
+
+    rescue com.maxmind.geoip2.exception.AddressNotFoundException => e
+      @logger.debug("IP not found!", :exception => e, :field => @source, :event => event)
+      event[@target] = {}
+      return
+    rescue java.net.UnknownHostException => e
+      @logger.error("IP Field contained invalid IP address or hostname", :exception => e, :field => @source, :event => event)
+      event[@target] = {}
+      return
+    rescue Exception => e
+      @logger.error("Unknown error while looking up GeoIP data", :exception => e, :field => @source, :event => event)
+      event[@target] = {}
+      return
+    end
+
+    event[@target] = geo_data_hash
+
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::GeoIP

data/logstash-filter-geoip.gemspec

@@ -0,0 +1,34 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-geoip2'
+  s.version         = '3.0.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "$summary"
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program. Config key is geoip2."
+  s.authors         = ["Elastic"]
+  s.email           = 'ebuildy@gmail.com'
+  s.homepage        = "https://github.com/ebuildy/logstash-filter-geoip"
+  s.require_paths = ["lib"]
+  s.platform      = "java"
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 1.0"
+
+  s.requirements << "jar com.maxmind.geoip2:geoip2, 2.5.0, :exclusions=> [com.google.http-client:google-http-client]"
+
+  s.add_development_dependency "jar-dependencies"
+  
+  s.add_development_dependency 'ruby-maven', '~> 3.3'
+
+  s.add_development_dependency 'logstash-devutils'
+end
+

data/spec/filters/geoip_spec.rb

@@ -0,0 +1,218 @@
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/filters/geoip"
+
+CITYDB = ::Dir.glob(::File.expand_path("../../vendor/", ::File.dirname(__FILE__))+"/GeoLite2-City.mmdb").first
+
+describe LogStash::Filters::GeoIP do
+
+  describe "defaults" do
+    config <<-CONFIG
+      filter {
+        geoip {
+          source => "ip"
+          #database => "#{CITYDB}"
+        }
+      }
+    CONFIG
+
+    sample("ip" => "8.8.8.8") do
+      insist { subject }.include?("geoip")
+
+      expected_fields = %w(ip country_code2 country_code3 country_name
+                           continent_code region_name city_name postal_code
+                           latitude longitude dma_code timezone
+                           location )
+      expected_fields.each do |f|
+        insist { subject["geoip"] }.include?(f)
+      end
+    end
+
+    sample("ip" => "127.0.0.1") do
+      # assume geoip fails on localhost lookups
+      expect(subject["geoip"]).to eq({})
+    end
+  end
+
+  describe "normal operations" do
+    config <<-CONFIG
+      filter {
+        geoip {
+          source => "ip"
+          #database => "#{CITYDB}"
+          target => src_ip
+          add_tag => "done"
+        }
+      }
+    CONFIG
+
+    context "when specifying the target" do
+
+      sample("ip" => "8.8.8.8") do
+        expect(subject).to include("src_ip")
+
+        expected_fields = %w(ip country_code2 country_code3 country_name
+                             continent_code region_name city_name postal_code
+                             latitude longitude dma_code timezone
+                             location )
+        expected_fields.each do |f|
+          expect(subject["src_ip"]).to include(f)
+        end
+      end
+
+      sample("ip" => "127.0.0.1") do
+        # assume geoip fails on localhost lookups
+        expect(subject["src_ip"]).to eq({})
+      end
+    end
+
+    context "when specifying add_tag" do
+      sample("ip" => "8.8.8.8") do
+        expect(subject["tags"]).to include("done")
+      end
+    end
+  end
+
+  describe "correct encodings with default db" do
+    config <<-CONFIG
+      filter {
+        geoip {
+          source => "ip"
+        }
+      }
+    CONFIG
+    expected_fields = %w(ip country_code2 country_code3 country_name
+                           continent_code region_name city_name postal_code
+                           dma_code timezone)
+
+    sample("ip" => "1.1.1.1") do
+      checked = 0
+      expected_fields.each do |f|
+        next unless subject["geoip"][f]
+        checked += 1
+        insist { subject["geoip"][f].encoding } == Encoding::UTF_8
+      end
+      insist { checked } > 0
+    end
+
+    sample("ip" => "189.2.0.0") do
+      checked = 0
+      expected_fields.each do |f|
+        next unless subject["geoip"][f]
+        checked += 1
+        insist { subject["geoip"][f].encoding } == Encoding::UTF_8
+      end
+      insist { checked } > 0
+    end
+
+  end
+
+  describe "location field" do
+    shared_examples_for "an event with a [geoip][location] field" do
+      subject(:event) { LogStash::Event.new("message" => "8.8.8.8") }
+      let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message", "fields" => ["country_name", "location", "longitude"]) }
+
+      before do
+        plugin.register
+        plugin.filter(event)
+      end
+
+      it "should have a location field" do
+        expect(event["[geoip][location]"]).not_to(be_nil)
+      end
+    end
+
+    context "when latitude field is excluded" do
+      let(:fields) { ["country_name", "location", "longitude"] }
+      it_behaves_like "an event with a [geoip][location] field"
+    end
+
+    context "when longitude field is excluded" do
+      let(:fields) { ["country_name", "location", "latitude"] }
+      it_behaves_like "an event with a [geoip][location] field"
+    end
+
+    context "when both latitude and longitude field are excluded" do
+      let(:fields) { ["country_name", "location"] }
+      it_behaves_like "an event with a [geoip][location] field"
+    end
+  end
+
+  describe "an invalid IP" do
+    config <<-CONFIG
+          filter {
+            geoip {
+              source => "ip"
+              database => "#{CITYDB}"
+            }
+          }
+        CONFIG
+    describe "should not raise an error" do
+      sample("ip" => "-") do
+        expect{ subject }.to_not raise_error
+      end
+
+      sample("ip" => "~") do
+        expect{ subject }.to_not raise_error
+      end
+    end
+
+    describe "filter method outcomes" do
+      let(:plugin) { LogStash::Filters::GeoIP.new("source" => "message", "add_tag" => "done", "database" => CITYDB) }
+      let(:event) { LogStash::Event.new("message" => ipstring) }
+
+      before do
+        plugin.register
+        plugin.filter(event)
+      end
+
+      context "when the bad IP is N/A" do
+        # regression test for issue https://github.com/logstash-plugins/logstash-filter-geoip/issues/50
+        let(:ipstring) { "N/A" }
+
+        it "should set the target field to an empty hash" do
+          expect(event["geoip"]).to eq({})
+        end
+
+        it "should not have added any tags" do
+          expect(event["tags"]).to be_nil
+        end
+      end
+
+      context "when the bad IP is two ip comma separated" do
+        # regression test for issue https://github.com/logstash-plugins/logstash-filter-geoip/issues/51
+        let(:ipstring) { "123.45.67.89,61.160.232.222" }
+
+        it "should set the target field to an empty hash" do
+          expect(event["geoip"]).to eq({})
+        end
+      end
+    end
+
+    context "should return the correct source field in the logging message" do
+      sample("ip" => "-") do
+        expect(LogStash::Filters::GeoIP.logger).to receive(:error).with(anything, include(:field => "ip"))
+        subject
+      end
+    end
+
+  end
+
+  describe "an invalid database" do
+    config <<-CONFIG
+          filter {
+            geoip {
+              source => "ip"
+              database => "./Gemfile"
+            }
+          }
+        CONFIG
+
+    context "should return the correct sourcefield in the logging message" do
+      sample("ip" => "8.8.8.8") do
+        expect(LogStash::Filters::GeoIP.logger).to receive(:error).with(anything, include(:field => "ip"))
+        expect { subject }.to raise_error
+      end
+    end
+  end
+
+end

metadata

@@ -0,0 +1,124 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-geoip2
+version: !ruby/object:Gem::Version
+  version: 3.0.0
+platform: java
+authors:
+- Elastic
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-04-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: jar-dependencies
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  name: ruby-maven
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program. Config key is geoip2.
+email: ebuildy@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/com/fasterxml/jackson/core/jackson-annotations/2.6.0/jackson-annotations-2.6.0.jar
+- lib/com/fasterxml/jackson/core/jackson-annotations/2.7.0/jackson-annotations-2.7.0.jar
+- lib/com/fasterxml/jackson/core/jackson-core/2.6.4/jackson-core-2.6.4.jar
+- lib/com/fasterxml/jackson/core/jackson-core/2.7.0/jackson-core-2.7.0.jar
+- lib/com/fasterxml/jackson/core/jackson-databind/2.6.4/jackson-databind-2.6.4.jar
+- lib/com/fasterxml/jackson/core/jackson-databind/2.7.0/jackson-databind-2.7.0.jar
+- lib/com/maxmind/db/maxmind-db/1.1.0/maxmind-db-1.1.0.jar
+- lib/com/maxmind/db/maxmind-db/1.2.0/maxmind-db-1.2.0.jar
+- lib/com/maxmind/geoip2/geoip2/2.5.0/geoip2-2.5.0.jar
+- lib/com/maxmind/geoip2/geoip2/2.6.0/geoip2-2.6.0.jar
+- lib/logstash-filter-geoip2_jars.rb
+- lib/logstash/filters/geoip2.rb
+- logstash-filter-geoip.gemspec
+- spec/filters/geoip_spec.rb
+- vendor/GeoLite2-City.mmdb
+homepage: https://github.com/ebuildy/logstash-filter-geoip
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements:
+- jar com.maxmind.geoip2:geoip2, 2.5.0, :exclusions=> [com.google.http-client:google-http-client]
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: "$summary"
+test_files:
+- spec/filters/geoip_spec.rb