logstash-filter-linelookup 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e05f8ed58a5a3da6b96b39e003aa564d78ebd3d13fbc0caf73c0d71eb4e444c9
+  data.tar.gz: a49de6db640b18c72345e626ac63ebdeee5437d3b538fdfa90367a12a954cb75
+SHA512:
+  metadata.gz: d32fde2a7a298ba98741efe296a90381faa6d5f76eb93146eaaa75670450d664322919cad1c072b7da76263fe47e9b171352c87e43b48d1c44475004fd1e3155
+  data.tar.gz: d44589afe4fa35c8005a8d2a3b710900136e1b04ead85aa9949d8f352797630e65f5a7550b582c54aa80fb5e5a91e92498f6890d92c3632740f9f060382f233c

data/CHANGELOG.md

@@ -0,0 +1,2 @@
+## 0.1.0
+  - Init release

data/Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+gemspec
+
+logstash_path = ENV['LOGSTASH_PATH'] || '/usr/share/logstash'
+
+if Dir.exist?(logstash_path)
+  gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
+  gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
+end
+

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Julian Wecke
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,37 @@
+# Logstash Plugin for lookups via line based protocol
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is [MIT](LICENSE).
+
+
+## Documentation
+This filter plugin does simple lookups for enrichment via a line based protocol. A query(1 line) is send via a socket and a response(1 line) is received and stored at the *target* field.
+
+The query is dynamicly build and can use *%{...}* style variables
+
+
+### Configuration Options
+
+
+|  Setting    |  Type  |  Required |
+| ----------- | ------ | ----------|
+| query       | string | yes       |
+| target      | string | yes       |
+| socket_path | string | yes       |
+
+
+
+### Example config
+
+
+```
+filter {
+ linelookup {
+  query => "%{[source][ip]}"
+  target => "[source][geo][name]"
+  socket_path => "/var/run/lookup.sock"
+ }
+}
+
+```

data/lib/logstash/filters/linelookup.rb

@@ -0,0 +1,61 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "socket"
+
+class LogStash::Filters::Linelookup < LogStash::Filters::Base
+
+  #
+  # filter {
+  #   linelookup {
+  #     query => "%{[source][ip]}"
+  #     socket_path => "/var/run/lookup.sock"
+  #   }
+  # }
+  #
+  config_name "linelookup"
+
+  config :query, :validate => :string, :required => true
+  config :target, :validate => :string, :required => true
+  config :miss_value, :validate => :string, :default => ""
+  config :socket_path, :validate => :string, :default => ""
+
+  public
+  def register
+    @lookupconn = nil
+
+  end
+
+  public
+  def filter(event)
+    retries = 2  
+    begin
+      @lookupconn ||= connect
+
+      @lookupconn.puts(event.sprintf(@query))
+
+      response = @lookupconn.gets.chop
+
+      if response != @miss_value
+        event.set(@target, response)
+        filter_matched(event)
+      end
+
+    rescue => e
+      @lookupconn = nil
+      retries -= 1
+      unless retries < 0
+        retry
+      else
+        @logger.warn("Failed to query lookup service", :event => event, :exception => e)
+        event.tag("_linelookup_failure")
+      end
+    end
+
+  end # def filter
+  
+  private
+  def connect
+
+    Socket.unix(@socket_path)
+  end
+end # class LogStash::Filters::Linelookup

data/logstash-filter-linelookup.gemspec

@@ -0,0 +1,24 @@
+Gem::Specification.new do |s|
+  s.name          = 'logstash-filter-linelookup'
+  s.version       = '0.1.0'
+  s.licenses      = ['MIT']
+  s.summary       = 'Logstash Filter Plugin for Linelookup'
+  s.description   = 'A logstash filter for enrichment via a simple line-protocol over a socket'
+  s.homepage      = 'https://github.com/securitym0nkey/logstash-filter-linelookup'
+  s.authors       = ['Julian Wecke']
+  s.email         = 'julian@wecke.me'
+  s.require_paths = ['lib']
+
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+  s.add_development_dependency 'logstash-devutils', '~> 0'
+end

data/spec/spec_helper.rb

@@ -0,0 +1,18 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+require "logstash/devutils/rspec/spec_helper"

metadata

@@ -0,0 +1,80 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-linelookup
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Julian Wecke
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2024-05-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A logstash filter for enrichment via a simple line-protocol over a socket
+email: julian@wecke.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/filters/linelookup.rb
+- logstash-filter-linelookup.gemspec
+- spec/spec_helper.rb
+homepage: https://github.com/securitym0nkey/logstash-filter-linelookup
+licenses:
+- MIT
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.25
+signing_key:
+specification_version: 4
+summary: Logstash Filter Plugin for Linelookup
+test_files:
+- spec/spec_helper.rb