logstash-input-akamai-siem 1.0.0

data/lib/logstash/inputs/akamai_siem.rb

@@ -0,0 +1,410 @@
+# encoding: utf-8
+require "logstash/inputs/base"
+require "logstash/namespace"
+require "logstash/json"
+require "logstash/event"
+require "socket" # for Socket.gethostname
+require "addressable/template"
+require "manticore"
+require "logstash/plugin_mixins/http_client"
+require "logstash/plugin_mixins/ecs_compatibility_support"
+require 'logstash/plugin_mixins/ecs_compatibility_support/target_check'
+require 'logstash/plugin_mixins/validator_support/field_reference_validation_adapter'
+require 'logstash/plugin_mixins/event_support/event_factory_adapter'
+require 'logstash/plugin_mixins/event_support/from_json_helper'
+require 'logstash/plugin_mixins/scheduler'
+
+class LogStash::Inputs::AkamaiSiem < LogStash::Inputs::Base
+  require 'logstash/inputs/akamai_siem/headers'
+  require 'logstash/inputs/akamai_siem/middleware_registry'
+  require 'logstash/inputs/akamai_siem/exception'
+  require 'logstash/inputs/akamai_siem/request'
+  require 'logstash/inputs/akamai_siem/base'
+
+  include LogStash::Inputs::AkamaiSiem::Base[with_deprecated: true, with_akamai_siem: true]
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, v8: :v1)
+  include LogStash::PluginMixins::ECSCompatibilitySupport::TargetCheck
+  include LogStash::PluginMixins::EventSupport::EventFactoryAdapter
+
+  extend LogStash::PluginMixins::ValidatorSupport::FieldReferenceValidationAdapter
+
+  include LogStash::PluginMixins::EventSupport::EventFactoryAdapter
+  include LogStash::PluginMixins::EventSupport::FromJsonHelper
+
+  include LogStash::PluginMixins::Scheduler
+
+  config_name "akamai_siem"
+
+  QUERY_PARAMETERS = [
+    %w[offset],
+    %w[offset limit],
+    %w[from],
+    %w[from limit],
+    %w[from to],
+    %w[from to limit],
+  ]
+  # Schedule of when to periodically poll from the urls
+  # Format: A hash with
+  #   + key: "cron" | "every" | "in" | "at"
+  #   + value: string
+  # Examples:
+  #   a) { "every" => "1h" }
+  #   b) { "cron" => "* * * * * UTC" }
+  # See: rufus/scheduler for details about different schedule options and value string format
+  config :schedule, validate: :hash, default: { "every" => "5s" }
+
+  # Define the target field for placing the received data. If this setting is omitted, the data will be stored at the root (top level) of the event.
+  config :target, validate: :field_reference
+
+  ###### settings for akamai siem ######
+  # Examples:
+  #  { "configs_ids" => ['123456','32164','4567'] }
+  config :configs_ids, validate: :array, require: true
+
+  # mode to get security events data from your security configurations
+  # https://techdocs.akamai.com/siem-integration/reference/query-parameter-combinations
+  # Examples:
+  #   a) { "query_mode" => ['offset'] }
+  #   b) { "query_mode" => ['offset', 'limit'] }
+  #   c) { "query_mode" => ['from', 'limit'] }
+  config :query_mode, validate: :array, default: ['offset']
+
+  # If you'd like to work with the request/response metadata.
+  # Set this value to the name of the field you'd like to store a nested
+  # hash of metadata.
+  config :metadata_target, validate: :string, default: '@metadata'
+
+  config :stub, validate: :boolean, default: false
+  config :stub_response, validate: :string
+
+  attr_reader :template
+  public
+
+  def register
+    @host = Socket.gethostname.force_encoding(Encoding::UTF_8)
+    @offset = nil
+    @from = nil
+    @to = nil
+    @limit = nil
+
+    @template = Addressable::Template.new(File.join(base_url, "siem/v1/configs", "{configs_ids}", "{?query*}"))
+
+    setup_ecs_field!
+    query_validation!
+    LogStash::Logging::Logger::configure_logging('debug')
+  end
+
+  # @overload
+  def stop
+    close_client
+  end
+
+  # @overload
+  def close
+    close_client
+  end
+
+  def close_client
+    @logger.debug("closing http client", client: client)
+    begin
+      client.close # since Manticore 0.9.0 this shuts-down/closes all resources
+    rescue => e
+      details = { exception: e.class, message: e.message }
+      details[:backtrace] = e.backtrace if @logger.debug?
+      @logger.warn "failed closing http client", details
+    end
+  end
+  private :close_client
+
+  private
+
+  def query_validation!
+    query_validation =  false
+    QUERY_PARAMETERS.select do |query|
+      query_validation = true if (query - query_mode).empty?
+    end
+    raise LogStash::ConfigurationError, "query mode (#{url_or_spec.join(',')}) is not valid see https://techdocs.akamai.com/siem-integration/reference/query-parameter-combinations" unless query_validation
+  end
+
+  private
+
+  # In the context of ECS, there are two type of events in this plugin, valid HTTP response and failure
+  # For a valid HTTP response, `url`, `request_method` and `host` are metadata of request.
+  #   The call could retrieve event which contain `[url]`, `[http][request][method]`, `[host][hostname]` data
+  #   Therefore, metadata should not write to those fields
+  # For a failure, `url`, `request_method` and `host` are primary data of the event because the plugin owns this event,
+  #   so it writes to url.*, http.*, host.*
+  def setup_ecs_field!
+    @request_host_field = ecs_select[disabled: "[#{metadata_target}][host]", v1: "[#{metadata_target}][input][akamai_siem][request][host][hostname]"]
+    @response_code_field = ecs_select[disabled: "[#{metadata_target}][code]", v1: "[#{metadata_target}][input][akamai_siem][response][status_code]"]
+    @response_headers_field = ecs_select[disabled: "[#{metadata_target}][response_headers]", v1: "[#{metadata_target}][input][akamai_siem][response][headers]"]
+    @response_message_field = ecs_select[disabled: "[#{metadata_target}][response_message]", v1: "[#{metadata_target}][input][akamai_siem][response][status_message]"]
+    @response_time_s_field = ecs_select[disabled: "[#{metadata_target}][runtime_seconds]", v1: nil]
+    @response_time_ns_field = ecs_select[disabled: nil, v1: "[#{metadata_target}][input][akamai_siem][response][elapsed_time_ns]"]
+    @request_retry_count_field = ecs_select[disabled: "[#{metadata_target}][times_retried]", v1: "[#{metadata_target}][input][akamai_siem][request][retry_count]"]
+    @original_request_field = ecs_select[disabled: "[#{metadata_target}][request]", v1: "[#{metadata_target}][input][akamai_siem][request][original]"]
+
+    @error_msg_field = ecs_select[disabled: "[http_request_failure][error]", v1: "[error][message]"]
+    @stack_trace_field = ecs_select[disabled: "[http_request_failure][backtrace]", v1: "[error][stack_trace]"]
+    @fail_original_request_field = ecs_select[disabled: "[http_request_failure][request]", v1: nil]
+    @fail_response_time_s_field = ecs_select[disabled: "[http_request_failure][runtime_seconds]", v1: nil]
+    @fail_response_time_ns_field = ecs_select[disabled: nil, v1: "[event][duration]"]
+    @fail_request_url_field = ecs_select[disabled: nil, v1: "[url][full]"]
+    @fail_request_method_field = ecs_select[disabled: nil, v1: "[http][request][method]"]
+    @fail_request_host_field = ecs_select[disabled: nil, v1: "[host][hostname]"]
+  end
+
+  public
+
+  def run(queue)
+    setup_schedule(queue)
+  end
+
+  def setup_schedule(queue)
+    # schedule hash must contain exactly one of the allowed keys
+    msg_invalid_schedule = "Invalid config. schedule hash must contain " +
+      "exactly one of the following keys - cron, at, every or in"
+    raise Logstash::ConfigurationError, msg_invalid_schedule if @schedule.keys.length != 1
+    schedule_type = @schedule.keys.first
+    schedule_value = @schedule[schedule_type]
+    raise LogStash::ConfigurationError, msg_invalid_schedule unless %w(cron every at in).include?(schedule_type)
+
+    opts = schedule_type == "every" ? { first_in: 0.01 } : {}
+    scheduler.public_send(schedule_type, schedule_value, opts) { run_once(queue) }
+    scheduler.join
+  end
+
+  def run_once(queue)
+    url = template.expand({
+                      "configs_ids" => configs_ids.join(';'),
+                      "query" => normalize_query,
+                    },
+    )
+
+
+    timestamp = eg_timestamp
+    nonce = new_nonce
+    headers.update({
+      "accept" => "application/json",
+    })
+    options = {}
+    method = 'get'
+
+    request = build_request(method) do |req|
+      req.update_uri(url)         if url
+      req.headers.update(headers) if headers
+      yield(req) if block_given?
+    end
+
+    request[KEY] = make_auth_header(request, timestamp, nonce)
+
+    request_async(
+      queue,
+      request
+    )
+    client.execute! unless stop?
+  end
+
+  private
+  def build_request(method)
+    Request.create(method) do |req|
+      req.headers = headers.dup
+      yield(req) if block_given?
+    end
+  end
+
+  def normalize_query
+    query = Hash.new
+    query_mode.each do |query_name|
+      query.merge!(query_name => instance_variable_get("@#{query_name}").nil? ? 'null' : instance_variable_get("@#{query_name}") )
+    end
+    query
+  end
+
+  def request_async(queue, request)
+    @logger.debug? && @logger.debug("async queueing fetching url", url: request)
+    started = Time.now
+
+    method, *request_opts = request.to_a
+    client.async.send(method, *request_opts).
+      on_success { |response| handle_success(queue, request, response, Time.now - started) }.
+      on_failure { |exception| handle_failure(queue, request, exception, Time.now - started) }
+  end
+
+  # time diff in float to nanoseconds
+  def to_nanoseconds(time_diff)
+    (time_diff * 1000000).to_i
+  end
+
+  def handle_success(queue, request, response, execution_time)
+    @logger.debug? && @logger.debug("success fetching url", url: request)
+    code = {
+      '416': ->(queue, request, response, execution_time) { status_416(queue, request, response, execution_time) },
+      '200': ->(queue, request, response, execution_time) { status_200(queue, request, response, execution_time) },
+    }
+    code.default = ->(queue, request, response, execution_time) { status_default(queue, request, response, execution_time) }
+    code[response.code.to_s.to_sym].call(queue, request, response, execution_time)
+  end
+
+  def status_200(queue, request, response, execution_time)
+    body = response.body
+    if body && body.size > 0
+      events = body.split("\n")
+      offset_event = events.pop
+      events.each do |data|
+        decode(data) do |decoded|
+          @logger.debug? && @logger.debug("decoded event", event: decoded)
+          event = targeted_event_factory.new_event(decoded)
+          handle_decoded_event(queue, request, response, event, execution_time)
+        end
+      end
+      decode_offset(offset_event) do |decode|
+        @offset = decode['offset']
+        @logger.debug? && @logger.debug("decoded offset", offset: @offset)
+      end
+    else
+      event = event_factory.new_event
+      handle_decoded_event(queue, request, response, event, execution_time)
+    end
+  end
+
+  def status_416(queue, request, response, execution_time)
+    @offset = nil
+    exception = build_exception(response.body)
+    handle_failure(queue, request, exception, execution_time)
+  end
+
+  def status_default(queue, request, response, execution_time)
+    exception = build_exception(response.body)
+    handle_failure(queue, request, exception, execution_time)
+  end
+
+  def parse_json(body)
+    ::LogStash::Json.jruby_load(body)
+  end
+  def decode_offset(body)
+    parse_json(body)
+  end
+
+  def decode(body)
+    event = parse_json(body)
+    if attack_section = event['attackData']
+      rules_array = []
+      attack_section.each do |member_name, value|
+        next if !member_name.match '^rule'
+        member_as_singular = member_name.gsub(/s$/, '')
+        url_decoded = Addressable::URI.unencode(value)
+        member_array = url_decoded.split(";")
+        if rules_array.empty?
+          rules_array = Array.new(member_array.count) {Hash.new}
+        end
+        if member_array.empty?
+          rules_array.map { |rule| rule[member_as_singular] = '' }
+        else
+          member_array.each_with_index do |member, index|
+            bits = Base64.decode64(member)
+            rules_array[index][member_as_singular] = bits
+          end
+        end
+
+      end
+      attack_section.delete('ruleMessages')
+      attack_section.delete('ruleSelectors')
+      attack_section.delete('rules')
+      attack_section.delete('ruleActions')
+      attack_section.delete('ruleVersions')
+      attack_section.delete('ruleData')
+      attack_section.delete('ruleTags')
+      attack_section['rules'] = rules_array
+      event['attackData'] = attack_section
+    else
+      event['attackData'] = {}
+    end
+    yield event
+  end
+
+  def handle_decoded_event(queue, request, response, event, execution_time)
+    apply_metadata(event, request, response, execution_time)
+    decorate(event)
+    queue << event
+  rescue StandardError, java.lang.Exception => e
+    @logger.error? && @logger.error("Error eventifying response!",
+                                    :exception => e,
+                                    :exception_message => e.message,
+                                    :url => request,
+                                    :response => response
+    )
+  end
+
+  def build_exception(body)
+    Exception.create(body) do |exception|
+      yield(exception) if block_given?
+    end
+  end
+
+  # Beware, on old versions of manticore some uncommon failures are not handled
+  def handle_failure(queue, request, exception, execution_time)
+    @logger.debug? && @logger.debug("failed fetching url", url: request)
+    event = event_factory.new_event
+    event.tag("_http_request_failure")
+    apply_metadata(event, request, nil, execution_time)
+    apply_failure_fields(event, request, exception, execution_time)
+
+    queue << event
+  rescue StandardError, java.lang.Exception => e
+    @logger.error? && @logger.error("Cannot read URL or send the error as an event!",
+                                    :exception => e,
+                                    :exception_message => e.message,
+                                    :exception_backtrace => e.backtrace)
+
+    # If we are running in debug mode we can display more information about the
+    # specific request which could give more details about the connection.
+    @logger.debug? && @logger.debug("Cannot read URL or send the error as an event!",
+                                    :exception => e,
+                                    :exception_message => e.message,
+                                    :exception_backtrace => e.backtrace,
+                                    :url => request)
+  end
+
+  def apply_metadata(event, request, response, execution_time)
+    return unless @metadata_target
+
+    event.set(@request_host_field, @host)
+    event.set(@response_time_s_field, execution_time) if @response_time_s_field
+    event.set(@response_time_ns_field, to_nanoseconds(execution_time)) if @response_time_ns_field
+    event.set(@original_request_field, structure_request(request))
+
+    if response
+      event.set(@response_code_field, response.code)
+      event.set(@response_headers_field, response.headers)
+      event.set(@response_message_field, response.message)
+      event.set(@request_retry_count_field, response.times_retried)
+    end
+  end
+
+  def apply_failure_fields(event, request, exception, execution_time)
+    # This is also in the metadata, but we send it anyone because we want this
+    # persisted by default, whereas metadata isn't. People don't like mysterious errors
+    event.set(@fail_original_request_field, structure_request(request)) if @fail_original_request_field
+
+    method, url, _ = request
+    event.set(@fail_request_url_field, url) if @fail_request_url_field
+    event.set(@fail_request_method_field, method.to_s) if @fail_request_method_field
+    event.set(@fail_request_host_field, @host) if @fail_request_host_field
+
+    event.set(@fail_response_time_s_field, execution_time) if @fail_response_time_s_field
+    event.set(@fail_response_time_ns_field, to_nanoseconds(execution_time)) if @fail_response_time_ns_field
+    event.set(@error_msg_field, exception.to_s)
+    event.set(@stack_trace_field, exception.backtrace)
+  end
+
+  # Turn [method, url, spec] requests into a hash for friendlier logging / ES indexing
+  def structure_request(request)
+    method, url, spec = request
+    # Flatten everything into the 'spec' hash, also stringify any keys to normalize
+    Hash[(spec || {}).merge({
+                              "method" => method.to_s,
+                              "url" => url,
+                            }).map { |k, v| [k.to_s, v] }]
+  end
+end

data/logstash-input-akamai-siem.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |s|
+  s.name = 'logstash-input-akamai-siem'
+  s.version = '1.0.0'
+  s.licenses = ['Apache-2.0']
+  s.summary = "akamai siem input streams logs at a definable interval."
+  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-input-akamai-siem. This gem is not a stand-alone program"
+  s.authors = ["Hans Moulron"]
+  s.email = 'hans.moulron@francetv.fr'
+  s.homepage = "https://github.com/francetv/logstash-input-akamai-siem"
+  s.require_paths = ["lib"]
+
+  # Files
+  # s.files = Dir['lib/**/*', 'spec/**/*', 'vendor/**/*', '*.gemspec', '*.md', 'CONTRIBUTORS', 'Gemfile', 'LICENSE', 'NOTICE.TXT']
+  s.files = Dir['lib/**/*', 'vendor/**/*', '*.gemspec', '*.md', 'CONTRIBUTORS', 'Gemfile', 'LICENSE', 'NOTICE.TXT']
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency "logstash-mixin-http_client", ">= 7.4.0", "< 8.0.0"
+  s.add_runtime_dependency 'logstash-mixin-scheduler', '~> 1.0'
+  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.3'
+  s.add_runtime_dependency 'logstash-mixin-event_support', '~> 1.0', '>= 1.0.1'
+  s.add_runtime_dependency 'logstash-mixin-validator_support', '~> 1.0'
+  s.add_runtime_dependency 'akamai-edgegrid', '~> 1.0', '>= 1.0.7'
+  s.add_runtime_dependency('addressable', ['= 2.7.0'])
+
+  s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'flores'
+  s.add_development_dependency 'timecop'
+end

metadata

@@ -0,0 +1,238 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-akamai-siem
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Hans Moulron
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2024-10-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.4.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 8.0.0
+  name: logstash-mixin-http_client
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.4.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 8.0.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-scheduler
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  name: logstash-mixin-ecs_compatibility_support
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+  name: logstash-mixin-event_support
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-validator_support
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.7
+  name: akamai-edgegrid
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.7
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.7.0
+  name: addressable
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.7.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-devutils
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: flores
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: timecop
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-input-akamai-siem.
+  This gem is not a stand-alone program
+email: hans.moulron@francetv.fr
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/inputs/akamai_siem.rb
+- lib/logstash/inputs/akamai_siem/base.rb
+- lib/logstash/inputs/akamai_siem/edge_grid.rb
+- lib/logstash/inputs/akamai_siem/exception.rb
+- lib/logstash/inputs/akamai_siem/headers.rb
+- lib/logstash/inputs/akamai_siem/middleware_registry.rb
+- lib/logstash/inputs/akamai_siem/request.rb
+- logstash-input-akamai-siem.gemspec
+homepage: https://github.com/francetv/logstash-input-akamai-siem
+licenses:
+- Apache-2.0
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: input
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.26
+signing_key:
+specification_version: 4
+summary: akamai siem input streams logs at a definable interval.
+test_files: []