RubyGems - logstash-input-beats - Versions diffs - 3.1.24-java → 5.1.9-java - Mend

logstash-input-beats 3.1.24-java → 5.1.9-java

Files changed (36) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 692a122e373c144a7bb94bc2a402dd63fbc87d26
-  data.tar.gz: 2408462f999bc58aab4091c26a5302f5b20ec83c
+SHA256:
+  metadata.gz: d9a0e0074ea17e1cc3771b987e5adf153ac7bac0ed260be4fa32aebcaf864bb8
+  data.tar.gz: 2d3359740c3bc9cd0142120e0edbbb27e92ae92b982440f6eb9f6bc1228903c5
 SHA512:
-  metadata.gz: 22ca5f6096bf553a70759ef7b6e9159d0117da8a66fac5b6eddb35ca4562c0317d829db3804497e722416c03bad47226fd1def3c035d52bbf9a297e49fe74a3a
-  data.tar.gz: 2dc230c6f9d68ab0e250bf3d8df3dcaf5acbd8a103a4f05c6951fdf2291f28831e24ef34e5b0c8c6051e84ac8a54278654afa35ddacd029762be1f345a03bbc4
+  metadata.gz: 7d5c2934d262dba8b5dd23a35a190a255c870919ddbed710aa3db7a06be3a9fc99ccb28c16c54dbdf574c0a13d1867782dab4bdbd93459179098749a4a45d029
+  data.tar.gz: db8cf9e01ab5159a6e36211d2a19449f2da44f0ca9fed86fb838e9f3f2560dd16a3b235c7383643860a138d9d8fa91e9ec3f3cfde27b47eec876fd4a10ffa689

data/CHANGELOG.md CHANGED Viewed

@@ -1,28 +1,125 @@
-## 3.1.24
- - Documentation changes
+## 5.1.9
+ - Backport [#366](https://github.com/logstash-plugins/logstash-input-beats/pull/366) and [#368](https://github.com/logstash-plugins/logstash-input-beats/pull/368) from 6.x
-## 3.1.23
- - Fix logging from Java #236
+## 5.1.8
+ - Loosen jar-dependencies manager gem dependency to allow plugin to work with JRubies that include a later version.
-## 3.1.22
+## 5.1.7
+ - Updated jar dependencies to reflect newer releases
+## 5.1.6
+ - Docs: Fixed broken link by removing extra space. [#347](https://github.com/logstash-plugins/logstash-input-beats/pull/347)
+## 5.1.5
+ - Docs: Fixed section ID that was causing doc build errors in the versioned
+plugin docs. [#346](https://github.com/logstash-plugins/logstash-input-beats/pull/346)
+## 5.1.4
+ - Added `add_hostname` flag to enable/disable the population of the `host` field from the beats.hostname field [#340](https://github.com/logstash-plugins/logstash-input-beats/pull/340)
+## 5.1.3
+ - Fixed handling of batches where the sequence numbers do not start with 1 [#342](https://github.com/logstash-plugins/logstash-input-beats/pull/342)
+## 5.1.2
+ - Changed project to use gradle version 4.8.1. [#334](https://github.com/logstash-plugins/logstash-input-beats/pull/334)
+   - This is an internal, non user-impacting, change to use a more modern version of gradle for building the plugin.
+## 5.1.1
+- Docs: Add more detail about creating versioned indexes for Beats data
+## 5.1.0
+ - Added ssl_peer_metadata option. [#327](https://github.com/logstash-plugins/logstash-input-beats/pull/327)
+ - Fixed ssl_verify_mode => peer. [#326](https://github.com/logstash-plugins/logstash-input-beats/pull/326)
+## 5.0.16
+ - [#289](https://github.com/logstash-plugins/logstash-input-beats/pull/289#issuecomment-394072063) Re-initialise Netty worker group on plugin restart
+## 5.0.15
+  - [Ensure that context is available before trace is made](https://github.com/logstash-plugins/logstash-input-beats/pull/319/files)
+## 5.0.14
+  - Update jackson deps to 2.9.5
+## 5.0.13
+  - Fix broken 5.0.12 release
+## 5.0.12
+  - Docs: Set the default_codec doc attribute.
+## 5.0.11
+  - Ensure that the keep-alive is sent for ALL pending batches when the pipeline is blocked, not only the batches attempting to write to the queue. #310
+## 5.0.10
+  - Update jackson deps to 2.9.4
+## 5.0.9
+  - Improvements to back pressure handling and memory management #299
+## 5.0.8
+  - Update jackson deps to 2.9.1
+## 5.0.7
+  - Docs: Deprecate `document_type` option
+## 5.0.6
+  - Re-order Netty pipeline to avoid NullPointerExceptions in KeepAliveHandler when Logstash is under load
+  - Improve exception logging
+  - Upgrade to Netty 4.1.18 with tcnative 2.0.7
+## 5.0.5
+  - Better handle case when remoteAddress is nil to reduce amount of warning messages in logs #269
+## 5.0.4
+  - Fix an issue with `close_wait` connection and making sure the keep alive are send back to the client all the time. #272
+## 5.0.3
+  - Update gemspec summary
+## 5.0.2
+  - Change IdleState strategy from `READER_IDLE` to `ALL_IDLE` #262
+  - Additional context when logging from the BeatsHandler #261
+  - Remove the `LoggingHandler` from the handler stack to reduce noise in the log.
+## 5.0.1
+  - Fix some documentation issues
+## 5.0.0
+ - Mark deprecated congestion_threshold and target_field_for_codec as obsolete
+## 4.0.5
  - Additional default cipher PR#242
+ - Fix logging from Java
-## 3.1.21
- - Remove duplicate jars
+## 4.0.4
+ - Documentation fixes
-## 3.1.20
- - Document changes
+## 4.0.3
+ - Include remote ip_address in metadata. #180
+ - Require Java 8 #221
+ - Fix ability to set SSL protocols  #228
-## 3.1.19
- - Fix ability to set SSL protocols #228
+## 4.0.2
+  - Relax version of concurrent-ruby to `~> 1.0` #216
-## 3.1.18
- - Relax version of concurrent-ruby to `~> 1.0`
+## 4.0.1
+ - Breaking change: Logstash will no longer start when multiline codec is used with the Beats input plugin #201
-## 3.1.17
+## 4.0.0
+ - Version yanked from RubyGems for packaging issues
+## 3.1.19
+   - Fix ability to set SSL protocols  #228
+## 3.1.18
+  - Relax version of concurrent-ruby to ~> 1.0 #216
+## 3.1.17
  - Docs: Add note indicating that the multiline codec should not be used with the Beats input plugin
  - Deprecate warning for multiline codec with the Beats input plugin
+## 3.1.16
+ - Version yanked from RubyGems for packaging issues
 ## 3.1.15
  - DEBUG: Add information about the remote when an exception is catched #192

data/Gemfile CHANGED Viewed

@@ -2,9 +2,10 @@ source 'https://rubygems.org'
 gemspec
-logstash_path = "../../logstash"
+logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
+use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
-if Dir.exist?(logstash_path) && ENV["LOGSTASH_SOURCE"] == "1"
+if Dir.exist?(logstash_path) && use_logstash_source
   gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
   gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
 end

data/LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright 2012–2016 Jordan Sissel, Elasticsearch and contributors.
+Copyright 2012-2018 Jordan Sissel, Elasticsearch and contributors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 3.1.24
1	+ 5.1.9

data/docs/index.asciidoc CHANGED Viewed

@@ -1,5 +1,6 @@
 :plugin: beats
 :type: input
+:default_codec: plain
 ///////////////////////////////////////////
 START - GENERATED VARIABLES, DO NOT EDIT!
@@ -24,7 +25,7 @@ This input plugin enables Logstash to receive events from the
 https://www.elastic.co/products/beats[Elastic Beats] framework.
 The following example shows how to configure Logstash to listen on port
-5044 for incoming Beats connections and to index into Elasticsearch:
+5044 for incoming Beats connections and to index into Elasticsearch.
 [source,ruby]
 ------------------------------------------------------------------------------
@@ -38,23 +39,48 @@ output {
   elasticsearch {
     hosts => "localhost:9200"
     manage_template => false
-    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
-    document_type => "%{[@metadata][type]}"
+    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" <1>
+    document_type => "%{[@metadata][type]}" <2>
   }
 }
 ------------------------------------------------------------------------------
-NOTE: The Beats shipper automatically sets the `type` field on the event.
-You cannot override this setting in the Logstash config. If you specify
-a setting for the <<plugins-inputs-beats-type,`type`>> config option in
-Logstash, it is ignored.
+<1> Specifies the index to write events to. See <<plugins-{type}s-{plugin}-versioned-indexes>> for
+more about this setting.
+<2> Starting with Logstash 6.0, the `document_type` option is
+deprecated due to the
+https://www.elastic.co/guide/en/elasticsearch/reference/6.0/removal-of-types.html[removal of types in Logstash 6.0].
+It will be removed in the next major version of Logstash. If you are running
+Logstash 6.0 or later, do not set `document_type` in your configuration because
+Logstash sets the type to `doc` by default.
 IMPORTANT: If you are shipping events that span multiple lines, you need to
 use the https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html[configuration options available in Filebeat] to handle multiline events
 before sending the event data to Logstash. You cannot use the
-<<plugins-codecs-multiline>> codec to handle multiline events. Doing so will
+{logstash-ref}/plugins-codecs-multiline.html[Multiline codec plugin] to handle multiline events. Doing so will
 result in the failure to start Logstash.
+[id="plugins-{type}s-{plugin}-versioned-indexes"]
+==== Versioned Beats Indices
+To minimize the impact of future schema changes on your existing indices and
+mappings in Elasticsearch, configure the Elasticsearch output to write to
+versioned indices. The pattern that you specify for the `index` setting
+controls the index name:
+[source,yaml]
+----
+index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
+----
+`%{[@metadata][beat]}`:: Sets the first part of the index name to the value of
+the `beat` metadata field, for example, `filebeat`.
+`%{[@metadata][version]}`:: Sets the second part of the name to the Beat
+version, for example, +{logstash_version}+.
+`%{+YYYY.MM.dd}`:: Sets the third part of the name to a date based on the
+Logstash `@timestamp` field.
+This configuration results in daily index names like
++filebeat-{logstash_version}-{localdate}+.
 [id="plugins-{type}s-{plugin}-options"]
 ==== Beats Input Configuration Options
@@ -64,6 +90,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-client_inactivity_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
@@ -76,6 +103,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
 |=======================================================================
@@ -85,8 +113,20 @@ input plugins.
 &nbsp;
+[id="plugins-{type}s-{plugin}-add_hostname"]
+===== `add_hostname`
+  added[5.1.4, Field was added to allow users to control whether or not the `host` field is automatically added to events.]
+  deprecated[5.1.4, In future versions of this plugin, this setting will be removed, and the 'hosts' field will not be added to events.]
+  * Value type is <<boolean,boolean>>
+  * Default value is `true`
+Flag to determine whether to add `host` field to event using the value supplied by the beat in the `hostname` field.
 [id="plugins-{type}s-{plugin}-cipher_suites"]
-===== `cipher_suites`
+===== `cipher_suites`
   * Value type is <<array,array>>
   * Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
@@ -94,25 +134,15 @@ input plugins.
 The list of ciphers suite to use, listed by priorities.
 [id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
-===== `client_inactivity_timeout`
+===== `client_inactivity_timeout`
   * Value type is <<number,number>>
   * Default value is `60`
 Close Idle clients after X seconds of inactivity.
-[id="plugins-{type}s-{plugin}-congestion_threshold"]
-===== `congestion_threshold`  (DEPRECATED)
-  * DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
-  * Value type is <<number,number>>
-  * Default value is `5`
-The number of seconds before we raise a timeout.
-This option is useful to control how much time to wait if something is blocking the pipeline.
 [id="plugins-{type}s-{plugin}-host"]
-===== `host`
+===== `host`
   * Value type is <<string,string>>
   * Default value is `"0.0.0.0"`
@@ -120,7 +150,7 @@ This option is useful to control how much time to wait if something is blocking
 The IP address to listen on.
 [id="plugins-{type}s-{plugin}-include_codec_tag"]
-===== `include_codec_tag`
+===== `include_codec_tag`
   * Value type is <<boolean,boolean>>
   * Default value is `true`
@@ -128,7 +158,7 @@ The IP address to listen on.
 [id="plugins-{type}s-{plugin}-port"]
-===== `port`
+===== `port`
   * This is a required setting.
   * Value type is <<number,number>>
@@ -137,7 +167,7 @@ The IP address to listen on.
 The port to listen on.
 [id="plugins-{type}s-{plugin}-ssl"]
-===== `ssl`
+===== `ssl`
   * Value type is <<boolean,boolean>>
   * Default value is `false`
@@ -147,7 +177,7 @@ enable encryption by setting `ssl` to true and configuring
 the `ssl_certificate` and `ssl_key` options.
 [id="plugins-{type}s-{plugin}-ssl_certificate"]
-===== `ssl_certificate`
+===== `ssl_certificate`
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -155,19 +185,19 @@ the `ssl_certificate` and `ssl_key` options.
 SSL certificate to use.
 [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
-===== `ssl_certificate_authorities`
+===== `ssl_certificate_authorities`
   * Value type is <<array,array>>
   * Default value is `[]`
-Validate client certificates against these authorities.
+Validate client certificates against these authorities.
 You can define multiple files or paths. All the certificates will
 be read and added to the trust store. You need to configure the `ssl_verify_mode`
 to `peer` or `force_peer` to enable the verification.
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
-===== `ssl_handshake_timeout`
+===== `ssl_handshake_timeout`
   * Value type is <<number,number>>
   * Default value is `10000`
@@ -175,7 +205,7 @@ to `peer` or `force_peer` to enable the verification.
 Time in milliseconds for an incomplete ssl handshake to timeout
 [id="plugins-{type}s-{plugin}-ssl_key"]
-===== `ssl_key`
+===== `ssl_key`
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -185,7 +215,7 @@ NOTE: This key need to be in the PKCS8 format, you can convert it with https://w
 for more information.
 [id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
-===== `ssl_key_passphrase`
+===== `ssl_key_passphrase`
   * Value type is <<password,password>>
   * There is no default value for this setting.
@@ -193,14 +223,14 @@ for more information.
 SSL key passphrase to use.
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
-===== `ssl_verify_mode`
+===== `ssl_verify_mode`
   * Value can be any of: `none`, `peer`, `force_peer`
   * Default value is `"none"`
 By default the server doesn't do any client verification.
-`peer` will make the server ask the client to provide a certificate.
+`peer` will make the server ask the client to provide a certificate.
 If the client provides a certificate, it will be validated.
 `force_peer` will make the server ask the client to provide a certificate.
@@ -208,17 +238,18 @@ If the client doesn't provide a certificate, the connection will be closed.
 This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
-[id="plugins-{type}s-{plugin}-target_field_for_codec"]
-===== `target_field_for_codec`  (DEPRECATED)
+[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
+===== `ssl_peer_metadata`
-  * DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
-  * Value type is <<string,string>>
-  * Default value is `"message"`
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
-This is the default field to which the specified codec will be applied.
+Enables storing client certificate information in event's metadata.
+This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
 [id="plugins-{type}s-{plugin}-tls_max_version"]
-===== `tls_max_version`
+===== `tls_max_version`
   * Value type is <<number,number>>
   * Default value is `1.2`
@@ -227,7 +258,7 @@ The maximum TLS version allowed for the encrypted connections. The value must be
 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
 [id="plugins-{type}s-{plugin}-tls_min_version"]
-===== `tls_min_version`
+===== `tls_min_version`
   * Value type is <<number,number>>
   * Default value is `1`
@@ -239,3 +270,5 @@ The minimum TLS version allowed for the encrypted connections. The value must be
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]
+:default_codec!:

data/lib/logstash/inputs/beats/event_transform_common.rb CHANGED Viewed

@@ -12,6 +12,7 @@ module LogStash module Inputs class Beats
     # Copies the beat.hostname field into the host field unless
     # the host field is already defined
     def copy_beat_hostname(event)
+      return unless @input.add_hostname
       host = event.get("[beat][hostname]")
       if host && event.get("host").nil?

data/lib/logstash/inputs/beats/message_listener.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # encoding: utf-8
 require "thread_safe"
 require "logstash-input-beats_jars"
+import "javax.net.ssl.SSLPeerUnverifiedException"
 import "org.logstash.beats.MessageListener"
 module LogStash module Inputs class Beats
@@ -10,7 +11,7 @@ module LogStash module Inputs class Beats
     FILEBEAT_LOG_LINE_FIELD = "message".freeze
     LSF_LOG_LINE_FIELD = "line".freeze
-    ConnectionState = Struct.new(:ctx, :codec)
+    ConnectionState = Struct.new(:ctx, :codec, :ip_address)
     attr_reader :logger, :input, :connections_list
@@ -27,10 +28,14 @@ module LogStash module Inputs class Beats
     end
     def onNewMessage(ctx, message)
-      hash = message.getData()
+      hash = message.getData
+      ip_address = ip_address(ctx)
+      hash['@metadata']['ip_address'] = ip_address unless ip_address.nil? || hash['@metadata'].nil?
       target_field = extract_target_field(hash)
+      extract_tls_peer(hash, ctx)
       if target_field.nil?
         event = LogStash::Event.new(hash)
         @nocodec_transformer.transform(event)
@@ -58,9 +63,9 @@ module LogStash module Inputs class Beats
       # This is mostly due to a bad certificate or keys, running Logstash in debug mode will show more information
       if cause.is_a?(Java::JavaLang::IllegalArgumentException)
         if input.logger.debug?
-          input.logger.error("Looks like you either have an invalid key or your private key was not in PKCS8 format.")
+          input.logger.error("Looks like you either have a bad certificate, an invalid key or your private key was not in PKCS8 format.", :exception => cause)
         else
-          input.logger.error("Looks like you either have an invalid key or your private key was not in PKCS8 format.", :exception => cause)
+          input.logger.error("Looks like you either have a bad certificate, an invalid key or your private key was not in PKCS8 format.")
         end
       else
         input.logger.warn("Error when creating a connection", :exception => cause.to_s)
@@ -77,8 +82,29 @@ module LogStash module Inputs class Beats
       connections_list[ctx].codec
     end
+    def ip_address(ctx)
+      return if connections_list[ctx].nil?
+      connections_list[ctx].ip_address
+    end
     def register_connection(ctx)
-      connections_list[ctx] = ConnectionState.new(ctx, input.codec.dup)
+      connections_list[ctx] = ConnectionState.new(ctx, input.codec.clone, ip_address_from_ctx(ctx))
+    end
+    def ip_address_from_ctx(ctx)
+      begin
+        remote_address = ctx.channel.remoteAddress
+        # Netty allows remoteAddress to be nil, which can cause a lot of log entries - see
+        # https://github.com/logstash-plugins/logstash-input-beats/issues/269
+        if remote_address.nil?
+          input.logger.debug("Cannot retrieve remote IP address for beats input - remoteAddress is nil")
+          return nil
+        end
+        remote_address.getAddress.getHostAddress
+      rescue => e # This should not happen, but should not block the beats input
+        input.logger.warn("Could not retrieve remote IP address for beats input.", :error => e)
+        nil
+      end
     end
     def unregister_connection(ctx)
@@ -96,6 +122,38 @@ module LogStash module Inputs class Beats
       end
     end
+    def extract_tls_peer(hash, ctx)
+      if @input.client_authentication_metadata?
+        tls_session = ctx.channel().pipeline().get("ssl-handler").engine().getSession()
+        tls_verified = true
+        if not @input.client_authentication_required?
+          # throws SSLPeerUnverifiedException if unverified
+          begin
+            tls_session.getPeerCertificates()
+          rescue SSLPeerUnverifiedException => e
+            tls_verified = false
+            if input.logger.debug?
+              input.logger.debug("SSL peer unverified. This is normal with 'peer' verification and client does not presents a certificate.", :exception => e)
+            end
+          end
+        end
+        if tls_verified
+          hash['@metadata']['tls_peer'] = {
+            :status       => "verified",
+            :protocol     => tls_session.getProtocol(),
+            :subject      => tls_session.getPeerPrincipal().getName(),
+            :cipher_suite => tls_session.getCipherSuite()
+          }
+        else
+          hash['@metadata']['tls_peer'] = {
+            :status     => "unverified"
+          }
+        end
+      end
+    end
     def extract_target_field(hash)
       if from_filebeat?(hash)
         hash.delete(FILEBEAT_LOG_LINE_FIELD).to_s