logstash-input-beats 6.1.5-java → 6.2.2-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dfd025acbb07379ea0d9fa66d381cd0aa88e92b7e3f0d162efff407cd27763b5
-  data.tar.gz: f4071900f9e42da024156f3215699ecda37027ec137c6f5bb01d47daf9153562
+  metadata.gz: 187ef06d14ac3b4ccab2dffde80f1f54e0dc0c08ddcf5383022d1181200626c1
+  data.tar.gz: e4d0d2f120146186225a3e239e589691b7a051ca5b67b476e34c1b4a997950eb
 SHA512:
-  metadata.gz: 902a418a13e1cf18e8c8125ed04a4f77f945786dcb9af0cfabb581ea5afe96199614bd3f240eba758897e677adc34948866394673550c061f19cf5b6bac5b4be
-  data.tar.gz: aa57f6663812fece5e775878d10904d003654c25cd4931fcf02cb692ab6fcb235d9cbbf3925450df8078abc71c613b1b95d8d251d65f9e2d3fd4011ac4c3a161
+  metadata.gz: fb532b95ec66cf1fa7a7df02f2b7f9286298974deef2ac75633a6bdb12abd7a1ef7c51f72b3b90e64f822e96bac20d5280ade15fabcb1e3734e8e9e4218d9623
+  data.tar.gz: 7d1bdd0693e3b00e6401efbfee45728566eef845630dfbb69ba0f5224d254747a159890b186187675e6bb29cc62b74c5e99b20a9439cd06806a4b067c3842504

data/CHANGELOG.md

@@ -1,5 +1,22 @@
+## 6.2.2
+ - Fix: update to Gradle 7 [#432](https://github.com/logstash-plugins/logstash-input-beats/pull/432)
+ - [DOC] Edit documentation for `executor_threads` [#435](https://github.com/logstash-plugins/logstash-input-beats/pull/435)
+
+## 6.2.1
+ - Fix: LS failing with `ssl_peer_metadata => true` [#431](https://github.com/logstash-plugins/logstash-input-beats/pull/431)
+ - [DOC] described `executor_threads` configuration parameter [#421](https://github.com/logstash-plugins/logstash-input-beats/pull/421)
+
+## 6.2.0
+ - ECS compatibility enablement: Adds alias to support upcoming ECS v8 with the existing ECS v1 implementation
+
+## 6.1.7
+ - [DOC] Remove limitations topic and link [#428](https://github.com/logstash-plugins/logstash-input-beats/pull/428)
+
+## 6.1.6
+ - [DOC] Applied more attributes to manage plugin name in doc content, and implemented conditional text processing. [#423](https://github.com/logstash-plugins/logstash-input-http/pull/423)
+
 ## 6.1.5
- - Changed jar dependencies to reflect newer versions [#425](https://github.com/logstash-plugins/logstash-input-http/pull/425)
+ - Changed jar dependencies to reflect newer versions [#425](https://github.com/logstash-plugins/logstash-input-beats/pull/425)
 
 ## 6.1.4
  - Fix: reduce error logging on connection resets [#424](https://github.com/logstash-plugins/logstash-input-beats/pull/424)

data/VERSION

@@ -1 +1 @@
-6.1.5
+6.2.2

data/docs/index.asciidoc

@@ -2,6 +2,7 @@
 :type: input
 :default_codec: plain
 :plugin-uc: Beats
+:plugin-singular: Beat
 
 ///////////////////////////////////////////
 START - GENERATED VARIABLES, DO NOT EDIT!
@@ -19,18 +20,21 @@ END - GENERATED VARIABLES, DO NOT EDIT!
 === {plugin-uc} input plugin
 
 NOTE: The `input-elastic_agent` plugin is the next generation of the
-`input-beats` plugin. They currently share a common codebase.
+`input-beats` plugin. 
+They currently share code and a https://github.com/logstash-plugins/logstash-input-beats[common codebase].
 
 include::{include_path}/plugin_header.asciidoc[]
 
 ==== Description
 
 This input plugin enables Logstash to receive events from the
-https://www.elastic.co/products/beats[Elastic Beats] framework.
+{plugin-uc} framework.
 
 The following example shows how to configure Logstash to listen on port
 5044 for incoming {plugin-uc} connections and to index into Elasticsearch.
 
+//Example for Beats
+ifeval::["{plugin}"=="beats"]
 ["source","sh",subs="attributes"]
 -----
 
@@ -48,9 +52,8 @@ output {
 }
 -----
 <1> `%{[@metadata][beat]}` sets the first part of the index name to the value
-of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to
-the {plugin-uc} version. For example:
-metricbeat-7.4.0.
+of the metadata field and `%{[@metadata][version]}` sets the second part to
+the {plugin-singular} version. For example: metricbeat-6.1.6.
 
 Events indexed into Elasticsearch with the Logstash configuration shown here
 will be similar to events directly indexed by {plugin-uc} into Elasticsearch.
@@ -59,14 +62,47 @@ NOTE: If ILM is not being used, set `index` to
 `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so
 Logstash creates an index per day, based on the `@timestamp` value of the events
 coming from {plugin-uc}.
+endif::[]
 
-IMPORTANT: If you are shipping events that span multiple lines, you need to use
+//Example for Elastic Agent
+ifeval::["{plugin}"!="beats"]
+["source","sh",subs="attributes"]
+-----
+
+input {
+  {plugin} {
+    port => 5044
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["http://localhost:9200"]
+    data_stream => "true"
+  }
+}
+-----
+
+Events indexed into Elasticsearch with the Logstash configuration shown here
+will be similar to events directly indexed by {plugin-uc} into Elasticsearch.
+endif::[]
+
+
+//Content for Beats
+ifeval::["{plugin}"=="beats"]
+[id="plugins-{type}s-{plugin}-multiline"]
+===== Multi-line events
+
+If you are shipping events that span multiple lines, you need to use
 the {filebeat-ref}/multiline-examples.html[configuration options available in
 Filebeat] to handle multiline events before sending the event data to Logstash.
 You cannot use the {logstash-ref}/plugins-codecs-multiline.html[Multiline codec
 plugin] to handle multiline events. Doing so will result in the failure to start
 Logstash.
+endif::[]
 
+//Content for Beats
+ifeval::["{plugin}"=="beats"]
 [id="plugins-{type}s-{plugin}-versioned-indexes"]
 ==== Versioned indices
 
@@ -89,6 +125,7 @@ Logstash `@timestamp` field.
 
 This configuration results in daily index names like
 +filebeat-{logstash_version}-{localdate}+.
+endif::[]
 
 
 [id="plugins-{type}s-{plugin}-ecs_metadata"]
@@ -104,18 +141,18 @@ output.
 
 [cols="<l,<l,e,<e"]
 |=======================================================================
-|ECS disabled |ECS v1 |Availability |Description
+|ECS `disabled` |ECS `v1`, `v8` |Availability |Description
 
-|[host]                  |[@metadata][input][beats][host][name]   |Always       |Name or address of the beat host
-|[@metadata][ip_address] |[@metadata][input][beats][host][ip]     |Always       |IP address of the Beats client
-|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`
+|[host]                  |[@metadata][input][beats][host][name]   |Always       |Name or address of the {plugin-singular} host
+|[@metadata][ip_address] |[@metadata][input][beats][host][ip]     |Always       |IP address of the {plugin-uc} client
+|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`/`v8`
 |[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
 |[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
 |[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
 |=======================================================================
 
 [id="plugins-{type}s-{plugin}-options"]
-==== {plugin-uc} Input Configuration Options
+==== {plugin-uc} input configuration options
 
 This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
 
@@ -126,6 +163,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-client_inactivity_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
+| <<plugins-{type}s-{plugin}-executor_threads>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-include_codec_tag>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
@@ -154,7 +192,7 @@ input plugins.
   * Value type is <<boolean,boolean>>
   * Default value is `false`
 
-Flag to determine whether to add `host` field to event using the value supplied by the beat in the `hostname` field.
+Flag to determine whether to add `host` field to event using the value supplied by the {plugin-singular} in the `hostname` field.
 
 
 [id="plugins-{type}s-{plugin}-cipher_suites"]
@@ -179,13 +217,32 @@ Close Idle clients after X seconds of inactivity.
 * Value type is <<string,string>>
 * Supported values are:
 ** `disabled`: unstructured connection metadata added at root level
-** `v1`: structured connection metadata added under ECS compliant namespaces
+** `v1`: structured connection metadata added under ECS v1 compliant namespaces
+** `v8`: structured connection metadata added under ECS v8 compliant namespaces
 * Default value depends on which version of Logstash is running:
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.
 
 Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed information.
 
+[id="plugins-{type}s-{plugin}-executor_threads"]
+===== `executor_threads`
+
+  * Value type is <<number,number>>
+  * Default value is 1 executor thread per CPU core
+
+The number of threads to be used to process incoming beats requests.
+By default the Beats input creates a number of threads equal to 2*CPU cores.
+These threads handle incoming connections, reading from established sockets, and executing most of the tasks related to network connection management. 
+Parsing the Lumberjack protocol is offloaded to a dedicated thread pool.
+
+Generally you don't need to touch this setting.
+In case you are sending very large events and observing "OutOfDirectMemory" exceptions,
+you may want to reduce this number to half or 1/4 of the CPU cores.
+This change reduces the number of threads decompressing batches of data into direct memory.
+However, this will only be a mitigating tweak, as the proper solution may require resizing your Logstash deployment,
+either by increasing number of Logstash nodes or increasing the JVM's Direct Memory.
+
 [id="plugins-{type}s-{plugin}-host"]
 ===== `host`
 
@@ -317,3 +374,4 @@ The minimum TLS version allowed for the encrypted connections. The value must be
 include::{include_path}/{type}.asciidoc[]
 
 :default_codec!:
+

data/lib/logstash/inputs/beats/message_listener.rb

@@ -15,6 +15,8 @@ module LogStash module Inputs class Beats
 
     attr_reader :logger, :input, :connections_list
 
+    attr_reader :event_factory
+
     def initialize(queue, input)
       @connections_list = ThreadSafe::Hash.new
       @queue = queue
@@ -25,6 +27,7 @@ module LogStash module Inputs class Beats
 
       @nocodec_transformer = RawEventTransform.new(@input)
       @codec_transformer = DecodedEventTransform.new(@input)
+      @event_factory = input.event_factory
     end
 
     def onNewMessage(ctx, message)
@@ -39,7 +42,7 @@ module LogStash module Inputs class Beats
       extract_tls_peer(hash, ctx)
 
       if target_field.nil?
-        event = LogStash::Event.new(hash)
+        event = event_factory.new_event(hash)
         @nocodec_transformer.transform(event)
         @queue << event
       else
@@ -129,7 +132,7 @@ module LogStash module Inputs class Beats
         tls_session = ctx.channel().pipeline().get("ssl-handler").engine().getSession()
         tls_verified = true
 
-        if not @input.client_authentication_required?
+        unless @input.client_authentication_required?
           # throws SSLPeerUnverifiedException if unverified
           begin
             tls_session.getPeerCertificates()
@@ -141,18 +144,16 @@ module LogStash module Inputs class Beats
           end
         end
 
+        meta_data = hash['@metadata'] ||= {}
+
         if tls_verified
-          set_nested(hash, @field_tls_protocol_version, tls_session.getProtocol())
-          set_nested(hash, @field_tls_peer_subject, tls_session.getPeerPrincipal().getName())
-          set_nested(hash, @field_tls_cipher, tls_session.getCipherSuite())
+          meta_data['tls_peer'] = { :status => "verified" }
 
-          hash['@metadata']['tls_peer'] = {
-            :status       => "verified"
-          }
+          set_nested(hash, input.field_tls_protocol_version, tls_session.getProtocol())
+          set_nested(hash, input.field_tls_peer_subject, tls_session.getPeerPrincipal().getName())
+          set_nested(hash, input.field_tls_cipher, tls_session.getCipherSuite())
         else
-          hash['@metadata']['tls_peer'] = {
-            :status     => "unverified"
-          }
+          meta_data['tls_peer'] = { :status => "unverified" }
         end
       end
     end
@@ -163,9 +164,6 @@ module LogStash module Inputs class Beats
       field_ref = Java::OrgLogstash::FieldReference.from(field_name)
       # create @metadata sub-hash if needed
       if field_ref.type == Java::OrgLogstash::FieldReference::META_CHILD
-        unless hash.key?("@metadata")
-          hash["@metadata"] = {}
-        end
         nesting_hash = hash["@metadata"]
       else
         nesting_hash = hash

data/lib/logstash/inputs/beats.rb

@@ -6,6 +6,7 @@ require "logstash/codecs/multiline"
 require "logstash/util"
 require "logstash-input-beats_jars"
 require "logstash/plugin_mixins/ecs_compatibility_support"
+require 'logstash/plugin_mixins/event_support/event_factory_adapter'
 require_relative "beats/patch"
 
 # This input plugin enables Logstash to receive events from the
@@ -51,7 +52,9 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   require "logstash/inputs/beats/tls"
 
   # adds ecs_compatibility config which could be :disabled or :v1
-  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled,:v1)
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled,:v1, :v8 => :v1)
+
+  include LogStash::PluginMixins::EventSupport::EventFactoryAdapter
 
   config_name "beats"
 
@@ -126,6 +129,7 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   config :executor_threads, :validate => :number, :default => LogStash::Config::CpuCoreStrategy.maximum
 
   attr_reader :field_hostname, :field_hostip
+  attr_reader :field_tls_protocol_version, :field_tls_peer_subject, :field_tls_cipher
 
   def register
     # For Logstash 2.4 we need to make sure that the logger is correctly set for the
@@ -164,10 +168,10 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
 
     # define ecs name mapping
     @field_hostname = ecs_select[disabled: "host", v1: "[@metadata][input][beats][host][name]"]
-    @field_hostip   = ecs_select[disabled: "[@metadata][ip_address]", v1: "[@metadata][input][beats][host][ip]"]
-    @field_tls_protocol_version   = ecs_select[disabled: "[@metadata][tls_peer][protocol]", v1: "[@metadata][input][beats][tls][version_protocol]"]
-    @field_tls_peer_subject   = ecs_select[disabled: "[@metadata][tls_peer][subject]", v1: "[@metadata][input][beats][tls][client][subject]"]
-    @field_tls_cipher   = ecs_select[disabled: "[@metadata][tls_peer][cipher_suite]", v1: "[@metadata][input][beats][tls][cipher]"]
+    @field_hostip = ecs_select[disabled: "[@metadata][ip_address]", v1: "[@metadata][input][beats][host][ip]"]
+    @field_tls_protocol_version = ecs_select[disabled: "[@metadata][tls_peer][protocol]", v1: "[@metadata][input][beats][tls][version_protocol]"]
+    @field_tls_peer_subject = ecs_select[disabled: "[@metadata][tls_peer][subject]", v1: "[@metadata][input][beats][tls][client][subject]"]
+    @field_tls_cipher = ecs_select[disabled: "[@metadata][tls_peer][cipher_suite]", v1: "[@metadata][input][beats][tls][cipher]"]
 
     @logger.info("Starting input listener", :address => "#{@host}:#{@port}")
 

data/lib/logstash-input-beats_jars.rb

@@ -8,4 +8,4 @@ require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.9.10')
 require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.9.10.8')
 require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.9.10')
 require_jar('org.apache.logging.log4j', 'log4j-api', '2.11.1')
-require_jar('org.logstash.beats', 'logstash-input-beats', '6.1.5')
+require_jar('org.logstash.beats', 'logstash-input-beats', '6.2.2')

data/logstash-input-beats.gemspec

@@ -27,7 +27,8 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "thread_safe", "~> 0.3.5"
   s.add_runtime_dependency "logstash-codec-multiline", ">= 2.0.5"
   s.add_runtime_dependency 'jar-dependencies', '~> 0.3', '>= 0.3.4'
-  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.1'
+  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.3'
+  s.add_runtime_dependency 'logstash-mixin-event_support', '~>1.0'
 
   s.add_development_dependency "flores", "~>0.0.6"
   s.add_development_dependency "rspec"

data/spec/inputs/beats/decoded_event_transform_spec.rb

@@ -31,6 +31,7 @@ describe LogStash::Inputs::Beats::DecodedEventTransform do
 
   include_examples "Common Event Transformation", :disabled, "host"
   include_examples "Common Event Transformation", :v1, "[@metadata][input][beats][host][name]"
+  include_examples "Common Event Transformation", :v8, "[@metadata][input][beats][host][name]"
 
   it "tags the event" do
     expect(subject.get("tags")).to include("beats_input_codec_plain_applied")

data/spec/inputs/beats/event_transform_common_spec.rb

@@ -9,4 +9,5 @@ describe LogStash::Inputs::Beats::EventTransformCommon do
 
   include_examples "Common Event Transformation", :disabled, "host"
   include_examples "Common Event Transformation", :v1, "[@metadata][input][beats][host][name]"
+  include_examples "Common Event Transformation", :v8, "[@metadata][input][beats][host][name]"
 end

data/spec/inputs/beats/message_listener_spec.rb

@@ -211,6 +211,7 @@ describe LogStash::Inputs::Beats::MessageListener do
 
     it_behaves_like "when the message is from any libbeat", :disabled, "[@metadata][ip_address]"
     it_behaves_like "when the message is from any libbeat", :v1, "[@metadata][input][beats][host][ip]"
+    it_behaves_like "when the message is from any libbeat", :v8, "[@metadata][input][beats][host][ip]"
   end
 
   context "onException" do

data/spec/inputs/beats/raw_event_transform_spec.rb

@@ -20,6 +20,7 @@ describe LogStash::Inputs::Beats::RawEventTransform do
 
   include_examples "Common Event Transformation", :disabled, "host"
   include_examples "Common Event Transformation", :v1, "[@metadata][input][beats][host][name]"
+  include_examples "Common Event Transformation", :v8, "[@metadata][input][beats][host][name]"
 
   it "tags the event" do
     expect(subject.get("tags")).to include("beats_input_raw_event")

data/spec/inputs/beats_spec.rb

@@ -12,26 +12,28 @@ describe LogStash::Inputs::Beats do
   let(:connection) { double("connection") }
   let(:certificate) { BeatsInputTest.certificate }
   let(:port) { BeatsInputTest.random_port }
+  let(:client_inactivity_timeout) { 400 }
+  let(:threads) { 1 + rand(9) }
   let(:queue)  { Queue.new }
   let(:config)   do
     {
-        "port" => 0,
+        "port" => port,
         "ssl_certificate" => certificate.ssl_cert,
         "ssl_key" => certificate.ssl_key,
+        "client_inactivity_timeout" => client_inactivity_timeout,
+        "executor_threads" => threads,
         "type" => "example",
         "tags" => "beats"
     }
   end
 
+  subject(:plugin) { LogStash::Inputs::Beats.new(config) }
+
   context "#register" do
     context "host related configuration" do
-      let(:config) { super().merge("host" => host, "port" => port, "client_inactivity_timeout" => client_inactivity_timeout, "executor_threads" => threads) }
+      let(:config) { super().merge("host" => host, "port" => port) }
       let(:host) { "192.168.1.20" }
-      let(:port) { 9000 }
-      let(:client_inactivity_timeout) { 400 }
-      let(:threads) { 10 }
-
-      subject(:plugin) { LogStash::Inputs::Beats.new(config) }
+      let(:port) { 9001 }
 
       it "sends the required options to the server" do
         expect(org.logstash.beats.Server).to receive(:new).with(host, port, client_inactivity_timeout, threads)
@@ -158,9 +160,80 @@ describe LogStash::Inputs::Beats do
 
       it "raise a ConfigurationError when multiline codec is set" do
         plugin = LogStash::Inputs::Beats.new(config)
-        expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Multiline codec with beats input is not supported. Please refer to the beats documentation for how to best manage multiline data. See https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html")
+        expect { plugin.register }.to raise_error(LogStash::ConfigurationError, "Multiline codec with beats input is not supported. Please refer to the beats documentation for how to best manage multiline data. See https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html")
+      end
+    end
+  end
+
+  context "tls meta-data" do
+    let(:config) { super().merge("host" => host, "ssl_peer_metadata" => true, "ssl_certificate_authorities" => [ certificate.ssl_cert ]) }
+    let(:host) { "192.168.1.20" }
+    let(:port) { 9002 }
+
+    let(:queue) { Queue.new }
+    let(:event) { LogStash::Event.new }
+
+    subject(:plugin) { LogStash::Inputs::Beats.new(config) }
+
+    before do
+      @server = org.logstash.beats.Server.new(host, port, client_inactivity_timeout, threads)
+      expect( org.logstash.beats.Server ).to receive(:new).with(host, port, client_inactivity_timeout, threads).and_return @server
+      expect( @server ).to receive(:listen)
+
+      subject.register
+      subject.run(queue) # listen does nothing
+      @message_listener = @server.getMessageListener
+
+      allow( ssl_engine = double('ssl_engine') ).to receive(:getSession).and_return ssl_session
+      allow( ssl_handler = double('ssl-handler') ).to receive(:engine).and_return ssl_engine
+      allow( pipeline = double('pipeline') ).to receive(:get).and_return ssl_handler
+      allow( @channel = double('channel') ).to receive(:pipeline).and_return pipeline
+    end
+
+    let(:ctx) do
+      Java::io.netty.channel.ChannelHandlerContext.impl do |method, *args|
+        fail("unexpected #{method}( #{args} )") unless method.eql?(:channel)
+        @channel
       end
     end
+
+    let(:ssl_session) do
+      Java::javax.net.ssl.SSLSession.impl do |method, *args|
+        case method
+        when :getPeerCertificates
+          [].to_java(java.security.cert.Certificate)
+        when :getProtocol
+          'TLS-Mock'
+        when :getCipherSuite
+          'SSL_NULL_WITH_TEST_SPEC'
+        when :getPeerPrincipal
+          javax.security.auth.x500.X500Principal.new('CN=TEST, OU=RSpec, O=Logstash, C=NL', {})
+        else
+          fail("unexpected #{method}( #{args} )")
+        end
+      end
+    end
+
+    let(:ssl_session_peer_principal) do
+      javax.security.auth.x500.X500Principal
+    end
+
+    let(:message) do
+      org.logstash.beats.Message.new(0, java.util.HashMap.new('foo' => 'bar'))
+    end
+
+    it 'sets tls fields' do
+      @message_listener.onNewMessage(ctx, message)
+
+      expect( queue.size ).to be 1
+      expect( event = queue.pop ).to be_a LogStash::Event
+
+      expect( event.get('[@metadata][tls_peer][status]') ).to eql 'verified'
+
+      expect( event.get('[@metadata][tls_peer][protocol]') ).to eql 'TLS-Mock'
+      expect( event.get('[@metadata][tls_peer][cipher_suite]') ).to eql 'SSL_NULL_WITH_TEST_SPEC'
+      expect( event.get('[@metadata][tls_peer][subject]') ).to eql 'CN=TEST,OU=RSpec,O=Logstash,C=NL'
+    end
   end
 
   context "when interrupting the plugin" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-beats
 version: !ruby/object:Gem::Version
-  version: 6.1.5
+  version: 6.2.2
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-21 00:00:00.000000000 Z
+date: 2021-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -111,7 +111,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
   name: logstash-mixin-ecs_compatibility_support
   prerelease: false
   type: :runtime
@@ -119,7 +119,21 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-event_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -285,7 +299,7 @@ files:
 - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
 - vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.11.1.jar
 - vendor/jar-dependencies/org/javassist/javassist/3.24.0-GA/javassist-3.24.0-GA.jar
-- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.1.5/logstash-input-beats-6.1.5.jar
+- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.2.2/logstash-input-beats-6.2.2.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
@@ -308,8 +322,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Receives events from the Elastic Beats framework