logstash-input-beats 6.3.0-java → 6.4.1-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e50f7332c2cc7d230b49310fd987ff4ed575b0d8eb4e62526899af20bfabe0d5
-  data.tar.gz: dfeb260b1a5c7866b624c769abc2c780efa194dbadd5c18d1f2cb282ff58537b
+  metadata.gz: 68a12c2391dc30949874806c2fc7fcda4466e9e61069743e59b86a5897db0adf
+  data.tar.gz: c45c2f91cc595fa038ca25001b86bd9f68808eb985c57c9660810e657ed50ceb
 SHA512:
-  metadata.gz: e4be1cf87358e1e02479c7692d8317382ffe96e497f9ea658ce2774f6583253ce9a05fb7ab322722eea0c59ca06cad09718f95ffce6b7b5a53dcfa9b8b4c24d7
-  data.tar.gz: dcb8dae4e25448aec7105bea439c7c04bfcdc49752c99624fc26722d2f056024cb8942f7af926b486f1c9eb00fb6b0b80ae636bdf3fb164084125b4636681b28
+  metadata.gz: f0a6672e755ddd5ca081213c88ac99f5f4d62fdd31bcd793a31e1873436a8b78eba730dfc331fadd38afb0ca63c62a2e056b9687b3f7ab910ee49e401c68e033
+  data.tar.gz: 0f350faaa0187da56c9d00107c66c27172ff13b357627fd0366bfba48572f4f59d843daa35911746ccb9b99fa8bae4a9c6aed8da532fc72e11744f9017c69260

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 6.4.1
+  - [DOC] Add direct memory example [#454](https://github.com/logstash-plugins/logstash-input-beats/pull/454)
+
+## 6.4.0
+ - Feat: review and deprecate ssl protocol/cipher settings [#450](https://github.com/logstash-plugins/logstash-input-beats/pull/450)
+
+## 6.3.1
+ - Fix: Removed use of deprecated `import` of java classes in ruby [#449](https://github.com/logstash-plugins/logstash-input-beats/pull/449)
+
 ## 6.3.0
  - Added support for TLSv1.3. [#447](https://github.com/logstash-plugins/logstash-input-beats/pull/447)
 

data/VERSION

@@ -1 +1 @@
-6.3.0
+6.4.1

data/docs/index.asciidoc

@@ -88,6 +88,19 @@ will be similar to events directly indexed by {plugin-uc} into Elasticsearch.
 endif::[]
 
 
+[id="plugins-{type}s-{plugin}-memory"]
+===== Memory usage
+
+This plugin uses "off-heap" direct memory in addition to heap memory.
+By default, a JVM's off-heap direct memory limit is the same as the heap size.
+For example, setting `-Xmx10G` without setting the direct memory limit will allocate `10GB` for heap and an additional `10GB` for direct memory, for a total of `20GB` allocated. 
+You can set the amount of direct memory with `-XX:MaxDirectMemorySize` in {logstash-ref}/jvm-settings.html[Logstash JVM Settings]. 
+Consider setting direct memory to half of the heap size. 
+Setting direct memory too low decreases the performance of ingestion.
+
+NOTE: Be sure that heap and direct memory combined does not exceed the total memory available on the server to avoid an OutOfDirectMemoryError
+
+
 //Content for Beats
 ifeval::["{plugin}"=="beats"]
 [id="plugins-{type}s-{plugin}-multiline"]
@@ -101,6 +114,7 @@ plugin] to handle multiline events. Doing so will result in the failure to start
 Logstash.
 endif::[]
 
+
 //Content for Beats
 ifeval::["{plugin}"=="beats"]
 [id="plugins-{type}s-{plugin}-versioned-indexes"]
@@ -159,8 +173,8 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
-| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-client_inactivity_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
 | <<plugins-{type}s-{plugin}-executor_threads>> |<<number,number>>|No
@@ -173,10 +187,11 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
 | <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -194,15 +209,13 @@ input plugins.
 
 Flag to determine whether to add `host` field to event using the value supplied by the {plugin-singular} in the `hostname` field.
 
-
 [id="plugins-{type}s-{plugin}-cipher_suites"]
 ===== `cipher_suites`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_cipher_suites>>]
 
   * Value type is <<array,array>>
-  * Default value is `java.lang.String[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
 
-The list of ciphers suite to use, listed by priorities.
-The default values applies for OpenJDK 11.0.14 and higher, for older versions the list does not include suites not supported by the JDK, such as the ChaCha20 family of ciphers.
+The list of cipher suites to use, listed by priorities.
 
 [id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
 ===== `client_inactivity_timeout`
@@ -215,14 +228,14 @@ Close Idle clients after X seconds of inactivity.
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
 
-* Value type is <<string,string>>
-* Supported values are:
-** `disabled`: unstructured connection metadata added at root level
-** `v1`: structured connection metadata added under ECS v1 compliant namespaces
-** `v8`: structured connection metadata added under ECS v8 compliant namespaces
-* Default value depends on which version of Logstash is running:
-** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
-** Otherwise, the default value is `disabled`.
+  * Value type is <<string,string>>
+  * Supported values are:
+    ** `disabled`: unstructured connection metadata added at root level
+    ** `v1`: structured connection metadata added under ECS v1 compliant namespaces
+    ** `v8`: structured connection metadata added under ECS v8 compliant namespaces
+  * Default value depends on which version of Logstash is running:
+    ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+    ** Otherwise, the default value is `disabled`.
 
 Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed information.
 
@@ -298,6 +311,16 @@ You can define multiple files or paths. All the certificates will
 be read and added to the trust store. You need to configure the `ssl_verify_mode`
 to `peer` or `force_peer` to enable the verification.
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+  * Value type is <<array,array>>
+  * Default value is `['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']`
+
+The list of cipher suites to use, listed by priorities.
+This default list applies for OpenJDK 11.0.14 and higher.
+For older JDK versions, the default list includes only suites supported by that version.
+For example, the ChaCha20 family of ciphers is not supported in older versions.
 
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout`
@@ -331,6 +354,33 @@ openssl pkcs8 -inform PEM -in path/to/logstash.key -topk8 -nocrypt -outform PEM
 
 SSL key passphrase to use.
 
+[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
+===== `ssl_peer_metadata`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+Enables storing client certificate information in event's metadata.
+
+This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
+
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+  * Value type is <<array,array>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+
+For Java 8 `'TLSv1.3'` is supported  only since **8u262** (AdoptOpenJDK), but requires that you set the
+`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode`
 
@@ -347,33 +397,23 @@ If the client doesn't provide a certificate, the connection will be closed.
 
 This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
 
-[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
-===== `ssl_peer_metadata`
-
-  * Value type is <<boolean,boolean>>
-  * Default value is `false`
-
-Enables storing client certificate information in event's metadata.
-
-This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
-
 [id="plugins-{type}s-{plugin}-tls_max_version"]
 ===== `tls_max_version`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_supported_protocols>>]
 
   * Value type is <<number,number>>
-  * Default value is `1.3`
 
-The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
+The maximum TLS version allowed for the encrypted connections.
+The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
 
 [id="plugins-{type}s-{plugin}-tls_min_version"]
 ===== `tls_min_version`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_supported_protocols>>]
 
   * Value type is <<number,number>>
-  * Default value is `1`
 
-The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
+The minimum TLS version allowed for the encrypted connections.
+The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
 
 
 

data/lib/logstash/inputs/beats/message_listener.rb

@@ -1,8 +1,8 @@
 # encoding: utf-8
 require "thread_safe"
 require "logstash-input-beats_jars"
-import "javax.net.ssl.SSLPeerUnverifiedException"
-import "org.logstash.beats.MessageListener"
+java_import "javax.net.ssl.SSLPeerUnverifiedException"
+java_import "org.logstash.beats.MessageListener"
 
 module LogStash module Inputs class Beats
   class MessageListener

data/lib/logstash/inputs/beats.rb

@@ -51,6 +51,8 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   require "logstash/inputs/beats/message_listener"
   require "logstash/inputs/beats/tls"
 
+  java_import 'org.logstash.netty.SslContextBuilder'
+
   # adds ecs_compatibility config which could be :disabled or :v1
   include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled,:v1, :v8 => :v1)
 
@@ -89,9 +91,6 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # 
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
-  # Flag to determine whether to add host information (provided by the beat in the 'hostname' field) to the event
-  config :add_hostname, :validate => :boolean, :default => false, :deprecated => 'This option will be removed in the future as beats determine the event schema'
-
   # By default the server doesn't do any client verification.
   # 
   # `peer` will make the server ask the client to provide a certificate. 
@@ -112,22 +111,31 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # Time in milliseconds for an incomplete ssl handshake to timeout
   config :ssl_handshake_timeout, :validate => :number, :default => 10000
 
-  # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
-  config :tls_min_version, :validate => :number, :default => TLS.min.version
+  config :ssl_cipher_suites, :validate => SslContextBuilder::SUPPORTED_CIPHERS.to_a,
+         :default => SslContextBuilder.getDefaultCiphers, :list => true
 
-  # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
-  config :tls_max_version, :validate => :number, :default => TLS.max.version
+  config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => ['TLSv1.2', 'TLSv1.3'], :list => true
 
-  # The list of ciphers suite to use, listed by priorities.
-  config :cipher_suites, :validate => :array, :default => org.logstash.netty.SslContextBuilder.getDefaultCiphers
   # Close Idle clients after X seconds of inactivity.
   config :client_inactivity_timeout, :validate => :number, :default => 60
 
   # Beats handler executor thread
   config :executor_threads, :validate => :number, :default => LogStash::Config::CpuCoreStrategy.maximum
 
+  # Flag to determine whether to add host information (provided by the beat in the 'hostname' field) to the event
+  config :add_hostname, :validate => :boolean, :default => false, :deprecated => 'This option will be removed in the future as beats determine the event schema'
+
+  # The list of ciphers suite to use, listed by priorities.
+  config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."
+
+  # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
+  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+  config :tls_min_version, :validate => :number, :default => TLS.min.version, :deprecated => "Set 'ssl_supported_protocols' instead."
+
+  # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
+  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+  config :tls_max_version, :validate => :number, :default => TLS.max.version, :deprecated => "Set 'ssl_supported_protocols' instead."
+
   attr_reader :field_hostname, :field_hostip
   attr_reader :field_tls_protocol_version, :field_tls_peer_subject, :field_tls_cipher
 
@@ -156,6 +164,26 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       if client_authentication_metadata? && !require_certificate_authorities?
         configuration_error "Configuring ssl_peer_metadata => true requires ssl_verify_mode => to be configured with 'peer' or 'force_peer'"
       end
+
+      if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
+        raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
+      elsif original_params.key?('cipher_suites')
+        @ssl_cipher_suites_final = @cipher_suites
+      else
+        @ssl_cipher_suites_final = @ssl_cipher_suites
+      end
+
+      if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
+        raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
+      elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
+        raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
+      else
+        if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
+          @ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
+        else
+          @ssl_supported_protocols_final = @ssl_supported_protocols
+        end
+      end
     else
       @logger.warn("configured ssl_certificate => #{@ssl_certificate.inspect} will not be used") if @ssl_certificate
       @logger.warn("configured ssl_key => #{@ssl_key.inspect} will not be used") if @ssl_key
@@ -184,9 +212,9 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       ssl_context_builder = new_ssl_context_builder
       if client_authentification?
         if @ssl_verify_mode == "force_peer"
-          ssl_context_builder.setVerifyMode(org.logstash.netty.SslContextBuilder::SslClientVerifyMode::FORCE_PEER)
+          ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::FORCE_PEER)
         elsif @ssl_verify_mode == "peer"
-          ssl_context_builder.setVerifyMode(org.logstash.netty.SslContextBuilder::SslClientVerifyMode::VERIFY_PEER)
+          ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::VERIFY_PEER)
         end
         ssl_context_builder.setCertificateAuthorities(@ssl_certificate_authorities)
       end
@@ -247,20 +275,16 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
     passphrase = @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value
     begin
       org.logstash.netty.SslContextBuilder.new(@ssl_certificate, @ssl_key, passphrase)
-          .setProtocols(convert_protocols)
-          .setCipherSuites(normalized_ciphers)
+          .setProtocols(@ssl_supported_protocols_final)
+          .setCipherSuites(normalized_cipher_suites)
     rescue java.lang.IllegalArgumentException => e
       @logger.error("SSL configuration invalid", error_details(e))
       raise LogStash::ConfigurationError, e
     end
   end
 
-  def normalized_ciphers
-    @cipher_suites.map(&:upcase)
-  end
-
-  def convert_protocols
-    TLS.get_supported(@tls_min_version..@tls_max_version).map(&:name)
+  def normalized_cipher_suites
+    @ssl_cipher_suites_final.map(&:upcase)
   end
 
   def configuration_error(message)

data/lib/logstash-input-beats_jars.rb

@@ -7,4 +7,4 @@ require_jar('com.fasterxml.jackson.core', 'jackson-core', '2.9.10')
 require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.9.10')
 require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.9.10.8')
 require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.9.10')
-require_jar('org.logstash.beats', 'logstash-input-beats', '6.3.0')
+require_jar('org.logstash.beats', 'logstash-input-beats', '6.4.1')

data/spec/inputs/beats_spec.rb

@@ -47,6 +47,9 @@ describe LogStash::Inputs::Beats do
     end
 
     context "with ssl enabled" do
+
+      let(:config) { { "ssl" => true, "port" => port, "ssl_key" => certificate.ssl_key, "ssl_certificate" => certificate.ssl_cert } }
+
       context "without certificate configuration" do
         let(:config) { { "port" => 0, "ssl" => true, "ssl_key" => certificate.ssl_key, "type" => "example" } }
 
@@ -78,7 +81,7 @@ describe LogStash::Inputs::Beats do
       end
 
       context "with invalid ciphers" do
-        let(:config) { super().merge("ssl" => true, "cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
+        let(:config) { super().merge("cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
 
         it "should raise a configuration error" do
           plugin = LogStash::Inputs::Beats.new(config)
@@ -92,7 +95,7 @@ describe LogStash::Inputs::Beats do
 
       context "verify_mode" do
         context "verify_mode configured to PEER" do
-          let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "peer") }
+          let(:config) { super().merge("ssl_verify_mode" => "peer") }
 
           it "raise a ConfigurationError when certificate_authorities is not set" do
             plugin = LogStash::Inputs::Beats.new(config)
@@ -107,7 +110,7 @@ describe LogStash::Inputs::Beats do
         end
 
         context "verify_mode configured to FORCE_PEER" do
-          let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "force_peer") }
+          let(:config) { super().merge("ssl_verify_mode" => "force_peer") }
 
           it "raise a ConfigurationError when certificate_authorities is not set" do
             plugin = LogStash::Inputs::Beats.new(config)
@@ -120,6 +123,40 @@ describe LogStash::Inputs::Beats do
             expect {plugin.register}.not_to raise_error
           end
         end
+
+        context "with ssl_cipher_suites and cipher_suites set" do
+          let(:config) do
+            super().merge('ssl_cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'],
+                          'cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'])
+          end
+
+          it "should raise a configuration error" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_cipher_suites.?/i
+          end
+        end
+
+        context "with ssl_supported_protocols and tls_min_version set" do
+          let(:config) do
+            super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_min_version' => 1.2)
+          end
+
+          it "should raise a configuration error" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
+          end
+        end
+
+        context "with ssl_supported_protocols and tls_max_version set" do
+          let(:config) do
+            super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_max_version' => 1.2)
+          end
+
+          it "should raise a configuration error" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
+          end
+        end
       end
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-beats
 version: !ruby/object:Gem::Version
-  version: 6.3.0
+  version: 6.4.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-21 00:00:00.000000000 Z
+date: 2022-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -298,7 +298,7 @@ files:
 - vendor/jar-dependencies/com/fasterxml/jackson/module/jackson-module-afterburner/2.9.10/jackson-module-afterburner-2.9.10.jar
 - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
 - vendor/jar-dependencies/org/javassist/javassist/3.24.0-GA/javassist-3.24.0-GA.jar
-- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.3.0/logstash-input-beats-6.3.0.jar
+- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.4.1/logstash-input-beats-6.4.1.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)