logstash-input-beats 6.5.0-java → 6.6.1-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/VERSION +1 -1
- data/docs/index.asciidoc +37 -10
- data/lib/logstash/inputs/beats.rb +157 -59
- data/lib/logstash-input-beats_jars.rb +7 -7
- data/logstash-input-beats.gemspec +1 -0
- data/spec/inputs/beats_spec.rb +172 -29
- data/spec/integration/filebeat_spec.rb +4 -4
- data/spec/integration/logstash_forwarder_spec.rb +1 -1
- data/vendor/jar-dependencies/io/netty/netty-buffer/{4.1.87.Final/netty-buffer-4.1.87.Final.jar → 4.1.93.Final/netty-buffer-4.1.93.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-codec/{4.1.87.Final/netty-codec-4.1.87.Final.jar → 4.1.93.Final/netty-codec-4.1.93.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-common/{4.1.87.Final/netty-common-4.1.87.Final.jar → 4.1.93.Final/netty-common-4.1.93.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-handler/{4.1.87.Final/netty-handler-4.1.87.Final.jar → 4.1.93.Final/netty-handler-4.1.93.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-transport/{4.1.87.Final/netty-transport-4.1.87.Final.jar → 4.1.93.Final/netty-transport-4.1.93.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/{4.1.87.Final/netty-transport-native-unix-common-4.1.87.Final.jar → 4.1.93.Final/netty-transport-native-unix-common-4.1.93.Final.jar} +0 -0
- data/vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.6.1/logstash-input-beats-6.6.1.jar +0 -0
- metadata +24 -10
- data/vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.5.0/logstash-input-beats-6.5.0.jar +0 -0
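--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6de1a5eb934d76788165fab317d164abcdc4f9cf400ee051a57b8f3ca7b40cad
+data.tar.gz: 682eb9c33c9ae6d19f55e576d56b7078099fcfeb0335d719b197cc1e5c6e7123
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 64b3a6de77140fcc9e319d14fe12ae272c977e0fe7b9dc012807e11992cf64632acb0f5e5c200b4430f73306f503a7fb4b837bce64dc336c1bb28e055b1378d4
+data.tar.gz: 2bee16a581bc69bbc40c4945e3eed727d47f64cbce6f2550bae6c79fd669f8b387db19707c3a89c23f75d95edae490f87ea9985d21be3907c2d8067b76478a58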
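--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 6.6.1
+- update netty to 4.1.93 and jackson to 2.13.5 [#472](https://github.com/logstash-plugins/logstash-input-beats/pull/472)
+
+## 6.6.0
+- Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#470](https://github.com/logstash-plugins/logstash-input-beats/pull/470)
+- Deprecated `ssl` in favor of `ssl_enabled`
+- Deprecated `ssl_verify_mode` in favor of `ssl_client_authentication`
+
 ## 6.5.0
 - An enrichment `enrich` option added to control ECS passthrough. `ssl_peer_metadata` and `include_codec_tag` configurations are deprecated and can be managed through the `enrich` [#464](https://github.com/logstash-plugins/logstash-input-beats/pull/464)
 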
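--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-6.
+6.6.1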
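--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -221,15 +221,18 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-include_codec_tag>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
-| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|
+| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|
+| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
 |=======================================================================
@@ -283,7 +286,7 @@ Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed info
 ===== `enrich`
 
 * Value type is <<string,string>>
-**
+** An <<array,array>> can also be provided
 ** Configures which enrichments are applied to each event
 ** Default value is `[codec_metadata, source_metadata]` that may be extended in future versions of this plugin to include additional enrichments.
 ** Supported values are:
@@ -293,7 +296,7 @@ Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed info
 |Enrichment | Description
 
 | codec_metadata | Information about how the codec transformed a sequence of bytes into
-this Event, such as _which_ codec was used. Also, if no
+this Event, such as _which_ codec was used. Also, if no codec is
 explicitly specified, _excluding_ `codec_metadata` from `enrich` will
 disable `ecs_compatibility` for this plugin.
 | source_metadata | Information about the _source_ of the event, such as the IP address
@@ -305,7 +308,7 @@ Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed info
 | all | _alias_ to include _all_ available enrichments (including additional
 enrichments introduced in future versions of this plugin)
 | none | _alias_ to _exclude_ all available enrichments. Note that, _explicitly_
-defining
+defining codec with this option will not disable the `ecs_compatibility`,
 instead it relies on pipeline or codec `ecs_compatibility` configuration.
 |=======================================================================
 
@@ -384,6 +387,7 @@ The port to listen on.
 
 [id="plugins-{type}s-{plugin}-ssl"]
 ===== `ssl`
+deprecated[6.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
 
 * Value type is <<boolean,boolean>>
 * Default value is `false`
@@ -408,8 +412,8 @@ SSL certificate to use.
 
 Validate client certificates against these authorities.
 You can define multiple files or paths. All the certificates will
-be read and added to the trust store. You need to configure the
-to `
+be read and added to the trust store. You need to configure the <<plugins-{type}s-{plugin}-ssl_client_authentication>>
+to `optional` or `required` to enable the verification.
 
 [id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
 ===== `ssl_cipher_suites`
@@ -422,6 +426,27 @@ This default list applies for OpenJDK 11.0.14 and higher.
 For older JDK versions, the default list includes only suites supported by that version.
 For example, the ChaCha20 family of ciphers is not supported in older versions.
 
+[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
+===== `ssl_client_authentication`
+
+* Value can be any of: `none`, `optional`, `required`
+* Default value is `"none"`
+
+Controls the server's behavior in regard to requesting a certificate from client connections:
+`required` forces a client to present a certificate, while `optional` requests a client certificate
+but the client is not required to present one. Defaults to `none`, which disables the client authentication.
+
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Events are by default sent in plain text. You can enable encryption by setting `ssl_enabled` to true and configuring
+the <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> options.
+
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout`
 
@@ -464,7 +489,7 @@ deprecated[6.5.0, Replaced by <<plugins-{type}s-{plugin}-enrich>>]
 
 Enables storing client certificate information in event's metadata.
 
-This option is only valid when
+This option is only valid when <<plugins-{type}s-{plugin}-ssl_client_authentication>> is set to `optional` or `required`.
 
 [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
 ===== `ssl_supported_protocols`
@@ -485,11 +510,13 @@ the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.
 
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode`
+deprecated[6.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]
 
 * Value can be any of: `none`, `peer`, `force_peer`
 * Default value is `"none"`
 
-By default the server doesn't do any client verification.
+By default, the server doesn't do any client verification. If the <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>
+is configured, and no value or `none` is provided for this option, it defaults to `force_peer` instead of `none`.
 
 `peer` will make the server ask the client to provide a certificate.
 If the client provides a certificate, it will be validated.
@@ -497,7 +524,7 @@ If the client provides a certificate, it will be validated.
 `force_peer` will make the server ask the client to provide a certificate.
 If the client doesn't provide a certificate, the connection will be closed.
 
-This option needs to be used with
+This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> and a defined list of CAs.
 
 [id="plugins-{type}s-{plugin}-tls_max_version"]
 ===== `tls_max_version`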
@@ -7,6 +7,7 @@ require "logstash/util"
|
|
7
7
|
require "logstash-input-beats_jars"
|
8
8
|
require "logstash/plugin_mixins/ecs_compatibility_support"
|
9
9
|
require 'logstash/plugin_mixins/plugin_factory_support'
|
10
|
+
require "logstash/plugin_mixins/normalize_config_support"
|
10
11
|
require 'logstash/plugin_mixins/event_support/event_factory_adapter'
|
11
12
|
require_relative "beats/patch"
|
12
13
|
|
@@ -61,6 +62,8 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
61
62
|
|
62
63
|
include LogStash::PluginMixins::PluginFactorySupport
|
63
64
|
|
65
|
+
include LogStash::PluginMixins::NormalizeConfigSupport
|
66
|
+
|
64
67
|
config_name "beats"
|
65
68
|
|
66
69
|
default :codec, "plain"
|
@@ -74,11 +77,16 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
74
77
|
# Events are by default sent in plain text. You can
|
75
78
|
# enable encryption by setting `ssl` to true and configuring
|
76
79
|
# the `ssl_certificate` and `ssl_key` options.
|
77
|
-
config :ssl, :validate => :boolean, :default => false
|
80
|
+
config :ssl, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_enabled' instead."
|
78
81
|
|
79
82
|
# SSL certificate to use.
|
80
83
|
config :ssl_certificate, :validate => :path
|
81
84
|
|
85
|
+
# Events are by default sent in plain text. You can
|
86
|
+
# enable encryption by setting `ssl_enabled` to true and configuring
|
87
|
+
# the `ssl_certificate` and `ssl_key` options.
|
88
|
+
config :ssl_enabled, :validate => :boolean, :default => false
|
89
|
+
|
82
90
|
# SSL key to use.
|
83
91
|
# NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.0/apps/pkcs8.html[OpenSSL]
|
84
92
|
# for more information.
|
@@ -94,6 +102,14 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
94
102
|
#
|
95
103
|
config :ssl_certificate_authorities, :validate => :array, :default => []
|
96
104
|
|
105
|
+
# Controls the server’s behavior in regard to requesting a certificate from client connections.
|
106
|
+
# `none`: No client authentication
|
107
|
+
# `optional`: Requests a client certificate but the client is not required to present one.
|
108
|
+
# `required`: Forces a client to present a certificate.
|
109
|
+
#
|
110
|
+
# This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
|
111
|
+
config :ssl_client_authentication, :validate => %w[none optional required], :default => 'none'
|
112
|
+
|
97
113
|
# By default the server doesn't do any client verification.
|
98
114
|
#
|
99
115
|
# `peer` will make the server ask the client to provide a certificate.
|
@@ -103,7 +119,7 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
103
119
|
# If the client doesn't provide a certificate, the connection will be closed.
|
104
120
|
#
|
105
121
|
# This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
|
106
|
-
config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none"
|
122
|
+
config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none", :deprecated => "Set 'ssl_client_authentication' instead."
|
107
123
|
|
108
124
|
# Enables storing client certificate information in event's metadata. You need
|
109
125
|
# to configure the `ssl_verify_mode` to `peer` or `force_peer` to enable this.
|
@@ -156,6 +172,28 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
156
172
|
attr_reader :field_tls_protocol_version, :field_tls_peer_subject, :field_tls_cipher
|
157
173
|
attr_reader :include_source_metadata
|
158
174
|
|
175
|
+
NON_PREFIXED_SSL_CONFIGS = Set[
|
176
|
+
'tls_min_version',
|
177
|
+
'tls_max_version',
|
178
|
+
'cipher_suites',
|
179
|
+
].freeze
|
180
|
+
|
181
|
+
SSL_CLIENT_AUTH_NONE = 'none'.freeze
|
182
|
+
SSL_CLIENT_AUTH_OPTIONAL = 'optional'.freeze
|
183
|
+
SSL_CLIENT_AUTH_REQUIRED = 'required'.freeze
|
184
|
+
|
185
|
+
SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP = {
|
186
|
+
'none' => SSL_CLIENT_AUTH_NONE,
|
187
|
+
'peer' => SSL_CLIENT_AUTH_OPTIONAL,
|
188
|
+
'force_peer' => SSL_CLIENT_AUTH_REQUIRED
|
189
|
+
}.freeze
|
190
|
+
|
191
|
+
private_constant :SSL_CLIENT_AUTH_NONE
|
192
|
+
private_constant :SSL_CLIENT_AUTH_OPTIONAL
|
193
|
+
private_constant :SSL_CLIENT_AUTH_REQUIRED
|
194
|
+
private_constant :NON_PREFIXED_SSL_CONFIGS
|
195
|
+
private_constant :SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP
|
196
|
+
|
159
197
|
def register
|
160
198
|
# For Logstash 2.4 we need to make sure that the logger is correctly set for the
|
161
199
|
# java classes before actually loading them.
|
@@ -166,45 +204,9 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
166
204
|
LogStash::Logger.setup_log4j(@logger)
|
167
205
|
end
|
168
206
|
|
169
|
-
|
170
|
-
if @ssl_key.nil? || @ssl_key.empty?
|
171
|
-
configuration_error "ssl_key => is a required setting when ssl => true is configured"
|
172
|
-
end
|
173
|
-
if @ssl_certificate.nil? || @ssl_certificate.empty?
|
174
|
-
configuration_error "ssl_certificate => is a required setting when ssl => true is configured"
|
175
|
-
end
|
207
|
+
setup_ssl_params!
|
176
208
|
|
177
|
-
|
178
|
-
configuration_error "ssl_certificate_authorities => is a required setting when ssl_verify_mode => '#{@ssl_verify_mode}' is configured"
|
179
|
-
end
|
180
|
-
|
181
|
-
if client_authentication_metadata? && !require_certificate_authorities?
|
182
|
-
configuration_error "Configuring ssl_peer_metadata => true requires ssl_verify_mode => to be configured with 'peer' or 'force_peer'"
|
183
|
-
end
|
184
|
-
|
185
|
-
if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
|
186
|
-
raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
|
187
|
-
elsif original_params.key?('cipher_suites')
|
188
|
-
@ssl_cipher_suites_final = @cipher_suites
|
189
|
-
else
|
190
|
-
@ssl_cipher_suites_final = @ssl_cipher_suites
|
191
|
-
end
|
192
|
-
|
193
|
-
if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
|
194
|
-
raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
|
195
|
-
elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
|
196
|
-
raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
|
197
|
-
else
|
198
|
-
if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
|
199
|
-
@ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
|
200
|
-
else
|
201
|
-
@ssl_supported_protocols_final = @ssl_supported_protocols
|
202
|
-
end
|
203
|
-
end
|
204
|
-
else
|
205
|
-
@logger.warn("configured ssl_certificate => #{@ssl_certificate.inspect} will not be used") if @ssl_certificate
|
206
|
-
@logger.warn("configured ssl_key => #{@ssl_key.inspect} will not be used") if @ssl_key
|
207
|
-
end
|
209
|
+
validate_ssl_config!
|
208
210
|
|
209
211
|
active_enrichments = resolve_enriches
|
210
212
|
|
@@ -242,18 +244,7 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
242
244
|
|
243
245
|
def create_server
|
244
246
|
server = org.logstash.beats.Server.new(@host, @port, @client_inactivity_timeout, @executor_threads)
|
245
|
-
if @
|
246
|
-
ssl_context_builder = new_ssl_context_builder
|
247
|
-
if client_authentification?
|
248
|
-
if @ssl_verify_mode == "force_peer"
|
249
|
-
ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::FORCE_PEER)
|
250
|
-
elsif @ssl_verify_mode == "peer"
|
251
|
-
ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::VERIFY_PEER)
|
252
|
-
end
|
253
|
-
ssl_context_builder.setCertificateAuthorities(@ssl_certificate_authorities)
|
254
|
-
end
|
255
|
-
server.setSslHandlerProvider(new_ssl_handshake_provider(ssl_context_builder))
|
256
|
-
end
|
247
|
+
server.setSslHandlerProvider(new_ssl_handshake_provider(new_ssl_context_builder)) if @ssl_enabled
|
257
248
|
server
|
258
249
|
end
|
259
250
|
|
@@ -275,20 +266,39 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
275
266
|
!@target_codec_on_field.empty?
|
276
267
|
end
|
277
268
|
|
278
|
-
def
|
269
|
+
def client_authentication_enabled?
|
270
|
+
if original_params.include?('ssl_client_authentication')
|
271
|
+
return client_authentication_optional? || client_authentication_required?
|
272
|
+
end
|
273
|
+
|
274
|
+
# Keep backward compatibility with the deprecated `ssl_verify_mode` until it's not removed.
|
275
|
+
# When it's explicitly set (or both settings are absent), it should use the ssl_certificate_authorities
|
276
|
+
# to enable/disable the client authentication. (even if ssl_verify_mode => none)
|
277
|
+
certificate_authorities_configured?
|
278
|
+
end
|
279
|
+
|
280
|
+
def certificate_authorities_configured?
|
279
281
|
@ssl_certificate_authorities && @ssl_certificate_authorities.size > 0
|
280
282
|
end
|
281
283
|
|
282
284
|
def client_authentication_metadata?
|
283
|
-
@ssl_peer_metadata && ssl_configured? &&
|
285
|
+
@ssl_enabled && @ssl_peer_metadata && ssl_configured? && client_authentication_enabled?
|
284
286
|
end
|
285
287
|
|
286
288
|
def client_authentication_required?
|
287
|
-
@
|
289
|
+
@ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_REQUIRED
|
290
|
+
end
|
291
|
+
|
292
|
+
def client_authentication_optional?
|
293
|
+
@ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_OPTIONAL
|
294
|
+
end
|
295
|
+
|
296
|
+
def client_authentication_none?
|
297
|
+
@ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_NONE
|
288
298
|
end
|
289
299
|
|
290
300
|
def require_certificate_authorities?
|
291
|
-
|
301
|
+
client_authentication_required? || client_authentication_optional?
|
292
302
|
end
|
293
303
|
|
294
304
|
def include_source_metadata?
|
@@ -297,6 +307,75 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
297
307
|
|
298
308
|
private
|
299
309
|
|
310
|
+
def validate_ssl_config!
|
311
|
+
ssl_config_name = original_params.include?('ssl') ? 'ssl' : 'ssl_enabled'
|
312
|
+
|
313
|
+
unless @ssl_enabled
|
314
|
+
ignored_ssl_settings = original_params.select { |k| k != 'ssl_enabled' && k.start_with?('ssl_') || NON_PREFIXED_SSL_CONFIGS.include?(k) }
|
315
|
+
@logger.warn("Configured SSL settings are not used when `#{ssl_config_name}` is set to `false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
|
316
|
+
return
|
317
|
+
end
|
318
|
+
|
319
|
+
if @ssl_key.nil? || @ssl_key.empty?
|
320
|
+
configuration_error "ssl_key => is a required setting when #{ssl_config_name} => true is configured"
|
321
|
+
end
|
322
|
+
|
323
|
+
if @ssl_certificate.nil? || @ssl_certificate.empty?
|
324
|
+
configuration_error "ssl_certificate => is a required setting when #{ssl_config_name} => true is configured"
|
325
|
+
end
|
326
|
+
|
327
|
+
if require_certificate_authorities? && !certificate_authorities_configured?
|
328
|
+
config_name, config_value = provided_client_authentication_config
|
329
|
+
configuration_error "ssl_certificate_authorities => is a required setting when #{config_name} => '#{config_value}' is configured"
|
330
|
+
end
|
331
|
+
|
332
|
+
if client_authentication_metadata? && !require_certificate_authorities?
|
333
|
+
config_name, optional, required = provided_client_authentication_config([SSL_CLIENT_AUTH_OPTIONAL, SSL_CLIENT_AUTH_REQUIRED])
|
334
|
+
configuration_error "Configuring ssl_peer_metadata => true requires #{config_name} => to be configured with '#{optional}' or '#{required}'"
|
335
|
+
end
|
336
|
+
|
337
|
+
if original_params.include?('ssl_client_authentication') && certificate_authorities_configured? && !require_certificate_authorities?
|
338
|
+
configuration_error "Configuring ssl_certificate_authorities requires ssl_client_authentication => to be configured with '#{SSL_CLIENT_AUTH_OPTIONAL}' or '#{SSL_CLIENT_AUTH_REQUIRED}'"
|
339
|
+
end
|
340
|
+
end
|
341
|
+
|
342
|
+
def provided_client_authentication_config(values = [@ssl_client_authentication])
|
343
|
+
if original_params.include?('ssl_verify_mode')
|
344
|
+
['ssl_verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
|
345
|
+
else
|
346
|
+
['ssl_client_authentication', *values]
|
347
|
+
end
|
348
|
+
end
|
349
|
+
|
350
|
+
def setup_ssl_params!
|
351
|
+
@ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
|
352
|
+
normalizer.with_deprecated_alias(:ssl)
|
353
|
+
end
|
354
|
+
|
355
|
+
@ssl_cipher_suites = normalize_config(:ssl_cipher_suites) do |normalizer|
|
356
|
+
normalizer.with_deprecated_alias(:cipher_suites)
|
357
|
+
end
|
358
|
+
|
359
|
+
@ssl_supported_protocols = normalize_config(:ssl_supported_protocols) do |normalizer|
|
360
|
+
normalizer.with_deprecated_mapping(:tls_min_version, :tls_max_version) do |tls_min_version, tls_max_version|
|
361
|
+
TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
|
362
|
+
end
|
363
|
+
end
|
364
|
+
|
365
|
+
@ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
|
366
|
+
normalizer.with_deprecated_mapping(:ssl_verify_mode) do |ssl_verify_mode|
|
367
|
+
normalized_value = SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP[ssl_verify_mode.downcase]
|
368
|
+
fail(LogStash::ConfigurationError, "Unsupported value #{ssl_verify_mode} for deprecated option `ssl_verify_mode`") unless normalized_value
|
369
|
+
normalized_value
|
370
|
+
end
|
371
|
+
end
|
372
|
+
|
373
|
+
params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
|
374
|
+
params['ssl_cipher_suites'] = @ssl_cipher_suites unless @ssl_cipher_suites.nil?
|
375
|
+
params['ssl_supported_protocols'] = @ssl_supported_protocols unless @ssl_supported_protocols.nil?
|
376
|
+
params['ssl_client_authentication'] = @ssl_client_authentication unless @ssl_client_authentication.nil?
|
377
|
+
end
|
378
|
+
|
300
379
|
def new_ssl_handshake_provider(ssl_context_builder)
|
301
380
|
begin
|
302
381
|
org.logstash.netty.SslHandlerProvider.new(ssl_context_builder.build_context, @ssl_handshake_timeout)
|
@@ -312,17 +391,36 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
|
|
312
391
|
def new_ssl_context_builder
|
313
392
|
passphrase = @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value
|
314
393
|
begin
|
315
|
-
org.logstash.netty.SslContextBuilder.new(@ssl_certificate, @ssl_key, passphrase)
|
316
|
-
.setProtocols(@
|
394
|
+
ssl_context_builder = org.logstash.netty.SslContextBuilder.new(@ssl_certificate, @ssl_key, passphrase)
|
395
|
+
.setProtocols(@ssl_supported_protocols)
|
317
396
|
.setCipherSuites(normalized_cipher_suites)
|
397
|
+
|
398
|
+
if client_authentication_enabled?
|
399
|
+
ssl_context_builder.setClientAuthentication(ssl_context_builder_verify_mode, @ssl_certificate_authorities)
|
400
|
+
end
|
401
|
+
|
402
|
+
ssl_context_builder
|
318
403
|
rescue java.lang.IllegalArgumentException => e
|
319
404
|
@logger.error("SSL configuration invalid", error_details(e))
|
320
405
|
raise LogStash::ConfigurationError, e
|
321
406
|
end
|
322
407
|
end
|
323
408
|
|
409
|
+
def ssl_context_builder_verify_mode
|
410
|
+
return SslContextBuilder::SslClientVerifyMode::OPTIONAL if client_authentication_optional?
|
411
|
+
return SslContextBuilder::SslClientVerifyMode::REQUIRED if client_authentication_required?
|
412
|
+
|
413
|
+
# Backward compatibility with the deprecated `ssl_verify_mode` and the current `none` overrides
|
414
|
+
if !original_params.include?('ssl_client_authentication') && certificate_authorities_configured?
|
415
|
+
return SslContextBuilder::SslClientVerifyMode::REQUIRED
|
416
|
+
end
|
417
|
+
|
418
|
+
return SslContextBuilder::SslClientVerifyMode::NONE if client_authentication_none?
|
419
|
+
configuration_error "Invalid `ssl_client_authentication` value #{@ssl_client_authentication}"
|
420
|
+
end
|
421
|
+
|
324
422
|
def normalized_cipher_suites
|
325
|
-
@
|
423
|
+
@ssl_cipher_suites.map(&:upcase)
|
326
424
|
end
|
327
425
|
|
328
426
|
def configuration_error(message)
|
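Review bot: In `validate_ssl_config!`, the `unless @ssl_enabled` branch only logs a warning and returns, so a pipeline that sets `ssl_client_authentication => "required"` (or the deprecated `ssl_verify_mode => "force_peer"`) while `ssl_enabled` stays at its default of `false` still starts, and `create_server` skips `setSslHandlerProvider`. The listener is then plaintext and accepts any client, even though the configuration asked for client certificates. Failing closed looks safer than a log line here: before the `return`, add `configuration_error "#{provided_client_authentication_config.first} requires #{ssl_config_name} => true" if require_certificate_authorities?`. If warning-only is kept on purpose for backward compatibility, a comment on that branch saying so would help the next reader.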
@@ -1,11 +1,11 @@
|
|
1
1
|
# AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
|
2
2
|
|
3
3
|
require 'jar_dependencies'
|
4
|
-
require_jar('io.netty', 'netty-buffer', '4.1.
|
5
|
-
require_jar('io.netty', 'netty-codec', '4.1.
|
6
|
-
require_jar('io.netty', 'netty-common', '4.1.
|
7
|
-
require_jar('io.netty', 'netty-transport', '4.1.
|
8
|
-
require_jar('io.netty', 'netty-handler', '4.1.
|
9
|
-
require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.
|
4
|
+
require_jar('io.netty', 'netty-buffer', '4.1.93.Final')
|
5
|
+
require_jar('io.netty', 'netty-codec', '4.1.93.Final')
|
6
|
+
require_jar('io.netty', 'netty-common', '4.1.93.Final')
|
7
|
+
require_jar('io.netty', 'netty-transport', '4.1.93.Final')
|
8
|
+
require_jar('io.netty', 'netty-handler', '4.1.93.Final')
|
9
|
+
require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.93.Final')
|
10
10
|
require_jar('org.javassist', 'javassist', '3.24.0-GA')
|
11
|
-
require_jar('org.logstash.beats', 'logstash-input-beats', '6.
|
11
|
+
require_jar('org.logstash.beats', 'logstash-input-beats', '6.6.1')
|
@@ -30,6 +30,7 @@ Gem::Specification.new do |s|
|
|
30
30
|
s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.3'
|
31
31
|
s.add_runtime_dependency 'logstash-mixin-event_support', '~>1.0'
|
32
32
|
s.add_runtime_dependency 'logstash-mixin-plugin_factory_support', '~>1.0'
|
33
|
+
s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
|
33
34
|
|
34
35
|
s.add_development_dependency "flores", "~>0.0.6"
|
35
36
|
s.add_development_dependency "rspec"
|
data/spec/inputs/beats_spec.rb
CHANGED
@@ -48,10 +48,10 @@ describe LogStash::Inputs::Beats do
|
|
48
48
|
|
49
49
|
context "with ssl enabled" do
|
50
50
|
|
51
|
-
let(:config) { { "
|
51
|
+
let(:config) { { "ssl_enabled" => true, "port" => port, "ssl_key" => certificate.ssl_key, "ssl_certificate" => certificate.ssl_cert } }
|
52
52
|
|
53
53
|
context "without certificate configuration" do
|
54
|
-
let(:config) { { "port" => 0, "
|
54
|
+
let(:config) { { "port" => 0, "ssl_enabled" => true, "ssl_key" => certificate.ssl_key, "type" => "example" } }
|
55
55
|
|
56
56
|
it "should fail to register the plugin with ConfigurationError" do
|
57
57
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -60,7 +60,7 @@ describe LogStash::Inputs::Beats do
|
|
60
60
|
end
|
61
61
|
|
62
62
|
context "without key configuration" do
|
63
|
-
let(:config) { { "port" => 0, "
|
63
|
+
let(:config) { { "port" => 0, "ssl_enabled" => true, "ssl_certificate" => certificate.ssl_cert, "type" => "example" } }
|
64
64
|
it "should fail to register the plugin with ConfigurationError" do
|
65
65
|
plugin = LogStash::Inputs::Beats.new(config)
|
66
66
|
expect { plugin.register }.to raise_error(LogStash::ConfigurationError)
|
@@ -69,7 +69,7 @@ describe LogStash::Inputs::Beats do
|
|
69
69
|
|
70
70
|
context "with invalid key configuration" do
|
71
71
|
let(:p12_key) { certificate.p12_key }
|
72
|
-
let(:config) { { "port" => 0, "
|
72
|
+
let(:config) { { "port" => 0, "ssl_enabled" => true, "ssl_certificate" => certificate.ssl_cert, "ssl_key" => p12_key } }
|
73
73
|
it "should fail to register the plugin" do
|
74
74
|
plugin = LogStash::Inputs::Beats.new(config)
|
75
75
|
expect( plugin.logger ).to receive(:error) do |msg, opts|
|
@@ -93,34 +93,132 @@ describe LogStash::Inputs::Beats do
|
|
93
93
|
end
|
94
94
|
end
|
95
95
|
|
96
|
-
context "
|
97
|
-
|
98
|
-
let(:config) { super().merge("ssl_verify_mode" => "peer") }
|
96
|
+
context "deprecated ssl_verify_mode set to 'none'" do
|
97
|
+
let(:config) { super().merge("ssl_verify_mode" => "none") }
|
99
98
|
|
100
|
-
|
99
|
+
context "and ssl_certificate_authorities is set" do
|
100
|
+
let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
|
101
|
+
it "should ignore the ssl_verify_mode and use force_peer" do
|
102
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
103
|
+
plugin.register
|
104
|
+
context_builder = plugin.send(:new_ssl_context_builder)
|
105
|
+
expect(context_builder.isClientAuthenticationRequired()).to be_truthy
|
106
|
+
end
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
110
|
+
context "ssl_client_authentication" do
|
111
|
+
context "normalized from ssl_verify_mode 'none'" do
|
112
|
+
let(:config) { super().merge("ssl_verify_mode" => "none") }
|
113
|
+
|
114
|
+
it "should transform the value to 'none'" do
|
101
115
|
plugin = LogStash::Inputs::Beats.new(config)
|
102
|
-
|
116
|
+
plugin.register
|
117
|
+
|
118
|
+
expect(plugin.params).to match hash_including("ssl_client_authentication" => "none")
|
119
|
+
expect(plugin.instance_variable_get(:@ssl_client_authentication)).to eql("none")
|
103
120
|
end
|
104
121
|
|
105
|
-
|
106
|
-
config.merge
|
122
|
+
context "and ssl_certificate_authorities is set" do
|
123
|
+
let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
|
124
|
+
it "should not raise an error" do
|
125
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
126
|
+
expect { plugin.register }.to_not raise_error
|
127
|
+
end
|
128
|
+
end
|
129
|
+
end
|
130
|
+
|
131
|
+
context "normalized from ssl_verify_mode 'peer'" do
|
132
|
+
let(:config) { super().merge("ssl_verify_mode" => "peer", "ssl_certificate_authorities" => [certificate.ssl_cert]) }
|
133
|
+
|
134
|
+
it 'should transform the value to OPTIONAL' do
|
107
135
|
plugin = LogStash::Inputs::Beats.new(config)
|
108
|
-
|
136
|
+
plugin.register
|
137
|
+
|
138
|
+
expect(plugin.params).to match hash_including("ssl_client_authentication" => "optional")
|
139
|
+
expect(plugin.instance_variable_get(:@ssl_client_authentication)).to eql("optional")
|
140
|
+
end
|
141
|
+
|
142
|
+
context "with no ssl_certificate_authorities set " do
|
143
|
+
let(:config) { super().reject { |key| "ssl_certificate_authorities".eql?(key) } }
|
144
|
+
it "raise a configuration error" do
|
145
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
146
|
+
expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_verify_mode => 'peer' is configured")
|
147
|
+
end
|
148
|
+
end
|
149
|
+
end
|
150
|
+
|
151
|
+
context "normalized from ssl_verify_mode 'force_peer'" do
|
152
|
+
let(:config) { super().merge("ssl_verify_mode" => "force_peer", "ssl_certificate_authorities" => [certificate.ssl_cert]) }
|
153
|
+
|
154
|
+
it "should transform the value to 'required'" do
|
155
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
156
|
+
plugin.register
|
157
|
+
|
158
|
+
expect(plugin.params).to match hash_including("ssl_client_authentication" => "required")
|
159
|
+
expect(plugin.instance_variable_get(:@ssl_client_authentication)).to eql("required")
|
160
|
+
end
|
161
|
+
|
162
|
+
context "with no ssl_certificate_authorities set " do
|
163
|
+
let(:config) { super().reject { |key| "ssl_certificate_authorities".eql?(key) } }
|
164
|
+
it "raise a configuration error" do
|
165
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
166
|
+
expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_verify_mode => 'force_peer' is configured")
|
167
|
+
end
|
168
|
+
end
|
169
|
+
end
|
170
|
+
|
171
|
+
context "configured to 'none'" do
|
172
|
+
let(:config) { super().merge("ssl_client_authentication" => "none") }
|
173
|
+
|
174
|
+
it "doesn't raise an error when certificate_authorities is not set" do
|
175
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
176
|
+
expect {plugin.register}.to_not raise_error
|
177
|
+
end
|
178
|
+
|
179
|
+
context "with certificate_authorities set" do
|
180
|
+
let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
|
181
|
+
|
182
|
+
it "raise a configuration error" do
|
183
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
184
|
+
expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Configuring ssl_certificate_authorities requires ssl_client_authentication => to be configured with 'optional' or 'required'")
|
185
|
+
end
|
109
186
|
end
|
110
187
|
end
|
111
188
|
|
112
|
-
context "
|
113
|
-
let(:config) { super().merge("
|
189
|
+
context "configured to 'required'" do
|
190
|
+
let(:config) { super().merge("ssl_client_authentication" => "required") }
|
114
191
|
|
115
192
|
it "raise a ConfigurationError when certificate_authorities is not set" do
|
116
193
|
plugin = LogStash::Inputs::Beats.new(config)
|
117
|
-
expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when
|
194
|
+
expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_client_authentication => 'required' is configured")
|
118
195
|
end
|
119
196
|
|
120
|
-
|
121
|
-
config.merge
|
197
|
+
context "with certificate_authorities set" do
|
198
|
+
let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
|
199
|
+
|
200
|
+
it "doesn't raise a configuration error" do
|
201
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
202
|
+
expect {plugin.register}.not_to raise_error
|
203
|
+
end
|
204
|
+
end
|
205
|
+
end
|
206
|
+
|
207
|
+
context "configured to 'optional'" do
|
208
|
+
let(:config) { super().merge("ssl_client_authentication" => "optional") }
|
209
|
+
|
210
|
+
it "raise a ConfigurationError when certificate_authorities is not set" do
|
122
211
|
plugin = LogStash::Inputs::Beats.new(config)
|
123
|
-
expect {plugin.register}.
|
212
|
+
expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_client_authentication => 'optional' is configured")
|
213
|
+
end
|
214
|
+
|
215
|
+
context "with certificate_authorities set" do
|
216
|
+
let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
|
217
|
+
|
218
|
+
it "doesn't raise a configuration error" do
|
219
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
220
|
+
expect {plugin.register}.not_to raise_error
|
221
|
+
end
|
124
222
|
end
|
125
223
|
end
|
126
224
|
|
@@ -157,12 +255,28 @@ describe LogStash::Inputs::Beats do
|
|
157
255
|
expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
|
158
256
|
end
|
159
257
|
end
|
258
|
+
|
259
|
+
context "with ssl_client_authentication and ssl_verify_mode set" do
|
260
|
+
let(:config) { super().merge("ssl_verify_mode" => "none", "ssl_client_authentication" => "none") }
|
261
|
+
it "raise a configuration error" do
|
262
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
263
|
+
expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_client_authentication.?/i
|
264
|
+
end
|
265
|
+
end
|
266
|
+
end
|
267
|
+
|
268
|
+
context "with ssl and ssl_enabled set" do
|
269
|
+
let(:config) { super().merge("ssl" => true) }
|
270
|
+
it "raise a configuration error" do
|
271
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
272
|
+
expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_enabled.?/i
|
273
|
+
end
|
160
274
|
end
|
161
275
|
end
|
162
276
|
|
163
277
|
context "with ssl disabled" do
|
164
278
|
context "and certificate configuration" do
|
165
|
-
let(:config) { { "port" => 0, "
|
279
|
+
let(:config) { { "port" => 0, "ssl_enabled" => false, "ssl_certificate" => certificate.ssl_cert, "type" => "example", "tags" => "Beats" } }
|
166
280
|
|
167
281
|
it "should not fail" do
|
168
282
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -171,7 +285,7 @@ describe LogStash::Inputs::Beats do
|
|
171
285
|
end
|
172
286
|
|
173
287
|
context "and certificate key configuration" do
|
174
|
-
let(:config) {{ "port" => 0, "
|
288
|
+
let(:config) {{ "port" => 0, "ssl_enabled" => false, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "beats" }}
|
175
289
|
|
176
290
|
it "should not fail" do
|
177
291
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -180,13 +294,25 @@ describe LogStash::Inputs::Beats do
|
|
180
294
|
end
|
181
295
|
|
182
296
|
context "and no certificate or key configured" do
|
183
|
-
let(:config) {{ "
|
297
|
+
let(:config) {{ "ssl_enabled" => false, "port" => 0, "type" => "example", "tags" => "beats" }}
|
184
298
|
|
185
299
|
it "should work just fine" do
|
186
300
|
plugin = LogStash::Inputs::Beats.new(config)
|
187
301
|
expect {plugin.register}.not_to raise_error
|
188
302
|
end
|
189
303
|
end
|
304
|
+
|
305
|
+
context "and `ssl_` settings provided" do
|
306
|
+
let(:config) { { "port" => 0, "ssl_enabled" => false, "ssl_certificate" => certificate.ssl_cert, "ssl_client_authentication" => "none", "cipher_suites" => ["FOO"] } }
|
307
|
+
|
308
|
+
it "should warn about not using the configs" do
|
309
|
+
plugin = LogStash::Inputs::Beats.new(config)
|
310
|
+
expect( plugin.logger ).to receive(:warn).with('Configured SSL settings are not used when `ssl_enabled` is set to `false`: ["ssl_certificate", "ssl_client_authentication", "cipher_suites"]')
|
311
|
+
|
312
|
+
plugin.register
|
313
|
+
|
314
|
+
end
|
315
|
+
end
|
190
316
|
end
|
191
317
|
|
192
318
|
context "with multiline codec" do
|
@@ -387,6 +513,8 @@ describe LogStash::Inputs::Beats do
|
|
387
513
|
let(:config) do
|
388
514
|
super().merge(
|
389
515
|
"host" => host,
|
516
|
+
"ssl_enabled" => true,
|
517
|
+
"ssl_verify_mode" => 'force_peer',
|
390
518
|
"ssl_peer_metadata" => true,
|
391
519
|
"ssl_certificate_authorities" => [ certificate.ssl_cert ],
|
392
520
|
"ecs_compatibility" => 'disabled'
|
@@ -447,18 +575,33 @@ describe LogStash::Inputs::Beats do
|
|
447
575
|
org.logstash.beats.Message.new(0, java.util.HashMap.new('foo' => 'bar'))
|
448
576
|
end
|
449
577
|
|
450
|
-
|
451
|
-
|
578
|
+
context 'with ssl enabled' do
|
579
|
+
it 'sets tls fields' do
|
580
|
+
@message_listener.onNewMessage(ctx, message)
|
452
581
|
|
453
|
-
|
454
|
-
|
582
|
+
expect( queue.size ).to be 1
|
583
|
+
expect( event = queue.pop ).to be_a LogStash::Event
|
455
584
|
|
456
|
-
|
585
|
+
expect( event.get('[@metadata][tls_peer][status]') ).to eql 'verified'
|
457
586
|
|
458
|
-
|
459
|
-
|
460
|
-
|
587
|
+
expect( event.get('[@metadata][tls_peer][protocol]') ).to eql 'TLS-Mock'
|
588
|
+
expect( event.get('[@metadata][tls_peer][cipher_suite]') ).to eql 'SSL_NULL_WITH_TEST_SPEC'
|
589
|
+
expect( event.get('[@metadata][tls_peer][subject]') ).to eql 'CN=TEST,OU=RSpec,O=Logstash,C=NL'
|
590
|
+
end
|
461
591
|
end
|
592
|
+
|
593
|
+
context 'with ssl disabled' do
|
594
|
+
let(:config) { super().merge("ssl_enabled" => false) }
|
595
|
+
|
596
|
+
it 'do not set tls fields' do
|
597
|
+
@message_listener.onNewMessage(ctx, message)
|
598
|
+
|
599
|
+
expect( queue.size ).to be 1
|
600
|
+
expect( event = queue.pop ).to be_a LogStash::Event
|
601
|
+
expect( event.get('[@metadata][tls_peer]') ).to be_nil
|
602
|
+
end
|
603
|
+
end
|
604
|
+
|
462
605
|
end
|
463
606
|
|
464
607
|
context "when interrupting the plugin" do
|
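Review bot: In the `ssl_client_authentication` context, the `configured to 'required'` / `with certificate_authorities set` example only checks that `register` does not raise, so nothing in this file pins that the new setting yields a TLS context that demands a client certificate; the one assertion on the effective mode sits in the `deprecated ssl_verify_mode set to 'none'` context. I would call `plugin.register` in that example and add `expect(plugin.send(:new_ssl_context_builder).isClientAuthenticationRequired()).to be_truthy`, the same check the deprecated-path example uses. The `normalized from ssl_verify_mode 'none'` examples also deserve a comment, since they expect the setting to read `"none"` while the earlier example expects client authentication to be enforced once `ssl_certificate_authorities` is set: `# legacy: ssl_verify_mode 'none' + CAs still requires client certs, although the normalized value reads 'none'`. The enclosing `with ssl enabled` context and the `config` it merges through `super()` span several hunks, so the base config is only partly visible here.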
@@ -112,7 +112,7 @@ describe "Filebeat", :integration => true do
|
|
112
112
|
|
113
113
|
let(:input_config) do
|
114
114
|
super().merge({
|
115
|
-
"
|
115
|
+
"ssl_enabled" => true,
|
116
116
|
"ssl_certificate" => certificate_file,
|
117
117
|
"ssl_key" => certificate_key_file
|
118
118
|
})
|
@@ -146,7 +146,7 @@ describe "Filebeat", :integration => true do
|
|
146
146
|
|
147
147
|
let(:input_config) {
|
148
148
|
super().merge({
|
149
|
-
"
|
149
|
+
"ssl_cipher_suites" => [logstash_cipher],
|
150
150
|
"tls_min_version" => "1.2"
|
151
151
|
})
|
152
152
|
}
|
@@ -281,11 +281,11 @@ describe "Filebeat", :integration => true do
|
|
281
281
|
|
282
282
|
let(:input_config) do
|
283
283
|
super().merge({
|
284
|
-
"
|
284
|
+
"ssl_enabled" => true,
|
285
285
|
"ssl_certificate_authorities" => certificate_authorities,
|
286
286
|
"ssl_certificate" => server_certificate_file,
|
287
287
|
"ssl_key" => server_certificate_key_file,
|
288
|
-
"
|
288
|
+
"ssl_client_authentication" => "required"
|
289
289
|
})
|
290
290
|
end
|
291
291
|
|
@@ -75,7 +75,7 @@ describe "Logstash-Forwarder", :integration => true do
|
|
75
75
|
context "Server Verification" do
|
76
76
|
let(:input_config) do
|
77
77
|
super().merge({
|
78
|
-
"
|
78
|
+
"ssl_enabled" => true,
|
79
79
|
"ssl_certificate" => certificate_file,
|
80
80
|
"ssl_key" => certificate_key_file,
|
81
81
|
})
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-input-beats
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.
|
4
|
+
version: 6.6.1
|
5
5
|
platform: java
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-01
|
11
|
+
date: 2023-06-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -148,6 +148,20 @@ dependencies:
|
|
148
148
|
- - "~>"
|
149
149
|
- !ruby/object:Gem::Version
|
150
150
|
version: '1.0'
|
151
|
+
- !ruby/object:Gem::Dependency
|
152
|
+
requirement: !ruby/object:Gem::Requirement
|
153
|
+
requirements:
|
154
|
+
- - "~>"
|
155
|
+
- !ruby/object:Gem::Version
|
156
|
+
version: '1.0'
|
157
|
+
name: logstash-mixin-normalize_config_support
|
158
|
+
prerelease: false
|
159
|
+
type: :runtime
|
160
|
+
version_requirements: !ruby/object:Gem::Requirement
|
161
|
+
requirements:
|
162
|
+
- - "~>"
|
163
|
+
- !ruby/object:Gem::Version
|
164
|
+
version: '1.0'
|
151
165
|
- !ruby/object:Gem::Dependency
|
152
166
|
requirement: !ruby/object:Gem::Requirement
|
153
167
|
requirements:
|
@@ -306,14 +320,14 @@ files:
|
|
306
320
|
- spec/support/integration_shared_context.rb
|
307
321
|
- spec/support/logstash_test.rb
|
308
322
|
- spec/support/shared_examples.rb
|
309
|
-
- vendor/jar-dependencies/io/netty/netty-buffer/4.1.
|
310
|
-
- vendor/jar-dependencies/io/netty/netty-codec/4.1.
|
311
|
-
- vendor/jar-dependencies/io/netty/netty-common/4.1.
|
312
|
-
- vendor/jar-dependencies/io/netty/netty-handler/4.1.
|
313
|
-
- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.
|
314
|
-
- vendor/jar-dependencies/io/netty/netty-transport/4.1.
|
323
|
+
- vendor/jar-dependencies/io/netty/netty-buffer/4.1.93.Final/netty-buffer-4.1.93.Final.jar
|
324
|
+
- vendor/jar-dependencies/io/netty/netty-codec/4.1.93.Final/netty-codec-4.1.93.Final.jar
|
325
|
+
- vendor/jar-dependencies/io/netty/netty-common/4.1.93.Final/netty-common-4.1.93.Final.jar
|
326
|
+
- vendor/jar-dependencies/io/netty/netty-handler/4.1.93.Final/netty-handler-4.1.93.Final.jar
|
327
|
+
- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.93.Final/netty-transport-native-unix-common-4.1.93.Final.jar
|
328
|
+
- vendor/jar-dependencies/io/netty/netty-transport/4.1.93.Final/netty-transport-4.1.93.Final.jar
|
315
329
|
- vendor/jar-dependencies/org/javassist/javassist/3.24.0-GA/javassist-3.24.0-GA.jar
|
316
|
-
- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.
|
330
|
+
- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.6.1/logstash-input-beats-6.6.1.jar
|
317
331
|
homepage: http://www.elastic.co/guide/en/logstash/current/index.html
|
318
332
|
licenses:
|
319
333
|
- Apache License (2.0)
|
@@ -336,7 +350,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
336
350
|
- !ruby/object:Gem::Version
|
337
351
|
version: '0'
|
338
352
|
requirements: []
|
339
|
-
rubygems_version: 3.
|
353
|
+
rubygems_version: 3.2.33
|
340
354
|
signing_key:
|
341
355
|
specification_version: 4
|
342
356
|
summary: Receives events from the Elastic Beats framework
|