logstash-input-beats 5.0.16-java → 5.1.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a82188053a0f6c9a5bac28e636be4e70ef4ba05cf9a0f48ece9be4d7ed671682
-  data.tar.gz: c093f210bf4c78acaee35fe86dd62d32c2e727b0629f20b03b788bff7d457d19
+  metadata.gz: 4b4133fa8d543e1581183df174b98370c4d146e46c1930d8c88b3802dc8ccffd
+  data.tar.gz: 8c6b3eaf5a1d30d06c3bf77dc6c23b95a6190e5c914fce41cdc684bf9a91b0d7
 SHA512:
-  metadata.gz: 889a0dd9812fc8e69996f83177241fcd7a480032737ae69b5c21585c785dd1d69ae9dfc92d73e4ea456dccbca32a040d9309902b0b2c53b02ce8273da801b9a0
-  data.tar.gz: 7b062cb5fe7abbab98abbd8eb840d966b8d227853aaf18e34deca687b3a311f4fdf868ce4c6be76e3a66edbe49abf3afeef00f25074e92ed74e071c268b56fb6
+  metadata.gz: 348964c7e65129fd4619104546e8f8d24ea8e0050c7479428698af85a8422090e6069bdaa8ad79b0c31586ec2996af8180066281985b5eca2b83535afc03710a
+  data.tar.gz: bb4a1e2b5fc2cfa516420695d44b4a79d2dacf00d028076f29ba3192a65e9792e1a18d65ba71e4b988a079c0350cc3462248e2c5a633496e967bf7935ba186a7

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 5.1.0 
+ - Added ssl_peer_metadata option. [#327](https://github.com/logstash-plugins/logstash-input-beats/pull/327) 
+ - Fixed ssl_verify_mode => peer. [#326](https://github.com/logstash-plugins/logstash-input-beats/pull/326)
+
 ## 5.0.16
  - [#289](https://github.com/logstash-plugins/logstash-input-beats/pull/289#issuecomment-394072063) Re-initialise Netty worker group on plugin restart
 

data/VERSION

@@ -1 +1 @@
-5.0.16
+5.1.0

data/docs/index.asciidoc

@@ -78,6 +78,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
 |=======================================================================
@@ -88,7 +89,7 @@ input plugins.
 &nbsp;
 
 [id="plugins-{type}s-{plugin}-cipher_suites"]
-===== `cipher_suites` 
+===== `cipher_suites`
 
   * Value type is <<array,array>>
   * Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
@@ -96,7 +97,7 @@ input plugins.
 The list of ciphers suite to use, listed by priorities.
 
 [id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
-===== `client_inactivity_timeout` 
+===== `client_inactivity_timeout`
 
   * Value type is <<number,number>>
   * Default value is `60`
@@ -104,7 +105,7 @@ The list of ciphers suite to use, listed by priorities.
 Close Idle clients after X seconds of inactivity.
 
 [id="plugins-{type}s-{plugin}-host"]
-===== `host` 
+===== `host`
 
   * Value type is <<string,string>>
   * Default value is `"0.0.0.0"`
@@ -112,7 +113,7 @@ Close Idle clients after X seconds of inactivity.
 The IP address to listen on.
 
 [id="plugins-{type}s-{plugin}-include_codec_tag"]
-===== `include_codec_tag` 
+===== `include_codec_tag`
 
   * Value type is <<boolean,boolean>>
   * Default value is `true`
@@ -120,7 +121,7 @@ The IP address to listen on.
 
 
 [id="plugins-{type}s-{plugin}-port"]
-===== `port` 
+===== `port`
 
   * This is a required setting.
   * Value type is <<number,number>>
@@ -129,7 +130,7 @@ The IP address to listen on.
 The port to listen on.
 
 [id="plugins-{type}s-{plugin}-ssl"]
-===== `ssl` 
+===== `ssl`
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
@@ -139,7 +140,7 @@ enable encryption by setting `ssl` to true and configuring
 the `ssl_certificate` and `ssl_key` options.
 
 [id="plugins-{type}s-{plugin}-ssl_certificate"]
-===== `ssl_certificate` 
+===== `ssl_certificate`
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -147,19 +148,19 @@ the `ssl_certificate` and `ssl_key` options.
 SSL certificate to use.
 
 [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
-===== `ssl_certificate_authorities` 
+===== `ssl_certificate_authorities`
 
   * Value type is <<array,array>>
   * Default value is `[]`
 
-Validate client certificates against these authorities. 
+Validate client certificates against these authorities.
 You can define multiple files or paths. All the certificates will
 be read and added to the trust store. You need to configure the `ssl_verify_mode`
 to `peer` or `force_peer` to enable the verification.
 
 
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
-===== `ssl_handshake_timeout` 
+===== `ssl_handshake_timeout`
 
   * Value type is <<number,number>>
   * Default value is `10000`
@@ -167,7 +168,7 @@ to `peer` or `force_peer` to enable the verification.
 Time in milliseconds for an incomplete ssl handshake to timeout
 
 [id="plugins-{type}s-{plugin}-ssl_key"]
-===== `ssl_key` 
+===== `ssl_key`
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -177,7 +178,7 @@ NOTE: This key need to be in the PKCS8 format, you can convert it with https://w
 for more information.
 
 [id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
-===== `ssl_key_passphrase` 
+===== `ssl_key_passphrase`
 
   * Value type is <<password,password>>
   * There is no default value for this setting.
@@ -185,14 +186,14 @@ for more information.
 SSL key passphrase to use.
 
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
-===== `ssl_verify_mode` 
+===== `ssl_verify_mode`
 
   * Value can be any of: `none`, `peer`, `force_peer`
   * Default value is `"none"`
 
 By default the server doesn't do any client verification.
 
-`peer` will make the server ask the client to provide a certificate. 
+`peer` will make the server ask the client to provide a certificate.
 If the client provides a certificate, it will be validated.
 
 `force_peer` will make the server ask the client to provide a certificate.
@@ -200,8 +201,18 @@ If the client doesn't provide a certificate, the connection will be closed.
 
 This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
 
+[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
+===== `ssl_peer_metadata`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+Enables storing client certificate information in event's metadata.
+
+This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
+
 [id="plugins-{type}s-{plugin}-tls_max_version"]
-===== `tls_max_version` 
+===== `tls_max_version`
 
   * Value type is <<number,number>>
   * Default value is `1.2`
@@ -210,7 +221,7 @@ The maximum TLS version allowed for the encrypted connections. The value must be
 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
 
 [id="plugins-{type}s-{plugin}-tls_min_version"]
-===== `tls_min_version` 
+===== `tls_min_version`
 
   * Value type is <<number,number>>
   * Default value is `1`
@@ -223,4 +234,4 @@ The minimum TLS version allowed for the encrypted connections. The value must be
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]
 
-:default_codec!:
+:default_codec!:

data/lib/logstash-input-beats_jars.rb

@@ -9,4 +9,4 @@ require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.9.5')
 require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.9.5')
 require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.9.5')
 require_jar('org.apache.logging.log4j', 'log4j-api', '2.6.2')
-require_jar('org.logstash.beats', 'logstash-input-beats', '5.0.16')
+require_jar('org.logstash.beats', 'logstash-input-beats', '5.1.0')

data/lib/logstash/inputs/beats.rb

@@ -93,6 +93,10 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
   config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none"
 
+  # Enables storing client certificate information in event's metadata. You need 
+  # to configure the `ssl_verify_mode` to `peer` or `force_peer` to enable this.
+  config :ssl_peer_metadata, :validate => :boolean, :default => false
+
   config :include_codec_tag, :validate => :boolean, :default => true
 
   # Time in milliseconds for an incomplete ssl handshake to timeout
@@ -148,6 +152,10 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       raise LogStash::ConfigurationError, "Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`"
     end
 
+    if client_authentication_metadata? && !require_certificate_authorities?
+      raise LogStash::ConfigurationError, "Enabling `peer_metadata` requires using `verify_mode` set to PEER or FORCE_PEER"
+    end
+
     # Logstash 6.x breaking change (introduced with 4.0.0 of this gem)
     if @codec.kind_of? LogStash::Codecs::Multiline
       raise LogStash::ConfigurationError, "Multiline codec with beats input is not supported. Please refer to the beats documentation for how to best manage multiline data. See https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html"
@@ -175,6 +183,8 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       if client_authentification?
         if @ssl_verify_mode.upcase == "FORCE_PEER"
             ssl_builder.setVerifyMode(org.logstash.netty.SslSimpleBuilder::SslClientVerifyMode::FORCE_PEER)
+        elsif @ssl_verify_mode.upcase == "PEER"
+            ssl_builder.setVerifyMode(org.logstash.netty.SslSimpleBuilder::SslClientVerifyMode::VERIFY_PEER)
         end
         ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities)
       end
@@ -206,6 +216,14 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
     @ssl_certificate_authorities && @ssl_certificate_authorities.size > 0
   end
 
+  def client_authentication_metadata?
+    @ssl_peer_metadata && ssl_configured? && client_authentification? 
+  end
+
+  def client_authentication_required?
+    @ssl_verify_mode == "force_peer" 
+  end
+
   def require_certificate_authorities?
     @ssl_verify_mode == "force_peer" || @ssl_verify_mode == "peer"
   end

data/lib/logstash/inputs/beats/message_listener.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 require "thread_safe"
 require "logstash-input-beats_jars"
+import "javax.net.ssl.SSLPeerUnverifiedException"
 import "org.logstash.beats.MessageListener"
 
 module LogStash module Inputs class Beats
@@ -33,6 +34,8 @@ module LogStash module Inputs class Beats
       hash['@metadata']['ip_address'] = ip_address unless ip_address.nil? || hash['@metadata'].nil?
       target_field = extract_target_field(hash)
 
+      extract_tls_peer(hash, ctx)
+
       if target_field.nil?
         event = LogStash::Event.new(hash)
         @nocodec_transformer.transform(event)
@@ -119,6 +122,38 @@ module LogStash module Inputs class Beats
       end
     end
 
+    def extract_tls_peer(hash, ctx)
+      if @input.client_authentication_metadata?
+        tls_session = ctx.channel().pipeline().get("ssl-handler").engine().getSession()
+        tls_verified = true
+
+        if not @input.client_authentication_required?
+          # throws SSLPeerUnverifiedException if unverified
+          begin
+            tls_session.getPeerCertificates()
+          rescue SSLPeerUnverifiedException => e
+            tls_verified = false
+            if input.logger.debug?
+              input.logger.debug("SSL peer unverified. This is normal with 'peer' verification and client does not presents a certificate.", :exception => e)
+            end
+          end
+        end
+
+        if tls_verified
+          hash['@metadata']['tls_peer'] = {
+            :status       => "verified",
+            :protocol     => tls_session.getProtocol(),
+            :subject      => tls_session.getPeerPrincipal().getName(),
+            :cipher_suite => tls_session.getCipherSuite()
+          }
+        else
+          hash['@metadata']['tls_peer'] = {
+            :status     => "unverified"
+          }
+        end
+      end
+    end
+
     def extract_target_field(hash)
       if from_filebeat?(hash)
         hash.delete(FILEBEAT_LOG_LINE_FIELD).to_s

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-beats
 version: !ruby/object:Gem::Version
-  version: 5.0.16
+  version: 5.1.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-06-04 00:00:00.000000000 Z
+date: 2018-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ files:
 - vendor/jar-dependencies/io/netty/netty-tcnative-boringssl-static/2.0.7.Final/netty-tcnative-boringssl-static-2.0.7.Final.jar
 - vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar
 - vendor/jar-dependencies/org/javassist/javassist/3.20.0-GA/javassist-3.20.0-GA.jar
-- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/5.0.16/logstash-input-beats-5.0.16.jar
+- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/5.1.0/logstash-input-beats-5.1.0.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)