logstash-input-cloudflareLogs 0.1.12

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 28d0995d61b932719e3ee8a7065150c8e2a67366
+  data.tar.gz: b28e8c05d13aff2fa4ea40bc4d59084583150a19
+SHA512:
+  metadata.gz: 7b74302b4bee0d546573fe64a9ebb531a8bc4f9007e339a7f90aeb887433364213a6657386f24bdf001e5aec86038df77662a2dfa21ac452f7b9e7a52fee8c84
+  data.tar.gz: fa538869441bfcc352ae1f99bfeb32456d8aeee8cdda5946fd01e137c0279e45253f46598ad696e9e9176dc6a6f7d1110a8e8fc24d393325f508cadfb1fbf863

data/CHANGELOG.md

@@ -0,0 +1,2 @@
+## 0.1.0
+  - Plugin created with the logstash plugin generator

data/CONTRIBUTORS

@@ -0,0 +1,10 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Josh Moore - joshsmoore@gmail.com
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-input-cloudflare-logs
+Example input plugin. This should help bootstrap your effort to write your own input plugin!

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,86 @@
+# Logstash Plugin
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+bin/logstash-plugin install --no-verify
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/logstash-plugin install /your/local/plugin/logstash-filter-awesome.gem
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/lib/logstash/inputs/cloudflareLogs.rb

@@ -0,0 +1,130 @@
+# encoding: utf-8
+
+require 'logstash/inputs/base'
+require 'logstash/namespace'
+require 'stud/interval'
+require 'socket' # for Socket.gethostname
+require 'rest-client'
+require 'json'
+
+class CloudflareAccess
+  DEFAULT_FIELDS = %w(CacheCacheStatus CacheResponseBytes CacheResponseStatus ClientASN ClientCountry ClientDeviceType ClientIP ClientIPClass ClientRequestBytes ClientRequestHost ClientRequestMethod ClientRequestProtocol ClientRequestReferer ClientRequestURI ClientRequestUserAgent ClientSSLCipher ClientSSLProtocol ClientSrcPort EdgeColoID EdgeEndTimestamp EdgePathingStatus EdgeResponseBytes EdgeResponseCompressionRatio EdgeResponseStatus EdgeStartTimestamp OriginIP OriginResponseBytes OriginResponseHTTPExpires OriginResponseHTTPLastModified OriginResponseStatus OriginResponseTime RayID WAFAction WAFRuleID ZoneID).freeze
+
+  attr_accessor :auth_email, :auth_key, :domain, :fields, :metadata_file, :logger
+  def initialize(arguments)
+    @auth_email = arguments[:auth_email]
+    @auth_key = arguments[:auth_key]
+    @domain = arguments[:domain]
+    @fields = arguments[:fields] || DEFAULT_FIELDS
+    @metadata_file = arguments[:metadata_file]
+    @logger = arguments[:logger]
+  end
+
+  def start_time
+    if File.exist?(metadata_file)
+      begin
+        start_time = Time.parse(JSON.parse(File.read(metadata_file))['start_time']).to_datetime.rfc3339.to_s.gsub(/[-+]00:00/, 'Z')
+      rescue JSON::ParserError
+        start_time = (Time.now - (15 * 60)).to_datetime.rfc3339.to_s.gsub(/[-+]00:00/, 'Z')
+      end
+    else
+      start_time = (Time.now - (15 * 60)).to_datetime.rfc3339.to_s.gsub(/[-+]00:00/, 'Z')
+    end
+    start_time
+  end
+
+  def end_time
+    @end_time ||= (Time.now - (5 * 60)).to_datetime.rfc3339.to_s.gsub(/[-+]00:00/, 'Z')
+  end
+
+  def update_metadata_file(key, value)
+    key = key.to_s
+    meta_data = {}
+
+    if File.exist?(metadata_file)
+      begin
+        meta_data = JSON.parse(File.read(metadata_file))
+      rescue JSON::ParserError
+      end
+    end
+
+    meta_data[key] = value
+
+    File.open(metadata_file, 'w+') { |file| file.write(meta_data.to_json) }
+  end
+
+  def logs
+    begin
+      results = RestClient.get("https://api.cloudflare.com/client/v4/zones/#{domain}/logs/received?start=#{start_time}&end=#{end_time}&fields=#{fields.join(',')}", 'X-Auth-Email' => auth_email, 'X-Auth-Key' => auth_key)
+      results.body.split("\n").collect { |raw_log| JSON.parse(raw_log) }
+    rescue RestClient::BadRequest => error
+      @logger.error(error.response.strip)
+      @logger.error("https://api.cloudflare.com/client/v4/zones/#{domain}/logs/received?start=#{start_time}&end=#{end_time}&fields=#{fields.join(',')}")
+      @logger.error({'X-Auth-Email' => auth_email, 'X-Auth-Key' => auth_key}.inspect)
+
+      raise error
+    end
+  end
+end
+
+class LogStash::Inputs::CloudflareLogs < LogStash::Inputs::Base
+  config_name 'cloudflareLogs'
+
+  # If undefined, Logstash will complain, even if codec is unused.
+  default :codec, 'json'
+
+  config :auth_email, validate: :string, required: true
+  config :auth_key, validates: :string, required: true
+  config :domain_key, validates: :string, required: true
+  config :metadata_file, validates: :string, default: '/etc/logstash/cf_metadata.json'
+  config :environment_name, validates: :string
+
+  config :interval, validate: :number, default: 600
+
+  def register
+    @host = Socket.gethostname
+  end # def register
+
+  def cloudflare_access
+    @access ||= CloudflareAccess.new(auth_key: @auth_key,
+                                     auth_email: @auth_email,
+                                     domain: @domain_key,
+                                     logger: @logger,
+                                     metadata_file: @metadata_file)
+  end
+
+  def process_logs(queue)
+    cloudflare_access.logs.each do |log|
+      log['fields.type'] = 'cloudflare'
+      log['fields.env'] = @environment_name
+      event = LogStash::Event.new(log)
+      event.timestamp= LogStash::Timestamp.at(log['EdgeStartTimestamp'].to_i / 1_000_000_000)
+      decorate(event)
+      queue << event
+    end
+
+    cloudflare_access.update_metadata_file('start_time', cloudflare_access.end_time)
+    @access = nil
+  end
+
+  def run(queue)
+    # we can abort the loop if stop? becomes true
+    until stop?
+      process_logs(queue)
+
+      # because the sleep interval can be big, when shutdown happens
+      # we want to be able to abort the sleep
+      # Stud.stoppable_sleep will frequently evaluate the given block
+      # and abort the sleep(@interval) if the return value is true
+      Stud.stoppable_sleep(@interval) { stop? }
+    end # loop
+  end # def run
+
+  def stop
+    # nothing to do in this case so it is not necessary to define stop
+    # examples of common 'stop' tasks:
+    #  * close sockets (unblocking blocking reads/accepts)
+    #  * cleanup temporary files
+    #  * terminate spawned threads
+  end
+end # class LogStash::Inputs::CloudflareLogs

data/logstash-input-cloudflare-logs.gemspec

@@ -0,0 +1,43 @@
+Gem::Specification.new do |s|
+  s.name          = 'logstash-input-cloudflareLogs'
+  s.version       = '0.1.12'
+  s.licenses      = ['Apache License (2.0)']
+  s.summary       = 'write cloudflare logs to logstash'
+  s.description   = 'Write cloudflare lgos to logstash.' \
+                    ' This requires an Enterprise account with cloudflare'
+  s.homepage      = 'https://github.com/resumecompanion/logstash-input-cloudflare-logs'
+  s.authors       = ['Josh Moore']
+  s.email         = 'joshsmoore@gmail.com'
+  s.require_paths = ['lib']
+
+  # Files
+  s.files = Dir[
+    'lib/**/*',
+    'spec/**/*',
+    'vendor/**/*',
+    '*.gemspec',
+    '*.md',
+    'CONTRIBUTORS',
+    'Gemfile',
+    'LICENSE',
+    'NOTICE.TXT'
+  ]
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { 'logstash_plugin' => 'true', 'logstash_group' => 'input' }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash-core-plugin-api', '~> 2.0'
+  s.add_runtime_dependency 'logstash-codec-json'
+  s.add_runtime_dependency 'stud', '>= 0.0.22'
+  # s.add_runtime_dependency 'rest-client', '>= 2.0.2'
+  s.add_runtime_dependency 'rest-client', '~> 1.8.0'
+  s.add_development_dependency 'logstash-devutils', '>= 0.0.16'
+  s.add_development_dependency 'webmock'
+  s.add_development_dependency 'vcr', '> 3.0.0', '< 4.0.0'
+  s.add_development_dependency 'timecop'
+  s.add_development_dependency 'pry'
+end

data/spec/fixtures/vcr_cassettes/error.yml

@@ -0,0 +1,52 @@
+---
+http_interactions:
+- request:
+    method: get
+    uri: https://api.cloudflare.com/client/v4/zones/11/logs/received?end=2017-10-9T23:55:00Z&fields=CacheCacheStatus,CacheResponseBytes,CacheResponseStatus,ClientASN,ClientCountry,ClientDeviceType,ClientIP,ClientIPClass,ClientRequestBytes,ClientRequestHost,ClientRequestMethod,ClientRequestProtocol,ClientRequestReferer,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientSrcPort,EdgeColoID,EdgeEndTimestamp,EdgePathingStatus,EdgeResponseBytes,EdgeResponseCompressionRatio,EdgeResponseStatus,EdgeStartTimestamp,OriginIP,OriginResponseBytes,OriginResponseHTTPExpires,OriginResponseHTTPLastModified,OriginResponseStatus,OriginResponseTime,RayID,WAFAction,WAFRuleID,ZoneID&start=2017-10-10T23:54:57Z
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      Accept:
+      - "*/*; q=0.5, application/xml"
+      Accept-Encoding:
+      - gzip, deflate
+      X-Auth-Email:
+      - test@test.com
+      X-Auth-Key:
+      - secret
+      User-Agent:
+      - Ruby
+  response:
+    status:
+      code: 400
+      message: Bad Request
+    headers:
+      Date:
+      - Tue, 21 Nov 2017 15:06:13 GMT
+      Content-Type:
+      - application/json
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Set-Cookie:
+      - __cfduid=dbe9fc98db8aa0e054f739756baf7f9c51511276772; expires=Wed, 21-Nov-18
+        15:06:12 GMT; path=/; domain=.cloudflare.com; HttpOnly
+      Strict-Transport-Security:
+      - max-age=15780000; includeSubDomains
+      Served-In-Seconds:
+      - '0.112'
+      Server:
+      - cloudflare-nginx
+      Cf-Ray:
+      - 3c148d370c0838ac-ATL
+    body:
+      encoding: UTF-8
+      string: '{"success":false,"errors":[{"code":10000,"message":"Authentication
+        error"}]}
+
+        '
+    http_version:
+  recorded_at: Tue, 21 Nov 2017 15:06:13 GMT
+recorded_with: VCR 3.0.3

data/spec/fixtures/vcr_cassettes/logs.yml

@@ -0,0 +1,57 @@
+---
+http_interactions:
+- request:
+    method: get
+    uri: https://api.cloudflare.com/client/v4/zones/11/logs/received?end=2017-10-10T23:55:00Z&fields=CacheCacheStatus,CacheResponseBytes,CacheResponseStatus,ClientASN,ClientCountry,ClientDeviceType,ClientIP,ClientIPClass,ClientRequestBytes,ClientRequestHost,ClientRequestMethod,ClientRequestProtocol,ClientRequestReferer,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientSrcPort,EdgeColoID,EdgeEndTimestamp,EdgePathingStatus,EdgeResponseBytes,EdgeResponseCompressionRatio,EdgeResponseStatus,EdgeStartTimestamp,OriginIP,OriginResponseBytes,OriginResponseHTTPExpires,OriginResponseHTTPLastModified,OriginResponseStatus,OriginResponseTime,RayID,WAFAction,WAFRuleID,ZoneID&start=2017-10-10T23:54:57Z
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      Accept:
+      - "*/*"
+      Accept-Encoding:
+      - gzip, deflate
+      User-Agent:
+      - rest-client/2.0.2 (darwin x86_64) jruby/9.1.8.0 (2.3.1p0)
+      X-Auth-Email:
+      - test@test.com
+      X-Auth-Key:
+      - secret
+      Host:
+      - api.cloudflare.com
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Fri, 13 Oct 2017 20:56:45 GMT
+      Content-Type:
+      - application/json
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Set-Cookie:
+      - __cfduid=d3a9abc4cc5f499fefc56e6a17d7ef1fe1507928203; expires=Sat, 13-Oct-18
+        20:56:43 GMT; path=/; domain=.cloudflare.com; HttpOnly
+      Cf-Version:
+      - 2017.9.14
+      Content-Encoding:
+      - txt
+      Vary:
+      - Accept-Encoding
+      Strict-Transport-Security:
+      - max-age=31536000
+      Served-In-Seconds:
+      - '2.217'
+      Server:
+      - cloudflare-nginx
+      Cf-Ray:
+      - 3ad53504de493882-ATL
+    body:
+      encoding: UTF-8
+      string: "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":8361,\"CacheResponseStatus\":200,\"ClientASN\":7922,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"2601:181:c380:7d77:69a8:cc6e:391a:5a23\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":3155,\"ClientRequestHost\":\"app.resumegenius.com\",\"ClientRequestMethod\":\"GET\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"https://app.resumegenius.com/resumes/12709185/edit\",\"ClientRequestURI\":\"/api/v1/templates?template_type=resume\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":54582,\"EdgeColoID\":106,\"EdgeEndTimestamp\":1507679695560000000,\"EdgePathingStatus\":\"nr\",\"EdgeResponseBytes\":8948,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseStatus\":200,\"EdgeStartTimestamp\":1507679695346999808,\"OriginIP\":\"104.237.135.192\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"Tue, 10 Oct 2017 23:54:55 UTC\",\"OriginResponseStatus\":200,\"OriginResponseTime\":0,\"RayID\":\"3abd81efef015a4a\",\"WAFAction\":\"unknown\",\"WAFRuleID\":\"\",\"ZoneID\":2963680}\n{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":1483,\"CacheResponseStatus\":200,\"ClientASN\":7922,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"2601:1c0:cc01:1f6:35de:7ca2:d7b2:8389\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2457,\"ClientRequestHost\":\"app.resumegenius.com\",\"ClientRequestMethod\":\"PUT\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"https://app.resumegenius.com/letter-v2/1633229/personalize-preview\",\"ClientRequestURI\":\"/api/v1/letters/1633229\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":52995,\"EdgeColoID\":119,\"EdgeEndTimestamp\":1507679695801000192,\"EdgePathingStatus\":\"nr\",\"EdgeResponseBytes\":1989,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseStatus\":200,\"EdgeStartTimestamp\":1507679695681999872,\"OriginIP\":\"104.237.135.192\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"Tue, 10 Oct 2017 23:54:55 UTC\",\"OriginResponseStatus\":200,\"OriginResponseTime\":0,\"RayID\":\"3abd81f208cf8d0b\",\"WAFAction\":\"unknown\",\"WAFRuleID\":\"\",\"ZoneID\":2963680}\n{\"CacheCacheStatus\":\"hit\",\"CacheResponseBytes\":3135,\"CacheResponseStatus\":200,\"ClientASN\":7018,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"12.227.213.34\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":1374,\"ClientRequestHost\":\"resumegenius.com\",\"ClientRequestMethod\":\"GET\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"https://resumegenius.com/\",\"ClientRequestURI\":\"/wp-content/themes/genesis-rg/images/favicons/favicon-192.png\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":56207,\"EdgeColoID\":27,\"EdgeEndTimestamp\":1507679696020999936,\"EdgePathingStatus\":\"nr\",\"EdgeResponseBytes\":3587,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseStatus\":200,\"EdgeStartTimestamp\":1507679696020000000,\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"RayID\":\"3abd81f42f0f8291\",\"WAFAction\":\"unknown\",\"WAFRuleID\":\"\",\"ZoneID\":2963680}\n{\"CacheCacheStatus\":\"hit\",\"CacheResponseBytes\":9752,\"CacheResponseStatus\":200,\"ClientASN\":25640,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"66.27.46.31\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":1615,\"ClientRequestHost\":\"resumegenius.com\",\"ClientRequestMethod\":\"GET\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"https://resumegenius.com/\",\"ClientRequestURI\":\"/wp-content/uploads/2015/02/Dublin-Green-Template-e1437465375594-225x291.jpg\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (X11; CrOS x86_64 9693.1.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3144.0 Safari/537.36\",\"ClientSSLCipher\":\"ECDHE-ECDSA-CHACHA20-POLY1305\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":52826,\"EdgeColoID\":12,\"EdgeEndTimestamp\":1507679696856000000,\"EdgePathingStatus\":\"nr\",\"EdgeResponseBytes\":10264,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseStatus\":200,\"EdgeStartTimestamp\":1507679696852000000,\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"RayID\":\"3abd81f95caf7844\",\"WAFAction\":\"unknown\",\"WAFRuleID\":\"\",\"ZoneID\":2963680}"
+    http_version:
+  recorded_at: Fri, 13 Oct 2017 20:56:46 GMT
+recorded_with: VCR 3.0.3

data/spec/inputs/cloudflare-logs_spec.rb

@@ -0,0 +1,51 @@
+# encoding: utf-8
+
+require "#{File.expand_path(File.dirname(__FILE__))}/../spec_helper"
+require 'logstash/inputs/cloudflareLogs'
+require 'pry'
+
+describe LogStash::Inputs::CloudflareLogs do
+  describe '#run' do
+    before(:each) do
+      allow_any_instance_of(LogStash::Inputs::CloudflareLogs).to receive(:process_logs).and_return([])
+    end
+    it_behaves_like 'an interruptible input plugin' do
+      let(:config) { { 'metadata_file' => "#{File.expand_path(File.dirname(__FILE__))}/../tmp/metadata.json", 'interval' => 100, 'auth_email' => 'test@test.com', 'auth_key' => 'test', 'domain_key' => 'asdf' } }
+    end
+  end
+
+  describe '#process_logs' do
+    let(:config) { { 'metadata_file' => "#{File.expand_path(File.dirname(__FILE__))}/../tmp/metadata.json", 'interval' => 100, 'auth_email' => 'test@test.com', 'auth_key' => 'test', 'domain_key' => 'asdf' } }
+    let(:queue) { double(:queue, :<< => 'test') }
+    before(:each) { allow_any_instance_of(CloudflareAccess).to receive(:logs).and_return([{ a: 1 }]) }
+    let(:plugin) { described_class.new(config) }
+    subject { plugin.process_logs(queue) }
+    before :each do
+      event = double(LogStash::Event)
+      allow(event).to receive(:timestamp=)
+      # allow(LogStash::Event).to receive(:new).and_return(event)
+    end
+
+    it 'should create each log event' do
+      expect(LogStash::Event).to receive(:new).with(a: 1, 'fields.type' => 'cloudflare', 'fields.env' => nil).and_return(LogStash::Event.new)
+      subject
+    end
+
+    it 'should create each log event' do
+      expect(LogStash::Event).to receive(:new).with(a: 1, 'fields.type' => 'cloudflare', 'fields.env' => nil).and_return(LogStash::Event.new)
+      subject
+    end
+
+    it 'should decorate the event' do
+      expect(plugin).to receive(:decorate).with(instance_of(LogStash::Event))
+
+      subject
+    end
+
+    it 'should add the event to the queue' do
+      expect(queue).to receive(:<<).with(instance_of(LogStash::Event))
+
+      subject
+    end
+  end
+end

data/spec/inputs/cloudflare_access_spec.rb

@@ -0,0 +1,131 @@
+# encoding: utf-8
+require 'json'
+require "#{File.expand_path(File.dirname(__FILE__))}/../spec_helper"
+require 'logstash/inputs/cloudflareLogs'
+require 'pry'
+
+describe CloudflareAccess do
+  let(:meta_filename) { "#{File.expand_path(File.dirname(__FILE__))}/../tmp/metadata.json" }
+  let(:logger) { logger = double() }
+
+  let(:cloudflare_access) do
+    CloudflareAccess.new(auth_email: 'test@test.com',
+                         auth_key: 'secret',
+                         domain: '11',
+                         logger: logger,
+                         metadata_file: meta_filename)
+  end
+
+  describe '#start_time' do
+    subject { cloudflare_access.start_time }
+    it 'should return current time - 15 min if metadata file is not there' do
+      `rm #{meta_filename}`
+      Timecop.freeze do
+        expect(subject).to eq((Time.now - (15 * 60)).to_datetime.rfc3339)
+      end
+    end
+
+    it 'should return the default time meta file is there but is empty' do
+      `rm #{meta_filename}`
+      `touch #{meta_filename}`
+
+      Timecop.freeze do
+        expect(subject).to eq((Time.now - (15 * 60)).to_datetime.rfc3339)
+      end
+    end
+
+    it 'should return the start time in the file if it is correct' do
+      Timecop.freeze do
+        File.open(meta_filename, 'w+') { |file| file.write({ start_time: Time.now - (24 * 60 * 60) }.to_json) }
+        expect(subject).to eq((Time.now - (24 * 60 * 60)).to_datetime.rfc3339)
+      end
+    end
+  end
+
+  describe '#end_time' do
+    subject { cloudflare_access.end_time }
+
+    it 'should return 5 min before current time' do
+      Timecop.freeze do
+        expect(subject).to eq((Time.now - (5 * 60)).to_datetime.rfc3339)
+      end
+    end
+  end
+
+  describe '#update_metadata_file' do
+    def read_meta_data
+      Time.parse(JSON.parse(File.read(meta_filename))['start_time']).to_datetime.rfc3339
+    end
+
+    before(:all) { Timecop.freeze }
+    after(:all) { Timecop.freeze }
+    subject { cloudflare_access.update_metadata_file(:start_time, Time.now) }
+
+    it 'should set time if the metadata file does not exist' do
+      `rm #{meta_filename}`
+
+      subject
+
+      expect(read_meta_data).to eq Time.now.to_datetime.rfc3339
+    end
+
+    it 'should set the value of the meta data if the file exists' do
+      subject
+      @value = Time.now - (14 * 60)
+      cloudflare_access.update_metadata_file(:start_time, @value)
+
+      expect(read_meta_data).to eq((Time.now - (14 * 60)).to_datetime.rfc3339)
+    end
+
+    it 'should work correctly if the meta data file is there and blank' do
+      `rm #{meta_filename}`
+      `touch #{meta_filename}`
+      subject
+
+      expect(read_meta_data).to eq Time.now.to_datetime.rfc3339
+    end
+  end
+
+  describe '#logs' do
+    before :each do
+      allow(cloudflare_access).to receive(:start_time).and_return('2017-10-10T23:54:57Z')
+      allow(cloudflare_access).to receive(:end_time).and_return('2017-10-10T23:55:00Z')
+    end
+
+    subject do
+      VCR.use_cassette(:logs) do
+        cloudflare_access.logs
+      end
+    end
+
+    it 'it should return the 4 log hashes' do
+      expect(subject.count).to eq(4)
+    end
+
+    it 'should return each item as a hash' do
+      expect(subject.first).to be_instance_of(Hash)
+    end
+
+    describe 'connection failure' do
+      before do
+        allow(cloudflare_access).to receive(:end_time).and_return('2017-10-9T23:55:00Z')
+      end
+
+      subject do
+        VCR.use_cassette(:error) do
+          cloudflare_access.logs
+        end
+      end
+
+      it 'should raise an error' do
+        allow(logger).to receive(:error)
+        expect { subject }.to raise_error(RestClient::BadRequest)
+      end
+
+      it 'should log a descriptive error' do
+        expect(logger).to receive(:error).with("{\"success\":false,\"errors\":[{\"code\":10000,\"message\":\"Authentication error\"}]}")
+        expect { subject }.to raise_error(RestClient::BadRequest)
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,62 @@
+# require 'webmock/rspec'
+require 'vcr'
+require 'timecop'
+
+VCR.configure do |config|
+  config.before_record do |i|
+    i.response.body.force_encoding('UTF-8')
+  end
+  config.cassette_serializers[:json]
+  config.cassette_library_dir = 'spec/fixtures/vcr_cassettes'
+  config.hook_into :webmock
+end
+
+if ENV['COVERAGE']
+  require 'simplecov'
+  require 'coveralls'
+
+  SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
+    SimpleCov::Formatter::HTMLFormatter,
+    Coveralls::SimpleCov::Formatter
+  ]
+  SimpleCov.start do
+    add_filter 'spec/'
+    add_filter 'vendor/'
+  end
+end
+
+require 'logstash-core'
+require 'logstash/logging'
+require 'logstash/environment'
+require 'logstash/devutils/rspec/logstash_helpers'
+require 'logstash/devutils/rspec/shared_examples'
+require 'insist'
+
+Thread.abort_on_exception = true
+
+RSpec.configure do |config|
+  # for now both include and extend are required because the newly refactored
+  # 'input' helper method need to be visible in a 'it' block
+  # and this is only possible by calling include on LogStashHelper
+  config.include LogStashHelper
+  config.extend LogStashHelper
+
+  exclude_tags = {
+    redis: true,
+    socket: true,
+    performance: true,
+    couchdb: true,
+    elasticsearch: true,
+    elasticsearch_secure: true,
+    export_cypher: true,
+    integration: true
+  }
+
+  config.filter_run_excluding exclude_tags
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+end

data/spec/tmp/metadata.json

@@ -0,0 +1 @@
+{"start_time":"2018-04-18 11:22:11 -0400"}

metadata

@@ -0,0 +1,198 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-cloudflareLogs
+version: !ruby/object:Gem::Version
+  version: 0.1.12
+platform: ruby
+authors:
+- Josh Moore
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-04-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-codec-json
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+  name: stud
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
+  name: rest-client
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.16
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.16
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: webmock
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+  name: vcr
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: timecop
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: pry
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Write cloudflare lgos to logstash. This requires an Enterprise account
+  with cloudflare
+email: joshsmoore@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/inputs/cloudflareLogs.rb
+- logstash-input-cloudflare-logs.gemspec
+- spec/fixtures/vcr_cassettes/error.yml
+- spec/fixtures/vcr_cassettes/logs.yml
+- spec/inputs/cloudflare-logs_spec.rb
+- spec/inputs/cloudflare_access_spec.rb
+- spec/spec_helper.rb
+- spec/tmp/metadata.json
+homepage: https://github.com/resumecompanion/logstash-input-cloudflare-logs
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: input
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.8
+signing_key:
+specification_version: 4
+summary: write cloudflare logs to logstash
+test_files:
+- spec/fixtures/vcr_cassettes/error.yml
+- spec/fixtures/vcr_cassettes/logs.yml
+- spec/inputs/cloudflare-logs_spec.rb
+- spec/inputs/cloudflare_access_spec.rb
+- spec/spec_helper.rb
+- spec/tmp/metadata.json