logstash-input-crowdstrike_fdr 2.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/CHANGELOG.md +141 -0
- data/CONTRIBUTORS +14 -0
- data/Gemfile +11 -0
- data/LICENSE +13 -0
- data/NOTICE.TXT +5 -0
- data/README.md +147 -0
- data/lib/logstash/inputs/codec_factory.rb +37 -0
- data/lib/logstash/inputs/crowdstrike_fdr.rb +343 -0
- data/lib/logstash/inputs/mime/magic_gzip_validator.rb +53 -0
- data/lib/logstash/inputs/s3/client_factory.rb +59 -0
- data/lib/logstash/inputs/s3/downloader.rb +57 -0
- data/lib/logstash/inputs/s3snssqs/log_processor.rb +143 -0
- data/lib/logstash/inputs/s3sqs/patch.rb +22 -0
- data/lib/logstash/inputs/sqs/poller.rb +218 -0
- data/logstash-input-crowdstrike_fdr.gemspec +28 -0
- data/spec/inputs/crowdstrike_fdr_spec.rb +66 -0
- metadata +141 -0
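--- a/data/logstash-input-crowdstrike_fdr.gemspec
+++ b/data/logstash-input-crowdstrike_fdr.gemspec
@@ -0,0 +1,28 @@
+Gem::Specification.new do |s|
+s.name = 'logstash-input-crowdstrike_fdr'
+s.version = '2.1.2'
+s.licenses = ['Apache-2.0']
+s.summary = "Get logs from AWS s3 buckets as issued by Crowdstrike Falcon Data Replicator"
+s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
+s.authors = ["Christian Herweg","Hugh Kelley"]
+s.email = 'christian.herweg@gmail.com'
+s.homepage = "https://github.com/hkelley/logstash-input-crowdstrike_fdr"
+s.require_paths = ["lib"]
+
+# Files
+s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+
+# Tests
+s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+# Special flag to let us know this is actually a logstash plugin
+s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
+
+# Gem dependencies
+s.add_runtime_dependency "logstash-core-plugin-api", ">= 2.1.12", "<= 2.99"
+
+s.add_runtime_dependency 'logstash-codec-json', '~> 3.0'
+s.add_runtime_dependency 'logstash-mixin-aws', '~> 4.3'
+s.add_development_dependency 'logstash-codec-json_stream', '~> 1.0'
+s.add_development_dependency 'logstash-devutils', '~> 1.3'
+end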
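Review bot: `s.files = Dir['lib/**/*','spec/**/*','vendor/**/*',...]` on gemspec line 13 packages whatever happens to be in the working tree when the gem is built, so untracked or locally vendored files would ship silently; an explicit tracked list (for example `git ls-files -z` filtered to those paths) makes the published contents reproducible and reviewable. The gemspec also sets no `s.signing_key` or `s.cert_chain`, which the generated metadata reflects as `cert_chain: []` and an empty `signing_key:`, so consumers can only verify this gem by checksum rather than by signature. Separately, although `spec/**/*` is in the glob, the packaged file list has no `spec/fixtures` entry, so the fixture the spec references appears not to exist in the tree at build time.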
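--- a/data/spec/inputs/crowdstrike_fdr_spec.rb
+++ b/data/spec/inputs/crowdstrike_fdr_spec.rb
@@ -0,0 +1,66 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/plugin"
+require "logstash/inputs/crowdstrike_fdr"
+require "fileutils"
+require "logstash/errors"
+require "logstash/event"
+require "logstash/json"
+require "logstash/codecs/base"
+require "logstash/codecs/json_stream"
+require 'rspec'
+require 'rspec/expectations'
+
+
+
+describe LogStash::Inputs::CrowdStrikeFDR do
+class LogStash::Inputs::CrowdStrikeFDR
+public :process # use method without error logging for better visibility of errors
+end
+let(:codec_options) { {} }
+
+let(:input) { LogStash::Inputs::CrowdStrikeFDR.new(config) }
+
+let(:codec_factory) { CodecFactory.new(@logger, { default_codec: @codec, codec_by_folder: @codec_by_folder }) }
+subject { input }
+
+context "default parser choice" do
+it "should return true" do
+expect(true).to be true
+end
+end
+
+let(:record) {{"local_file" => File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'log-stream.real-formatted') }}
+let(:key) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+let(:folder) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+let(:instance_codec) { "json" }
+let(:logstash_event_queue) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+let(:bucket) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+let(:message) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+let(:size) { "123344" }
+let(:temporary_directory) { Stud::Temporary.pathname }
+let(:config) { {"queue" => queue, "codec" => "json", "temporary_directory" => temporary_directory } }
+context 'compressed_log_file' do
+
+subject do
+LogStash::Inputs::CrowdStrikeFDR.new(config)
+end
+# end
+let(:queue) { [] }
+before do
+@codec = LogStash::Codecs::JSONStream.new
+@codec.charset = "UTF-8"
+@codec_factory = CodecFactory.new(@logger, {
+default_codec: @codec,
+codec_by_folder: @codec_by_folder
+})
+expect( subject.process(record, logstash_event_queue) ).to be true
+$stderr.puts "method #{queue.to_s}"
+end
+
+#it '.process_local_log => process compressed log file and verfied logstash event queue with the correct number of events' do
+# expect( queue.size ).to eq(38)
+# expect( queue.clear).to be_empty
+#end
+end
+end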
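Review bot: The `compressed_log_file` context contains no `it` example (the only one, at spec lines 61–64, is commented out), so RSpec never runs its `before` hook and the `subject.process(...)` call and the `expect(...)` inside it are dead code; the only example that executes is `expect(true).to be true`, which verifies nothing about the plugin. If the hook did run, it passes `logstash_event_queue`, an IAM-role ARN string, as the queue argument and reads a fixture at `spec/fixtures/log-stream.real-formatted` that is not among the packaged files, so this context appears unable to run from the gem as published. I would move the expectation into a real example, pass `queue` to `process`, and drop the `$stderr.puts "method #{queue.to_s}"` debug line: `it 'emits one event per record' do; expect(subject.process(record, queue)).to be true; expect(queue.size).to eq(38); end`.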
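--- a/metadata
+++ b/metadata
@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-crowdstrike_fdr
+version: !ruby/object:Gem::Version
+version: 2.1.2
+platform: ruby
+authors:
+- Christian Herweg
+- Hugh Kelley
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-03-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.1.12
+- - "<="
+- !ruby/object:Gem::Version
+version: '2.99'
+name: logstash-core-plugin-api
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.1.12
+- - "<="
+- !ruby/object:Gem::Version
+version: '2.99'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+name: logstash-codec-json
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '4.3'
+name: logstash-mixin-aws
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '4.3'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
+name: logstash-codec-json_stream
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.3'
+name: logstash-devutils
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.3'
+description: This gem is a logstash plugin required to be installed on top of the
+Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not
+a stand-alone program
+email: christian.herweg@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/inputs/codec_factory.rb
+- lib/logstash/inputs/crowdstrike_fdr.rb
+- lib/logstash/inputs/mime/magic_gzip_validator.rb
+- lib/logstash/inputs/s3/client_factory.rb
+- lib/logstash/inputs/s3/downloader.rb
+- lib/logstash/inputs/s3snssqs/log_processor.rb
+- lib/logstash/inputs/s3sqs/patch.rb
+- lib/logstash/inputs/sqs/poller.rb
+- logstash-input-crowdstrike_fdr.gemspec
+- spec/inputs/crowdstrike_fdr_spec.rb
+homepage: https://github.com/hkelley/logstash-input-crowdstrike_fdr
+licenses:
+- Apache-2.0
+metadata:
+logstash_plugin: 'true'
+logstash_group: input
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.14.1
+signing_key:
+specification_version: 4
+summary: Get logs from AWS s3 buckets as issued by Crowdstrike Falcon Data Replicator
+test_files:
+- spec/inputs/crowdstrike_fdr_spec.rb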