logstash-input-crowdstrike_fdr 2.1.2

data/logstash-input-crowdstrike_fdr.gemspec

@@ -0,0 +1,28 @@
+Gem::Specification.new do |s|
+  s.name            = 'logstash-input-crowdstrike_fdr'
+  s.version         = '2.1.2'
+  s.licenses        = ['Apache-2.0']
+  s.summary         = "Get logs from AWS s3 buckets as issued by Crowdstrike Falcon Data Replicator"
+  s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
+  s.authors         = ["Christian Herweg","Hugh Kelley"]
+  s.email           = 'christian.herweg@gmail.com'
+  s.homepage        = "https://github.com/hkelley/logstash-input-crowdstrike_fdr"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 2.1.12", "<= 2.99"
+
+  s.add_runtime_dependency 'logstash-codec-json', '~> 3.0'
+  s.add_runtime_dependency 'logstash-mixin-aws', '~> 4.3'
+  s.add_development_dependency 'logstash-codec-json_stream', '~> 1.0'
+  s.add_development_dependency 'logstash-devutils', '~> 1.3'
+end

data/spec/inputs/crowdstrike_fdr_spec.rb

@@ -0,0 +1,66 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/plugin"
+require "logstash/inputs/crowdstrike_fdr"
+require "fileutils"
+require "logstash/errors"
+require "logstash/event"
+require "logstash/json"
+require "logstash/codecs/base"
+require "logstash/codecs/json_stream"
+require 'rspec'
+require 'rspec/expectations'
+
+
+
+describe LogStash::Inputs::CrowdStrikeFDR do
+  class LogStash::Inputs::CrowdStrikeFDR
+    public :process # use method without error logging for better visibility of errors
+  end
+  let(:codec_options) { {} }
+
+  let(:input) { LogStash::Inputs::CrowdStrikeFDR.new(config) }
+
+  let(:codec_factory) { CodecFactory.new(@logger, { default_codec: @codec, codec_by_folder: @codec_by_folder }) }
+  subject { input }
+
+  context "default parser choice" do
+    it "should return true" do
+      expect(true).to be true
+    end
+  end
+
+  let(:record) {{"local_file" => File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'log-stream.real-formatted') }}
+  let(:key) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+  let(:folder) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+  let(:instance_codec) { "json" }
+  let(:logstash_event_queue) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+  let(:bucket) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+  let(:message) { "arn:aws:iam::123456789012:role/AuthorizedRole" }
+  let(:size) { "123344" }
+  let(:temporary_directory) { Stud::Temporary.pathname }
+  let(:config) { {"queue" => queue, "codec" => "json", "temporary_directory" => temporary_directory } }
+  context 'compressed_log_file' do
+
+    subject do
+      LogStash::Inputs::CrowdStrikeFDR.new(config)
+    end
+ #   end
+    let(:queue) { [] }
+    before do
+      @codec = LogStash::Codecs::JSONStream.new
+      @codec.charset = "UTF-8"
+      @codec_factory = CodecFactory.new(@logger, {
+          default_codec: @codec,
+          codec_by_folder: @codec_by_folder
+      })
+      expect( subject.process(record, logstash_event_queue) ).to be true
+      $stderr.puts "method #{queue.to_s}"
+    end
+
+    #it '.process_local_log => process compressed log file and verfied logstash event queue with the correct number of events' do
+    #  expect( queue.size ).to eq(38)
+    #  expect( queue.clear).to be_empty
+    #end
+  end
+end

metadata

@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-crowdstrike_fdr
+version: !ruby/object:Gem::Version
+  version: 2.1.2
+platform: ruby
+authors:
+- Christian Herweg
+- Hugh Kelley
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-03-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.12
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.12
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  name: logstash-codec-json
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
+  name: logstash-mixin-aws
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-codec-json_stream
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+description: This gem is a logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not
+  a stand-alone program
+email: christian.herweg@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/inputs/codec_factory.rb
+- lib/logstash/inputs/crowdstrike_fdr.rb
+- lib/logstash/inputs/mime/magic_gzip_validator.rb
+- lib/logstash/inputs/s3/client_factory.rb
+- lib/logstash/inputs/s3/downloader.rb
+- lib/logstash/inputs/s3snssqs/log_processor.rb
+- lib/logstash/inputs/s3sqs/patch.rb
+- lib/logstash/inputs/sqs/poller.rb
+- logstash-input-crowdstrike_fdr.gemspec
+- spec/inputs/crowdstrike_fdr_spec.rb
+homepage: https://github.com/hkelley/logstash-input-crowdstrike_fdr
+licenses:
+- Apache-2.0
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: input
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.14.1
+signing_key:
+specification_version: 4
+summary: Get logs from AWS s3 buckets as issued by Crowdstrike Falcon Data Replicator
+test_files:
+- spec/inputs/crowdstrike_fdr_spec.rb