logstash-input-okta_enterprise 0.5.0 → 0.6.0

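--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 1d974e643ea6fdb2db49ce72df98178204b06c19
- data.tar.gz: 97c6674bfc1266e7fbb3e8399ca89d7357470070
+ metadata.gz: ce6c6e85bc6e41ec22d49a462c890c236cd849d9
+ data.tar.gz: 35076593da897161c67f167c7e69c6cc7086bac3
  SHA512:
- metadata.gz: 662645fd23e65b811a0435c6da01c44d494e4352d6e46618e825406150ee187329f3878cb46d7bc6ee617572861fe8af35c3b434047d20e77beb76e1ac95f30a
- data.tar.gz: f8c76352d65ca9acd5b123fb93133906b54bf05333cdcd8f554e1558f4f3a39b8244b8da136771d7dd09172e8b0e834a74da049cdc7f78036c9e13ea592c916e
+ metadata.gz: c66d8cd501e49cef03cc7c2f4f0c48983717a420cecd8e0265a81f605c27a2026703192d2c61605de6b044d08f58d26366e920d194f63ef8b9386bd416978a2b
+ data.tar.gz: ed20984c1ffad649c57e46b694234c3ccf77c53423240a61b7b8185bc12cbf53d6aab1e1a20ff4553535860cf8386baba68b4abf9157537e2f1eec6b216ed8c3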
@@ -9,6 +9,7 @@ require "base64"
9
9
  require "cgi"
10
10
 
11
11
  MAX_AUTH_TOKEN_FILE_SIZE = 1 * 2**10
12
+ FIXNUM_RESET_SIZE = 2**63 - 100000000000000000 # Size at which to reset the noise counter
12
13
 
13
14
  # This Logstash input plugin allows you to call an the Okta HTTP API to ship to other SIEMS.
14
15
  # This plugin is based on the http_poller plugin, however the plugin needed to retain a state.
@@ -150,7 +151,7 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
150
151
  # Format: File path
151
152
  config :auth_token_env, :validate => :string
152
153
 
153
- # The base filename to store the pointer to the current location in the logs
154
+ # The base filename to store the pointer to the current location in the logs
154
155
  # This file will be renamed with each new reference to limit loss of this data
155
156
  # The location will need at least write and execute privs for the logstash user
156
157
  # This parameter is not required, however on start logstash will ship all logs to your SIEM.
@@ -168,6 +169,14 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
168
169
  # If this setting is omitted, the data will be stored at the root (top level) of the event.
169
170
  config :target, :validate => :string
170
171
 
172
+ # The throttle value to use for noisy log lines (at the info level)
173
+ # Currently just one log statement (successful HTTP connects)
174
+ # The value is used to mod a counter, so set it appropriately for log levels
175
+ # NOTE: This value will be ignored when the log level is debug or trace
176
+ #
177
+ # Format: Integer
178
+ config :log_throttle, :validate => :number, :required => false
179
+
171
180
  public
172
181
  Schedule_types = %w(cron every at in)
173
182
  def register
@@ -233,6 +242,26 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
233
242
  @filter = CGI.escape(@filter)
234
243
  end
235
244
 
245
+ @noisy_log = method(:open_log)
246
+ if (@log_throttle)
247
+ if (@log_throttle > FIXNUM_RESET_SIZE)
248
+ raise LogStash::ConfigurationError, "Config log_throttle must be" +
249
+ "less than #{FIXNUM_RESET_SIZE}."
250
+ end
251
+ @noisy_log = method(:throttled_log)
252
+ @throttle_counter = 0
253
+ end
254
+ if (@logger.debug?)
255
+ @noisy_log = method(:open_log)
256
+ end
257
+ begin
258
+ if (@logger.trace?)
259
+ @noisy_log = method(:open_log)
260
+ end
261
+ rescue NoMethodError
262
+ # Do nothing b/c it doesn't really matter, it retains compatability with 2.4 vs higher
263
+ end
264
+
236
265
  if (@state_file_base)
237
266
  dir_name = File.dirname(@state_file_base)
238
267
  ## Generally the state file directory will have the correct permissions
@@ -459,7 +488,7 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
459
488
  @logger.debug("Continue status", :continue => @continue )
460
489
  end
461
490
 
462
- @logger.info("Successful response returned", :code => response.code, :headers => response.headers)
491
+ @noisy_log.call("Successful response returned",:code => response.code, :headers => response.headers)
463
492
  @logger.debug("Response body", :body => response.body)
464
493
 
465
494
  when 401
@@ -592,6 +621,23 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
592
621
 
593
622
  end
594
623
 
624
+ private
625
+ def throttled_log(message, vars = {})
626
+ if (@throttle_counter < 3 or @throttle_counter % @log_throttle == 0 or @throttle_counter >= FIXNUM_RESET_SIZE)
627
+ @logger.info(message, vars)
628
+
629
+ if (@throttle_counter >= FIXNUM_RESET_SIZE)
630
+ @throttle_counter = 0
631
+ end
632
+ end
633
+ @throttle_counter += 1
634
+ end
635
+
636
+ private
637
+ def open_log(message, vars)
638
+ @logger.info(message, vars)
639
+ end
640
+
595
641
  public
596
642
  def stop
597
643
  # nothing to do in this case so it is not necessary to define stop
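Review bot: A `log_throttle` of 0 passes the new check in `register`, because 0 is truthy in Ruby and only the upper bound is tested, and `throttled_log` then evaluates `@throttle_counter % @log_throttle` once the counter reaches 3, which raises ZeroDivisionError for an integer zero while handling a successful response. Rejecting non-positive values at configuration time keeps that failure out of the polling path: `if (@log_throttle <= 0 || @log_throttle > FIXNUM_RESET_SIZE)`. The two string literals in the error message are joined without a space, so it reads "must beless than"; `"Config log_throttle must be " +` fixes that. `register` and the response handler both start outside the visible hunks, so whether anything rescues the exception around the `@noisy_log.call` line cannot be seen here.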
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = 'logstash-input-okta_enterprise'
3
- s.version = '0.5.0'
3
+ s.version = '0.6.0'
4
4
  s.licenses = ['Apache License (2.0)']
5
5
  s.summary = 'This plugin fetches log events from Okta'
6
6
  s.description = 'This plugin fetches log events from Okta'
@@ -88,6 +88,49 @@ describe LogStash::Inputs::OktaEnterprise do
88
88
  include_examples("configuration errors")
89
89
  end
90
90
  end
91
+ context "logger throttle management" do
92
+ let(:throttle_opts) {
93
+ throttle_opts = default_opts.merge({"log_throttle" => 100000}).clone
94
+ throttle_opts
95
+ }
96
+
97
+ context "a number too large is used" do
98
+ let(:opts) {
99
+ throttle_opts["log_throttle"] = 2**63-1
100
+ throttle_opts
101
+ }
102
+ include_examples("configuration errors")
103
+ end
104
+ context "when no throttle is set" do
105
+ let(:opts) { default_opts }
106
+ it "sets the logger function to open_log" do
107
+ subject.register
108
+ expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
109
+ end
110
+ end
111
+ context "when a throttle is set" do
112
+ let(:opts) { throttle_opts }
113
+ it "sets the logger function to throttled_log" do
114
+ subject.register
115
+ expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:throttled_log))
116
+ end
117
+
118
+ context "when log level is debug" do
119
+ it "sets the logger function to open_log" do
120
+ allow(subject.instance_variable_get("@logger")).to receive(:debug?) { true }
121
+ subject.register
122
+ expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
123
+ end
124
+ end
125
+ context "when log level is trace" do
126
+ it "sets the logger function to open_log" do
127
+ allow(subject.instance_variable_get("@logger")).to receive(:trace?) { true }
128
+ subject.register
129
+ expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
130
+ end
131
+ end
132
+ end
133
+ end
91
134
  end
92
135
 
93
136
  describe "instances" do
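Review bot: None of the added examples calls `throttled_log`, so the emission pattern (the first three calls, then every `log_throttle`-th call) and the counter reset at `FIXNUM_RESET_SIZE` are untested; the examples only check which method `register` binds to `@noisy_log`. An example that sets a small throttle, calls `subject.instance_variable_get("@noisy_log")` a fixed number of times and asserts `expect(subject.instance_variable_get("@logger")).to receive(:info).exactly(n).times` would pin that behaviour. The "a number too large is used" context covers the upper bound alone; a sibling context with `throttle_opts["log_throttle"] = 0` would show whether a zero value is rejected at configuration time. The enclosing `describe` block starts outside the hunk.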
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-input-okta_enterprise
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Security Risk Advisors
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-12-14 00:00:00.000000000 Z
11
+ date: 2018-11-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement