logstash-input-okta_enterprise 0.5.0 → 0.6.0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ce6c6e85bc6e41ec22d49a462c890c236cd849d9
|
|
4
|
+
data.tar.gz: 35076593da897161c67f167c7e69c6cc7086bac3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c66d8cd501e49cef03cc7c2f4f0c48983717a420cecd8e0265a81f605c27a2026703192d2c61605de6b044d08f58d26366e920d194f63ef8b9386bd416978a2b
|
|
7
|
+
data.tar.gz: ed20984c1ffad649c57e46b694234c3ccf77c53423240a61b7b8185bc12cbf53d6aab1e1a20ff4553535860cf8386baba68b4abf9157537e2f1eec6b216ed8c3
|
|
@@ -9,6 +9,7 @@ require "base64"
|
|
|
9
9
|
require "cgi"
|
|
10
10
|
|
|
11
11
|
MAX_AUTH_TOKEN_FILE_SIZE = 1 * 2**10
|
|
12
|
+
FIXNUM_RESET_SIZE = 2**63 - 100000000000000000 # Size at which to reset the noise counter
|
|
12
13
|
|
|
13
14
|
# This Logstash input plugin allows you to call an the Okta HTTP API to ship to other SIEMS.
|
|
14
15
|
# This plugin is based on the http_poller plugin, however the plugin needed to retain a state.
|
|
@@ -150,7 +151,7 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
150
151
|
# Format: File path
|
|
151
152
|
config :auth_token_env, :validate => :string
|
|
152
153
|
|
|
153
|
-
|
|
154
|
+
# The base filename to store the pointer to the current location in the logs
|
|
154
155
|
# This file will be renamed with each new reference to limit loss of this data
|
|
155
156
|
# The location will need at least write and execute privs for the logstash user
|
|
156
157
|
# This parameter is not required, however on start logstash will ship all logs to your SIEM.
|
|
@@ -168,6 +169,14 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
168
169
|
# If this setting is omitted, the data will be stored at the root (top level) of the event.
|
|
169
170
|
config :target, :validate => :string
|
|
170
171
|
|
|
172
|
+
# The throttle value to use for noisy log lines (at the info level)
|
|
173
|
+
# Currently just one log statement (successful HTTP connects)
|
|
174
|
+
# The value is used to mod a counter, so set it appropriately for log levels
|
|
175
|
+
# NOTE: This value will be ignored when the log level is debug or trace
|
|
176
|
+
#
|
|
177
|
+
# Format: Integer
|
|
178
|
+
config :log_throttle, :validate => :number, :required => false
|
|
179
|
+
|
|
171
180
|
public
|
|
172
181
|
Schedule_types = %w(cron every at in)
|
|
173
182
|
def register
|
|
@@ -233,6 +242,26 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
233
242
|
@filter = CGI.escape(@filter)
|
|
234
243
|
end
|
|
235
244
|
|
|
245
|
+
@noisy_log = method(:open_log)
|
|
246
|
+
if (@log_throttle)
|
|
247
|
+
if (@log_throttle > FIXNUM_RESET_SIZE)
|
|
248
|
+
raise LogStash::ConfigurationError, "Config log_throttle must be" +
|
|
249
|
+
"less than #{FIXNUM_RESET_SIZE}."
|
|
250
|
+
end
|
|
251
|
+
@noisy_log = method(:throttled_log)
|
|
252
|
+
@throttle_counter = 0
|
|
253
|
+
end
|
|
254
|
+
if (@logger.debug?)
|
|
255
|
+
@noisy_log = method(:open_log)
|
|
256
|
+
end
|
|
257
|
+
begin
|
|
258
|
+
if (@logger.trace?)
|
|
259
|
+
@noisy_log = method(:open_log)
|
|
260
|
+
end
|
|
261
|
+
rescue NoMethodError
|
|
262
|
+
# Do nothing b/c it doesn't really matter, it retains compatability with 2.4 vs higher
|
|
263
|
+
end
|
|
264
|
+
|
|
236
265
|
if (@state_file_base)
|
|
237
266
|
dir_name = File.dirname(@state_file_base)
|
|
238
267
|
## Generally the state file directory will have the correct permissions
|
|
@@ -459,7 +488,7 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
459
488
|
@logger.debug("Continue status", :continue => @continue )
|
|
460
489
|
end
|
|
461
490
|
|
|
462
|
-
@
|
|
491
|
+
@noisy_log.call("Successful response returned",:code => response.code, :headers => response.headers)
|
|
463
492
|
@logger.debug("Response body", :body => response.body)
|
|
464
493
|
|
|
465
494
|
when 401
|
|
@@ -592,6 +621,23 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
592
621
|
|
|
593
622
|
end
|
|
594
623
|
|
|
624
|
+
private
|
|
625
|
+
def throttled_log(message, vars = {})
|
|
626
|
+
if (@throttle_counter < 3 or @throttle_counter % @log_throttle == 0 or @throttle_counter >= FIXNUM_RESET_SIZE)
|
|
627
|
+
@logger.info(message, vars)
|
|
628
|
+
|
|
629
|
+
if (@throttle_counter >= FIXNUM_RESET_SIZE)
|
|
630
|
+
@throttle_counter = 0
|
|
631
|
+
end
|
|
632
|
+
end
|
|
633
|
+
@throttle_counter += 1
|
|
634
|
+
end
|
|
635
|
+
|
|
636
|
+
private
|
|
637
|
+
def open_log(message, vars)
|
|
638
|
+
@logger.info(message, vars)
|
|
639
|
+
end
|
|
640
|
+
|
|
595
641
|
public
|
|
596
642
|
def stop
|
|
597
643
|
# nothing to do in this case so it is not necessary to define stop
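Review bot: The configuration check added in `register` (hunk `@@ -233,6 +242,26 @@`) only bounds `log_throttle` from above, so a value of `0` passes `if (@log_throttle)` (0 is truthy in Ruby) and later makes `@throttle_counter % @log_throttle` in `throttled_log` (hunk `@@ -592,6 +621,23 @@`) raise `ZeroDivisionError` on the fourth successful response, while a negative or — if `:validate => :number` admits floats, as I believe it does — fractional value silently breaks the modulo cadence. The error message built there also lacks a separating space (`"must be" + "less than"` prints "must beless than"). I would change the check to `if (@log_throttle > FIXNUM_RESET_SIZE || @log_throttle < 1)` and the message to `"Config log_throttle must be " + "between 1 and #{FIXNUM_RESET_SIZE}."`, and ideally require an Integer. As a point of style, `throttled_log` should use `||` rather than `or` inside its condition, the two `private` markers can be one, and `open_log(message, vars)` should take the same `vars = {}` default as `throttled_log` since the two are swapped in for each other. `register` and the enclosing class both continue outside these hunks.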
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
s.name = 'logstash-input-okta_enterprise'
|
|
3
|
-
s.version = '0.
|
|
3
|
+
s.version = '0.6.0'
|
|
4
4
|
s.licenses = ['Apache License (2.0)']
|
|
5
5
|
s.summary = 'This plugin fetches log events from Okta'
|
|
6
6
|
s.description = 'This plugin fetches log events from Okta'
|
|
@@ -88,6 +88,49 @@ describe LogStash::Inputs::OktaEnterprise do
|
|
|
88
88
|
include_examples("configuration errors")
|
|
89
89
|
end
|
|
90
90
|
end
|
|
91
|
+
context "logger throttle management" do
|
|
92
|
+
let(:throttle_opts) {
|
|
93
|
+
throttle_opts = default_opts.merge({"log_throttle" => 100000}).clone
|
|
94
|
+
throttle_opts
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
context "a number too large is used" do
|
|
98
|
+
let(:opts) {
|
|
99
|
+
throttle_opts["log_throttle"] = 2**63-1
|
|
100
|
+
throttle_opts
|
|
101
|
+
}
|
|
102
|
+
include_examples("configuration errors")
|
|
103
|
+
end
|
|
104
|
+
context "when no throttle is set" do
|
|
105
|
+
let(:opts) { default_opts }
|
|
106
|
+
it "sets the logger function to open_log" do
|
|
107
|
+
subject.register
|
|
108
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
context "when a throttle is set" do
|
|
112
|
+
let(:opts) { throttle_opts }
|
|
113
|
+
it "sets the logger function to throttled_log" do
|
|
114
|
+
subject.register
|
|
115
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:throttled_log))
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
context "when log level is debug" do
|
|
119
|
+
it "sets the logger function to open_log" do
|
|
120
|
+
allow(subject.instance_variable_get("@logger")).to receive(:debug?) { true }
|
|
121
|
+
subject.register
|
|
122
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
context "when log level is trace" do
|
|
126
|
+
it "sets the logger function to open_log" do
|
|
127
|
+
allow(subject.instance_variable_get("@logger")).to receive(:trace?) { true }
|
|
128
|
+
subject.register
|
|
129
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
end
|
|
133
|
+
end
|
|
91
134
|
end
|
|
92
135
|
|
|
93
136
|
describe "instances" do
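Review bot: The new "logger throttle management" contexts only assert which method `@noisy_log` points at; nothing exercises `throttled_log` itself, so the first-three-then-every-Nth cadence and the counter reset are untested. A small example that registers with `"log_throttle" => 3`, calls `subject.send(:throttled_log, "m", {})` a handful of times and sets `expect(subject.instance_variable_get("@logger")).to receive(:info).exactly(4).times` for six calls would pin that behaviour. Minor style: `default_opts.merge({...}).clone` already returns a fresh Hash from `merge`, so `.clone` and the temporary local are redundant — `let(:throttle_opts) { default_opts.merge("log_throttle" => 100000) }` reads the same.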
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-input-okta_enterprise
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Security Risk Advisors
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-11-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|