logstash-input-okta_enterprise 0.5.0 → 0.6.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ce6c6e85bc6e41ec22d49a462c890c236cd849d9
|
|
4
|
+
data.tar.gz: 35076593da897161c67f167c7e69c6cc7086bac3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c66d8cd501e49cef03cc7c2f4f0c48983717a420cecd8e0265a81f605c27a2026703192d2c61605de6b044d08f58d26366e920d194f63ef8b9386bd416978a2b
|
|
7
|
+
data.tar.gz: ed20984c1ffad649c57e46b694234c3ccf77c53423240a61b7b8185bc12cbf53d6aab1e1a20ff4553535860cf8386baba68b4abf9157537e2f1eec6b216ed8c3
|
|
@@ -9,6 +9,7 @@ require "base64"
|
|
|
9
9
|
require "cgi"
|
|
10
10
|
|
|
11
11
|
MAX_AUTH_TOKEN_FILE_SIZE = 1 * 2**10
|
|
12
|
+
FIXNUM_RESET_SIZE = 2**63 - 100000000000000000 # Size at which to reset the noise counter
|
|
12
13
|
|
|
13
14
|
# This Logstash input plugin allows you to call an the Okta HTTP API to ship to other SIEMS.
|
|
14
15
|
# This plugin is based on the http_poller plugin, however the plugin needed to retain a state.
|
|
@@ -150,7 +151,7 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
150
151
|
# Format: File path
|
|
151
152
|
config :auth_token_env, :validate => :string
|
|
152
153
|
|
|
153
|
-
|
|
154
|
+
# The base filename to store the pointer to the current location in the logs
|
|
154
155
|
# This file will be renamed with each new reference to limit loss of this data
|
|
155
156
|
# The location will need at least write and execute privs for the logstash user
|
|
156
157
|
# This parameter is not required, however on start logstash will ship all logs to your SIEM.
|
|
@@ -168,6 +169,14 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
168
169
|
# If this setting is omitted, the data will be stored at the root (top level) of the event.
|
|
169
170
|
config :target, :validate => :string
|
|
170
171
|
|
|
172
|
+
# The throttle value to use for noisy log lines (at the info level)
|
|
173
|
+
# Currently just one log statement (successful HTTP connects)
|
|
174
|
+
# The value is used to mod a counter, so set it appropriately for log levels
|
|
175
|
+
# NOTE: This value will be ignored when the log level is debug or trace
|
|
176
|
+
#
|
|
177
|
+
# Format: Integer
|
|
178
|
+
config :log_throttle, :validate => :number, :required => false
|
|
179
|
+
|
|
171
180
|
public
|
|
172
181
|
Schedule_types = %w(cron every at in)
|
|
173
182
|
def register
|
|
@@ -233,6 +242,26 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
233
242
|
@filter = CGI.escape(@filter)
|
|
234
243
|
end
|
|
235
244
|
|
|
245
|
+
@noisy_log = method(:open_log)
|
|
246
|
+
if (@log_throttle)
|
|
247
|
+
if (@log_throttle > FIXNUM_RESET_SIZE)
|
|
248
|
+
raise LogStash::ConfigurationError, "Config log_throttle must be" +
|
|
249
|
+
"less than #{FIXNUM_RESET_SIZE}."
|
|
250
|
+
end
|
|
251
|
+
@noisy_log = method(:throttled_log)
|
|
252
|
+
@throttle_counter = 0
|
|
253
|
+
end
|
|
254
|
+
if (@logger.debug?)
|
|
255
|
+
@noisy_log = method(:open_log)
|
|
256
|
+
end
|
|
257
|
+
begin
|
|
258
|
+
if (@logger.trace?)
|
|
259
|
+
@noisy_log = method(:open_log)
|
|
260
|
+
end
|
|
261
|
+
rescue NoMethodError
|
|
262
|
+
# Do nothing b/c it doesn't really matter, it retains compatability with 2.4 vs higher
|
|
263
|
+
end
|
|
264
|
+
|
|
236
265
|
if (@state_file_base)
|
|
237
266
|
dir_name = File.dirname(@state_file_base)
|
|
238
267
|
## Generally the state file directory will have the correct permissions
|
|
@@ -459,7 +488,7 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
459
488
|
@logger.debug("Continue status", :continue => @continue )
|
|
460
489
|
end
|
|
461
490
|
|
|
462
|
-
@
|
|
491
|
+
@noisy_log.call("Successful response returned",:code => response.code, :headers => response.headers)
|
|
463
492
|
@logger.debug("Response body", :body => response.body)
|
|
464
493
|
|
|
465
494
|
when 401
|
|
@@ -592,6 +621,23 @@ class LogStash::Inputs::OktaEnterprise < LogStash::Inputs::Base
|
|
|
592
621
|
|
|
593
622
|
end
|
|
594
623
|
|
|
624
|
+
private
|
|
625
|
+
def throttled_log(message, vars = {})
|
|
626
|
+
if (@throttle_counter < 3 or @throttle_counter % @log_throttle == 0 or @throttle_counter >= FIXNUM_RESET_SIZE)
|
|
627
|
+
@logger.info(message, vars)
|
|
628
|
+
|
|
629
|
+
if (@throttle_counter >= FIXNUM_RESET_SIZE)
|
|
630
|
+
@throttle_counter = 0
|
|
631
|
+
end
|
|
632
|
+
end
|
|
633
|
+
@throttle_counter += 1
|
|
634
|
+
end
|
|
635
|
+
|
|
636
|
+
private
|
|
637
|
+
def open_log(message, vars)
|
|
638
|
+
@logger.info(message, vars)
|
|
639
|
+
end
|
|
640
|
+
|
|
595
641
|
public
|
|
596
642
|
def stop
|
|
597
643
|
# nothing to do in this case so it is not necessary to define stop
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
s.name = 'logstash-input-okta_enterprise'
|
|
3
|
-
s.version = '0.
|
|
3
|
+
s.version = '0.6.0'
|
|
4
4
|
s.licenses = ['Apache License (2.0)']
|
|
5
5
|
s.summary = 'This plugin fetches log events from Okta'
|
|
6
6
|
s.description = 'This plugin fetches log events from Okta'
|
|
@@ -88,6 +88,49 @@ describe LogStash::Inputs::OktaEnterprise do
|
|
|
88
88
|
include_examples("configuration errors")
|
|
89
89
|
end
|
|
90
90
|
end
|
|
91
|
+
context "logger throttle management" do
|
|
92
|
+
let(:throttle_opts) {
|
|
93
|
+
throttle_opts = default_opts.merge({"log_throttle" => 100000}).clone
|
|
94
|
+
throttle_opts
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
context "a number too large is used" do
|
|
98
|
+
let(:opts) {
|
|
99
|
+
throttle_opts["log_throttle"] = 2**63-1
|
|
100
|
+
throttle_opts
|
|
101
|
+
}
|
|
102
|
+
include_examples("configuration errors")
|
|
103
|
+
end
|
|
104
|
+
context "when no throttle is set" do
|
|
105
|
+
let(:opts) { default_opts }
|
|
106
|
+
it "sets the logger function to open_log" do
|
|
107
|
+
subject.register
|
|
108
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
context "when a throttle is set" do
|
|
112
|
+
let(:opts) { throttle_opts }
|
|
113
|
+
it "sets the logger function to throttled_log" do
|
|
114
|
+
subject.register
|
|
115
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:throttled_log))
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
context "when log level is debug" do
|
|
119
|
+
it "sets the logger function to open_log" do
|
|
120
|
+
allow(subject.instance_variable_get("@logger")).to receive(:debug?) { true }
|
|
121
|
+
subject.register
|
|
122
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
context "when log level is trace" do
|
|
126
|
+
it "sets the logger function to open_log" do
|
|
127
|
+
allow(subject.instance_variable_get("@logger")).to receive(:trace?) { true }
|
|
128
|
+
subject.register
|
|
129
|
+
expect(subject.instance_variable_get("@noisy_log")).to eql(subject.method(:open_log))
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
end
|
|
133
|
+
end
|
|
91
134
|
end
|
|
92
135
|
|
|
93
136
|
describe "instances" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-input-okta_enterprise
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Security Risk Advisors
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-11-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|