logstash-integration-aws 7.1.1-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.PRE.MERGE.md +658 -0
- data/CHANGELOG.md +33 -0
- data/CONTRIBUTORS +40 -0
- data/Gemfile +11 -0
- data/LICENSE +202 -0
- data/NOTICE.TXT +5 -0
- data/README.md +205 -0
- data/VERSION +1 -0
- data/docs/codec-cloudfront.asciidoc +53 -0
- data/docs/codec-cloudtrail.asciidoc +45 -0
- data/docs/index.asciidoc +36 -0
- data/docs/input-cloudwatch.asciidoc +320 -0
- data/docs/input-s3.asciidoc +346 -0
- data/docs/input-sqs.asciidoc +287 -0
- data/docs/output-cloudwatch.asciidoc +321 -0
- data/docs/output-s3.asciidoc +442 -0
- data/docs/output-sns.asciidoc +166 -0
- data/docs/output-sqs.asciidoc +242 -0
- data/lib/logstash/codecs/cloudfront.rb +84 -0
- data/lib/logstash/codecs/cloudtrail.rb +47 -0
- data/lib/logstash/inputs/cloudwatch.rb +338 -0
- data/lib/logstash/inputs/s3.rb +466 -0
- data/lib/logstash/inputs/sqs.rb +196 -0
- data/lib/logstash/outputs/cloudwatch.rb +346 -0
- data/lib/logstash/outputs/s3/file_repository.rb +193 -0
- data/lib/logstash/outputs/s3/path_validator.rb +18 -0
- data/lib/logstash/outputs/s3/size_and_time_rotation_policy.rb +24 -0
- data/lib/logstash/outputs/s3/size_rotation_policy.rb +26 -0
- data/lib/logstash/outputs/s3/temporary_file.rb +114 -0
- data/lib/logstash/outputs/s3/temporary_file_factory.rb +126 -0
- data/lib/logstash/outputs/s3/time_rotation_policy.rb +26 -0
- data/lib/logstash/outputs/s3/uploader.rb +76 -0
- data/lib/logstash/outputs/s3/writable_directory_validator.rb +17 -0
- data/lib/logstash/outputs/s3/write_bucket_permission_validator.rb +60 -0
- data/lib/logstash/outputs/s3.rb +442 -0
- data/lib/logstash/outputs/sns.rb +133 -0
- data/lib/logstash/outputs/sqs.rb +167 -0
- data/lib/logstash/plugin_mixins/aws_config/generic.rb +54 -0
- data/lib/logstash/plugin_mixins/aws_config/v2.rb +93 -0
- data/lib/logstash/plugin_mixins/aws_config.rb +8 -0
- data/lib/logstash-integration-aws_jars.rb +4 -0
- data/lib/tasks/build.rake +15 -0
- data/logstash-integration-aws.gemspec +55 -0
- data/spec/codecs/cloudfront_spec.rb +92 -0
- data/spec/codecs/cloudtrail_spec.rb +56 -0
- data/spec/fixtures/aws_credentials_file_sample_test.yml +2 -0
- data/spec/fixtures/aws_temporary_credentials_file_sample_test.yml +3 -0
- data/spec/fixtures/cloudfront.log +4 -0
- data/spec/fixtures/compressed.log.gee.zip +0 -0
- data/spec/fixtures/compressed.log.gz +0 -0
- data/spec/fixtures/compressed.log.gzip +0 -0
- data/spec/fixtures/invalid_utf8.gbk.log +2 -0
- data/spec/fixtures/json.log +2 -0
- data/spec/fixtures/json_with_message.log +2 -0
- data/spec/fixtures/multiline.log +6 -0
- data/spec/fixtures/multiple_compressed_streams.gz +0 -0
- data/spec/fixtures/uncompressed.log +2 -0
- data/spec/inputs/cloudwatch_spec.rb +85 -0
- data/spec/inputs/s3_spec.rb +610 -0
- data/spec/inputs/sincedb_spec.rb +17 -0
- data/spec/inputs/sqs_spec.rb +324 -0
- data/spec/integration/cloudwatch_spec.rb +25 -0
- data/spec/integration/dynamic_prefix_spec.rb +92 -0
- data/spec/integration/gzip_file_spec.rb +62 -0
- data/spec/integration/gzip_size_rotation_spec.rb +63 -0
- data/spec/integration/outputs/sqs_spec.rb +98 -0
- data/spec/integration/restore_from_crash_spec.rb +133 -0
- data/spec/integration/s3_spec.rb +66 -0
- data/spec/integration/size_rotation_spec.rb +59 -0
- data/spec/integration/sqs_spec.rb +110 -0
- data/spec/integration/stress_test_spec.rb +60 -0
- data/spec/integration/time_based_rotation_with_constant_write_spec.rb +60 -0
- data/spec/integration/time_based_rotation_with_stale_write_spec.rb +64 -0
- data/spec/integration/upload_current_file_on_shutdown_spec.rb +51 -0
- data/spec/outputs/cloudwatch_spec.rb +38 -0
- data/spec/outputs/s3/file_repository_spec.rb +143 -0
- data/spec/outputs/s3/size_and_time_rotation_policy_spec.rb +77 -0
- data/spec/outputs/s3/size_rotation_policy_spec.rb +41 -0
- data/spec/outputs/s3/temporary_file_factory_spec.rb +89 -0
- data/spec/outputs/s3/temporary_file_spec.rb +47 -0
- data/spec/outputs/s3/time_rotation_policy_spec.rb +60 -0
- data/spec/outputs/s3/uploader_spec.rb +69 -0
- data/spec/outputs/s3/writable_directory_validator_spec.rb +40 -0
- data/spec/outputs/s3/write_bucket_permission_validator_spec.rb +49 -0
- data/spec/outputs/s3_spec.rb +232 -0
- data/spec/outputs/sns_spec.rb +160 -0
- data/spec/plugin_mixin/aws_config_spec.rb +217 -0
- data/spec/spec_helper.rb +8 -0
- data/spec/support/helpers.rb +121 -0
- data/spec/unit/outputs/sqs_spec.rb +247 -0
- data/vendor/jar-dependencies/org/logstash/plugins/integration/aws/logstash-integration-aws/7.1.1/logstash-integration-aws-7.1.1.jar +0 -0
- metadata +472 -0
@@ -0,0 +1,242 @@
|
|
1
|
+
:integration: aws
|
2
|
+
:plugin: sqs
|
3
|
+
:type: output
|
4
|
+
:default_codec: json
|
5
|
+
|
6
|
+
///////////////////////////////////////////
|
7
|
+
START - GENERATED VARIABLES, DO NOT EDIT!
|
8
|
+
///////////////////////////////////////////
|
9
|
+
:version: %VERSION%
|
10
|
+
:release_date: %RELEASE_DATE%
|
11
|
+
:changelog_url: %CHANGELOG_URL%
|
12
|
+
:include_path: ../../../../logstash/docs/include
|
13
|
+
///////////////////////////////////////////
|
14
|
+
END - GENERATED VARIABLES, DO NOT EDIT!
|
15
|
+
///////////////////////////////////////////
|
16
|
+
|
17
|
+
[id="plugins-{type}s-{plugin}"]
|
18
|
+
|
19
|
+
=== Sqs output plugin
|
20
|
+
|
21
|
+
include::{include_path}/plugin_header-integration.asciidoc[]
|
22
|
+
|
23
|
+
==== Description
|
24
|
+
|
25
|
+
Push events to an Amazon Web Services (AWS) Simple Queue Service (SQS) queue.
|
26
|
+
|
27
|
+
SQS is a simple, scalable queue system that is part of the Amazon Web
|
28
|
+
Services suite of tools. Although SQS is similar to other queuing systems
|
29
|
+
such as Advanced Message Queuing Protocol (AMQP), it uses a custom API and
|
30
|
+
requires that you have an AWS account. See http://aws.amazon.com/sqs/ for
|
31
|
+
more details on how SQS works, what the pricing schedule looks like and how
|
32
|
+
to setup a queue.
|
33
|
+
|
34
|
+
The "consumer" identity must have the following permissions on the queue:
|
35
|
+
|
36
|
+
* `sqs:GetQueueUrl`
|
37
|
+
* `sqs:SendMessage`
|
38
|
+
* `sqs:SendMessageBatch`
|
39
|
+
|
40
|
+
Typically, you should setup an IAM policy, create a user and apply the IAM
|
41
|
+
policy to the user. See http://aws.amazon.com/iam/ for more details on
|
42
|
+
setting up AWS identities. A sample policy is as follows:
|
43
|
+
|
44
|
+
[source,json]
|
45
|
+
{
|
46
|
+
"Version": "2012-10-17",
|
47
|
+
"Statement": [
|
48
|
+
{
|
49
|
+
"Effect": "Allow",
|
50
|
+
"Action": [
|
51
|
+
"sqs:GetQueueUrl",
|
52
|
+
"sqs:SendMessage",
|
53
|
+
"sqs:SendMessageBatch"
|
54
|
+
],
|
55
|
+
"Resource": "arn:aws:sqs:us-east-1:123456789012:my-sqs-queue"
|
56
|
+
}
|
57
|
+
]
|
58
|
+
}
|
59
|
+
|
60
|
+
==== Batch Publishing
|
61
|
+
This output publishes messages to SQS in batches in order to optimize event
|
62
|
+
throughput and increase performance. This is done using the
|
63
|
+
[`SendMessageBatch`](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessageBatch.html)
|
64
|
+
API. When publishing messages to SQS in batches, the following service limits
|
65
|
+
must be respected (see
|
66
|
+
[Limits in Amazon SQS](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/limits-messages.html)):
|
67
|
+
|
68
|
+
* The maximum allowed individual message size is 256KiB.
|
69
|
+
* The maximum total payload size (i.e. the sum of the sizes of all
|
70
|
+
individual messages within a batch) is also 256KiB.
|
71
|
+
|
72
|
+
This plugin will dynamically adjust the size of the batch published to SQS in
|
73
|
+
order to ensure that the total payload size does not exceed 256KiB.
|
74
|
+
|
75
|
+
WARNING: This output cannot currently handle messages larger than 256KiB. Any
|
76
|
+
single message exceeding this size will be dropped.
|
77
|
+
|
78
|
+
|
79
|
+
[id="plugins-{type}s-{plugin}-options"]
|
80
|
+
==== Sqs Output Configuration Options
|
81
|
+
|
82
|
+
This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
|
83
|
+
|
84
|
+
[cols="<,<,<",options="header",]
|
85
|
+
|=======================================================================
|
86
|
+
|Setting |Input type|Required
|
87
|
+
| <<plugins-{type}s-{plugin}-access_key_id>> |<<string,string>>|No
|
88
|
+
| <<plugins-{type}s-{plugin}-aws_credentials_file>> |<<string,string>>|No
|
89
|
+
| <<plugins-{type}s-{plugin}-batch_events>> |<<number,number>>|No
|
90
|
+
| <<plugins-{type}s-{plugin}-endpoint>> |<<string,string>>|No
|
91
|
+
| <<plugins-{type}s-{plugin}-message_max_size>> |<<bytes,bytes>>|No
|
92
|
+
| <<plugins-{type}s-{plugin}-proxy_uri>> |<<string,string>>|No
|
93
|
+
| <<plugins-{type}s-{plugin}-queue>> |<<string,string>>|Yes
|
94
|
+
| <<plugins-{type}s-{plugin}-queue_owner_aws_account_id>> |<<string,string>>|No
|
95
|
+
| <<plugins-{type}s-{plugin}-region>> |<<string,string>>|No
|
96
|
+
| <<plugins-{type}s-{plugin}-role_arn>> |<<string,string>>|No
|
97
|
+
| <<plugins-{type}s-{plugin}-role_session_name>> |<<string,string>>|No
|
98
|
+
| <<plugins-{type}s-{plugin}-secret_access_key>> |<<string,string>>|No
|
99
|
+
| <<plugins-{type}s-{plugin}-session_token>> |<<string,string>>|No
|
100
|
+
|=======================================================================
|
101
|
+
|
102
|
+
Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
|
103
|
+
output plugins.
|
104
|
+
|
105
|
+
|
106
|
+
|
107
|
+
[id="plugins-{type}s-{plugin}-access_key_id"]
|
108
|
+
===== `access_key_id`
|
109
|
+
|
110
|
+
* Value type is <<string,string>>
|
111
|
+
* There is no default value for this setting.
|
112
|
+
|
113
|
+
This plugin uses the AWS SDK and supports several ways to get credentials, which will be tried in this order:
|
114
|
+
|
115
|
+
1. Static configuration, using `access_key_id` and `secret_access_key` params in logstash plugin config
|
116
|
+
2. External credentials file specified by `aws_credentials_file`
|
117
|
+
3. Environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
|
118
|
+
4. Environment variables `AMAZON_ACCESS_KEY_ID` and `AMAZON_SECRET_ACCESS_KEY`
|
119
|
+
5. IAM Instance Profile (available when running inside EC2)
|
120
|
+
|
121
|
+
[id="plugins-{type}s-{plugin}-aws_credentials_file"]
|
122
|
+
===== `aws_credentials_file`
|
123
|
+
|
124
|
+
* Value type is <<string,string>>
|
125
|
+
* There is no default value for this setting.
|
126
|
+
|
127
|
+
Path to YAML file containing a hash of AWS credentials.
|
128
|
+
This file will only be loaded if `access_key_id` and
|
129
|
+
`secret_access_key` aren't set. The contents of the
|
130
|
+
file should look like this:
|
131
|
+
|
132
|
+
[source,ruby]
|
133
|
+
----------------------------------
|
134
|
+
:access_key_id: "12345"
|
135
|
+
:secret_access_key: "54321"
|
136
|
+
----------------------------------
|
137
|
+
|
138
|
+
|
139
|
+
[id="plugins-{type}s-{plugin}-batch_events"]
|
140
|
+
===== `batch_events`
|
141
|
+
|
142
|
+
* Value type is <<number,number>>
|
143
|
+
* Default value is `10`
|
144
|
+
|
145
|
+
The number of events to be sent in each batch. Set this to `1` to disable
|
146
|
+
the batch sending of messages.
|
147
|
+
|
148
|
+
[id="plugins-{type}s-{plugin}-endpoint"]
|
149
|
+
===== `endpoint`
|
150
|
+
|
151
|
+
* Value type is <<string,string>>
|
152
|
+
* There is no default value for this setting.
|
153
|
+
|
154
|
+
The endpoint to connect to. By default it is constructed using the value of `region`.
|
155
|
+
This is useful when connecting to S3 compatible services, but beware that these aren't
|
156
|
+
guaranteed to work correctly with the AWS SDK.
|
157
|
+
|
158
|
+
[id="plugins-{type}s-{plugin}-message_max_size"]
|
159
|
+
===== `message_max_size`
|
160
|
+
|
161
|
+
* Value type is <<bytes,bytes>>
|
162
|
+
* Default value is `"256KiB"`
|
163
|
+
|
164
|
+
The maximum number of bytes for any message sent to SQS. Messages exceeding
|
165
|
+
this size will be dropped. See
|
166
|
+
http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/limits-messages.html.
|
167
|
+
|
168
|
+
[id="plugins-{type}s-{plugin}-proxy_uri"]
|
169
|
+
===== `proxy_uri`
|
170
|
+
|
171
|
+
* Value type is <<string,string>>
|
172
|
+
* There is no default value for this setting.
|
173
|
+
|
174
|
+
URI to proxy server if required
|
175
|
+
|
176
|
+
[id="plugins-{type}s-{plugin}-queue"]
|
177
|
+
===== `queue`
|
178
|
+
|
179
|
+
* This is a required setting.
|
180
|
+
* Value type is <<string,string>>
|
181
|
+
* There is no default value for this setting.
|
182
|
+
|
183
|
+
The name of the target SQS queue. Note that this is just the name of the
|
184
|
+
queue, not the URL or ARN.
|
185
|
+
|
186
|
+
[id="plugins-{type}s-{plugin}-queue_owner_aws_account_id"]
|
187
|
+
===== `queue_owner_aws_account_id`
|
188
|
+
|
189
|
+
* Value type is <<string,string>>
|
190
|
+
* There is no default value for this setting.
|
191
|
+
|
192
|
+
The owning account id of the target SQS queue. IAM permissions need to be
|
193
|
+
configured on both accounts to function.
|
194
|
+
|
195
|
+
[id="plugins-{type}s-{plugin}-region"]
|
196
|
+
===== `region`
|
197
|
+
|
198
|
+
* Value type is <<string,string>>
|
199
|
+
* Default value is `"us-east-1"`
|
200
|
+
|
201
|
+
The AWS Region
|
202
|
+
|
203
|
+
[id="plugins-{type}s-{plugin}-role_arn"]
|
204
|
+
===== `role_arn`
|
205
|
+
|
206
|
+
* Value type is <<string,string>>
|
207
|
+
* There is no default value for this setting.
|
208
|
+
|
209
|
+
The AWS IAM Role to assume, if any.
|
210
|
+
This is used to generate temporary credentials, typically for cross-account access.
|
211
|
+
See the https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html[AssumeRole API documentation] for more information.
|
212
|
+
|
213
|
+
[id="plugins-{type}s-{plugin}-role_session_name"]
|
214
|
+
===== `role_session_name`
|
215
|
+
|
216
|
+
* Value type is <<string,string>>
|
217
|
+
* Default value is `"logstash"`
|
218
|
+
|
219
|
+
Session name to use when assuming an IAM role.
|
220
|
+
|
221
|
+
[id="plugins-{type}s-{plugin}-secret_access_key"]
|
222
|
+
===== `secret_access_key`
|
223
|
+
|
224
|
+
* Value type is <<string,string>>
|
225
|
+
* There is no default value for this setting.
|
226
|
+
|
227
|
+
The AWS Secret Access Key
|
228
|
+
|
229
|
+
[id="plugins-{type}s-{plugin}-session_token"]
|
230
|
+
===== `session_token`
|
231
|
+
|
232
|
+
* Value type is <<string,string>>
|
233
|
+
* There is no default value for this setting.
|
234
|
+
|
235
|
+
The AWS Session token for temporary credential
|
236
|
+
|
237
|
+
|
238
|
+
|
239
|
+
[id="plugins-{type}s-{plugin}-common-options"]
|
240
|
+
include::{include_path}/{type}.asciidoc[]
|
241
|
+
|
242
|
+
:default_codec!:
|
@@ -0,0 +1,84 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "logstash/codecs/base"
|
3
|
+
require "logstash/codecs/plain"
|
4
|
+
require "logstash/json"
|
5
|
+
|
6
|
+
# This codec will read cloudfront encoded content
|
7
|
+
class LogStash::Codecs::Cloudfront < LogStash::Codecs::Base
|
8
|
+
config_name "cloudfront"
|
9
|
+
|
10
|
+
|
11
|
+
# The character encoding used in this codec. Examples include "UTF-8" and
|
12
|
+
# "CP1252"
|
13
|
+
#
|
14
|
+
# JSON requires valid UTF-8 strings, but in some cases, software that
|
15
|
+
# emits JSON does so in another encoding (nxlog, for example). In
|
16
|
+
# weird cases like this, you can set the charset setting to the
|
17
|
+
# actual encoding of the text and logstash will convert it for you.
|
18
|
+
#
|
19
|
+
# For nxlog users, you'll want to set this to "CP1252"
|
20
|
+
config :charset, :validate => ::Encoding.name_list, :default => "UTF-8"
|
21
|
+
|
22
|
+
public
|
23
|
+
def initialize(params={})
|
24
|
+
super(params)
|
25
|
+
@converter = LogStash::Util::Charset.new(@charset)
|
26
|
+
@converter.logger = @logger
|
27
|
+
end
|
28
|
+
|
29
|
+
public
|
30
|
+
def decode(data)
|
31
|
+
begin
|
32
|
+
@gzip = Zlib::GzipReader.new(data)
|
33
|
+
|
34
|
+
metadata = extract_metadata(@gzip)
|
35
|
+
|
36
|
+
@logger.debug("Cloudfront: Extracting metadata", :metadata => metadata)
|
37
|
+
|
38
|
+
@gzip.each_line do |line|
|
39
|
+
yield create_event(line, metadata)
|
40
|
+
end
|
41
|
+
|
42
|
+
rescue Zlib::Error, Zlib::GzipFile::Error=> e
|
43
|
+
file = data.is_a?(String) ? data : data.class
|
44
|
+
|
45
|
+
@logger.error("Cloudfront codec: We cannot uncompress the gzip file", :filename => file)
|
46
|
+
raise e
|
47
|
+
end
|
48
|
+
end # def decode
|
49
|
+
|
50
|
+
public
|
51
|
+
def create_event(line, metadata)
|
52
|
+
event = LogStash::Event.new("message" => @converter.convert(line))
|
53
|
+
event.set("cloudfront_version", metadata["cloudfront_version"])
|
54
|
+
event.set("cloudfront_fields", metadata["cloudfront_fields"])
|
55
|
+
event
|
56
|
+
end
|
57
|
+
|
58
|
+
|
59
|
+
def extract_metadata(io)
|
60
|
+
version = extract_version(io.gets)
|
61
|
+
fields = extract_fields(io.gets)
|
62
|
+
|
63
|
+
return {
|
64
|
+
"cloudfront_version" => version,
|
65
|
+
"cloudfront_fields" => fields,
|
66
|
+
}
|
67
|
+
end
|
68
|
+
|
69
|
+
|
70
|
+
def extract_version(line)
|
71
|
+
if /^#Version: .+/.match(line)
|
72
|
+
junk, version = line.strip().split(/#Version: (.+)/)
|
73
|
+
version unless version.nil?
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
|
78
|
+
def extract_fields(line)
|
79
|
+
if /^#Fields: .+/.match(line)
|
80
|
+
junk, format = line.strip().split(/#Fields: (.+)/)
|
81
|
+
format unless format.nil?
|
82
|
+
end
|
83
|
+
end
|
84
|
+
end # class LogStash::Codecs::Cloudfront
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "logstash/codecs/base"
|
3
|
+
require "logstash/json"
|
4
|
+
require "logstash/util/charset"
|
5
|
+
|
6
|
+
# This is the base class for logstash codecs.
|
7
|
+
class LogStash::Codecs::CloudTrail < LogStash::Codecs::Base
|
8
|
+
config_name "cloudtrail"
|
9
|
+
|
10
|
+
config :charset, :validate => ::Encoding.name_list, :default => "UTF-8"
|
11
|
+
|
12
|
+
public
|
13
|
+
def register
|
14
|
+
@converter = LogStash::Util::Charset.new(@charset)
|
15
|
+
@converter.logger = @logger
|
16
|
+
end
|
17
|
+
|
18
|
+
public
|
19
|
+
def decode(data)
|
20
|
+
decoded = LogStash::Json.load(@converter.convert(data))
|
21
|
+
decoded['Records'].to_a.each do |event|
|
22
|
+
event['@timestamp'] = event.delete('eventTime')
|
23
|
+
|
24
|
+
if event["requestParameters"] && event['requestParameters'].has_key?("disableApiTermination")
|
25
|
+
if event['requestParameters']['disableApiTermination'].class != Hash
|
26
|
+
disableApiTermination = event['requestParameters'].delete('disableApiTermination')
|
27
|
+
event['requestParameters']['disableApiTermination']= {"value" => disableApiTermination}
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
substitute_invalid_ip_address(event)
|
32
|
+
|
33
|
+
yield LogStash::Event.new(event)
|
34
|
+
end
|
35
|
+
end # def decode
|
36
|
+
|
37
|
+
# Workaround for https://github.com/logstash-plugins/logstash-codec-cloudtrail/issues/20
|
38
|
+
# API calls from support will fill the sourceIpAddress with a hostname string instead of an ip
|
39
|
+
# address.
|
40
|
+
def substitute_invalid_ip_address(event)
|
41
|
+
source_ip_address = event["sourceIpAddress"]
|
42
|
+
if source_ip_address && source_ip_address !~ Resolv::IPv4::Regex && source_ip_address !~ Resolv::IPv6::Regex
|
43
|
+
event["sourceHost"] = event.delete("sourceIpAddress")
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
end # class LogStash::Codecs::CloudTrail
|