logstash-integration-logstash 0.0.1-java

data/docs/output-logstash.asciidoc

@@ -0,0 +1,271 @@
+:integration: logstash
+:plugin: logstash
+:type: output
+:no_codec:
+
+///////////////////////////////////////////
+START - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+:version: %VERSION%
+:release_date: %RELEASE_DATE%
+:changelog_url: %CHANGELOG_URL%
+:include_path: ../../../../logstash/docs/include
+///////////////////////////////////////////
+END - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+
+[id="plugins-{type}s-{plugin}"]
+
+=== Logstash output plugin
+
+include::{include_path}/plugin_header-integration.asciidoc[]
+
+==== Description
+
+Send events to a <<plugins-inputs-logstash>> in a pipeline that may be in another process or on another host.
+You must have a TCP route to the port on an interface that the downstream input is bound to.
+
+NOTE: Sending events to _any_ destination other than <<plugins-inputs-logstash>> is neither advised nor supported.
+      We will maintain cross-compatibility with any two supported versions of output/input pair and reserve the right to change details such as protocol and encoding.
+
+[id="plugins-{type}s-{plugin}-minimum-config"]
+===== Minimum Configuration
+[cols="2a,2a"]
+|=======================================================================================================================
+|SSL Enabled              |SSL Disabled
+
+|
+
+[source]
+----
+output {
+  logstash {
+    host => "10.0.0.123"
+    port => 8080
+  }
+}
+----
+
+|
+
+[source]
+----
+output {
+  logstash {
+    host => "10.0.0.123"
+    port => 8080
+    ssl_enabled
+         => false
+  }
+}
+----
+
+|=======================================================================================================================
+
+[id="plugins-{type}s-{plugin}-config-connecting"]
+===== Configuration Concepts
+
+This output plugin needs to be configured to connect to a <<plugins-inputs-logstash>> by specifying its <<plugins-{type}s-{plugin}-host>> and <<plugins-{type}s-{plugin}-port>>.
+Depending on the downstream plugin's configuration, you may need to also configure SSL and/or credentials.
+
+[id="plugins-{type}s-{plugin}-config-ssl-trust"]
+===== Security: SSL Trust
+
+When communicating over SSL, this plugin establishes trust of the server it connects to before transmitting credentials or events.
+
+It does so by ensuring that the server presents a currently-valid certificate with identity claims matching the <<plugins-{type}s-{plugin}-host>> we are configured to connect to, signed by a trusted signing authority, along with proof-of-possession of the associated private key material.
+
+The system trust store is used by default.
+You can provide an _alternate_ source of trust with _ONE OF_:
+
+* A PEM-formatted list of trusted certificate authorities (see <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>)
+* A PKCS12- or JKS-formatted truststore (see <<plugins-{type}s-{plugin}-ssl_truststore_path>>)
+
+[id="plugins-{type}s-{plugin}-config-ssl-identity"]
+===== Security: SSL Identity
+
+If the downstream input plugin is configured to request or require client authentication, you can configure this plugin to provide its proof-of-identity with _ONE OF_:
+
+* JKS- or PKCS12-formatted Keystore (see <<plugins-{type}s-{plugin}-ssl_keystore_path>>)
+* PKCS8-formatted Certificate/Key pair (see <<plugins-{type}s-{plugin}-ssl_certificate>>)
+
+[id="plugins-{type}s-{plugin}-config-credentials"]
+===== Security: Credentials
+
+If the downstream <<plugins-inputs-logstash>> is configured to require <<plugins-inputs-logstash-username>> and <<plugins-inputs-logstash-password>>,
+you will need to configure this output with a matching <<plugins-{type}s-{plugin}-username>> and <<plugins-{type}s-{plugin}-password>>.
+
+NOTE: when SSL is disabled, data and credentials will be transmitted in clear-text.
+
+[id="plugins-{type}s-{plugin}-options"]
+==== Logstash Output Configuration Options
+
+This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
+
+[cols="<,<,<",options="header",]
+|=======================================================================
+|Setting                            |Input type        |Required
+| <<plugins-{type}s-{plugin}-host>> |<<string,string>> |Yes
+| <<plugins-{type}s-{plugin}-password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-port>> |<<number,number>> |Yes
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_certificate>> | <<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |list of <<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_key>> | <<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_path>> | <<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_password>> | <<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_path>> | <<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_password>> | <<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_verification_mode>> | <<string,string>>, one of `["full", "none"]`|No
+| <<plugins-{type}s-{plugin}-username>> |<<string,string>>|No
+|=======================================================================
+
+Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
+output plugins.
+
+&nbsp;
+
+[id="plugins-{type}s-{plugin}-host"]
+===== `host`
+
+* Value type is a <<string,string>> ip address or hostname
+* There is no default value
+
+Specify which host to connect to by providing its ip address or resolvable hostname.
+
+NOTE: when using SSL, the server that responds must present a certificated with identity claim matching this host name or ip address.
+
+[id="plugins-{type}s-{plugin}-port"]
+===== `port`
+
+* Value type is a <<number,number>> port
+* There is no default value
+
+Specify which port to connect to.
+
+[id="plugins-{type}s-{plugin}-password"]
+===== `password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+* Required when <<plugins-{type}s-{plugin}-username>> is configured.
+
+Password for password-based authentication.
+
+When the downstream input plugin is configured with a `username` and `password`, you must also configure upstream outputs with a matching `username`/`password` pair.
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
+
+* Value type is <<boolean,boolean>>
+* Default value is `true`
+
+Logstash-to-Logstash communication is secured by default.
+When the downstream input plugin disables SSL, it must also be disabled here.
+
+You can disable SSL with `+ssl_enabled => false+`. When disabled, setting any `ssl_*` configuration causes configuration failure.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate"]
+===== `ssl_certificate`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+* When present, <<plugins-{type}s-{plugin}-ssl_key>> is also required.
+* Cannot be combined with configurations that disable SSL.
+
+Path to a PEM-encoded certificate or certificate chain with which to identify this plugin to connecting downstream input.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
+===== `ssl_certificate_authorities`
+
+* Value type is a <<path,path>>
+* There is no default value for this setting.
+* Cannot be combined with configurations that disable SSL.
+* Cannot be combined with <<plugins-{type}s-{plugin}-ssl_verification_mode, `+ssl_verification_mode => none+`>>.
+
+One or more PEM-encoded files defining certificate authorities for use in downstream input authentication.
+This setting can be used to _override_ the system trust store for verifying the SSL certificate presented by downstream input.
+
+[id="plugins-{type}s-{plugin}-ssl_key"]
+===== `ssl_key`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+* Required when connection identity is configured with <<plugins-{type}s-{plugin}-ssl_certificate>>
+* Cannot be combined with configurations that disable SSL.
+
+A path to an PEM-encoded _unencrypted_ PKCS8 SSL certificate key.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_path"]
+===== `ssl_keystore_path`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+* When present, <<plugins-{type}s-{plugin}-ssl_keystore_password>> is also required.
+* Cannot be combined with configurations that disable SSL.
+
+A path to a JKS- or PKCS12-formatted keystore with which to identify this plugin to the downstream input.
+The provided identity will be used if the downstream input enables <<plugins-{type}s-{plugin}-config-ssl-trust,SSL client authentication>>.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_password"]
+===== `ssl_keystore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+* Required when connection identity is configured with <<plugins-{type}s-{plugin}-ssl_keystore_path>>
+* Cannot be combined with configurations that disable SSL.
+
+Password for the <<plugins-{type}s-{plugin}-ssl_keystore_path>>
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_path"]
+===== `ssl_truststore_path`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+* When present, <<plugins-{type}s-{plugin}-ssl_truststore_path>> is also required.
+* Cannot be combined with configurations that disable SSL.
+* Cannot be combined with <<plugins-{type}s-{plugin}-ssl_verification_mode, `+ssl_verification_mode => none+`>>.
+
+A path to a JKS- or PKCS12-formatted truststore with which to validate the identity claims of the downstream input.
+The provided identity will be used if the downstream input enables <<plugins-{type}s-{plugin}-config-ssl-trust,SSL client authentication>>.
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_password"]
+===== `ssl_truststore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+* Required when connection identity is configured with <<plugins-{type}s-{plugin}-ssl_truststore_path>>
+* Cannot be combined with configurations that disable SSL.
+
+Password for the <<plugins-{type}s-{plugin}-ssl_truststore_path>>
+
+[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
+===== `ssl_verification_mode`
+
+* Value type is <<string,string>>
+* The supported modes are:
+** `full`: verifies that a certificate provided by the client has an identity claim matching <<plugins-{type}s-{plugin}-host>>, is signed by a trusted authority (CA), is within its valid date range, and that the client has possession of the associated key.
+** `none`: performs no validation of the presented certificate
+
+* The default value is `full`.
+* Cannot be combined with configurations that disable SSL.
+
+When communicating over SSL, this setting controls how the downstream input's certificate is verified.
+
+[id="plugins-{type}s-{plugin}-username"]
+===== `username`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+* When present, <<plugins-{type}s-{plugin}-password>> is also required.
+
+Username for password-based authentication.
+
+When the downstream input plugin is configured with a `username` and `password`, you must also configure upstream outputs with a matching `username`/`password` pair.
+
+NOTE: when SSL is disabled, credentials will be transmitted in clear-text.
+
+[id="plugins-{type}s-{plugin}-common-options"]
+include::{include_path}/{type}.asciidoc[]
+
+:default_codec!:

data/lib/logstash/inputs/logstash.rb

@@ -0,0 +1,185 @@
+# encoding: utf-8
+
+require 'logstash/inputs/base'
+require 'logstash/namespace'
+
+require "logstash/plugin_mixins/plugin_factory_support"
+
+require 'logstash/codecs/json_lines'
+
+class LogStash::Inputs::Logstash < LogStash::Inputs::Base
+  include LogStash::PluginMixins::PluginFactorySupport
+
+  config_name "logstash"
+
+  config :host,     :validate => :string,   :default => "0.0.0.0"
+  config :port,     :validate => :number,   :required => true
+
+  # optional username/password credentials
+  config :username, :validate => :string,   :required => false
+  config :password, :validate => :password, :required => false
+
+  config :ssl_enabled, :validate => :boolean, :default => true
+
+  # SSL:IDENTITY:SOURCE cert/key pair
+  config :ssl_certificate,    :validate => :path
+  config :ssl_key,            :validate => :path
+  config :ssl_key_passphrase, :validate => :password
+
+  # SSL:IDENTITY:SOURCE keystore
+  config :ssl_keystore_path,     :validate => :path
+  config :ssl_keystore_password, :validate => :password
+
+  # SSL:TRUST:CONFIG
+  config :ssl_client_authentication,   :validate => %w(none optional required), :default => 'none'
+
+  # SSL:TRUST:SOURCE ca file
+  config :ssl_certificate_authorities, :validate => :path, :list => true
+
+  # SSL:TUNING
+  config :ssl_handshake_timeout, :validate => :number, default: 10_000
+  config :ssl_cipher_suites, :validate => :string, :list => true
+  config :ssl_supported_protocols, :validate => :string, :list => true
+
+  def initialize(*a)
+    super
+
+    if original_params.include?('codec')
+      report_invalid_config! 'The `logstash` input does not have an externally-configurable `codec`'
+    end
+
+    logger.debug("initializing inner HTTP input plugin")
+    @internal_http = plugin_factory.input('http').new(inner_http_input_options)
+    logger.debug("inner HTTP input plugin has been initialized")
+  end
+
+  def register
+    logger.debug("registering inner HTTP input plugin")
+    @internal_http.register
+    logger.debug("inner HTTP input plugin has been registered")
+  end
+
+  def run(queue)
+    logger.debug("starting inner HTTP input plugin")
+    @internal_http.run(QueueWrapper.new(queue))
+    logger.debug("inner HTTP input plugin has exited normally")
+  rescue => e
+    logger.error("inner HTTP plugin has had an unrecoverable exception: #{e.message} at #{e.backtrace.first}")
+    raise
+  end
+
+  def stop
+    logger.debug("stopping inner HTTP input plugin")
+    @internal_http.stop
+    logger.debug('inner HTTP plugin has been stopped')
+  end
+
+  def close
+    logger.debug("closing inner HTTP input plugin")
+    @internal_http.close
+    logger.debug('inner HTTP plugin has been closed')
+  end
+
+  def inner_http_input_options
+    @_inner_http_input_options ||= begin
+      http_options = {
+        # directly-configurable
+        'host' => @host,
+        'port' => @port,
+
+        # non-configurable codec
+        'codec' => plugin_factory.codec('json_lines').new(inner_json_lines_codec_options),
+        'additional_codecs' => {},
+        'response_headers' => { 'Accept' => 'application/x-ndjson' },
+
+        # enrichment avoidance
+        'ecs_compatibility'            => 'disabled',
+        'remote_host_target_field'     => '[@metadata][void]',
+        'request_headers_target_field' => '[@metadata][void]',
+      }
+
+      if @username
+        http_options['user'] = @username
+        http_options['password'] = @password || report_invalid_config!('`password` is REQUIRED when `username` is provided')
+        logger.warn("transmitting credentials over non-secured connection") if @ssl_enabled == false
+      elsif @password
+        report_invalid_config!('`password` not allowed unless `username` is configured')
+      end
+
+      if @ssl_enabled == false
+        rejected_ssl_settings = @original_params.keys.select { |k| k.start_with?('ssl_') } - %w(ssl_enabled)
+        report_invalid_config!("Explicit SSL-related settings not supported because `ssl_enabled => false`: #{rejected_ssl_settings}") if rejected_ssl_settings.any?
+      else
+        http_options['ssl_enabled'] = true
+
+        http_options['ssl_cipher_suites'] = @ssl_cipher_suites if @original_params.include?('ssl_cipher_suites')
+        http_options['ssl_supported_protocols'] = @ssl_supported_protocols if @original_params.include?('ssl_supported_protocols')
+        http_options['ssl_handshake_timeout'] = @ssl_handshake_timeout
+
+        http_options.merge!(ssl_identity_options)
+        http_options.merge!(ssl_trust_options)
+      end
+
+      http_options
+    end
+  end
+
+  def ssl_identity_options
+    {}.tap do |identity_options|
+      if @ssl_certificate && @ssl_keystore_path
+        report_invalid_config!('SSL identity can be configured with EITHER `ssl_certificate` OR `ssl_keystore_*`, but not both')
+      elsif @ssl_certificate
+        identity_options['ssl_certificate'] = @ssl_certificate
+        identity_options['ssl_key'] = @ssl_key || report_invalid_config!('`ssl_key` is required when `ssl_certificate` is configured')
+        identity_options['ssl_key_passphrase'] = @ssl_key_passphrase unless @ssl_key_passphrase.nil?
+      elsif @ssl_key
+        report_invalid_config!('`ssl_key` is not allowed unless `ssl_certificate` is configured')
+      elsif @ssl_key_passphrase
+        report_invalid_config!('`ssl_key_passphrase` is not allowed unless `ssl_key` is configured')
+      elsif @ssl_keystore_path
+        identity_options['ssl_keystore_path'] = @ssl_keystore_path
+        identity_options['ssl_keystore_password'] = @ssl_keystore_password || report_invalid_config!('`ssl_keystore_password` is REQUIRED when `ssl_keystore_path` is configured')
+      elsif @ssl_keystore_password
+        report_invalid_config!('`ssl_keystore_password` is not allowed unless `ssl_keystore_path` is configured')
+      else
+        report_invalid_config!('SSL identity MUST be configured with either `ssl_certificate`/`ssl_key` or `ssl_keystore_*`')
+      end
+    end
+  end
+
+  def ssl_trust_options
+    {
+      'ssl_client_authentication' => @ssl_client_authentication,
+    }.tap do |trust_options|
+      if @ssl_certificate_authorities&.any?
+        if @ssl_client_authentication == 'none'
+          report_invalid_config!('`ssl_certificate_authorities` is not supported because `ssl_client_authentication => none`')
+        end
+
+        trust_options['ssl_certificate_authorities'] = @ssl_certificate_authorities
+      end
+    end
+  end
+
+  def inner_json_lines_codec_options
+    @_inner_json_lines_codec_options ||= {
+      # enrichment avoidance
+      'ecs_compatibility' => 'disabled',
+    }
+  end
+
+  def report_invalid_config!(message)
+    fail(LogStash::ConfigurationError, message)
+  end
+
+  class QueueWrapper
+    def initialize(wrapped_queue)
+      @wrapped_queue = wrapped_queue
+    end
+
+    def << (event)
+      event.remove('[@metadata][void]')
+      @wrapped_queue << event
+    end
+  end
+end

data/lib/logstash/outputs/logstash.rb

@@ -0,0 +1,162 @@
+# encoding: utf-8
+
+require 'logstash/outputs/base'
+require 'logstash/namespace'
+
+require "logstash/plugin_mixins/plugin_factory_support"
+
+class LogStash::Outputs::Logstash < LogStash::Outputs::Base
+  include LogStash::PluginMixins::PluginFactorySupport
+
+  config_name "logstash"
+
+  config :host,     :validate => :string,   :required => true
+  config :port,     :validate => :number,   :required => true
+
+  # optional username/password credentials
+  config :username, :validate => :string,   :required => false
+  config :password, :validate => :password, :required => false
+
+  config :ssl_enabled,                 :validate => :boolean, :default => true
+
+  # SSL:IDENTITY:SOURCE cert/key pair
+  config :ssl_certificate,             :validate => :path
+  config :ssl_key,                     :validate => :path
+
+  # SSL:IDENTITY:SOURCE keystore
+  config :ssl_keystore_path,           :validate => :path
+  config :ssl_keystore_password,       :validate => :password
+
+  # SSL:TRUST:CONFIG
+  config :ssl_verification_mode,       :validate => %w(full none), :default => 'full'
+
+  # SSL:TRUST:SOURCE ca file
+  config :ssl_certificate_authorities, :validate => :path,         :list => true
+
+  # SSL:TRUST:SOURCE truststore
+  config :ssl_truststore_path,         :validate => :path
+  config :ssl_truststore_password,     :validate => :password
+
+  # SSL:TUNING
+  config :ssl_supported_protocols, :validate => :string, :list => true
+
+  def initialize(*a)
+    super
+
+    if original_params.include?('codec')
+      fail LogStash::ConfigurationError, 'The `logstash` output does not have an externally-configurable `codec`'
+    end
+
+    if @ssl_certificate_authorities && @ssl_certificate_authorities.size > 1
+      fail LogStash::ConfigurationError, 'The `logstash` output supports at most one `ssl_certificate_authorities` path'
+    end
+
+    logger.debug("initializing inner HTTP output plugin")
+    @internal_http = plugin_factory.output('http').new(inner_http_output_options)
+    logger.debug("inner HTTP output plugin has been initialized")
+  end
+
+  def register
+    logger.debug("registering inner HTTP output plugin")
+    @internal_http.register
+    logger.debug("inner HTTP output plugin has been registered")
+  end
+
+  def multi_receive(events)
+    return if events.empty?
+    logger.trace("proxying #{events.size} events to inner HTTP plugin")
+    @internal_http.multi_receive(events)
+  rescue => e
+    logger.error("inner HTTP plugin has had an unrecoverable exception: #{e.message} at #{e.backtrace.first}")
+    raise
+  end
+
+  def stop
+    logger.debug("stopping inner HTTP output plugin")
+    @internal_http.stop
+    logger.debug('inner HTTP output plugin has been stopped')
+  end
+
+  def close
+    logger.debug("closing inner HTTP output plugin")
+    @internal_http.close
+    logger.debug('inner HTTP output plugin has been closed')
+  end
+
+  def inner_http_output_options
+    @_inner_http_output_options ||= begin
+      http_options = {
+        'url' => "#{@ssl_enabled ? 'https' : 'http'}://#{@host}:#{@port}",
+        'http_method'          => 'post',
+        'retry_non_idempotent' => 'true',
+
+        # non-configurable codec
+        'content_type' => 'application/x-ndjson',
+        'format'       => 'json_batch',
+      }
+
+      if @username
+        http_options['user'] = @username
+        http_options['password'] = @password || fail(LogStash::ConfigurationError, '`password` is REQUIRED when `username` is provided')
+        logger.warn("transmitting credentials over non-secured connection") if @ssl_enabled == false
+      elsif @password
+        fail(LogStash::ConfigurationError, '`password` not allowed unless `username` is configured')
+      end
+
+      if @ssl_enabled == false
+        rejected_ssl_settings = @original_params.keys.select { |k| k.start_with?('ssl_') } - %w(ssl_enabled)
+        fail(LogStash::ConfigurationError, "Explicit SSL-related settings not supported because `ssl_enabled => false`: #{rejected_ssl_settings}") if rejected_ssl_settings.any?
+      else
+        http_options['ssl_supported_protocols'] = @ssl_supported_protocols if @original_params.include?('ssl_supported_protocols')
+
+        http_options.merge!(ssl_identity_options)
+        http_options.merge!(ssl_trust_options)
+      end
+
+      http_options
+    end
+  end
+
+  def ssl_identity_options
+    if @ssl_certificate && @ssl_keystore_path
+      fail(LogStash::ConfigurationError, 'SSL identity can be configured with EITHER `ssl_certificate` OR `ssl_keystore_*`, but not both')
+    elsif @ssl_certificate
+      return {
+        'ssl_certificate' => @ssl_certificate,
+        'ssl_key'  => @ssl_key || fail(LogStash::ConfigurationError, "`ssl_key` is REQUIRED when `ssl_certificate` is provided"),
+      }
+    elsif @ssl_key
+      fail(LogStash::ConfigurationError, '`ssl_key` is not allowed unless `ssl_certificate` is configured')
+    elsif @ssl_keystore_path
+      return {
+        'ssl_keystore_path' => @ssl_keystore_path,
+        'ssl_keystore_password' => @ssl_keystore_password || fail(LogStash::ConfigurationError, "`ssl_keystore_password` is REQUIRED when `ssl_keystore_path` is provided"),
+      }
+    elsif @ssl_keystore_password
+      fail(LogStash::ConfigurationError, "`ssl_keystore_password` is not allowed unless `ssl_keystore_path` is configured")
+    else
+      return {}
+    end
+  end
+
+  def ssl_trust_options
+    {
+      'ssl_verification_mode' => @ssl_verification_mode,
+    }.tap do |trust_options|
+      if @ssl_certificate_authorities&.any? && @ssl_truststore_path
+        fail(LogStash::ConfigurationError, 'SSL trust can be configured with EITHER `ssl_certificate_authorities` OR `ssl_truststore_*`, but not both')
+      elsif @ssl_certificate_authorities&.any?
+        fail(LogStash::ConfigurationError, 'SSL Certificate Authorities cannot be configured when `ssl_verification_mode => none`') if @ssl_verification_mode == 'none'
+
+        trust_options['ssl_certificate_authorities'] = @ssl_certificate_authorities.first
+      elsif @ssl_truststore_path
+        fail(LogStash::ConfigurationError, 'SSL Truststore cannot be configured when `ssl_verification_mode => none`') if @ssl_verification_mode == 'none'
+
+        trust_options['ssl_truststore_path'] = @ssl_truststore_path
+        trust_options['ssl_truststore_password'] = @ssl_truststore_password || fail(LogStash::ConfigurationError, '`ssl_truststore_password` is REQUIRED when `ssl_truststore_path` is provided')
+      elsif @ssl_truststore_password
+        fail(LogStash::ConfigurationError, '`ssl_truststore_password` not allowed unless `ssl_truststore_path` is configured')
+      end
+    end
+  end
+end

data/logstash-integration-logstash.gemspec

@@ -0,0 +1,36 @@
+INTEGRATION_LOGSTASH_VERSION = File.read(File.expand_path(File.join(File.dirname(__FILE__), "VERSION"))).strip unless defined?(INTEGRATION_LOGSTASH_VERSION)
+
+Gem::Specification.new do |s|
+  s.name            = "logstash-integration-logstash"
+  s.version         = INTEGRATION_LOGSTASH_VERSION
+  s.licenses        = ["Apache-2.0"]
+  s.summary         = "Collection of Logstash plugins that enable sending events from one Logstash pipeline to another"
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.authors         = ["Elastic"]
+  s.email           = "info@elastic.co"
+  s.homepage        = "https://www.elastic.co/logstash"
+  s.platform        = "java"
+  s.metadata        = {
+    "logstash_plugin" => "true",
+    "logstash_group" => "integration",
+    "integration_plugins" => %w(
+      logstash-input-logstash
+      logstash-output-logstash
+    ).join(",")
+  }
+
+  s.require_paths   = %w[lib vendor/jar-dependencies]
+  s.files           = Dir["lib/**/*","spec/**/*","*.gemspec","*.md","CONTRIBUTORS","Gemfile","LICENSE","NOTICE.TXT", "VERSION", "docs/**/*", "vendor/jar-dependencies/**/*.jar", "vendor/jar-dependencies/**/*.rb"]
+  s.test_files      = s.files.grep(%r{^(test|spec|features)/})
+
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 2.1.12", "<= 2.99"
+  s.add_runtime_dependency "logstash-mixin-plugin_factory_support", "~> 1.0"
+  s.add_runtime_dependency "logstash-codec-json_lines", "~> 3.1"
+
+  s.add_runtime_dependency "logstash-input-http", ">= 3.7.0"  # some params not available in older versions because they are renamed, such as `cacert` to `ssl_certificate_authorities`
+  s.add_runtime_dependency "logstash-output-http", ">= 5.6.0"
+
+  s.add_development_dependency "logstash-devutils"
+  s.add_development_dependency "rspec-collection_matchers"
+  s.add_development_dependency "random-port"
+end