logstash-output-loginsight 0.1.13

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ef32e65e47b9329686f03a7200debf3a4af7a1e0
+  data.tar.gz: fcb94b9a3495ad68de22ddedb2860330588a7404
+SHA512:
+  metadata.gz: f34e1b3a95651db377f134c88054186c9366ba23de94d6782e9b2cae9874f7c644e9f31541b8a3a71d51f7cbaa67df4e3b5329a12d8950d4fd669fff36eb7d06
+  data.tar.gz: dc8a429b68d009fdb582a8c7b8dc88868260061fa42475998b9d06c45a34b0e07eb336f818c1ca4e8faa3a5a727941c71edd544a337ef9f475f3064c4c427025

data/CHANGELOG.md

@@ -0,0 +1,2 @@
+## 0.1.0
+  - Plugin created with the logstash plugin generator

data/CONTRIBUTORS

@@ -0,0 +1,10 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Alan Castonguay - acastonguay@vmware.com
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,82 @@
+# logstash-output-loginsight
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash), sending events to [VMware vRealize Log Insight](https://www.vmware.com/support/pubs/log-insight-pubs.html)
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+bin/logstash-plugin install --no-verify
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory. Or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-output-loginsight.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/logstash-plugin install /your/local/plugin/logstash-filter-loginsight.gem
+```
+- Start Logstash and proceed to test the plugin
+```sh
+bin/logstash -e 'input { stdin { add_field => { "fieldname" => "10" } } } output { loginsight { host => "10.11.12.13" } }' --log.level=debug
+```
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.

data/lib/logstash/outputs/loginsight.rb

@@ -0,0 +1,127 @@
+# encoding: utf-8
+require "logstash/outputs/base"
+require "logstash/namespace"
+require "stud/buffer"
+require "manticore"
+#require "logstash/agent"
+
+# An output plugin that sends events to a VMware vRealize Log Insight cluster.
+class LogStash::Outputs::Loginsight < LogStash::Outputs::Base
+  include Stud::Buffer
+
+  config_name "loginsight"
+
+  config :host, :validate => :string, :required => true
+  config :port, :validate => :number, :default => 9000
+  config :proto, :validate => :string, :default => "http"
+  config :uuid, :validate => :string, :default => nil
+
+  config :flush_size, :validate => :number, :default => 100
+  config :idle_flush_time, :validate => :number, :default => 1
+
+  # Fields that will be renamed or dropped.
+  config :adjusted_fields, :validate => :hash, :default => {
+    "hostname" => "host",  # unlikely to be present, preserve anyway
+    "host" => "hostname",  # desired change
+    "@version" => nil,  # drop
+    "@timestamp" => nil,  # drop, already mapped to "timestamp" in event_hash
+    "message" => nil,  # drop, already mapped to "text" in event_hash
+  }
+
+  concurrency :single
+
+  public
+  def register
+    @uuid ||= ( @id or 0 )  # Default UUID
+    @logger.debug("Starting up agent #{@uuid}")
+    @url = "#{@proto}://#{@host}:#{@port}/api/v1/events/ingest/#{@uuid}"
+    
+    @client = Manticore::Client.new(headers: {"Content-Type" => "application/json"})
+
+    #@client.use_ssl = true
+    #@client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    @logger.debug("Client", :client => @client)
+    
+    buffer_initialize(
+      :max_items => @flush_size,
+      :max_interval => @idle_flush_time,
+      :logger => @logger
+    )
+  end # def register
+
+  public
+  def receive(event)
+    @logger.debug("Event received", :event => event)
+    buffer_receive(event)
+  end # def receive
+
+  public
+  def flush(events, database, teardown = false)
+    @logger.debug? and @logger.debug("Flushing #{events.size} events - Teardown? #{teardown}")
+    
+    post(cfapi(events))
+  end
+
+  def timestamp_in_milliseconds(timestamp)
+    return (timestamp.to_f * 1000).to_i
+  end
+
+  # Frame the events in the hash-array structure required by Log Insight
+  def cfapi(events)
+    messages = []
+
+    # For each event
+    events.each do |event|
+      # Create an outbound event; this can be serialized to json and sent
+      event_hash = {
+        "timestamp" => timestamp_in_milliseconds(event.get("@timestamp")),
+        "text" => (event.get("message") or ""),
+      }
+
+      # Map fields from the event to the desired form
+      event_hash["fields"] = merge_hash(event.to_hash)
+        .reject { |key,value| @adjusted_fields.has_key?(key) and @adjusted_fields[key] == nil }  # drop banned fields
+        .map {|k,v| [ @adjusted_fields.has_key?(k) ? @adjusted_fields[k] : k,v] }  # rename fields
+        .map {|k,v| { "name" => (k), "content" => v } }  # Convert a hashmap {k=>v, k2=>v2} to a list [{name=>k, content=>v}, {name=>k2, content=>v2}]
+
+        messages.push(event_hash)
+    end # events.each do
+
+    return { "events" => messages }  # Framing required by CFAPI.
+  end # def flush
+
+  # Return a copy of the fieldname with non-alphanumeric characters removed.
+  def safefield(fieldname)
+    fieldname.gsub(/[^a-zA-Z0-9\_]/, '')  # TODO: Correct pattern for a valid fieldname. Must deny leading numbers.
+  end
+
+  def post(messages)
+    @logger.debug("post(body)", :messages => messages)
+    
+    body = LogStash::Json.dump(messages)
+    @logger.debug("json-dump", :body => body)
+    
+    @logger.debug("attempting connection", :url => @url)
+    response = @client.post!(@url, :body => body)
+    @logger.debug("result", :response => response)
+
+  end # def post
+
+  # Recursively merge a nested dictionary into a flat dictionary with dotted keys.
+  def merge_hash(hash, prelude = nil)
+    hash.reduce({}) do |acc, kv|
+      k, v = kv
+      generated_key = prelude ? "#{prelude}_#{k}" : k.to_s
+      #puts("Generated key #{generated_key}")
+      if v.is_a?(Hash)
+        acc.merge!(merge_hash(v, generated_key))
+      elsif v.is_a?(Array)
+        acc[generated_key] = v.to_s
+      else
+        acc[generated_key] = v
+      end
+      acc
+    end
+  end
+
+end # class LogStash::Outputs::Loginsight

data/logstash-output-loginsight.gemspec

@@ -0,0 +1,25 @@
+Gem::Specification.new do |s|
+  s.name          = 'logstash-output-loginsight'
+  s.version       = '0.1.13'
+  s.licenses      = ['Apache-2.0']
+  s.summary       = 'Output events to a Log Insight server. This uses the Ingestion API protocol.'
+  s.description   = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-output-loginsight. This gem is not a stand-alone program.'
+  s.homepage      = 'https://github.com/alanjcastonguay/logstash-output-loginsight'
+  s.authors       = ['Alan Castonguay']
+  s.email         = 'acastonguay@vmware.com'
+  s.require_paths = ['lib']
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "output" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency "manticore", "~> 0.6", ">= 0.6.0"
+
+  s.add_development_dependency "logstash-devutils", "~> 0", ">= 1.3.1"
+end

data/spec/outputs/loginsight_spec.rb

@@ -0,0 +1,146 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/outputs/loginsight"
+require "logstash/codecs/plain"
+require "logstash/event"
+
+describe LogStash::Outputs::Loginsight do
+  
+  let(:epoch123) { "1970-01-01T00:00:00.123Z" }
+  let(:port) { 9543 }
+  let(:server) { subject.socket }
+  let(:sample_event) { LogStash::Event.new }
+
+  describe "safefield" do
+    let(:safefield) { LogStash::Outputs::Loginsight.new("host" => "localhost").send(:safefield, proposed) }
+    context "a simple name" do
+      let(:proposed) { "simple" }
+      it "should do nothing" do
+        expect(safefield).to eql("simple")
+      end
+    end
+
+    context "special characters" do
+      let(:proposed) { "a!_@{$%^&*()}[]|\\/.,;:'`~b" }
+      it "should be stripped" do
+        expect(safefield).to eql("a_b")
+      end
+    end
+
+    context "a name with spaces" do
+      let(:proposed) { "a name with spaces" }
+      it "should strip spaces" do
+        expect(safefield).to eql("anamewithspaces")
+      end
+    end
+
+    context "a name starting with a @" do
+      let(:proposed) { "@abc" }
+      it "should strip the @" do
+        expect(safefield).to eql("abc")
+      end
+    end
+    
+    # TODO: Test for a fieldname starting with a number or underscore
+  end
+
+  describe "dotify" do
+    let(:event) { LogStash::Event.new() }
+    let(:merged) { LogStash::Outputs::Loginsight.new("host" => "localhost").send(:merge_hash, hash) }
+
+    context "a simple hash" do
+      let(:hash) { {:a => 2, 5 => 4} }
+      it "should do nothing more than stringify the keys" do
+        expect(merged).to eql("a" => 2, "5" => 4)
+      end
+    end
+
+    context "a complex hash" do
+      let(:hash) { {:a => 2, :b => {:c => 3, :d => 4, :e => {:f => 5}}} }
+      it "should dottify correctly" do
+        expect(merged).to eql({"a" => 2, "b_c" => 3, "b_d" => 4, "b_e_f" => 5})
+      end
+    end
+  end
+
+  describe "timestamp" do
+    let(:t_in_ms) { LogStash::Outputs::Loginsight.new("host" => "localhost").send(:timestamp_in_milliseconds, ts) }
+    context "0.123Z in milliseconds" do
+      let(:ts) { LogStash::Timestamp.new("1970-01-01T00:00:00.123Z") }
+      it "should be 123" do
+        expect(t_in_ms).to eql(123)
+      end
+    end
+  end
+
+  describe "simple cfapi with" do
+    let(:cfapi) { LogStash::Outputs::Loginsight.new("host" => "localhost").send(:cfapi, events) }
+
+    context "no events" do
+      let(:events) { [] }
+      it "should produce an empty list of events" do
+        expect(cfapi).to eql({"events" => []})
+      end
+    end
+
+    context "two events with no content" do
+      let(:events) { [LogStash::Event.new, LogStash::Event.new] }
+      it "should have an events key with a list of two" do
+        expect(cfapi).to have_key("events")
+        expect((cfapi)["events"].size).to eq(2)
+      end
+    end
+
+    context "an event with no content" do
+      let(:events) { [LogStash::Event.new] }
+      it "should have an events key with a non-empty list" do
+        expect(cfapi).to have_key("events")
+        expect((cfapi)["events"]).not_to be_empty
+      end
+    end
+
+    context "an empty event" do
+      let(:events) { [LogStash::Event.new] }
+      let(:subject) { (cfapi)["events"][0] }
+      it "should have a timestamp" do
+        expect(subject).to have_key("timestamp")
+        expect(subject["timestamp"]).not_to be_zero
+      end
+      it "should have an empty text string" do
+        expect(subject).to have_key("text")
+        expect(subject["text"]).to match("")
+      end
+      it "should have an empty field list" do
+        expect(subject).to have_key("fields")
+        expect(subject["fields"]).to be_kind_of(Array)
+        expect(subject["fields"]).to eql([])
+      end
+    end
+  end  # simple cfapi with
+
+  describe "complex cfapi with" do
+    let(:cfapi) { LogStash::Outputs::Loginsight.new("host" => "localhost").send(:cfapi, events) }
+
+    context "only fields" do
+      let(:events) { [LogStash::Event.new("@timestamp"=>epoch123, "@version"=>1, "bar"=>"baz")] }
+      it "should produce a populated dict" do
+        expect(cfapi).to eql({"events" => [{"timestamp"=>123, "text"=>"", "fields"=>[{"name"=>"bar", "content"=>"baz"}]}]})
+      end
+    end
+
+    context "a populated event" do
+      let(:events) { [LogStash::Event.new("@timestamp"=>epoch123, "@version"=>1, "message"=>"foo", "bar"=>"baz")] }
+      it "should produce a populated dict" do
+        expect(cfapi).to eql({"events" => [{"timestamp"=>123, "text"=>"foo", "fields"=>[{"name"=>"bar", "content"=>"baz"}]}]})
+      end
+    end
+
+    context "a nested keyed event" do
+      let(:events) { [LogStash::Event.new("@timestamp"=>epoch123, "@version"=>1, "message"=>"foo", "bar"=>{"baz"=>"awesome"})] }
+      it "should produce an awesome dict" do
+        expect(cfapi).to eql({"events" => [{"timestamp"=>123, "text"=>"foo", "fields"=>[{"name"=>"bar_baz", "content"=>"awesome"}]}]})
+      end
+    end
+  end  # complex cfapi with
+
+end

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: logstash-output-loginsight
+version: !ruby/object:Gem::Version
+  version: 0.1.13
+platform: ruby
+authors:
+- Alan Castonguay
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2017-03-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+  name: manticore
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-output-loginsight. This gem is not a stand-alone program.
+email: acastonguay@vmware.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/outputs/loginsight.rb
+- logstash-output-loginsight.gemspec
+- spec/outputs/loginsight_spec.rb
+homepage: https://github.com/alanjcastonguay/logstash-output-loginsight
+licenses:
+- Apache-2.0
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: output
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.8
+signing_key:
+specification_version: 4
+summary: Output events to a Log Insight server. This uses the Ingestion API protocol.
+test_files:
+- spec/outputs/loginsight_spec.rb