logstash_auditor 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1e0fd6676dbd7bd6b2049f89f663176671632706
-  data.tar.gz: b595f455e1be70f9794aabfe557fde24f52c821b
+  metadata.gz: 2ab15fbb437df572cc228b13e35469d7a2800946
+  data.tar.gz: c8078a1bfc77a5c22d55f8ab544831392d3a3799
 SHA512:
-  metadata.gz: 43bdd4f0b32ed2eb4ec328ce9705724cc77ea640adb8e337a4afcd2328982459c28a697fc1baddbea5282ad1b4c51a1a575b5e2ca81f06594ad6902352814722
-  data.tar.gz: a1fc333997aac59cae05e55b35cd5afaccc1b657df3d5033c7188b3cc55bae2caa4853aaa0937b939f331913010c4691d374cf60c778eafbfc293247d8475547
+  metadata.gz: cce478ec437587c1a5bcff5214f96e52bd207037289fb21d01402a4f0a781200bb62647d09b693ad08c65e61ba68a9b3ce288519d9ddc0305c3f3f08cc95ca0f
+  data.tar.gz: e961399424d11bc91aad6b8216e2deed082148179f31b8d87f7a404f5b9709294d074380247e703652e5f0d52789667630e7e461714ca5015e11a9ed62cbbcef

data/README.md

@@ -17,11 +17,15 @@ gem 'logstash_auditor'
 
 And then execute:
 
-    $ bundle
+```bash
+  bundle
+```
 
 Or install it yourself as:
 
-    $ gem install logstash_auditor
+```bash
+  gem install logstash_auditor
+  ```
 
 ## Configuration of Logstash Server
 
@@ -34,27 +38,42 @@ Behavioural driven testing can be performed by testing against a local ELK docke
 
 First you need to generate the certificates needed for authenticating the client to the server and the server itself.
 
-    $ ./spec/support/certificates/setup_certificates_for_logstash_testing.sh
+```bash
+  ./spec/support/certificates/setup_certificates_for_logstash_testing.sh
+```
 
 Start a docker container with the ELK stack:
 
-    $ docker run -d --name elk_test_service -v $(pwd)/spec/support/logstash_conf.d:/etc/logstash/conf.d -v $(pwd)/spec/support/certificates:/etc/logstash/certs -p 9300:9300 -p 9200:9200 -p 5000:5000 -p 5044:5044 -p 5601:5601 -p 8081:8080 sebp/elk
+```bash
+  docker run -d --name elk_test_service -v $(pwd)/spec/support/logstash_conf.d:/etc/logstash/conf.d -v $(pwd)/spec/support/certificates:/etc/logstash/certs -p 9300:9300 -p 9200:9200 -p 5000:5000 -p 5044:5044 -p 5601:5601 -p 8081:8080 sebp/elk:es234_l234_k453
+```
 
 Wait about 30 seconds for image to fire up. Then perform the tests:
 
-    $ bundle exec rspec -cfd spec/*
+```bash
+  bundle exec rspec -cfd spec/*
+```
 
 Note that in order to ensure that the processing has occurred on Elastic Search
 there is a 2 second delay between each event submission request and the search request
 
 Debugging the docker image:
-    $ docker exec -it elk_test_service bash
-    $ docker stop elk_test_service
-    $ docker rm -f elk_test_service
+```bash
+  docker exec -it elk_test_service bash
+  docker stop elk_test_service
+  docker rm -f elk_test_service
+```
 
 Manual sending of an audit event to docker ELK stack:
+```bash
+  curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:8081 -d "message=soar_logstash_test" --insecure
+```
 
-    $ curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:8081 -d "message=soar_logstash_test" --insecure
+View the audit events created on the Kibana interface:
+
+```bash
+  http://localhost:5601/app/kibana#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-15m,mode:quick,to:now))&_a=(columns:!(_source),index:'*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'*')),sort:!('@timestamp',desc))
+```
 
 ## Usage
 

data/lib/logstash_auditor/auditor.rb

@@ -10,6 +10,11 @@ module LogstashAuditor
       certificate_auth_configuration_valid?(configuration)
     end
 
+    #inversion of control method required by the AuditorAPI
+    def prefer_direct_call?
+      false
+    end
+
     #inversion of control method required by the AuditorAPI
     def audit(audit_data)
       request = create_request(audit_data)

data/lib/logstash_auditor/version.rb

@@ -1,3 +1,3 @@
 module LogstashAuditor
-  VERSION = "1.0.1"
+  VERSION = "1.1.0"
 end

data/logstash_auditor.gemspec

@@ -27,6 +27,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "soar_auditing_format", "~> 0.0.5"
 
   spec.add_dependency "http", "~> 2"
-  spec.add_dependency "soar_auditor_api", "~> 0.0.12"
+  spec.add_dependency "soar_auditor_api", "~> 1.0"
 
 end

data/sanity/Gemfile

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
 
-gem 'logstash_auditor', "~> 1.0.1"
+gem 'logstash_auditor', path: '../'
 gem "soar_auditing_format", "~> 0.0.5"

data/sanity/sanity.rb

@@ -16,6 +16,12 @@ class Main
     my_optional_operation_field = SoarAuditingFormatter::Formatter.optional_field_format("operation", "Http.Get")
     my_optional_method_name_field = SoarAuditingFormatter::Formatter.optional_field_format("method", "#{self.class}::#{__method__}::#{__LINE__}")
     @iut.debug(SoarAuditingFormatter::Formatter.format(:debug,'my-sanity-service-id',SecureRandom.hex(32),Time.now.iso8601(3),"#{my_optional_method_name_field}#{my_optional_operation_field} test message with optional fields"))
+
+    my_optional_analytics_field = SoarAuditingFormatter::Formatter.optional_field_format("soar_time_value", rand() * 10)
+    @iut.debug(SoarAuditingFormatter::Formatter.format(:debug,'my-sanity-service-id',SecureRandom.hex(32),Time.now.iso8601(3),"#{my_optional_analytics_field}test message with analytics field"))
+
+    @iut.debug(SoarAuditingFormatter::Formatter.format(:debug,'my-sanity-service-id',SecureRandom.hex(32),Time.now.iso8601(3),"test message without analytics field"))
+
   end
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash_auditor
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Barney de Villiers
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-09-02 00:00:00.000000000 Z
+date: 2017-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.12
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.12
+        version: '1.0'
 description: Logstash implementation of SOAR architecture auditing allowing easy publishing
   of events to a centralized logstash collection engine
 email:
@@ -134,7 +134,6 @@ files:
 - ".rspec"
 - ".ruby-gemset"
 - ".ruby-version"
-- ".travis.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -169,7 +168,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Logstash implementation of SOAR architecture auditing

data/.travis.yml

@@ -1,4 +0,0 @@
-language: ruby
-rvm:
-  - 2.2.2
-before_install: gem install bundler -v 1.11.2