Class: LogStash::Filters::Webookup

Inherits:
Base
  • Object
Defined in:
lib/logstash/filters/weblookup.rb

Constant Summary collapse

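# Options meant for the HTTP client used by the lookups.
# Frozen so the shared constant cannot be modified at runtime.
# NOTE(review): the only use visible on this page passes this hash to
# Addressable::URI#merge! in register. keep_alive_timeout is not a URI
# component, so the timeout presumably never reaches Net::HTTP. Confirm.
HTTP_OPTIONS = {
    keep_alive_timeout: 300
}.freeze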

Instance Method Summary collapse

Instance Method Details

#filter(event) ⇒ Object

def register



# File 'lib/logstash/filters/weblookup.rb', line 98

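# Enriches +event+ with the result of a lookup for each configured field.
#
# When the first destination is the literal "srcdst", fields[0] and fields[1]
# are looked up as a source/destination pair and srcnet, srchost, dstnet and
# dsthost are written to the event. Otherwise every field is looked up on its
# own and the result is stored under the destination with the same index.
#
# The field values come from the event (log data) and the lookup result is
# stored exactly as parse returns it; nothing in this method validates either.
#
# @param event [Object] event exposing get, set and remove
# @return [Object] whatever filter_matched returns
def filter(event)
    if destinations[0] == "srcdst"
        # to_s turns a missing field (nil) into "" before the lookup.
        src = parse(event.get(fields[0]).to_s)
        dst = parse(event.get(fields[1]).to_s)
        # NOTE(review): unlike the per-field branch below, nothing is rescued
        # here, so a failing lookup raises out of filter. Confirm this is intended.
        srcdst = { :srcnet => src["netname"], :srchost => src["hostname"], :dstnet => dst["netname"], :dsthost => dst["hostname"] }
        # The hash is written to a temporary field, copied key by key to the
        # event root, and the temporary field is then removed.
        event.set("srcdst", srcdst)
        event.get("[srcdst]").each { |k, v| event.set(k, v) }
        event.remove("[srcdst]")
        @logger.trace("processed: #{event.get(fields[0]).to_s} #{src} #{event.get(fields[1]).to_s} #{dst} #{srcdst}")
    else
        fields.each_with_index do |field, index|
            begin
                json = parse(event.get(field).to_s)
                # Concatenation is deliberate: a missing destination (nil) raises
                # TypeError and is logged below instead of writing to "[]".
                event.set("["+destinations[index]+"]", json)
            rescue StandardError => e
                # StandardError only: rescuing Exception would also swallow
                # Interrupt, SystemExit and NoMemoryError, hiding shutdown
                # signals and fatal conditions behind a log line.
                @logger.error(" caught: #{e.message}")
            end
        end
    end
    replant(event, @newroot) if @normalize
    # NOTE(review): filter_matched also runs when every lookup above failed, so
    # downstream stages cannot tell an enriched event from an unenriched one.
    filter_matched(event)
end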

#registerObject



# File 'lib/logstash/filters/weblookup.rb', line 56

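# Prepares the filter: optional Redis client, field/destination pairing,
# the lookup URL with its query parameters, and a pool of HTTP clients.
#
# @return [Object] the ConnectionPool assigned to @connpool
def register
    if use_redis
        # A blank redis_path falls back to the Redis client's defaults.
        if redis_path.to_s.strip.empty?
            @red = Redis.new()
        else
            @red = Redis.new(path: redis_path)
        end
    end

    # input fields and destinations
    @is_one_destination = (destinations.size == 1)
    if @is_one_destination
        @logger.info("one destination found, it is #{destinations[0]}")
    elsif destinations.size != fields.size
        @logger.error("Configuration error, there must be an equal amount of destinations and fields, defaulting to using the field as a root for the new values. e.g. if the lookup is done on the value of [\"ClientIP\"] the destination will be [\"ClientIP\"][\"Key\"]")
        # Go through the writer: a bare `destinations=fields` only creates a
        # local variable, so the fallback announced in the log never applied.
        # Assumes the config accessor defines a writer. TODO confirm.
        self.destinations = fields
    end
    # add case destination is empty to put the result in under the same field

    # http connectionpool
    @uri = Addressable::URI.parse(url)
    # NOTE(review): keep_alive_timeout is not a URI component, so this merge
    # presumably leaves the URI unchanged and the timeout is never handed to
    # the HTTP client. Confirm.
    @uri.merge!(HTTP_OPTIONS)
    @uri.port=80 if (@uri.port.nil? && @uri.scheme=="http")
    @uri.port=443 if (@uri.port.nil? && @uri.scheme=="https")

    # find the key where the value is <item>, otherwise just use the value
    # A URL without a query string yields no hash here; fall back to an empty
    # one instead of failing with NoMethodError on nil.
    @params = @uri.query_values(Hash) || {}
    # Collect the matching keys first so the hash is not modified while it is
    # being iterated. The backslashes in the literal are no-ops ("<item>").
    item_keys = @params.select { |_key, value| value == "\<item\>" }.keys
    item_keys.each do |key|
        @ip = key
        @params.delete(key)
        @logger.info("the ip key in the uri is #{@ip}")
    end

    @connpool = ConnectionPool.new(size: 4, timeout: 180) {
        http = Net::HTTP.new(@uri.host, @uri.port)
        # Enable TLS for https URLs. Without this the client speaks plaintext
        # HTTP to port 443. Certificate verification stays at Net::HTTP's
        # default (peer verification). parse is not visible here; if it sets
        # use_ssl itself, this line is redundant but harmless.
        http.use_ssl = (@uri.scheme == "https")
        http
    }
end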