Class: LogStash::Codecs::CloudTrail

Inherits:

Base

• Object
• Base
• LogStash::Codecs::CloudTrail

Defined in:

lib/logstash/codecs/cloudtrail.rb

Overview

This is the base class for logstash codecs.

Instance Method Summary

• #decode(data) ⇒ Object
• #register ⇒ Object
• #substitute_invalid_ip_address(event) ⇒ Object

  Workaround for github.com/logstash-plugins/logstash-codec-cloudtrail/issues/20 API calls from support will fill the sourceIpAddress with a hostname string instead of an ip address.

Instance Method Details

#decode(data) ⇒ Object

# File 'lib/logstash/codecs/cloudtrail.rb', line 19

def decode(data)
  decoded = LogStash::Json.load(@converter.convert(data))
  decoded['Records'].to_a.each do |event|
    event['@timestamp'] = event.delete('eventTime')

    if event["requestParameters"] && event['requestParameters'].has_key?("disableApiTermination")
      if event['requestParameters']['disableApiTermination'].class != Hash
        disableApiTermination = event['requestParameters'].delete('disableApiTermination')
        event['requestParameters']['disableApiTermination']= {"value" => disableApiTermination}
      end
    end

    substitute_invalid_ip_address(event)

    yield LogStash::Event.new(event)
  end
end

#register ⇒ Object

# File 'lib/logstash/codecs/cloudtrail.rb', line 13

def register
  @converter = LogStash::Util::Charset.new(@charset)
  @converter.logger = @logger
end

#substitute_invalid_ip_address(event) ⇒ Object

Workaround for github.com/logstash-plugins/logstash-codec-cloudtrail/issues/20 API calls from support will fill the sourceIpAddress with a hostname string instead of an ip address.

# File 'lib/logstash/codecs/cloudtrail.rb', line 40

def substitute_invalid_ip_address(event)
  source_ip_address = event["sourceIpAddress"]
  if source_ip_address && source_ip_address !~ Resolv::IPv4::Regex && source_ip_address !~ Resolv::IPv6::Regex
    event["sourceHost"] = event.delete("sourceIpAddress")
  end
end