Sha256: 21737a2b557101024ade7e4a21e768eec554a803d493c5b1916f40a721cddfb9
Contents?: true
Size: 1.61 KB
Versions: 15
Compression:
Stored size: 1.61 KB
Contents
# encoding: utf-8
require "logstash/codecs/base"
require "logstash/json"
require "logstash/util/charset"
# This is the base class for logstash codecs.
class LogStash::Codecs::CloudTrail < LogStash::Codecs::Base
config_name "cloudtrail"
config :charset, :validate => ::Encoding.name_list, :default => "UTF-8"
public
def register
@converter = LogStash::Util::Charset.new(@charset)
@converter.logger = @logger
end
public
def decode(data)
decoded = LogStash::Json.load(@converter.convert(data))
decoded['Records'].to_a.each do |event|
event['@timestamp'] = event.delete('eventTime')
if event["requestParameters"] && event['requestParameters'].has_key?("disableApiTermination")
if event['requestParameters']['disableApiTermination'].class != Hash
disableApiTermination = event['requestParameters'].delete('disableApiTermination')
event['requestParameters']['disableApiTermination']= {"value" => disableApiTermination}
end
end
substitute_invalid_ip_address(event)
yield LogStash::Event.new(event)
end
end # def decode
# Workaround for https://github.com/logstash-plugins/logstash-codec-cloudtrail/issues/20
# API calls from support will fill the sourceIpAddress with a hostname string instead of an ip
# address.
def substitute_invalid_ip_address(event)
source_ip_address = event["sourceIpAddress"]
if source_ip_address && source_ip_address !~ Resolv::IPv4::Regex && source_ip_address !~ Resolv::IPv6::Regex
event["sourceHost"] = event.delete("sourceIpAddress")
end
end
end # class LogStash::Codecs::CloudTrail
Version data entries
15 entries across 15 versions & 2 rubygems