Class: LogStash::Filters::Greynoise

Inherits:
Base
  • Object
Defined in:
lib/logstash/filters/greynoise.rb

Overview

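This filter will replace the contents of the default message field with whatever you specify in the configuration. (Note: the methods documented below do something more specific. `#filter` validates the IP address resolved from the event, looks it up in an optional cache or through `lookup_ip`, and writes the result to the configured target field.)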

Instance Method Summary

Instance Method Details

#filter(event) ⇒ Object



# File 'lib/logstash/filters/greynoise.rb', line 98

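# Enriches +event+ with the GreyNoise result for the IP address named by the
# +ip+ setting.
#
# Steps: resolve the +ip+ template against the event, check that IPAddr can
# parse it, serve the result from @hit_cache when one is configured and holds
# an entry, otherwise call lookup_ip and (when a cache exists) store the
# non-nil result. Events with an unparseable address are tagged with
# @tag_on_failure; an InvalidAPIKey error tags the event with
# @tag_on_auth_failure.
#
# @param event [Object] the event being filtered; must respond to sprintf,
#   to_hash, tag and set
# @return [Object, nil] nil on the invalid-IP and cache-hit paths, otherwise
#   whatever the last call in the lookup branch returns
def filter(event)
  # Resolve the template exactly once so that the string that is validated is
  # the same string used as the cache key and handed to lookup_ip.
  target_ip = event.sprintf(ip)

  begin
    # IPAddr raises a subclass of ArgumentError for unparseable input.
    # NOTE(review): IPAddr.new also accepts prefix notation ("192.0.2.0/24")
    # and bracketed IPv6 ("[::1]"), so passing this check does not guarantee a
    # bare host address. Confirm lookup_ip encodes the value safely when it
    # builds the request, or tighten the check here.
    IPAddr.new(target_ip)
  rescue ArgumentError
    # NOTE(review): the whole event is written to the error log; confirm that
    # is acceptable for events that may carry sensitive fields.
    @logger.error("Invalid IP address, skipping", :ip => target_ip, :event => event.to_hash)
    event.tag(@tag_on_failure)
    return
  end

  if @hit_cache
    # NOTE(review): the cache is keyed by IP only. A hit is returned without
    # consulting +key+ or @full_context, so if either can vary per event the
    # cached entry may not match what a fresh lookup would return — confirm.
    cached = @hit_cache[target_ip]

    if cached
      event.set(@target, cached)
      filter_matched(event)
      return
    end
  end

  # Not cached (or no cache configured): ask the GreyNoise API.
  begin
    gn_result = lookup_ip(target_ip, event.sprintf(key), @full_context)
    # A nil result is neither cached nor tagged, so the next event carrying
    # this IP triggers another lookup.
    unless gn_result.nil?
      @hit_cache[target_ip] = gn_result if @hit_cache

      event.set(@target, gn_result)
      # filter_matched should go in the last line of our successful code
      filter_matched(event)
    end
  rescue InvalidAPIKey => _
    # Only InvalidAPIKey is handled here; any other error raised by lookup_ip
    # propagates to the caller.
    @logger.error("unauthorized - check API key")
    event.tag(@tag_on_auth_failure)
  end
end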

#register ⇒ Object



# File 'lib/logstash/filters/greynoise.rb', line 57

# Builds the lookup cache when a positive @hit_cache_size is configured.
#
# With a size of zero or less, @hit_cache is left untouched, so #filter's
# `if @hit_cache` checks skip the cache and every event goes to lookup_ip.
#
# @return [Object, nil] the new cache, or nil when no cache is created
def register
  return unless @hit_cache_size > 0

  # Capacity and TTL come straight from the plugin settings.
  @hit_cache = LruRedux::TTL::ThreadSafeCache.new(@hit_cache_size, @hit_cache_ttl)
end