Merge pull request #38 from gabelilly/logstash-5.4

bitsofinfo · web-flow · commit 4aa3230f58a1 · 2017-06-05T12:58:30.000-06:00
Update filters to conform to Logstash 5.4
diff --git a/2000_filter_sections_split.conf b/2000_filter_sections_split.conf
@@ -26,8 +26,8 @@ filter {
 
     ruby {
       code => "
-          if !event['message'].nil?
-              modSecSectionData = event['message'].split(/(?:--[a-fA-F0-9]{8}-([A-Z])--)/)
+          if !event.get('message').nil?
+              modSecSectionData = event.get('message').split(/(?:--[a-fA-F0-9]{8}-([A-Z])--)/)
               modSecSectionData.shift
               for i in 0..((modSecSectionData.length-1)/2)
                   sectionName = 'rawSection'.concat(modSecSectionData.shift)
@@ -36,7 +36,7 @@ filter {
                   if !sectionData.nil?
                       sectionData = sectionData.strip
                   end
-                  event.to_hash.merge!(sectionName => sectionData)
+                  event.set(sectionName, sectionData)
               end
           end
         "
diff --git a/2021_filter_section_b_headers_key-value.conf b/2021_filter_section_b_headers_key-value.conf
@@ -1,5 +1,6 @@
 filter {
   if [type] == "mod_security" {
+
     #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     # Convert raw request headers into a key/value
     # pair map
@@ -17,7 +18,7 @@ filter {
       # trim leading/trailing hack  @see https://logstash.jira.com/browse/LOGSTASH-1369
       ruby {
         code => "
-            requestHeaders = event.to_hash['requestHeaders']
+            requestHeaders = event.get('requestHeaders').to_hash
             requestHeaders.each { |k, v|
               if !v.nil? and v.is_a? String
                 requestHeaders[k] = v.strip
diff --git a/2062_filter_section_f_headers_key-value.conf b/2062_filter_section_f_headers_key-value.conf
@@ -17,7 +17,7 @@ filter {
       # trim leading/trailing hack  @see https://logstash.jira.com/browse/LOGSTASH-1369
       ruby {
         code => "
-            responseHeaders = event.to_hash['responseHeaders']
+            responseHeaders = event.get('responseHeaders').to_hash
             responseHeaders.each { |k, v|
               if !v.nil? and v.is_a? String
                 responseHeaders[k] = v.strip
diff --git a/2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf b/2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf
@@ -27,7 +27,7 @@ filter {
             end
 
             auditLogTrailerMessages = Array.new()
-            trailer_array = event.to_hash['rawSectionH'].split(/\n/)
+            trailer_array = event.get('rawSectionH').split(/\n/)
             trailer_array.each do |entry|
               if entry.match(/^Message: /)
                 msg = Hash.new()
@@ -43,7 +43,7 @@ filter {
               end
             end
 
-            event.to_hash.merge!('auditLogTrailerMessages' => auditLogTrailerMessages)
+            event.set('auditLogTrailerMessages', auditLogTrailerMessages)
           "
       }
     }
diff --git a/2081_filter_section_h_convert_to_key-value.conf b/2081_filter_section_h_convert_to_key-value.conf
@@ -20,18 +20,21 @@ filter {
       # trim leading/trailing hack  @see https://logstash.jira.com/browse/LOGSTASH-1369
       ruby {
         code => "
-            auditLogTrailer = event.to_hash['auditLogTrailer']
-            auditLogTrailerMessages = event.to_hash['auditLogTrailerMessages']
+            auditLogTrailer = event.get('auditLogTrailer').to_hash
+            auditLogTrailerMessages = event.get('auditLogTrailerMessages').to_hash
             auditLogTrailer.each { |k, v|
               if !v.nil? and v.is_a? String
                 auditLogTrailer[k] = v.strip
               end
             }
             auditLogTrailer.delete('Message')
             auditLogTrailer['messages'] = auditLogTrailerMessages
-            event.to_hash.delete('auditLogTrailerMessages')
           "
       }
+
+      drop {
+        remove_field => ['auditLogTrailerMessages']
+      }
     }
   }
 }
diff --git a/2082_filter_section_h_extract_stopwatch.conf b/2082_filter_section_h_extract_stopwatch.conf
@@ -24,16 +24,16 @@ filter {
     # micro -> milli
     ruby {
       code => "
-          event_date_milliseconds = (event.to_hash['event_date_microseconds'] / 1000.0)
-          event.to_hash.merge!('event_date_milliseconds' => event_date_milliseconds)
+          event_date_milliseconds = (event.get('event_date_microseconds') / 1000.0)
+          event.set('event_date_milliseconds', event_date_milliseconds)
         "
     }
 
     # milli -> seconds
     ruby {
       code => "
-          event_date_seconds = (event.to_hash['event_date_milliseconds'] / 1000.0)
-          event.to_hash.merge!('event_date_seconds' => event_date_seconds)
+          event_date_seconds = (event.get('event_date_milliseconds') / 1000.0)
+          event.set('event_date_seconds', event_date_seconds)
         "
     }
 
@@ -46,7 +46,7 @@ filter {
     # a second copy of a iso8601 date
     ruby {
       code => "
-          event.to_hash.merge!('event_timestamp' => (Time.at(event.to_hash['event_date_seconds']).gmtime).iso8601(3))
+          event.set('event_timestamp', (Time.at(event.get('event_date_seconds')).gmtime).iso8601(3))
         "
     }
   }
diff --git a/2089_filter_section_h_example_geoip.conf b/2089_filter_section_h_example_geoip.conf
@@ -20,7 +20,7 @@ filter {
     # convert Strings to UTF-8, leave as-is otherwise
     #ruby {
     #  code => "
-    #      geoip = event.to_hash['XForwardedFor-GEOIP']
+    #      geoip = event.get('XForwardedFor-GEOIP').to_hash
     #      if !geoip.nil?
     #        newgeoip = Hash.new()
     #        geoip.each do |key,value|
@@ -30,7 +30,7 @@ filter {
     #            newgeoip[key] = value
     #          end
     #        end
-    #        event.to_hash.merge!('XForwardedFor-GEOIP' => newgeoip)
+    #        event.set('XForwardedFor-GEOIP', newgeoip)
     #      end
     #    "
     #}
diff --git a/2089_filter_section_h_example_severities.conf b/2089_filter_section_h_example_severities.conf
@@ -11,13 +11,13 @@ filter {
     ruby {
       code => "
           modsecSeverities = Set.new
-          trailerMsgs = event.to_hash['auditLogTrailerMessages']
+          trailerMsgs = event.get('auditLogTrailerMessages').to_hash
           trailerMsgs.each {|m|
             if m.key?('severity')
               modsecSeverities.add(m['severity'])
             end
           }
-          event.to_hash.merge!('modsecSeverities' => modsecSeverities.to_a)
+          event.set('modsecSeverities', modsecSeverities.to_a)
         "
     }
   }
diff --git a/2110_filter_section_k_parse_matchedRules.conf b/2110_filter_section_k_parse_matchedRules.conf
@@ -24,13 +24,13 @@ filter {
       ruby {
         code => "
             secRuleIds = Array.new()
-            matchedRules_array = event.to_hash['matchedRules']
+            matchedRules_array = event.get('matchedRules').to_hash
             matchedRules_array.each do |entry|
               if entry.match(/^SecRule /) and entry.match(/,id:/)
                 secRuleIds.push(/,id:(?<ruleId>\d+)/.match(entry)[:ruleId])
               end
             end
-            event.to_hash.merge!('secRuleIds' => secRuleIds)
+            event.set('secRuleIds', secRuleIds)
           "
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ filter {`
`27`	`27`	`end`
`28`	`28`
`29`	`29`	`auditLogTrailerMessages = Array.new()`
`30`		`- trailer_array = event.to_hash['rawSectionH'].split(/\n/)`
	`30`	`+ trailer_array = event.get('rawSectionH').split(/\n/)`
`31`	`31`	`trailer_array.each do \|entry\|`
`32`	`32`	`if entry.match(/^Message: /)`
`33`	`33`	`msg = Hash.new()`
`@@ -43,7 +43,7 @@ filter {`
`43`	`43`	`end`
`44`	`44`	`end`
`45`	`45`
`46`		`- event.to_hash.merge!('auditLogTrailerMessages' => auditLogTrailerMessages)`
	`46`	`+ event.set('auditLogTrailerMessages', auditLogTrailerMessages)`
`47`	`47`	`"`
`48`	`48`	`}`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,18 +20,21 @@ filter {`
`20`	`20`	`# trim leading/trailing hack @see https://logstash.jira.com/browse/LOGSTASH-1369`
`21`	`21`	`ruby {`
`22`	`22`	`code => "`
`23`		`- auditLogTrailer = event.to_hash['auditLogTrailer']`
`24`		`- auditLogTrailerMessages = event.to_hash['auditLogTrailerMessages']`
	`23`	`+ auditLogTrailer = event.get('auditLogTrailer').to_hash`
	`24`	`+ auditLogTrailerMessages = event.get('auditLogTrailerMessages').to_hash`
`25`	`25`	`auditLogTrailer.each { \|k, v\|`
`26`	`26`	`if !v.nil? and v.is_a? String`
`27`	`27`	`auditLogTrailer[k] = v.strip`
`28`	`28`	`end`
`29`	`29`	`}`
`30`	`30`	`auditLogTrailer.delete('Message')`
`31`	`31`	`auditLogTrailer['messages'] = auditLogTrailerMessages`
`32`		`- event.to_hash.delete('auditLogTrailerMessages')`
`33`	`32`	`"`
`34`	`33`	`}`
	`34`	`+`
	`35`	`+ drop {`
	`36`	`+ remove_field => ['auditLogTrailerMessages']`
	`37`	`+ }`
`35`	`38`	`}`
`36`	`39`	`}`
`37`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,16 +24,16 @@ filter {`
`24`	`24`	`# micro -> milli`
`25`	`25`	`ruby {`
`26`	`26`	`code => "`
`27`		`- event_date_milliseconds = (event.to_hash['event_date_microseconds'] / 1000.0)`
`28`		`- event.to_hash.merge!('event_date_milliseconds' => event_date_milliseconds)`
	`27`	`+ event_date_milliseconds = (event.get('event_date_microseconds') / 1000.0)`
	`28`	`+ event.set('event_date_milliseconds', event_date_milliseconds)`
`29`	`29`	`"`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`# milli -> seconds`
`33`	`33`	`ruby {`
`34`	`34`	`code => "`
`35`		`- event_date_seconds = (event.to_hash['event_date_milliseconds'] / 1000.0)`
`36`		`- event.to_hash.merge!('event_date_seconds' => event_date_seconds)`
	`35`	`+ event_date_seconds = (event.get('event_date_milliseconds') / 1000.0)`
	`36`	`+ event.set('event_date_seconds', event_date_seconds)`
`37`	`37`	`"`
`38`	`38`	`}`
`39`	`39`
`@@ -46,7 +46,7 @@ filter {`
`46`	`46`	`# a second copy of a iso8601 date`
`47`	`47`	`ruby {`
`48`	`48`	`code => "`
`49`		`- event.to_hash.merge!('event_timestamp' => (Time.at(event.to_hash['event_date_seconds']).gmtime).iso8601(3))`
	`49`	`+ event.set('event_timestamp', (Time.at(event.get('event_date_seconds')).gmtime).iso8601(3))`
`50`	`50`	`"`
`51`	`51`	`}`
`52`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,13 +11,13 @@ filter {`
`11`	`11`	`ruby {`
`12`	`12`	`code => "`
`13`	`13`	`modsecSeverities = Set.new`
`14`		`- trailerMsgs = event.to_hash['auditLogTrailerMessages']`
	`14`	`+ trailerMsgs = event.get('auditLogTrailerMessages').to_hash`
`15`	`15`	`trailerMsgs.each {\|m\|`
`16`	`16`	`if m.key?('severity')`
`17`	`17`	`modsecSeverities.add(m['severity'])`
`18`	`18`	`end`
`19`	`19`	`}`
`20`		`- event.to_hash.merge!('modsecSeverities' => modsecSeverities.to_a)`
	`20`	`+ event.set('modsecSeverities', modsecSeverities.to_a)`
`21`	`21`	`"`
`22`	`22`	`}`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,13 +24,13 @@ filter {`
`24`	`24`	`ruby {`
`25`	`25`	`code => "`
`26`	`26`	`secRuleIds = Array.new()`
`27`		`- matchedRules_array = event.to_hash['matchedRules']`
	`27`	`+ matchedRules_array = event.get('matchedRules').to_hash`
`28`	`28`	`matchedRules_array.each do \|entry\|`
`29`	`29`	`if entry.match(/^SecRule /) and entry.match(/,id:/)`
`30`	`30`	`secRuleIds.push(/,id:(?<ruleId>\d+)/.match(entry)[:ruleId])`
`31`	`31`	`end`
`32`	`32`	`end`
`33`		`- event.to_hash.merge!('secRuleIds' => secRuleIds)`
	`33`	`+ event.set('secRuleIds', secRuleIds)`
`34`	`34`	`"`
`35`	`35`	`}`
`36`	`36`	`}`