Project

logstash-filter-phpipam

0.0
No commit activity in last 3 years
No release in over 3 years
logstash-filter-phpipammagnuslarsen/logstash-filter-phpipamHomepageDocumentationSource CodeBug TrackerWiki
A Logstash filter that looks up an IP-address, and returns results from phpIPAM
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
16,916
Stars
0
Forks
0
Watchers
2
 Releases
Current version
0.8.1
Total releases
9
First release
2019-07-31
Latest release
2019-09-13
 Issues
Open Issues
1
Closed Issues
0
Total Issues
1
Issue Closure Rate
0%
 Development
Primary Language
Ruby
Licenses
Apache-2.0
Average date of last 50 commits
2019-08-08
Reverse Dependencies
0

 Dependencies

Development

logstash-devutils
~> 1.3, >= 1.3.6

Runtime

logstash-core-plugin-api
~> 2.0
redis
~> 4.1, >= 4.1.2
 Project Readme

logstash-filter-phpipam

A Logstash filter that looks up an IP-address, and returns results from phpIPAM

Installation

Prerequisites

Redis is required for this plugin to work.

You can install it using most your distributions package manager.

Ubuntu example

You can install it with apt:

sudo apt install redis

Plugin

This plugin can be installed using the logstash-plugin command in $LOGSTASH_HOME:

${LOGSTASH_HOME:-/usr/share/logstash}/bin/logstash-plugin install logstash-filter-phpipam

Redis configuration

Redis is primarily used as a LRU cache, and can be configured in a lot of ways.

The two highly recommended settings to set, are maxmemory and maxmemory-policy:

  • maxmemory can be tested using the redis-cli --lru-test command
  • maxmemory-policy I would set to allkeys-lru

The above settings would limit the memory that Redis can use. The limit should be high enough to contain almost all keys.
If the limit is reached--and maxmemory-policy is set to allkeys-lru--the least accessed keys would be evicted first.

Every key will also have an expiration time of cache_fresshness (default 24 hours) associated, meaning that every key will live for 24 hours maximum.
This is to prevent cached data to become stale, and always keep (approximately) up-to-date data from phpIPAM.

Performance

Here are some stats from my production environment:

keys       mem      clients blocked requests            connections
10516      2.87M    12      0       8047901 (+0)        26

Configuration options

Option Type Default Comment
host string What host to connect to with protocol and optional port (e.g. https://fqdn:3000)
app_id string See below
username string Username to use for the connection
password string Password to use for the connection
auth boolean true Whether to use authentication or not
cache_ip integer 0 ID of the redis database for IP-addresses
cache_subnet integer 1 ID of the redis database for subnets
cache_vlan integer 2 ID of the redis database for vlans
cache_device integer 3 ID of the redis database for devices
cache_location integer 4 ID of the redis database for locations
cache_device_type integer 5 ID of the redis database for device types
cache_freshness integer 86400 (1 day) How long, in seconds, a value should be cached before it's expired
source string Which field the IP-address is in
target string phpipam Where to place the phpIPAM data in

app_id can be found in phpIPAM: Administration -> API
It's recommended to use SSL when accessing the app_id in phpIPAM.

Geo-points

By default the lon and lat are mapped as normal floats, NOT geo-points!

To use the latitude and longtitude in Kibana Maps, you either need to:

  1. Preload mappings yourself
  2. Use preloaded mappings from something like Filebeat (7.0+)

For option 2, if you use the default target of phpipam, you can do something like this, after the phpipam filter:

mutate {
  rename => {
    "[phpipam][location][location]" => "[geo][location]"
  }
}

Example

This example...

phpipam {
  host     => "https://phpipam.local.domain"
  app_id   => "logstash"
  username => "username"
  password => "password"
  source   => "[source][ip]"
  target   => "[source][phpipam]"
}

...would produce:

"source" => {
  "phpipam" => {
    "subnet" => {
      "network"    => "172.16.1.0",
      "bitmask"    => 24,
      "netmask"    => "255.255.255.0",
      "section_id" => 1,
      "wildcard"   => "0.0.0.255",
      "id"         => 1
    },
    "ip" => {
      "description" => "This is my test IP",
      "hostname"    => "test.domain.local",
      "id"          => 1,
      "note"        => "This switch is in test!",
      "address"     => "172.16.1.10",
      "mac"         => "aa:bb:cc:dd:ee:ff"
      "owner"       => "Testing Team"
    },
    "vlan" => {
      "name"      => "TestVLAN",
      "number"    => 100,
      "id"        => 1,
      "domain_id" => 1,
    },
    "device" => {
      "name"        => "test.domain.local",
      "description" => "Juniper Switch",
      "type"        => "Switch",
      "id"          => 1
    },
    "location" => {
      "name"     => "Null Island",
      "id"       => 1,
      "location" => {
        "lat" => 0.0,
        "lon" => 0.0
      },
      "address" => "Null Island, Atlantic Ocean"
    }
  }
}

Provided that all that information is entered in phpIPAM.

Empty values in phpIPAM will not be pulled, therefore the output can vary, depending on the information gathered from the IP-address.