No commit activity in last 3 years
No release in over 3 years
This gem is a Logstash plugin that must be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program.
 Dependencies

Development

Runtime

~> 1.0
< 3.0.0, >= 2.0.0
 Project Readme

Logstash SpamHaus Plugin

This is a plugin for Logstash.

It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.

Documentation

This filter allows you to look up an IP address in the SpamHaus ZEN list. This list includes all of the SpamHaus blacklists.

This filter can be used in the simplest form as follows:

	spamhaus {}

It will run with the following defaults:

  • It will look up the IP address in the clientip field
  • It will tag IPs in the blacklist as spamhaus_blacklisted
  • It will tag IPs not in the blacklist as spamhaus_whitelisted

If an IP is blacklisted it will add a spamhaus object to the event with the following properties:

  • code: it's the SpamHaus code for the blocking reason
  • blocklist: it's the SpamHaus blacklist name where this IP was found

Configuration

The filter accepts the following configuration options:

  • ip - It's the field that contains the IP address to resolve. Default: clientip.
  • tag_blacklisted - The tag to add to the event in case the IP is blacklisted. Default: spamhaus_blacklisted.
  • tag_whitelisted - The tag to add to the event in case the IP is not in any blacklist. Default: spamhaus_whitelisted.

A more involved filter configuration could look like:

  spamhaus {
    ip => 'client_ip'
    tag_blacklisted => 'blacklisted'
    tag_whitelisted => 'whitelisted'
  }

Missing functionality

This is a bare minimum implementation of the filter. Some things could be good to implement:

  • Lookup multiple IPs
  • Select the blacklists to lookup

Compiling and testing

Compiling, deploying and testing this plugin requires JRuby. You also need to make sure that the bundle, rake and rspec commands are run using JRuby.

If you start seeing errors that look like:

Could not find gem 'logstash-devutils (>= 0.0.18) ruby' in any of the gem sources listed in your Gemfile or available on this machine.

notice the ruby bit after the version - try and make it explicit that you want to use the JRuby versions of the commands:

alias rspec="jruby -S rspec"
alias rake="jruby -S rake"
alias bundle="jruby -S bundle"

Once you have specified these aliases, things should start working as expected, unless you don't have jruby in your path.

Test it out by running bundle install && bundle exec rspec - it should produce some output, ending with the test results:

Finished in 0.382 seconds (files took 4.03 seconds to load)
2 examples, 0 failures

Randomized with seed xxxxx