Non-IP address content in sourceIPAddress field is not properly handled #27
Description
Logstash information:
- Logstash version:
7.17.24 - Logstash installation source:
apt - How logstash is being run: as a
systemdservice - How the plugin was installed:
bin/logstash-plugin install logstash-codec-cloudtrail
JVM (e.g. java -version):
N/A - this is caused by a bug in the Ruby code
OS version (uname -a if on a Unix-like system):
N/A - this is caused by a bug in the Ruby code
Description of the problem including expected versus actual behavior:
CloudTrail's sourceIPAddress field can contain both IP addresses and DNS names [1]. In #22 this plugin was changed to put non-IP address content from the sourceIPAddress field in the sourceHost field instead. However, that functionality does not work properly and non-IP address content stays in the sourceIPAddress field.
This is due to two separate issues:
- In
and
there is a typo -
sourceIpAddressshould actually besourceIPAddress. This causessource_ip_addressto always benilwhich means always evaluates tofalseand the field is never renamed - The file is missing a
require 'resolv'statement, so ifsource_ip_addressis ever notniltheResolvreferences will throw an error
Steps to reproduce:
I can try to put together an anonymized set of configuration files if necessary, but I'm hoping that won't be necessary since the issue is relatively straightforward. It should be fairly easy to reproduce if you have access to an AWS account - you just need to configure logstash to read the CloudTrail logs using this plugin and examine the output.
Provide logs (if relevant):
AFAICT there are no logs related to these bugs, but if you fix the typos and don't add the require statement you'll see the following error in the logs:
Failed to read file, processing skipped {:exception=>NameError, :message=>"uninitialized constant LogStash::Codecs::CloudTrail::Resolv", :filename=>"$INPUT_FILE"}