Last active
December 29, 2017 20:19
-
-
Save sean-horn/8d868c4f21e4a4a53c36becbb0faeab4 to your computer and use it in GitHub Desktop.
compliance filter with additional output for logfile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| if [type] == "inspec_report" { | |
| if [end_time] { | |
| date { | |
| match => ["end_time", "YYYY-MM-dd'T'HH:mm:ssZZ"] | |
| timezone => "UTC" | |
| } | |
| } | |
| mutate { | |
| add_field => { "doc_version" => "1" } | |
| remove_field => [ | |
| "@uuid", | |
| "other_checks" | |
| ] | |
| } | |
| ruby { | |
| code => " | |
| puts 'ERROR: ENV variable LOGSTASH_CONFIG_DIR is not set' unless ENV['LOGSTASH_CONFIG_DIR'] | |
| helper_path = File.join(ENV['LOGSTASH_CONFIG_DIR'].to_s, 'ruby/inspec_helper.rb') | |
| puts 'ERROR: Ruby helper class \''+helper_path+'\' is not available' unless File.file?(helper_path) | |
| require helper_path | |
| # Update the report profiles if inheritance is used | |
| puts 'DEBUG: Ruby filter is processing an event from \'' + event['node_name'].to_s + '\' before fix_inherited_profiles ' | |
| puts 'DEBUG: Ruby filter sees an event with \'' + event['profiles'].length.to_s + '\' profiles before fix_inherited_profiles ' | |
| InspecHelper.fix_inherited_profiles(event) | |
| puts 'DEBUG: Ruby filter exited fix_inherited_profiles with node \'' + event['node_name'].to_s + '\' with \'' + event['profiles'].length.to_s + '\' profiles' | |
| InspecHelper.fix_null_platform(event) | |
| puts 'DEBUG: Ruby filter exited fix_null_platform with node \'' + event['node_name'].to_s + '\' with \'' + event['profiles'].length.to_s + '\' profiles' | |
| " | |
| } | |
| # Creating the inspec_provile event and removing report specific fields | |
| clone { | |
| clones => [ "inspec_profile" ] | |
| } | |
| # Prevent the inspec_report event type from entering here: | |
| if [type] == "inspec_profile" { | |
| ruby { | |
| code => " | |
| puts 'DEBUG: Ruby filter is processing an \'' + event['type'].to_s + '\' event ' | |
| # Remove the 'chef' tag(added by logstash-chef-input.conf) so that the new | |
| # document types we create don't get processed via logstash-chef-output.conf | |
| if event['tags'].is_a?(Array) | |
| event['tags'].delete('chef') | |
| end | |
| # The document split leaves all the other fields from the original document, so removing fields that are not needed. | |
| # https://github.com/logstash-plugins/logstash-filter-split/issues/16 | |
| # puts 'DEBUG: event fields: ' + event.to_hash.keys.to_s | |
| event.to_hash.keys.each { |field| event.remove(field) unless %w(type profiles).include?(field) } | |
| " | |
| } | |
| # Generate a new event for each profile | |
| split { | |
| field => "profiles" | |
| } | |
| } | |
| } | |
| if [type] == "inspec_profile" { | |
| ruby { | |
| code => " | |
| require 'json' | |
| puts 'ERROR: ENV variable LOGSTASH_CONFIG_DIR is not set' unless ENV['LOGSTASH_CONFIG_DIR'] | |
| helper_path = File.join(ENV['LOGSTASH_CONFIG_DIR'].to_s, 'ruby/inspec_helper.rb') | |
| puts 'ERROR: Ruby helper class \''+helper_path+'\' is not available' unless File.file?(helper_path) | |
| require helper_path | |
| profile_only = InspecHelper.profile_from_report(event['profiles']) | |
| puts 'DEBUG: Ruby filter is processing an event from \'' + event['profiles']['name'].to_s + '\' n profile_only code ' | |
| event.remove('profiles') | |
| event.append(profile_only) | |
| " | |
| } | |
| } | |
| if [type] == "inspec_report" { | |
| ruby { | |
| code => " | |
| puts 'ERROR: ENV variable LOGSTASH_CONFIG_DIR is not set' unless ENV['LOGSTASH_CONFIG_DIR'] | |
| helper_path = File.join(ENV['LOGSTASH_CONFIG_DIR'].to_s, 'ruby/inspec_helper.rb') | |
| puts 'ERROR: Ruby helper class \''+helper_path+'\' is not available' unless File.file?(helper_path) | |
| require helper_path | |
| # Remove the 'chef' tag(added by logstash-chef-input.conf) so that the new | |
| # document types we create don't get processed via logstash-chef-output.conf | |
| if event['tags'].is_a?(Array) | |
| event['tags'].delete('chef') | |
| end | |
| event['profiles_min'] = InspecHelper.profiles_min_from_report(event['profiles']) | |
| event.remove('profiles') | |
| event['controls'] = InspecHelper.count_controls(event['profiles_min']) | |
| event['status'] = InspecHelper.compliance_status(event['controls']) | |
| " | |
| } | |
| # Creating the inspec_summary event from inspec_report | |
| clone { | |
| clones => [ "inspec_summary" ] | |
| } | |
| } | |
| if [type] == "inspec_summary" { | |
| ruby { | |
| code => " | |
| puts 'ERROR: ENV variable LOGSTASH_CONFIG_DIR is not set' unless ENV['LOGSTASH_CONFIG_DIR'] | |
| helper_path = File.join(ENV['LOGSTASH_CONFIG_DIR'].to_s, 'ruby/inspec_helper.rb') | |
| puts 'ERROR: Ruby helper class \''+helper_path+'\' is not available' unless File.file?(helper_path) | |
| require helper_path | |
| event.remove('version') | |
| event.remove('statistics') | |
| event['profiles_sums'] = InspecHelper.profiles_sums_from_profiles_min(event['profiles_min']) | |
| event.remove('profiles_min') | |
| " | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment