corelight / ecs-logstash-mappings

Mapping Corelight or Zeek data to Elastic Common Schema logs
BSD 3-Clause "New" or "Revised" License

Document hardcoded paths to ruby script #5

Closed brsolomon-deloitte closed 2 years ago

brsolomon-deloitte commented 2 years ago

Several pipelines reference a hardcoded path under /etc to the Ruby script.

This could minimally be pointed out in the README as a gotcha, since the script itself might not end up there e.g. when deployed from a configmap on Kubernetes.

$ rg '\.rb' pipeline/
pipeline/8112-corelight-ecs-source-ip-enrich-filter.conf
15:        path => "/etc/logstash/pipelines/ecs-logstash-corelight/ruby/corelight-ecs-ip_clean_and_public-ruby.rb"
24:        tag_on_exception =>  "_rubyexception-9718082dd0e3-source-ip_clean_and_public.rb-20220310.01"

pipeline/8112-corelight-ecs-host-ip-enrich-filter.conf
16:        path => "/etc/logstash/pipelines/ecs-logstash-corelight/ruby/corelight-ecs-ip_clean_and_public-ruby.rb"
25:        tag_on_exception =>  "_rubyexception-8bd5224c1084-host-ip_clean_and_public.rb-20220310.01"

pipeline/8112-corelight-ecs-destination-ip-enrich-filter.conf
16:        path => "/etc/logstash/pipelines/ecs-logstash-corelight/ruby/corelight-ecs-ip_clean_and_public-ruby.rb"
25:        tag_on_exception =>  "_rubyexception-56531bf4c88a-destination-ip_clean_and_public.rb-20220310.01"

brasitech commented 2 years ago

Documentation is coming, you are correct. However, on the subject of the Ruby script - I actually already moved the Ruby code into the Logstash files themselves. This is in a branch that will be merged later this week. This had become a hassle with Logstash central management pipelines anyway.
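The check below is an added example; it is not code from the corelight/ecs-logstash-mappings repository or from either commenter. It implements the pre-flight check a practitioner would want for the gotcha raised in this issue: it collects every `path => "..."` value from a directory of Logstash pipeline .conf files and reports the ones that do not exist on the host, so a script path hardcoded under /etc is caught before Logstash refuses to start the pipeline (for example when the .rb file was mounted from a ConfigMap to a different location). The directory layout, the two sample .conf files and the local script location built by `make_demo_dir` are constructed for the demonstration; the /etc path is the one quoted in the issue and is assumed not to exist on the machine running the check.

```shell
#!/bin/sh
# Added example (not part of corelight/ecs-logstash-mappings): verify that
# every file referenced by `path => "..."` in a set of Logstash pipeline
# .conf files actually exists on this host.

# Print each distinct `path => "..."` value found in *.conf files under $1.
# Any key ending in "path" (e.g. sincedb_path) is matched too; all of them
# name files, so they are all worth checking.
list_conf_paths() {
  find "$1" -name '*.conf' -type f -exec \
    grep -hoE 'path[[:space:]]*=>[[:space:]]*"[^"]+"' {} + 2>/dev/null \
    | sed -E 's/^.*"([^"]*)"$/\1/' \
    | sort -u
}

# Check every referenced path. Prints one "ok:" or "MISSING:" line per path
# and returns 1 if at least one referenced file is absent.
check_conf_paths() {
  missing=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if [ -f "$p" ]; then
      echo "ok:      $p"
    else
      echo "MISSING: $p"
      missing=1
    fi
  done <<EOF
$(list_conf_paths "$1")
EOF
  return "$missing"
}

# Number of missing paths under $1 (0 when everything resolves).
count_missing() {
  check_conf_paths "$1" | grep -c '^MISSING:' || true
}

# Constructed sample for the demo: one pipeline keeps the hardcoded /etc path
# quoted in the issue (assumed not to exist here), the other points at a
# script shipped next to the pipeline, as a ConfigMap-style deployment would.
# Prints the temporary directory it created.
make_demo_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/pipeline" "$d/ruby"
  : > "$d/ruby/corelight-ecs-ip_clean_and_public-ruby.rb"
  cat > "$d/pipeline/8112-corelight-ecs-source-ip-enrich-filter.conf" <<EOF
filter {
  ruby {
    path => "/etc/logstash/pipelines/ecs-logstash-corelight/ruby/corelight-ecs-ip_clean_and_public-ruby.rb"
  }
}
EOF
  cat > "$d/pipeline/8112-corelight-ecs-host-ip-enrich-filter.conf" <<EOF
filter {
  ruby {
    path => "$d/ruby/corelight-ecs-ip_clean_and_public-ruby.rb"
  }
}
EOF
  echo "$d"
}

# Stand-alone demo: build the sample tree and report on it.
demo_dir=$(make_demo_dir)
check_conf_paths "$demo_dir/pipeline" || echo "one or more referenced scripts are missing"
```

Run it against the real pipeline directory (`check_conf_paths /etc/logstash/pipelines/ecs-logstash-corelight/pipeline`, or wherever the .conf files are mounted) in a container entrypoint or CI job; a non-zero exit means Logstash would fail at pipeline start. Once the Ruby code is carried inline with `code =>` in the ruby filter, as the maintainer describes, there is no external file for the check to find and the gotcha disappears.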