Class: LogStash::Filters::IeeeOui

Inherits:

Base

• Object
• Base
• LogStash::Filters::IeeeOui

Defined in:

lib/logstash/filters/ieee_oui.rb

Overview

The ieee_oui filter allows you to match mac addresses to vendor names. It accepts source mac addresses delimited by a colon(:), a dash(-) or no delimiter. The filter requires a specially formatted oui-logstash.txt file for the ouifile. See github.com/Vigilant-LLC/logstash-oui-scraper

Instance Method Summary

• #filter(event) ⇒ Object
• #hashfile(file) ⇒ Object
• #md5file(file) ⇒ Object

  public.

• #refreshfile(file) ⇒ Object
• #register ⇒ Object

Instance Method Details

#filter(event) ⇒ Object

# File 'lib/logstash/filters/ieee_oui.rb', line 64

def filter(event)
  matched = false
  if ! @ouihash.nil?
    refreshfile(@ouifile) 
    validhex = false
    mac = event.get(@source)
    delimiter = mac[2]
    if delimiter[/\H/]
      mfrid = mac.split("#{delimiter}")[0..2].join.upcase
    else
      mfrid = mac[0,6].upcase
    end
    if !mfrid[/\H/]
      validhex = true
      vendor = @ouihash[mfrid]
      if vendor.nil?
        vendor = 'unknown'
      else
        vendor = vendor.gsub(/\r/,"")
      end
      matched = true
      event.set("#{@target}", vendor)
    end
  end
  @logger.debug("Invalid Hex in source", :string => @source) if not validhex
  @tag_on_failure.each{|tag| event.tag(tag)} if not matched
  filter_matched(event) if matched
end

#hashfile(file) ⇒ Object

# File 'lib/logstash/filters/ieee_oui.rb', line 51

def hashfile(file)
  return Hash[*File.read(file).split(/\t|\n/)]
end

#md5file(file) ⇒ Object

public

# File 'lib/logstash/filters/ieee_oui.rb', line 47

def md5file(file)
  return Digest::MD5.file(file).hexdigest
end

#refreshfile(file) ⇒ Object

# File 'lib/logstash/filters/ieee_oui.rb', line 55

def refreshfile(file)
  @newmd5 = md5file(file)
  if @newmd5 != @md5
    @md5 = md5file(file)
    @ouihash = hashfile(file)
    @logger.info("Refreshing oui file" , :path => file)
  end
end

#register ⇒ Object

# File 'lib/logstash/filters/ieee_oui.rb', line 34

def register
  if @ouifile.nil?
    @logger.debug("You must specifiy 'ouifile => path_to_file' in your ieee_oui filter")
    @ouihash = nil
  else
    @logger.info("Using oui file", :path => @ouifile)
    @md5 = md5file(@ouifile)
    @newmd5 = md5file(@ouifile)
    @ouihash = hashfile(@ouifile)
  end
end