Class: LogStash::Filters::IeeeOui

Inherits:
Base
  • Object
Defined in:
lib/logstash/filters/ieee_oui.rb

Overview

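The ieee_oui filter allows you to match MAC addresses to vendor names. It accepts source MAC addresses delimited by a colon (:), a dash (-) or no delimiter. Only the first three octets (the OUI) are used for the lookup, so the vendor name is an enrichment hint rather than proof of device identity, because a host can change its MAC address. The filter requires a specially formatted oui-logstash.txt file for the ouifile. See github.com/Vigilant-LLC/logstash-oui-scraper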

Instance Method Summary collapse

Instance Method Details

#filter(event) ⇒ Object



# File 'lib/logstash/filters/ieee_oui.rb', line 112

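# Enriches an event with the vendor name for the MAC address held in @source.
#
# The first three octets (the OUI) are normalised to six upper-case hex digits
# and looked up in @ouihash. When the OUI is well formed, the vendor (or
# 'unknown' if the table has no entry) is written to @target and
# filter_matched is called. Otherwise every tag in @tag_on_failure is added.
#
# The MAC value comes from the event, i.e. from whatever produced the log
# line, so it is handled as untrusted input: a missing field, a non-string
# value, a string too short to probe for a delimiter, or a prefix that is not
# exactly six hex digits is tagged as a failure rather than raising
# NoMethodError inside the filter or being reported as an 'unknown' vendor.
#
# @param event [LogStash::Event] event being filtered; modified in place
# @return [Object, nil] whatever filter_matched returns on a match, else nil
def filter(event)
  matched = false
  validhex = false

  unless @ouihash.nil?
    # needs_refresh? is tested again inside lock_for_write; presumably the
    # lock serialises writers, so a caller that waited does not reload the
    # file a second time (lock_for_write is defined outside this listing).
    if needs_refresh?
      lock_for_write do
        refreshfile(@ouifile) if needs_refresh?
      end
    end

    mac = event.get(@source)

    # Index 2 is used to detect the delimiter, so the value must be a String
    # of at least three characters before it is inspected.
    if mac.is_a?(String) && mac.length >= 3
      delimiter = mac[2]
      mfrid =
        if delimiter =~ /\H/
          # Third character is not a hex digit: treat it as the delimiter.
          mac.split(delimiter)[0..2].join.upcase
        else
          # No delimiter: the OUI is the first six characters.
          mac[0, 6].upcase
        end

      # A usable OUI is exactly six hex digits; anything else is invalid input.
      if mfrid =~ /\A\h{6}\z/
        validhex = true
        vendor = nil
        lock_for_read { vendor = @ouihash[mfrid] }
        # Table entries may carry a carriage return; remove it from the output.
        vendor = vendor.nil? ? 'unknown' : vendor.gsub(/\r/, "")
        matched = true
        event.set(@target.to_s, vendor)
      end
    end
  end

  @logger.debug("Invalid MAC address in source", :string => @source) unless validhex
  @tag_on_failure.each { |tag| event.tag(tag) } unless matched
  filter_matched(event) if matched
end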

#register ⇒ Object



# File 'lib/logstash/filters/ieee_oui.rb', line 38

# Start-up hook for the plugin: builds the read/write lock pair, checks that
# an OUI file has been configured, and performs the first load of that file.
#
# @raise [LogStash::ConfigurationError] when @ouifile is nil
def register
  # JRuby-only: the lock comes from the Java standard library.
  lock_pair = java.util.concurrent.locks.ReentrantReadWriteLock.new
  @read_lock, @write_lock = lock_pair.readLock, lock_pair.writeLock

  # Without an OUI file there is nothing to look up, so refuse to start.
  if @ouifile.nil?
    @ouihash = nil
    message = I18n.t(
      "logstash.agent.configuration.invalid_plugin_register",
      :plugin => "filter",
      :type => "ieee_oui",
      :error => "You must specifiy 'ouifile => path_to_file' in your ieee_oui filter"
    )
    raise LogStash::ConfigurationError, message
  end

  @logger.info("Using OUI file", :path => @ouifile)
  @logger.info("OUI file refresh check seconds", :number => @refresh_interval)

  # NOTE(review): @md5/@newmd5 presumably hold digests that refreshfile
  # compares to notice a changed file — confirm against refreshfile. Such a
  # comparison detects change only; it does not authenticate the file, so the
  # OUI file should be writable only by the account that operates Logstash.
  @md5 = @newmd5 = @ouihash = nil
  @next_refresh = Time.now + @refresh_interval

  # Initial load, done under the write lock like every later refresh.
  lock_for_write do
    refreshfile(@ouifile)
  end
end