Logstash Stormshield SES Plugin

Documentation

This logstash plugin provides support for Stormshield Endpoint Security logs:

• On EXT-BLK event status, split source and destination file extension into two keys:
  • source_extension
  • target_extension

Developing

1. Plugin Developement and Testing

Code

• To get started, you'll need JRuby with the Bundler gem installed.

• If you work behind a proxy:

  • add the environment variable export HTTP_PROXY=http://<hostname>:<port>
  • add the environment variable export HTTPS_PROXY=http://<hostname>:<port>

• Create a new plugin or clone and existing from the GitHub logstash-plugins organization. We also provide example plugins.

• Install dependencies

bundle install

Test

• Update your dependencies

bundle install

• Run tests

bundle exec rspec

2. Running your unpublished Plugin in Logstash

2.1 Run in a local Logstash clone

• Edit Logstash Gemfile and add the local plugin path, for example:

gem "logstash-filter-SES", :path => "/your/local/logstash-filter-SES"

• Install plugin

bin/plugin install --no-verify

• Run Logstash with your plugin

bin/logstash -e 'filter {SES {}}'

At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.

2.2 Run in an installed Logstash

You can use the same 2.1 method to run your plugin in an installed Logstash by editing its Gemfile and pointing the :path to your local plugin development directory or you can build the gem and install it using:

• Build your plugin gem

gem build logstash-filter-SES.gemspec

• Install the plugin from the Logstash home

bin/plugin install /your/local/plugin/logstash-filter-SES.gem

• Start Logstash and proceed to test the plugin