Filter plugin to include TCP/UDP services.
 Dependencies

Development

~> 2.0
~> 12.0
~> 3.0

Runtime

>= 0.14.10, < 2
~> 1.3
Project Readme

Fluent::Plugin::PortToService


Overview

Fluentd filter plugin to map TCP/UDP ports to service names. This is useful for parsing firewall logs and similar network-based information, by adding easy-to-read service information into your logs based on TCP/UDP port information. The lookup values are stored in a SQLite database file on the local disk for simplicity and performance.

This package includes a Ruby script that will build the SQLite database based on the local /etc/services file. However, you're free to build the database on your own.

Requirements

fluent-plugin-port_to_service   fluentd      ruby     sqlite3
> 0.0.9                         >= v0.14.0   >= 2.1   >= 1.3.7

Dependency

Before use, install the dependent libraries, namely sqlite3.

# for RHEL/CentOS
$ sudo yum groupinstall "Development Tools"
$ sudo yum install sqlite sqlite-devel

# for Ubuntu/Debian
$ sudo apt-get install build-essential
$ sudo apt-get install sqlite3 libsqlite3-dev

# for MacOS
$ brew install sqlite3

Installation

# for fluentd
$ gem install fluent-plugin-port_to_service

# for td-agent
$ sudo fluent-gem install fluent-plugin-port_to_service

# for td-agent2
$ sudo td-agent-gem install fluent-plugin-port_to_service

After installation, you can use the built-in executable to create a database based on the /etc/services file on the host. The script takes one parameter: the path where you want the database to be created.

$ fluent-plugin-port_to_service_build_db /etc/td-agent/plugin/port_to_service.db

Configuration

<filter **>
  @type port_to_service

  # Required parameters
  path          /etc/td-agent/plugin/port_to_service.db

  # Optional parameters
  port_key      port
  protocol_key  protocol
  service_key   service
</filter>

If the following record is passed in:

{"protocol": "tcp", "port": "22", "foo": "bar"}

The filtered record will be:

{"protocol": "tcp", "port": "22", "service": "ssh", "foo": "bar"}
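The enrichment step described above, as an added example that is not the plugin's own code: a plain Ruby function applying the same port_key / protocol_key / service_key mapping to a record. An in-memory Hash stands in for the SQLite services table (an assumption made so the example runs without the sqlite3 gem), and the pass-through behaviour for missing keys, non-numeric ports and unknown port/protocol pairs is likewise an assumption, chosen so that malformed log fields never abort the filter.

```ruby
# Added example (not the plugin's own code): the enrichment a port_to_service
# filter performs, with an in-memory Hash standing in for the SQLite
# `services` table so this runs without the sqlite3 gem.

# Constructed lookup table: keys are [port, protocol], values are service names.
SERVICES_TABLE = {
  [22, "tcp"]  => "ssh",
  [53, "tcp"]  => "domain",
  [53, "udp"]  => "domain",
  [443, "tcp"] => "https",
}.freeze

# Enrich one record the way the filter configuration describes: read the port
# and protocol keys, look up the service, and add it under service_key.
# Records lacking either key, carrying a non-numeric port, or using an unknown
# port/protocol pair pass through unchanged (assumed behaviour).
def port_to_service(record, table = SERVICES_TABLE,
                    port_key: "port", protocol_key: "protocol", service_key: "service")
  port = record[port_key]
  protocol = record[protocol_key]
  return record if port.nil? || protocol.nil?

  # Firewall logs usually carry the port as a string ("22"); accept either a
  # String or an Integer, but treat the field as untrusted input and reject
  # anything that is not a plain base-10 number.
  port_str = port.to_s
  return record unless port_str.match?(/\A\d+\z/)

  service = table[[port_str.to_i, protocol.to_s.downcase]]
  return record if service.nil?

  # Return a new Hash rather than mutating the caller's record.
  record.merge(service_key => service)
end

if __FILE__ == $PROGRAM_NAME
  p port_to_service({ "protocol" => "tcp", "port" => "22", "foo" => "bar" })
  # => {"protocol"=>"tcp", "port"=>"22", "foo"=>"bar", "service"=>"ssh"}
end
```

The keyword arguments mirror the optional configuration parameters, so a log source that names its fields differently (for example `dport` and `proto`) can be handled by passing the alternative keys.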

SQLite3 Database Setup

The plugin requires a SQLite database to be built. There is a script provided that parses /etc/services and creates the required database with the services. You have to specify one command line parameter, and that is the file path you wish to install the database to.

$ fluent-plugin-port_to_service_build_db /etc/td-agent/plugin/port_to_service.db

Alternatively, you can build your own database. It just needs a single table that must be called services with 3 mandatory columns:

  • port - Integer
  • protocol - Text
  • service - Text

You can also add a primary key, id, but it is not required; it is there only for posterity.

Example:

$ sqlite3 /etc/td-agent/plugin/port_to_service.db
sqlite> CREATE TABLE services(id INTEGER PRIMARY KEY, port INTEGER, protocol TEXT, service TEXT);
sqlite> INSERT INTO services(port, protocol, service) VALUES (22, 'tcp', 'ssh');
...
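The two steps this section describes (parsing /etc/services and loading rows into the services table with the schema shown above), as an added example that is not the plugin's build_db script. The sample input is constructed, the line format handled (comments, blank lines, aliases, a malformed port) is the usual /etc/services layout, and the statements are produced as SQL text plus a separate bind array so that a service name is never spliced into the SQL string; executing them with the sqlite3 gem as `db.execute(sql, binds)` is an assumed usage that is not run here.

```ruby
# Added example (not the plugin's build_db script): parse /etc/services-format
# lines into the (port, protocol, service) rows the plugin's `services` table
# needs, and produce parameterised INSERT statements for them.

# Constructed sample in /etc/services format: comments, blank lines, aliases,
# trailing comments and a malformed entry all occur in real files.
SAMPLE_SERVICES = <<~'TXT'
  # Network services, Internet style
  ssh             22/tcp                          # SSH Remote Login Protocol
  domain          53/tcp
  domain          53/udp
  http            80/tcp          www             # WorldWideWeb HTTP
  https           443/tcp

  bogus           notaport/tcp
TXT

# A "service port/protocol [aliases...]" line. Aliases are ignored; only the
# canonical name is stored, matching the single `service` column.
LINE_RE = /\A(?<service>\S+)\s+(?<port>\d+)\/(?<protocol>[a-z]+)/

# Return an array of [port, protocol, service] rows, skipping comments, blank
# lines and lines that do not match the expected shape.
def parse_services(text)
  rows = []
  text.each_line do |line|
    line = line.sub(/#.*/, "").strip # drop trailing comment
    next if line.empty?
    m = LINE_RE.match(line)
    next unless m
    rows << [m[:port].to_i, m[:protocol], m[:service]]
  end
  rows
end

# Same schema as the README's manual example.
CREATE_SQL = "CREATE TABLE IF NOT EXISTS services(id INTEGER PRIMARY KEY, port INTEGER, protocol TEXT, service TEXT);"
INSERT_SQL = "INSERT INTO services(port, protocol, service) VALUES (?, ?, ?)"

# Bind values stay separate from the SQL text, so nothing read from the
# services file is ever interpolated into a statement. With the sqlite3 gem
# each pair would be run as db.execute(sql, binds) (assumed usage).
def insert_statements(rows)
  rows.map { |row| [INSERT_SQL, row] }
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_services(SAMPLE_SERVICES)
  puts CREATE_SQL
  insert_statements(rows).each { |sql, binds| puts "#{sql}  -- binds: #{binds.inspect}" }
end
```

Because the plugin only reads the first service name on a line, aliases such as `www` are dropped here too; if you need alias lookups you would add one row per alias rather than change the table layout the plugin expects.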

Copyright

Copyright (c) 2019- Chris Pedro

License

The Unlicense