ready to release 0.4.3

add back in postfix geoip processing
remove the geoip mutate from fail2ban... don't need mapping for geopoint now
2021-11-04 04:01:24 -05:00 · 2021-11-04 03:57:32 -05:00 · 2021-11-04 03:44:27 -05:00
7 changed files with 25 additions and 13 deletions
--- a/5
+++ b/5
@ -1,5 +1,10 @@
 Revision history for Search-ESsearcher

+0.4.3	 2021-11-04/04:00
+		 -Remove mutate from geoip on fail2ban.
+		  This removes the need for mappings in Elasticsearch.
+		 -Add back in GeoIP for Postfix.
+
 0.4.2	 2021-10-21/23:15
 		 - Include logstash examples.
 		 - Update Postfix logstash bits.
--- a/10
+++ b/10
@ -17,6 +17,10 @@ t/manifest.t
 t/pod-coverage.t
 t/pod.t
 bin/essearcher
-logstash/postfix/50-filter-postfix.conf
-logstash/postfix/README.md
-logstash/postfix/postfix.grok
+logstash/patterns.d/postfix.grok
+logstash/conf.d/50-filter-postfix.conf
+logstash/conf.d/syslog.conf
+logstash/conf.d/rsyslog.conf
+logstash/conf.d/beats.conf
+logstash/conf.d/51-filter-postfix-aggregate.conf.off
+logstash/README.md
--- a/lib/Search/ESsearcher.pm
+++ b/lib/Search/ESsearcher.pm
@ -17,11 +17,11 @@ Search::ESsearcher - Provides a handy system for doing templated elasticsearch s

 =head1 VERSION

-Version 0.4.2
+Version 0.4.3

 =cut

-our $VERSION = '0.4.2';
+our $VERSION = '0.4.3';


 =head1 SYNOPSIS
--- a/lib/Search/ESsearcher/Templates/bf2b.pm
+++ b/lib/Search/ESsearcher/Templates/bf2b.pm
@ -10,11 +10,11 @@ Search::ESsearcher::Templates::sfail2ban - Provicdes support for fail2ban logs s

 =head1 VERSION

-Version 0.0.1
+Version 0.0.2

 =cut

-our $VERSION = '0.0.1';
+our $VERSION = '0.0.2';

 =head1 LOGSTASH

@ -38,9 +38,6 @@ This uses a logstash configuration like below.
                geoip {
                        source => "clientip"
                }
-                mutate {
-                        convert => [ "[geoip][coordinates]", "float" ]
-                }
        }
    }
    
--- a/logstash/README.md
+++ b/logstash/README.md
@ -13,3 +13,5 @@ These come from
 51-filter-postfix-aggregate.conf is set to off by default as in
 testing I found it to be buggy. It will often times result in lines
 being skipped.
+
+This one does have GeoIP processing though.
--- a/logstash/conf.d/50-filter-postfix.conf
+++ b/logstash/conf.d/50-filter-postfix.conf
@ -262,5 +262,12 @@ filter {
            "postfix_postscreen_violation_time", "float"
        ]
    }
+
+    # add geoip for postfix
+    if [program] =~ /.*postfix.*/ {
+        geoip {
+            source => "postfix_client_ip"
+        }
+    }
 }

--- a/logstash/conf.d/beats.conf
+++ b/logstash/conf.d/beats.conf
@ -28,9 +28,6 @@ an_status} %{IP:clientip}"
                geoip {
                        source => "clientip"
                }
-                mutate {
-                        convert => [ "[geoip][coordinates]", "float" ]
-                }
    }

    if [fields][log] == "apache-access" {
Author	SHA1	Message	Date
Zane C. B-H	feb144fdfe	ready to release 0.4.3	2021-11-04 04:01:24 -05:00
Zane C. B-H	48e360c825	add back in postfix geoip processing	2021-11-04 03:57:32 -05:00
Zane C. B-H	5c596e54cc	remove the geoip mutate from fail2ban... don't need mapping for geopoint now	2021-11-04 03:44:27 -05:00