added private_domains functionality

[jaredmcqueen]

I changed the default TLD parsing behavior to ignore private domains. If users want private domains, they can set a new config parameter called private_domains to true.

Tests were added, as was documentation. I haven't tested how the inline documentation will render.

I also got rid of the default example filter text found in the inline documentation.

[jordansissel]

docs live here: https://github.com/logstash-plugins/logstash-filter-tld/blob/master/docs/index.asciidoc

(This is a recent change)

[jaredmcqueen]

ok, not familiar with modifying asciidocs directly - i thought they were auto-generated based on inline comments. I can change these as well.

[jordansissel]

This is an interesting setting. It appears to be a global setting which means the last tld plugin to initialize will win. This impacts users who may have multiple pipelines (coming in Logstash 6.0, iirc) where two pipelines may use a tld filter.

Thoughts?

Maybe we have to modify the upstream library to not use globals.

[jaredmcqueen]

Good catch. I'll modify according to how the author does it here: https://github.com/weppos/publicsuffix-ruby#private-domains

[jordansissel]

I confess to not understanding what this setting enables. From reading the tests, it considers "s3.amazonaws.com" to be a tld? I'm confused.

To ask a more pointed question, how will a user know what this setting does?

[jaredmcqueen]

The vast majority of customers / users just want public TLD parsing - to see the .com, .net, etc. They are always surprised (and confused) when they see a TLD like s3.amazonaws.com because they expect .com, not the whole thing.

Search "===begin private domains===" in the list at https://publicsuffix.org/list/public_suffix_list.dat and take a look for yourself.

for all Machine Learning, cyber security, anomaly detection use cases, customers just want public -- NOT private

[jordansissel]

Thanks for helping improve this plugin :)

I've left some comments on the PR.

[jaredmcqueen]

@jordansissel I updated the filter to disable private domains by default. Users can enable it using the config ignore_private. I updated the asciidocs and tests.

[jordansissel]

I have this PR on my todo list for this week.

[jordansissel]

no need to add Gemfile.lock to the git repo. Can you remove this file?

[jaredmcqueen]

yes, done.

[jordansissel]

This file is still here, according to github?

[jaredmcqueen]

oops.. deleted it. sorry about that.

[jordansissel]

overall LGTM.

I left one comment asking that Gemfile.lock file be removed (or tell me a story why you added it). Once this is resolved, I will merge.

Thank you for working on this :)

[jordansissel]

This PR is failing on Logstash 5.5 branch:

public_suffix-2.0.5 requires ruby version >= 2.0, which is incompatible with the current version, ruby 1.9.3p551 (jruby 1.7.25)

Logstash master (will become 6.0.0) branch is on JRuby 9k (which provides Ruby v2.3 compatibility) is has tests that are passing.

[jaredmcqueen]

ok I'm back. It looks like since the earlier versions of logstash use 1.9.3, we are limited to using a really old version of public_suffix (1.4.6). In 1.4.6, the private / public parsing is all or nothing. You cannot choose to parse private/public on a per-use filter basis.

Still though, the default really should be to ignore the private domains. Submitting my changes, and will wait for Logstash 6.0 branch to use the new and improved public_suffix version that has more control over domain parsing.

[jaredmcqueen]

@jordansissel standing by for your input on this request, let me know if there's anything else you need

[jordansissel]

LGTM

[jaredmcqueen]

any word if this will get pulled? Asking on behalf of a few customers.

[jaredmcqueen]

any update on this? @jordansissel

[jeromekleinen]

I am also interested in using the updated version of this plugin. Any ETA on when this gets merged?

Also, the public_suffix gem has been updated several times since this PR. Any chance this could be included as well?