class AuditbeatFull < Formula desc "Lightweight Shipper for Audit Data" homepage "https://www.elastic.co/products/beats/auditbeat" url "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.17.4-darwin-x86_64.tar.gz?tap=elastic/homebrew-tap" version "7.17.4" sha256 "ef842a52a573ed658e8109410570f651e9208f2156008afbcf253c6daf35aee5" conflicts_with "auditbeat" conflicts_with "auditbeat-oss" def install ["fields.yml", "ingest", "kibana", "module"].each { |d| libexec.install d if File.exist?(d) } (libexec/"bin").install "auditbeat" (etc/"auditbeat").install "auditbeat.yml" (etc/"auditbeat").install "modules.d" if File.exist?("modules.d") (bin/"auditbeat").write <<~EOS #!/bin/sh exec #{libexec}/bin/auditbeat \ --path.config #{etc}/auditbeat \ --path.data #{var}/lib/auditbeat \ --path.home #{libexec} \ --path.logs #{var}/log/auditbeat \ "$@" EOS end def post_install (var/"lib/auditbeat").mkpath (var/"log/auditbeat").mkpath end plist_options :manual => "auditbeat" def plist; <<~EOS <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>#{plist_name}</string> <key>Program</key> <string>#{opt_bin}/auditbeat</string> <key>RunAtLoad</key> <true/> </dict> </plist> EOS end test do (testpath/"files").mkpath (testpath/"config/auditbeat.yml").write <<~EOS auditbeat.modules: - module: file_integrity paths: - #{testpath}/files output.file: path: "#{testpath}/auditbeat" filename: auditbeat EOS pid = fork do exec "#{bin}/auditbeat", "-path.config", testpath/"config", "-path.data", testpath/"data" end sleep 20 begin touch testpath/"files/touch" sleep 30 s = IO.readlines(testpath/"auditbeat/auditbeat").last(1)[0] assert_match "\"action\":\[\"created\"\]", s realdirpath = File.realdirpath(testpath) assert_match "\"path\":\"#{realdirpath}/files/touch\"", s ensure Process.kill "SIGINT", pid Process.wait pid end end end