
Support CADF notifications

Change-Id: Iba89fc145b1c4d304bd843dcde9aba1c25774c45
changes/07/442307/2
Simon Pasquier 3 years ago
parent
commit
6dbab5edb7
2 changed files with 62 additions and 32 deletions
  1. +61
    -31
      deployment_scripts/puppet/modules/lma_collector/files/plugins/decoders/notification.lua
  2. +1
    -1
      deployment_scripts/puppet/modules/lma_collector/manifests/elasticsearch.pp

+ 61
- 31
deployment_scripts/puppet/modules/lma_collector/files/plugins/decoders/notification.lua View File

@@ -17,13 +17,6 @@ require "cjson"
local patt = require 'patterns'
local utils = require 'lma_utils'

local msg = {
Timestamp = nil,
Type = "notification",
Payload = nil,
Fields = nil
}

-- Mapping table from event_type prefixes to notification loggers
local logger_map = {
--cinder
@@ -108,35 +101,34 @@ local transform_functions = {

local include_full_notification = read_config("include_full_notification") or false

function process_message ()
local data = read_message("Payload")
local ok, notif = pcall(cjson.decode, data)
if not ok then
return -1, string.format("Failed to parse notification: %s: '%s'", notif, string.sub(data or 'N/A', 1, 64))
end
function process_cadf_event(notif, msg)
local cadf_event = notif.payload

local oslo_version = notif['oslo.version']
if oslo_version then
-- messagingv2 notifications
ok, notif = pcall(cjson.decode, notif['oslo.message'])
if not ok then
return -1, string.format("Failed to parse v%s notification: %s: '%s'", oslo_version, notif, string.sub(data or 'N/A', 1, 64))
end
end
msg.Type = 'audit'
msg.Logger = notif.publisher_id
msg.Severity = utils.label_to_severity_map[notif.priority]
msg.Timestamp = patt.Timestamp:match(cadf_event.eventTime)

if include_full_notification then
msg.Payload = data
else
msg.Payload = utils.safe_json_encode(notif.payload) or '{}'
end
msg.Fields.action = cadf_event.action
-- notif.event_type can be 'http.request' or 'http.response'
msg.Fields.notification_type = notif.event_type
-- cadf_event.eventType can be 'activity', 'monitor', ...
msg.Fields.event_type = cadf_event.eventType
msg.Fields.outcome = cadf_event.outcome
msg.Fields.severity_label = notif.priority
end

msg.Fields = {}
function process_notification(notif, msg)
local openstack_notif = notif.payload

msg.Type = 'notification'
msg.Logger = logger_map[string.match(notif.event_type, '([^.]+)')]
msg.Severity = utils.label_to_severity_map[notif.priority]
msg.Timestamp = patt.Timestamp:match(notif.timestamp)

msg.Fields.publisher, msg.Hostname = string.match(notif.publisher_id, '([^.]+)%.([%w_-]+)')
if notif.payload.host ~= nil then
msg.Hostname = string.match(notif.payload.host, '([%w_-]+)')
if openstack_notif.host ~= nil then
msg.Hostname = string.match(openstack_notif.host, '([%w_-]+)')
end

msg.Fields.event_type = notif.event_type
@@ -144,7 +136,7 @@ function process_message ()
msg.Fields.hostname = msg.Hostname

for k, v in pairs(payload_fields) do
local val = notif.payload[k]
local val = openstack_notif[k]
if val ~= nil then
local name = payload_fields[k] or k
local transform = transform_functions[k]
@@ -155,7 +147,45 @@ function process_message ()
end
end
end
utils.inject_tags(msg)
end

function process_message()
local msg = {Fields={}}
local data = read_message("Payload")
local ok, notif = pcall(cjson.decode, data)
if not ok then
return -1, string.format("Failed to parse notification: %s: '%s'", notif, string.sub(data or 'N/A', 1, 64))
end

local oslo_version = notif['oslo.version']
if oslo_version then
-- messagingv2 notifications
ok, notif = pcall(cjson.decode, notif['oslo.message'])
if not ok then
return -1, string.format("Failed to parse v%s notification: %s: '%s'", oslo_version, notif, string.sub(data or 'N/A', 1, 64))
end
end

if include_full_notification then
msg.Payload = data
else
msg.Payload = utils.safe_json_encode(notif.payload) or '{}'
end

local ok, error_msg
if notif.payload.eventType and notif.payload.eventTime then
-- Payload of CADF event notifications always contain at least
-- eventType and eventTime fields
-- http://docs.openstack.org/developer/pycadf/specification/events.html
ok, error_msg = pcall(process_cadf_event, notif, msg)
else
ok, error_msg = pcall(process_notification, notif, msg)
end

if not ok then
return -1, error_msg
end

utils.inject_tags(msg)
return utils.safe_inject_message(msg)
end
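Review bot: In the new process_message, the CADF test `notif.payload.eventType and notif.payload.eventTime` runs outside any pcall, so a notification whose `payload` is missing or not a table raises a Lua error there instead of returning -1. The same applies to `notif['oslo.version']` when the decoded JSON is not an object. The pcall wrappers around process_cadf_event and process_notification suggest malformed input is meant to be rejected cleanly, and an uncaught error in the decoder is presumably more disruptive than a dropped message, so a single malformed message on the notification bus could interrupt collection of audit events. I would add a guard after the oslo.message decode and before the dispatch, e.g. `if type(notif) ~= 'table' or type(notif.payload) ~= 'table' then return -1, 'Notification without a payload table' end`. The audit branch also stores `patt.Timestamp:match(cadf_event.eventTime)` without checking for a failed match, so it is worth confirming how a nil Timestamp is handled downstream.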

+ 1
- 1
deployment_scripts/puppet/modules/lma_collector/manifests/elasticsearch.pp View File

@@ -37,7 +37,7 @@ class lma_collector::elasticsearch (
config_dir => $lma_collector::params::log_config_dir,
server => $server,
port => $port,
message_matcher => 'Type == \'log\' || Type == \'notification\'',
message_matcher => 'Type == \'log\' || Type == \'notification\' || Type == \'audit\'',
use_buffering => $lma_collector::params::buffering_enabled,
max_buffer_size => $lma_collector::params::buffering_max_buffer_size_for_log,
max_file_size => $lma_collector::params::buffering_max_file_size_for_log,
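Review bot: Adding `Type == 'audit'` to this matcher routes audit events through the same output as logs and notifications, so they share the buffer limits set by `buffering_max_buffer_size_for_log` and `buffering_max_file_size_for_log`. If this output drops or blocks when the buffer fills (not visible here, since the class body continues outside the hunk), a burst of ordinary logs could cost audit records. Consider a dedicated output for audit events, or at least document the coupling above the matcher with a comment such as `# 'audit' (CADF) events share this output's buffer and limits with logs and notifications`. It is also worth confirming that the index these events land in has access and retention settings suitable for audit data.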
