
Support CADF notifications

Change-Id: Iba89fc145b1c4d304bd843dcde9aba1c25774c45
changes/07/442307/2
Simon Pasquier 2 years ago
parent
commit
6dbab5edb7

+ 61
- 31
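--- a/deployment_scripts/puppet/modules/lma_collector/files/plugins/decoders/notification.lua
+++ b/deployment_scripts/puppet/modules/lma_collector/files/plugins/decoders/notification.lua
@@ -17,13 +17,6 @@ require "cjson"
 local patt = require 'patterns'
 local utils = require 'lma_utils'
 
-local msg = {
-    Timestamp = nil,
-    Type = "notification",
-    Payload = nil,
-    Fields = nil
-}
-
 -- Mapping table from event_type prefixes to notification loggers
 local logger_map = {
     --cinder
@@ -108,35 +101,34 @@ local transform_functions = {
 
 local include_full_notification = read_config("include_full_notification") or false
 
-function process_message ()
-    local data = read_message("Payload")
-    local ok, notif = pcall(cjson.decode, data)
-    if not ok then
-        return -1, string.format("Failed to parse notification: %s: '%s'", notif, string.sub(data or 'N/A', 1, 64))
-    end
+function process_cadf_event(notif, msg)
+    local cadf_event = notif.payload
 
-    local oslo_version = notif['oslo.version']
-    if oslo_version then
-        -- messagingv2 notifications
-        ok, notif = pcall(cjson.decode, notif['oslo.message'])
-        if not ok then
-            return -1, string.format("Failed to parse v%s notification: %s: '%s'", oslo_version, notif, string.sub(data or 'N/A', 1, 64))
-        end
-    end
+    msg.Type = 'audit'
+    msg.Logger = notif.publisher_id
+    msg.Severity = utils.label_to_severity_map[notif.priority]
+    msg.Timestamp = patt.Timestamp:match(cadf_event.eventTime)
 
-    if include_full_notification then
-        msg.Payload = data
-    else
-        msg.Payload = utils.safe_json_encode(notif.payload) or '{}'
-    end
+    msg.Fields.action = cadf_event.action
+    -- notif.event_type can be 'http.request' or 'http.response'
+    msg.Fields.notification_type = notif.event_type
+    -- cadf_event.eventType can be 'activity', 'monitor', ...
+    msg.Fields.event_type = cadf_event.eventType
+    msg.Fields.outcome = cadf_event.outcome
+    msg.Fields.severity_label = notif.priority
+end
 
-    msg.Fields = {}
+function process_notification(notif, msg)
+    local openstack_notif = notif.payload
+
+    msg.Type = 'notification'
     msg.Logger = logger_map[string.match(notif.event_type, '([^.]+)')]
     msg.Severity = utils.label_to_severity_map[notif.priority]
     msg.Timestamp = patt.Timestamp:match(notif.timestamp)
+
     msg.Fields.publisher, msg.Hostname = string.match(notif.publisher_id, '([^.]+)%.([%w_-]+)')
-    if notif.payload.host ~= nil then
-        msg.Hostname = string.match(notif.payload.host, '([%w_-]+)')
+    if openstack_notif.host ~= nil then
+        msg.Hostname = string.match(openstack_notif.host, '([%w_-]+)')
     end
 
     msg.Fields.event_type = notif.event_type
@@ -144,7 +136,7 @@ function process_message ()
     msg.Fields.hostname = msg.Hostname
 
     for k, v in pairs(payload_fields) do
-        local val = notif.payload[k]
+        local val = openstack_notif[k]
         if val ~= nil then
             local name = payload_fields[k] or k
             local transform = transform_functions[k]
@@ -155,7 +147,45 @@ function process_message ()
             end
         end
     end
-    utils.inject_tags(msg)
+end
 
+function process_message()
+    local msg = {Fields={}}
+    local data = read_message("Payload")
+    local ok, notif = pcall(cjson.decode, data)
+    if not ok then
+        return -1, string.format("Failed to parse notification: %s: '%s'", notif, string.sub(data or 'N/A', 1, 64))
+    end
+
+    local oslo_version = notif['oslo.version']
+    if oslo_version then
+        -- messagingv2 notifications
+        ok, notif = pcall(cjson.decode, notif['oslo.message'])
+        if not ok then
+            return -1, string.format("Failed to parse v%s notification: %s: '%s'", oslo_version, notif, string.sub(data or 'N/A', 1, 64))
+        end
+    end
+
+    if include_full_notification then
+        msg.Payload = data
+    else
+        msg.Payload = utils.safe_json_encode(notif.payload) or '{}'
+    end
+
+    local ok, error_msg
+    if notif.payload.eventType and notif.payload.eventTime then
+        -- Payload of CADF event notifications always contain at least
+        -- eventType and eventTime fields
+        -- http://docs.openstack.org/developer/pycadf/specification/events.html
+        ok, error_msg = pcall(process_cadf_event, notif, msg)
+    else
+        ok, error_msg = pcall(process_notification, notif, msg)
+    end
+
+    if not ok then
+        return -1, error_msg
+    end
+
+    utils.inject_tags(msg)
     return utils.safe_inject_message(msg)
 end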
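Review bot: The CADF detection at new line 176, `if notif.payload.eventType and notif.payload.eventTime then`, runs outside the pcall that guards the two handlers, so a successfully decoded message whose `payload` key is absent or not a table raises an "attempt to index" error from the decoder instead of taking the `return -1, error_msg` path the rest of process_message uses for malformed input. Guarding it, e.g. `local payload = type(notif.payload) == "table" and notif.payload or {}` followed by `if payload.eventType and payload.eventTime then`, keeps bad input on the error-return path; the unguarded `notif.payload` passed to safe_json_encode on line 172 is inherited from the old code, but the new branch adds a second index into it. The classification is a heuristic: any non-CADF notification whose payload happens to carry both keys would be routed to process_cadf_event, which is worth stating in the comment at lines 177-179 if that trade-off is accepted. Separately, `local ok, error_msg` at line 175 redeclares the `ok` introduced at line 155; `local error_msg` followed by `ok, error_msg = pcall(...)` avoids the shadowing that luacheck will report.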

+ 1
- 1
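--- a/deployment_scripts/puppet/modules/lma_collector/manifests/elasticsearch.pp
+++ b/deployment_scripts/puppet/modules/lma_collector/manifests/elasticsearch.pp
@@ -37,7 +37,7 @@ class lma_collector::elasticsearch (
     config_dir        => $lma_collector::params::log_config_dir,
     server            => $server,
     port              => $port,
-    message_matcher   => 'Type == \'log\' || Type  == \'notification\'',
+    message_matcher   => 'Type == \'log\' || Type  == \'notification\' || Type == \'audit\'',
     use_buffering     => $lma_collector::params::buffering_enabled,
     max_buffer_size   => $lma_collector::params::buffering_max_buffer_size_for_log,
     max_file_size     => $lma_collector::params::buffering_max_file_size_for_log,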
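Review bot: The rewritten matcher keeps the inherited double space in `Type  == \'notification\'` while the appended clause uses `Type == \'audit\'` with a single one, so the three clauses are no longer written uniformly. Since the whole line is replaced by this change anyway, normalizing it to `message_matcher   => 'Type == \'log\' || Type == \'notification\' || Type == \'audit\'',` costs nothing and makes the matcher easier to scan when a fourth type is added.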
