fluent-plugin-elastic-log 0.2.0 → 0.4.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6ef4e2a586f566d7b309ef59d3c754bbccaffe6ba545eb31a4715683403f67af
4
- data.tar.gz: fd5f957963bb03ca6bc4c2f456c8cf3c9053f35a53cadb2594280bc5899858c1
3
+ metadata.gz: '089f4560a3510e19726b2236b1085bfd9d2bcc751ef9fbdb3200385348eb2505'
4
+ data.tar.gz: 0b09fcff0fd33999c05a55191a766161ebf09464fc130a4ab80271352ec896e0
5
5
  SHA512:
6
- metadata.gz: 482176de12204c607485f80d2234106e20c6d618f8bd6c04155105ff335a20e8d04c71778e9e3bc1382e3efbacda46b2aa1c95fbc2521cebe061503970cdecab
7
- data.tar.gz: f1a408614e789248cc1486ca9af9a11c3c8a66502c2bfbd3fe655e9dcd60f66bfbf3853082f99f78b368b39dfe15d67ae223b3a4574b1fdd8018e4651e1e3944
6
+ metadata.gz: 93fbd475a195e8cd124160cbbf3ffb76f77023e4926bae097e533398950b27a68d99e9d13515b872963b6541f753941041b2b9a09a5c195cbbffc7d2cad1f095
7
+ data.tar.gz: 608e7042c5ec2facaf5a5ae58fc9cd718ff2aa010dcfee4a12e785e22ce685100571389e97107f16f1cf144d7e6d2b01d93390b36ad58243963e69a07ec17cc5
data/.rubocop.yml CHANGED
@@ -10,9 +10,17 @@ Metrics/BlockLength:
10
10
  - fluent-plugin-elastic-log.gemspec
11
11
  - test/**/*.rb
12
12
 
13
+ Metrics/ClassLength:
14
+ Exclude:
15
+ - test/**/*.rb
16
+
13
17
  Metrics/MethodLength:
14
18
  Max: 20
15
19
 
20
+ Metrics/ParameterLists:
21
+ Exclude:
22
+ - test/helper.rb
23
+
16
24
  Naming/MethodParameterName:
17
25
  Exclude:
18
26
  - lib/fluent/plugin/out_elastic_audit_log_metric.rb
@@ -5,7 +5,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
5
5
 
6
6
  Gem::Specification.new do |spec|
7
7
  spec.name = 'fluent-plugin-elastic-log'
8
- spec.version = '0.2.0'
8
+ spec.version = '0.4.0'
9
9
  spec.authors = ['Thomas Tych']
10
10
  spec.email = ['thomas.tych@gmail.com']
11
11
 
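--- /dev/null
+++ b/data/lib/fluent/plugin/elastic_log/audit_log_to_metric_processor.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require_relative 'granted_privileges_metric'
+
+module Fluent
+module Plugin
+module ElasticLog
+# convert audit log event stream to metric event stream
+class AuditLogToMetricProcessor
+attr_reader :conf
+
+def initialize(conf:)
+@conf = conf
+end
+
+def process(_tag, log_es)
+metric_es = MultiEventStream.new
+
+log_es.each do |time, record|
+next unless record
+next unless (category = record[conf.category_key])
+next unless conf.categories.include? category
+
+new_records = send("generate_#{category.downcase}_metrics_for", record)
+new_records.each { |new_record| metric_es.add(time, new_record) }
+end
+metric_es
+end
+
+private
+
+# rubocop:disable Metrics/AbcSize
+def generate_granted_privileges_metrics_for(record)
+return unless record[conf.privilege_key]
+
+GrantedPrivilegesMetric.new(
+record: {
+timestamp: record[conf.timestamp_key],
+privilege: record[conf.privilege_key],
+user: record[conf.user_key],
+cluster: record[conf.cluster_key],
+indices: record[conf.indices_key],
+r_indices: record[conf.r_indices_key],
+layer: record[conf.layer_key],
+request_type: record[conf.request_type_key]
+},
+conf: conf
+).generate_metrics
+end
+# rubocop:enable Metrics/AbcSize
+end
+end
+end
+end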
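Review bot: `process` raises NoMethodError on a record that has no privilege field, because `generate_granted_privileges_metrics_for` returns nil from its `return unless record[conf.privilege_key]` guard and the following line calls `new_records.each` with no nil check; the output's old `process` guarded this case with `if metric_es`. Either have the generator return `[]` or write `Array(new_records).each { |new_record| metric_es.add(time, new_record) }`. The file also depends on its caller having loaded `fluent/event` for `MultiEventStream`; a `require 'fluent/event'` next to the existing `require_relative` keeps the class loadable on its own. Since `send` dispatches on a category read from the log record, the `conf.categories.include?` check above it is what bounds that dispatch (configure in out_elastic_audit_log_metric.rb appears to strip unsupported categories), and a comment such as `# categories is filtered in configure, so only the known generate_*_metrics_for methods are reachable` would keep a later change from loosening it.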
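--- a/data/lib/fluent/plugin/elastic_log/granted_privileges_metric.rb
+++ b/data/lib/fluent/plugin/elastic_log/granted_privileges_metric.rb
@@ -3,8 +3,6 @@
 require 'set'
 require 'time'
 
-require 'fluent/event'
-
 module Fluent
 module Plugin
 module ElasticLog
@@ -21,50 +19,51 @@ module Fluent
 # data/write/* => write
 # monitor/* => monitor
 PRIVILEGE_MAP = {
-"cluster:admin/" => 'admin_query',
-"cluster:monitor/" => 'monitor_query',
-"indices:admin/" => 'admin_query',
-"indices:data/read/" => 'read_query',
-"indices:data/write/" => 'write_query',
-"indices:monitor/" => 'monitor_query'
+'cluster:admin/' => 'admin',
+'cluster:monitor/' => 'monitor',
+'indices:admin/delete' => 'destroy',
+'indices:admin/' => 'admin',
+'indices:data/read/' => 'read',
+'indices:data/write/delete' => 'delete',
+'indices:data/write/' => 'write',
+'indices:monitor/' => 'monitor'
 }.freeze
 
 ILM_PATTERN = /^(.*)-\d{6}$/.freeze
 
-attr_reader :time, :record, :conf
+attr_reader :record, :conf
 
-def initialize(time:, record:, conf:)
-@time = time
+def initialize(record:, conf:)
 @record = record
 @conf = conf
 end
 
 def timestamp
-begin
-timestamp = Time.parse(record[:timestamp])
-rescue StandardError
-timestamp = time.to_time
-end
+timestamp = Time.parse(record[:timestamp])
 
-return timestamp.utc.strftime('%s%3N') if conf.timestamp_format == :epochmillis
+return (timestamp.utc.to_f * 1000).to_i if conf.timestamp_format == :epochmillis
+return timestamp.utc.strftime('%s%3N') if conf.timestamp_format == :epochmillis_str
 
 timestamp.utc.iso8601(3)
+rescue StandardError
+nil
 end
 
-def metric_name
+def query_type
 PRIVILEGE_MAP.each do |pattern, name|
-return "#{name}_count" if record[:privilege].to_s.start_with?(pattern)
+return name if record[:privilege].to_s.start_with?(pattern)
 end
-"unknown_count"
+'unknown'
 end
 
 def base
 {
 'timestamp' => timestamp,
-'metric_name' => metric_name,
+'metric_name' => 'query_count',
 'metric_value' => 1,
-'tags_user' => record[:user],
-'tags_cluster' => record[:cluster]
+"#{conf.prefix}user" => record[:user],
+"#{conf.prefix}cluster" => record[:cluster],
+"#{conf.prefix}query_type" => query_type
 }
 end
 
@@ -72,19 +71,19 @@ module Fluent
 indices = record[:r_indices] || record[:indices] || [nil]
 if conf.aggregate_ilm
 indices = indices.inject(Set.new) do |acc, index|
-aggregated_format = index[ILM_PATTERN, 1]
+aggregated_format = index && index[ILM_PATTERN, 1]
 acc << (aggregated_format || index)
 end.to_a
 end
 indices
 end
 
-def generate_event_stream
-metric_es = MultiEventStream.new
+def generate_metrics
+metrics = []
 indices.each do |indice|
-metric_es.add(time, base.merge(tags_technical_name: indice))
+metrics << base.merge("#{conf.prefix}technical_name" => indice)
 end
-metric_es
+metrics
 end
 end
 end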
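Review bot: The new `:epochmillis` branch in `timestamp`, `(timestamp.utc.to_f * 1000).to_i`, goes through a Float and can truncate to one millisecond below the true value for present-day epoch seconds, whereas the `%s%3N` form it replaced is exact; `(timestamp.to_r * 1000).to_i` keeps the integer result without the rounding. The method-level `rescue StandardError` that replaced the `begin` block now also covers the `conf.timestamp_format` comparisons and the formatting calls, so a misconfiguration or a NoMethodError is silently turned into a nil `'timestamp'` in `base`; `rescue ArgumentError, TypeError` is enough for an unparseable or missing `record[:timestamp]`, which is what the fallback is for. Because `query_type` takes the first matching prefix, the new `PRIVILEGE_MAP` classifies deletes correctly only because `'indices:admin/delete'` and `'indices:data/write/delete'` are listed before their broader prefixes, and a comment such as `# order matters: more specific prefixes first, query_type takes the first match` would protect that ordering. The comment block above the map, whose start is outside the hunk, still lists `data/write/* => write` and appears not to mention the new delete/destroy entries.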
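--- a/data/lib/fluent/plugin/out_elastic_audit_log_metric.rb
+++ b/data/lib/fluent/plugin/out_elastic_audit_log_metric.rb
@@ -16,7 +16,9 @@
 # limitations under the License.
 
 require 'fluent/plugin/output'
-require 'fluent/plugin/elastic_log/granted_privileges_metric'
+require 'fluent/event'
+
+require_relative 'elastic_log/audit_log_to_metric_processor'
 
 module Fluent
 module Plugin
@@ -42,16 +44,7 @@ module Fluent
 DEFAULT_R_INDICES_KEY = 'audit_trace_resolved_indices'
 DEFAULT_TIMESTAMP_KEY = '@timestamp'
 DEFAULT_PRIVILEGE_KEY = 'audit_request_privilege'
-
-# REQUEST PRIVILEGE:
-# cluster:
-# admin/* => admin
-# monitor/* => monitor
-# indices:
-# admin/* => admin
-# data/read/* => read
-# data/write/* => write
-# monitor/* => monitor
+DEFAULT_PREFIX = ''
 
 desc 'Tag to emit metric events on'
 config_param :tag, :string, default: nil
@@ -78,11 +71,14 @@ module Fluent
 config_param :privilege_key, :string, default: DEFAULT_PRIVILEGE_KEY
 
 desc 'Timestamp format'
-config_param :timestamp_format, :enum, list: %i[iso epochmillis], default: :iso
-
+config_param :timestamp_format, :enum, list: %i[iso epochmillis epochmillis_str], default: :iso
+desc 'Attribute prefix'
+config_param :prefix, :string, default: DEFAULT_PREFIX
 desc 'Aggregate ILM'
 config_param :aggregate_ilm, :bool, default: true
 
+attr_reader :metric_processor
+
 def configure(conf)
 super
 raise Fluent::ConfigError, "#{NAME}: tag is mandatory" if !tag || tag.to_s.empty?
@@ -95,6 +91,8 @@ module Fluent
 @categories = categories - unsupported_categories
 end
 
+@metric_processor = ElasticLog::AuditLogToMetricProcessor.new(conf: self)
+
 true
 end
 
@@ -110,42 +108,9 @@ module Fluent
 end
 
 def process(_tag, es)
-es.each do |time, record|
-next unless record
-next unless (category = record[category_key])
-next unless ALLOWED_CATEGORIES.include? category
-
-event_time = Fluent::EventTime.from_time(time)
-metric_es = send("generate_#{category.downcase}_metrics_for", event_time, record)
-router.emit_stream(tag, metric_es) if metric_es
-end
-end
-
-# es = Fluent::MultiEventStream.new
-# router.emit_stream(tag, es)
-
-private
-
-# rubocop:disable Metrics/AbcSize
-def generate_granted_privileges_metrics_for(time, record)
-return unless record[privilege_key]
-
-Fluent::Plugin::ElasticLog::GrantedPrivilegesMetric.new(
-time: time,
-record: {
-timestamp: record[timestamp_key],
-privilege: record[privilege_key],
-user: record[user_key],
-cluster: record[cluster_key],
-indices: record[indices_key],
-r_indices: record[r_indices_key],
-layer: record[layer_key],
-request_type: record[request_type_key]
-},
-conf: self
-).generate_event_stream
+metrics = metric_processor.process(tag, es) || []
+router.emit_stream(tag, metrics) if metrics
 end
-# rubocop:enable Metrics/AbcSize
 end
 end
 end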
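Review bot: In the new `process`, the `|| []` fallback and the trailing `if metrics` guard cannot take effect: `AuditLogToMetricProcessor#process` always returns a MultiEventStream, after `|| []` the value is never nil, and the `[]` it would substitute is an Array rather than an event stream for `router.emit_stream`. What the old `if metric_es` guard avoided was emitting when nothing was generated, so `metrics = metric_processor.process(tag, es)` followed by `router.emit_stream(tag, metrics) unless metrics.empty?` states that intent and skips empty streams. The `REQUEST PRIVILEGE` comment block removed in the second hunk was the only place in this file describing the privilege-to-query_type mapping, and neither the new `delete`/`destroy` types nor what the `prefix` option is applied to is documented; a desc such as `desc 'Prefix for the user/cluster/query_type/technical_name attributes'` on the `prefix` param would tell operators what it changes.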
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-elastic-log
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Thomas Tych
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-06-08 00:00:00.000000000 Z
11
+ date: 2023-06-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bump
@@ -162,6 +162,7 @@ files:
162
162
  - README.md
163
163
  - Rakefile
164
164
  - fluent-plugin-elastic-log.gemspec
165
+ - lib/fluent/plugin/elastic_log/audit_log_to_metric_processor.rb
165
166
  - lib/fluent/plugin/elastic_log/granted_privileges_metric.rb
166
167
  - lib/fluent/plugin/out_elastic_audit_log_metric.rb
167
168
  homepage: https://gitlab.com/ttych/fluent-plugin-elastic-log