fluent-plugin-viaq_docker_audit_log_parser 0.0.3 → 0.0.4

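--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 9a041ae8be29fd0671885a00cf1ed555f3972be2
-data.tar.gz: e55ecd2d98b0f6f8465b8cfeac821660685b183a
+metadata.gz: b66eaf9810fb73e129c5c80d2160a25b84056dcf
+data.tar.gz: ba324dd764f534c2a88f9a9436cc8b447577deeb
 SHA512:
-metadata.gz: 254c499b158f7fd0eb0fb5078a33f4ab1ec42391e22facc3bb0c1d88a2ed1735e90494b39880313cd8d450f82a0929856be6b34ea55db6239295e46df4de3948
-data.tar.gz: b691bc3eaf9b2d00f5ab5eb8a74f2f96819f8021acd9a61381f190b3d6563661a5c503b2cf4c06f2ebe7b418e1d79ea5f0bf60c1fd070a8676daa3badf57478b
+metadata.gz: 4a6928953f720c1a0ed7fd967a592738c7e845dff2423668853b3f3ebf255f863a919615e7f40bc0bfe422327ef41a143bd600cd63b4896612f509258522a80c
+data.tar.gz: '09644a068ce88a790512c501d365f0728bd424c96194b1a1de8c51ff1f9795669fc3c0422e143aa39928ab38ef5cd151cc9b67369ff783ecee22dceae1306e9a'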
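--- a/lib/fluent/plugin/parser_auditd.rb
+++ b/lib/fluent/plugin/parser_viaq_docker_audit.rb
@@ -1,19 +1,19 @@
-require "fluent/plugin/auditd"
+require "fluent/plugin/viaq_docker_audit"
 require 'fluent/parser'
 require 'fluent/time'
 
 module Fluent
-class AuditdParser < Parser
-Plugin.register_parser("auditd", self)
+class ViaqDockerAuditParser < Parser
+Plugin.register_parser("viaq_docker_audit", self)
 
 def configure(conf={})
 super
-@auditd = Auditd.new()
+@audit_parser = ViaqDockerAudit.new()
 end
 
 def parse(text)
 begin
-parsed_line = @auditd.parse_auditd_line text
+parsed_line = @audit_parser.parse_audit_line text
 time = parsed_line.nil? ? Time.now.to_f : DateTime.parse(parsed_line['time']).to_time.to_f
 
 # All other logs than virt-control should be ignored.
@@ -24,10 +24,10 @@ module Fluent
 parsed_line = {"virt-control" => "false"} if parsed_line.nil?
 
 yield time, parsed_line
-rescue Fluent::Auditd::AuditdParserException => e
+rescue Fluent::ViaqDockerAudit::ViaqDockerAuditParserException => e
 log.error e.message
 yield nil, nil
 end
 end
 end
-end
+end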
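Review bot: The `rescue` at the end of `parse` only catches `Fluent::ViaqDockerAudit::ViaqDockerAuditParserException`, so the `DateTime.parse(parsed_line['time'])` call on the context line above it is unprotected: a missing `'time'` key raises `TypeError` and a malformed value raises `ArgumentError`, and either escapes the parser instead of being logged and yielded as `nil, nil` the way the plugin's own error is. Whether `'time'` is always present after `normalize` is decided in viaq_docker_audit.rb, which this hunk does not show; if it is not guaranteed, widening the clause to `rescue Fluent::ViaqDockerAudit::ViaqDockerAuditParserException, ArgumentError, TypeError => e` keeps one bad audit line from failing the whole record. The renamed plugin type in `Plugin.register_parser("viaq_docker_audit", self)` and the renamed require mean existing configurations that select the `auditd` parser stop loading, and no changelog or README entry in this diff records the rename. The body of `parse` between the two hunks (file lines 20-23) is not visible here.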
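--- a/lib/fluent/plugin/auditd.rb
+++ b/lib/fluent/plugin/viaq_docker_audit.rb
@@ -2,9 +2,9 @@ require 'time'
 
 # Parses docker audit log to format that fits Origin Aggregated Logging
 module Fluent
-class Auditd
+class ViaqDockerAudit
 
-class AuditdParserException < StandardError
+class ViaqDockerAuditParserException < StandardError
 end
 
 # Keys as found in raw audit.log messsages
@@ -53,7 +53,7 @@ module Fluent
 # Takes one line from audit.log and returns hash
 # that fits the OAL format.
 # Messages of other types than 'virt_control' are ignored.
-def parse_auditd_line(line)
+def parse_audit_line(line)
 if filter_virt_control(line)
 event = {}
 docker = {}
@@ -62,7 +62,7 @@ module Fluent
 parse_msg(docker, metadata['g2'].split)
 event[IN_EVENT_TYPE] = docker
 else
-raise AuditdParserException, "Couldn't parse message: #{line}"
+raise ViaqDockerAuditParserException, "Couldn't parse message: #{line}"
 end
 return normalize(event)
 end
@@ -149,4 +149,4 @@ module Fluent
 end
 
 end
-end
+end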
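Review bot: The only test of this class, test/test_auditd_parser.rb, is deleted in this release and `test_files: []` in metadata confirms nothing replaces it, so the renamed `parse_audit_line` and its `raise ViaqDockerAuditParserException` branch are no longer exercised; the deleted `test_missing_apostrophe` case would have been a direct port once its class and method references were renamed. Separately, the raise embeds the complete raw line in the message (`"Couldn't parse message: #{line}"`) and the parser plugin logs `e.message` verbatim on every failure, so any unparseable audit record, including whatever its `msg='…'` payload holds, is copied in full into fluentd's own log; bounding it with something like `"Couldn't parse message: #{line[0, 200]}"` or logging the raw line at debug level keeps the error log predictable. File lines 59-61 between the hunks (presumably the match that assigns `metadata`) are not visible, so whether the `else` pairs with `filter_virt_control` or with an inner match cannot be confirmed from here, and the header comment stating that non-virt_control messages are ignored should be checked against that.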
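--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-viaq_docker_audit_log_parser
 version: !ruby/object:Gem::Version
-version: 0.0.3
+version: 0.0.4
 platform: ruby
 authors:
 - Josef Karasek
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-10-10 00:00:00.000000000 Z
+date: 2017-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -73,9 +73,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/fluent/plugin/auditd.rb
-- lib/fluent/plugin/parser_auditd.rb
-- test/test_auditd_parser.rb
+- lib/fluent/plugin/parser_viaq_docker_audit.rb
+- lib/fluent/plugin/viaq_docker_audit.rb
 homepage: https://github.com/viaq/fluent-plugin-viaq_docker_audit_log_parser
 licenses:
 - Apache-2.0
@@ -100,5 +99,4 @@ rubygems_version: 2.6.13
 signing_key:
 specification_version: 4
 summary: Fluentd plugin for parsing atomic-project docker auditd logs
-test_files:
-- test/test_auditd_parser.rb
+test_files: []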
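--- a/test/test_auditd_parser.rb
+++ /dev/null
@@ -1,61 +0,0 @@
-require 'fluent/test'
-require 'fluent/parser'
-require 'json'
-require_relative '../lib/fluent/plugin/auditd'
-
-
-module ParserTest
-include Fluent
-
-class AuditdParserTest < ::Test::Unit::TestCase
-
-def setup()
-@parser = Fluent::Auditd.new()
-end
-
-data('line' => [
-'{
-"type": "VIRT_CONTROL",
-"time": "1505977228.725",
-"pid": "1115",
-"uid": "0",
-"auid": "4294967295",
-"ses": "4294967295",
-"subj": "system_u:system_r:container_runtime_t:s0",
-"msg": {
-"auid": "1000",
-"reason": "api",
-"op": "_ping",
-"user": "jkarasek",
-"exe": "\"/usr/bin/dockerd-current\"",
-"res": "success"
-}
-}', "type=VIRT_CONTROL msg=audit(1506321923.246:470): pid=1182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='reason=api vm-pid=10657 hostname=1235c5a6476b op=resize vm=centos:7 user=origin auid=1000 exe=sleep exe=\"/usr/bin/dockerd-current\" hostname=? addr=? terminal=? res=success'"])
-def test_correct_data(data)
-expected, target = data
-puts JSON.pretty_generate (@parser.parse_auditd_line target)
-# begin
-# expected, target = data
-# target_json = JSON.pretty_generate (@parser.parse_auditd_line target)
-# assert_equal(expected, target_json)
-# rescue Fluent::Auditd::AuditdParserException => e
-# fail(e.message)
-# end
-end
-
-data('line' => ["expecting AuditdParserException", "type=VIRT_CONTROL msg=audit(1505977228.725:3309): pid=1115 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='auid=1000 exe=? reason=api op=_ping vm=? vm-pid=? user=jkarasek hostname=? exe=\"/usr/bin/dockerd-current\" hostname=? addr=? terminal=? res=success"])
-def test_missing_apostrophe(data)
-expected, target = data
-assert_raise Fluent::Auditd::AuditdParserException do
-JSON.pretty_generate (@parser.parse_auditd_line target)
-end
-end
-
-private
-
-def fail(reason)
-assert(false, reason)
-end
-
-end
-end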