
fix node success logic (#993)

* fix node success logic: only fail node on child failure if parent node has no successful grok
Thibault "bui" Koechlin 3 år sedan
förälder
incheckning
c2fd173d1e
2 ändrade filer med 11 tillägg och 4 borttagningar
  1. 10 3
      pkg/parser/node.go
  2. 1 1
      scripts/func_tests/tests_post-install_4cold-logs.sh

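--- a/pkg/parser/node.go
+++ b/pkg/parser/node.go
@@ -108,6 +108,7 @@ func (n *Node) validate(pctx *UnixParserCtx, ectx EnricherCtx) error {
 
 func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 	var NodeState bool
+	var NodeHasOKGrok bool
 	clog := n.Logger
 
 	clog.Tracef("Event entering node")
@@ -258,6 +259,8 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 		}
 		grok := n.Grok.RunTimeRegexp.Parse(gstr)
 		if len(grok) > 0 {
+			/*tag explicitely that the *current* node had a successful grok pattern. it's important to know success state*/
+			NodeHasOKGrok = true
 			clog.Debugf("+ Grok '%s' returned %d entries to merge in Parsed", groklabel, len(grok))
 			//We managed to grok stuff, merged into parse
 			for k, v := range grok {
@@ -272,7 +275,6 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 		} else {
 			//grok failed, node failed
 			clog.Debugf("+ Grok '%s' didn't return data on '%s'", groklabel, gstr)
-			//clog.Tracef("on '%s'", gstr)
 			NodeState = false
 		}
 
@@ -283,7 +285,6 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 	//Iterate on leafs
 	if len(n.LeavesNodes) > 0 {
 		for _, leaf := range n.LeavesNodes {
-			//clog.Debugf("Processing sub-node %d/%d : %s", idx, len(n.SuccessNodes), leaf.rn)
 			ret, err := leaf.process(p, ctx)
 			if err != nil {
 				clog.Tracef("\tNode (%s) failed : %v", leaf.rn, err)
@@ -299,7 +300,13 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 					break
 				}
 			} else {
-				NodeState = false
+				/*
+					If the parent node has a successful grok pattern, it's state will stay successfull even if one or more chil fails.
+					If the parent node is a skeleton node (no grok pattern), then at least one child must be successful for it to be a success.
+				*/
+				if !NodeHasOKGrok {
+					NodeState = false
+				}
 			}
 		}
 	}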
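Review bot: In the last hunk the new comment says a skeleton node succeeds when at least one child succeeds, but the `else` branch still runs `NodeState = false` for every failing leaf, so the outcome depends on leaf order unless the loop has already stopped. The `break` at the top of that hunk sits inside a nested condition that begins outside the hunk, so presumably a successful child does not always end the loop; in that case a later failing leaf turns an already-successful skeleton node back into a failure, and an event that did match is reported as unparsed to whatever consumes the node result. Consider tracking child success in its own flag and guarding with `if !NodeHasOKGrok && !leafOK { NodeState = false }` (with `leafOK` set in the success branch), or reword the comment to describe the actual last-leaf-wins behaviour. The added comments also carry typos worth fixing while here: `it's state` should be `its state`, plus `successfull`, `chil` and `explicitely`. process() starts and ends outside the visible hunks, so the success branch should be checked against the full function.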

+ 1 - 1
scripts/func_tests/tests_post-install_4cold-logs.sh

@@ -16,7 +16,7 @@ rm  -f ssh-bf.log
 
 
 sync
 sync
 
 
-for i in `seq 1 10` ; do 
+for i in `seq 1 6` ; do 
     echo `LC_ALL=C date '+%b %d %H:%M:%S '`'sd-126005 sshd[12422]: Invalid user netflix from 1.1.1.172 port 35424' >> ssh-bf.log
     echo `LC_ALL=C date '+%b %d %H:%M:%S '`'sd-126005 sshd[12422]: Invalid user netflix from 1.1.1.172 port 35424' >> ssh-bf.log
 done;
 done;