the class MetaAlertControllerIntegrationTest method shouldAddRemoveAlerts.
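/**
 * Verifies the {@code /add/alert} and {@code /remove/alert} endpoints of the meta alert
 * controller through MockMvc.
 *
 * <p>A meta alert is created holding {@code bro_1} and {@code snort_2}. The test then checks
 * that adding two new alerts reports {@code true}, adding an alert that is already a member
 * reports {@code false}, removing the two added alerts reports {@code true}, and removing an
 * alert that is no longer a member reports {@code false}.
 *
 * @throws Exception if a request cannot be serialized or performed
 */
@Test
public void shouldAddRemoveAlerts() throws Exception {
  MetaAlertCreateRequest metaAlertCreateRequest = new MetaAlertCreateRequest();
  metaAlertCreateRequest.setGroups(Arrays.asList("group_one", "group_two"));
  metaAlertCreateRequest.setAlerts(new ArrayList<>(Arrays.asList(
      new GetRequest("bro_1", "bro", "bro_index_2017.01.01.01"),
      new GetRequest("snort_2", "snort", "snort_index_2017.01.01.01"))));
  MetaAlertCreateResponse metaAlertCreateResponse = metaAlertService.create(metaAlertCreateRequest);
  String metaAlertGuid = metaAlertCreateResponse.getGuid();

  // Alerts that are not yet members are added.
  MetaAlertAddRemoveRequest addRequest = newAddRemoveRequest(metaAlertGuid,
      new GetRequest("bro_2", "bro", "bro_index_2017.01.01.01"),
      new GetRequest("bro_3", "bro", "bro_index_2017.01.01.01"));
  postAlerts("/add/alert", addRequest)
      .andExpect(status().isOk())
      .andExpect(content().string("true"));

  // bro_1 has been a member since creation, so adding it again changes nothing.
  MetaAlertAddRemoveRequest addDuplicateRequest = newAddRemoveRequest(metaAlertGuid,
      new GetRequest("bro_1", "bro"));
  postAlerts("/add/alert", addDuplicateRequest)
      .andExpect(status().isOk())
      .andExpect(content().string("false"));

  // The two alerts added above are members and can be removed.
  MetaAlertAddRemoveRequest removeRequest = newAddRemoveRequest(metaAlertGuid,
      new GetRequest("bro_2", "bro"),
      new GetRequest("bro_3", "bro"));
  postAlerts("/remove/alert", removeRequest)
      .andExpect(status().isOk())
      .andExpect(content().string("true"));

  // bro_2 was just removed, so removing it again changes nothing. The GUID must be set on
  // this request: the earlier version assigned it to addRequest instead, so the endpoint was
  // never pointed at the meta alert under test, and bro_1 (still a member) was not "missing".
  MetaAlertAddRemoveRequest removeMissingRequest = newAddRemoveRequest(metaAlertGuid,
      new GetRequest("bro_2", "bro"));
  postAlerts("/remove/alert", removeMissingRequest)
      .andExpect(status().isOk())
      .andExpect(content().string("false"));
}

/**
 * Builds an add/remove request targeting {@code metaAlertGuid} and carrying {@code alerts}.
 */
private static MetaAlertAddRemoveRequest newAddRemoveRequest(String metaAlertGuid, GetRequest... alerts) {
  MetaAlertAddRemoveRequest request = new MetaAlertAddRemoveRequest();
  request.setMetaAlertGuid(metaAlertGuid);
  request.setAlerts(new ArrayList<>(Arrays.asList(alerts)));
  return request;
}

/**
 * POSTs {@code request} as JSON to {@code metaalertUrl + path}, authenticated with basic auth
 * and carrying a CSRF token, and returns the result for assertions.
 *
 * @throws Exception if the request cannot be serialized or performed
 */
private ResultActions postAlerts(String path, MetaAlertAddRemoveRequest request) throws Exception {
  return this.mockMvc.perform(post(metaalertUrl + path)
      .with(httpBasic(user, password))
      .with(csrf())
      .contentType(MediaType.parseMediaType("application/json;charset=UTF-8"))
      .content(JSONUtils.INSTANCE.toJSON(request, false)));
}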
the class ElasticsearchMetaAlertDao method updateMetaAlertStatus.
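/**
 * Changes the status of a meta alert and propagates the change to its child alerts.
 *
 * <p>When the meta alert becomes {@link MetaAlertStatus#ACTIVE} its GUID is added to every
 * child alert; when it becomes {@link MetaAlertStatus#INACTIVE} its GUID is removed from them.
 * The meta alert and every child alert that actually changed are then written through
 * {@code indexDaoUpdate} in one batch. Nothing is written when the meta alert already has the
 * requested status.
 *
 * @param metaAlertGuid GUID of the meta alert to update
 * @param status the status to set
 * @return {@code true} if the meta alert's status changed, {@code false} if it already had
 *     the requested status
 * @throws IOException if the index cannot be read or written
 */
@Override
public boolean updateMetaAlertStatus(String metaAlertGuid, MetaAlertStatus status) throws IOException {
  Document metaAlert = indexDao.getLatest(metaAlertGuid, METAALERT_TYPE);
  // NOTE(review): as before, an unknown GUID (getLatest returning null) surfaces as a
  // NullPointerException on the next line; callers must pass the GUID of an existing meta alert.
  String currentStatus = (String) metaAlert.getDocument().get(MetaAlertDao.STATUS_FIELD);
  String requestedStatus = status.getStatusString();
  if (requestedStatus.equals(currentStatus)) {
    // Already in the requested status: nothing to write.
    return false;
  }

  Map<Document, Optional<String>> updates = new HashMap<>();
  metaAlert.getDocument().put(MetaAlertDao.STATUS_FIELD, requestedStatus);
  updates.put(metaAlert, Optional.of(index));

  // The child alerts are stored inline under ALERT_FIELD as a list of alert maps; the field
  // is untyped in the document, hence the checked-by-convention cast.
  @SuppressWarnings("unchecked")
  List<Map<String, Object>> currentAlerts =
      (List<Map<String, Object>>) metaAlert.getDocument().get(MetaAlertDao.ALERT_FIELD);
  if (currentAlerts != null) {
    List<GetRequest> getRequests = new ArrayList<>(currentAlerts.size());
    for (Map<String, Object> currentAlert : currentAlerts) {
      getRequests.add(new GetRequest((String) currentAlert.get(GUID), (String) currentAlert.get(SOURCE_TYPE)));
    }
    Iterable<Document> alerts = indexDao.getAllLatest(getRequests);
    for (Document alert : alerts) {
      boolean alertChanged = false;
      if (MetaAlertStatus.ACTIVE.equals(status)) {
        // Becoming active: every child alert must reference this meta alert.
        alertChanged = addMetaAlertToAlert(metaAlert.getGuid(), alert);
      } else if (MetaAlertStatus.INACTIVE.equals(status)) {
        // Becoming inactive: the reference is dropped from every child alert.
        alertChanged = removeMetaAlertFromAlert(metaAlert.getGuid(), alert);
      }
      if (alertChanged) {
        // Child alerts are queued without an explicit index, unlike the meta alert above.
        updates.put(alert, Optional.empty());
      }
    }
  }

  indexDaoUpdate(updates);
  return true;
}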
the class ElasticsearchMetaAlertIntegrationTest method shouldUpdateMetaAlertStatus.
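/**
 * Verifies that updating a meta alert's status rewrites the meta alert document and the
 * {@code metaalerts} field of each child alert, leaves unrelated alerts untouched, and
 * reports {@code false} when the requested status is already set.
 *
 * @throws Exception if indexing or lookup fails
 */
@Test
public void shouldUpdateMetaAlertStatus() throws Exception {
  int numChildAlerts = 25;
  int numUnrelatedAlerts = 25;
  int totalAlerts = numChildAlerts + numUnrelatedAlerts;

  // Load alerts: the first numChildAlerts belong to "meta_alert", the rest are unrelated.
  List<Map<String, Object>> alerts = buildAlerts(totalAlerts);
  List<Map<String, Object>> childAlerts = alerts.subList(0, numChildAlerts);
  List<Map<String, Object>> unrelatedAlerts = alerts.subList(numChildAlerts, totalAlerts);
  for (Map<String, Object> alert : childAlerts) {
    alert.put(METAALERT_FIELD, Collections.singletonList("meta_alert"));
  }
  elasticsearchAdd(alerts, INDEX, SENSOR_NAME);

  // Load metaAlerts
  Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE, Optional.of(childAlerts));
  // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
  elasticsearchAdd(Collections.singletonList(metaAlert), METAALERTS_INDEX, MetaAlertDao.METAALERT_TYPE);

  // Verify load was successful
  List<GetRequest> requests = new ArrayList<>();
  for (int i = 0; i < numChildAlerts; ++i) {
    requests.add(new GetRequest("message_" + i, SENSOR_NAME));
  }
  requests.add(new GetRequest("meta_alert", METAALERT_TYPE));
  findCreatedDocs(requests);

  // Verify status changed to inactive and child alerts no longer reference the meta alert
  Assert.assertTrue(metaDao.updateMetaAlertStatus("meta_alert", MetaAlertStatus.INACTIVE));
  Map<String, Object> expectedMetaAlert = new HashMap<>(metaAlert);
  expectedMetaAlert.put(STATUS_FIELD, MetaAlertStatus.INACTIVE.getStatusString());
  findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
  verifyAlertsAfterStatusChange(childAlerts, unrelatedAlerts, new ArrayList<>());

  // Verify status changed back to active and child alerts reference the meta alert again
  Assert.assertTrue(metaDao.updateMetaAlertStatus("meta_alert", MetaAlertStatus.ACTIVE));
  expectedMetaAlert.put(STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
  findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
  verifyAlertsAfterStatusChange(childAlerts, unrelatedAlerts, Collections.singletonList("meta_alert"));

  // Verify that requesting the current status reports no change and leaves everything as is
  Assert.assertFalse(metaDao.updateMetaAlertStatus("meta_alert", MetaAlertStatus.ACTIVE));
  findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
  verifyAlertsAfterStatusChange(childAlerts, unrelatedAlerts, Collections.singletonList("meta_alert"));
}

/**
 * Checks that every child alert now carries {@code expectedMetaAlerts} in its
 * {@code metaalerts} field and that every unrelated alert is unchanged.
 *
 * <p>Unrelated alert GUIDs continue the child numbering from creation, hence the offset.
 *
 * @throws Exception if a document lookup fails
 */
private void verifyAlertsAfterStatusChange(List<Map<String, Object>> childAlerts,
    List<Map<String, Object>> unrelatedAlerts, List<String> expectedMetaAlerts) throws Exception {
  for (int i = 0; i < childAlerts.size(); ++i) {
    Map<String, Object> expectedAlert = new HashMap<>(childAlerts.get(i));
    expectedAlert.put("metaalerts", expectedMetaAlerts);
    findUpdatedDoc(expectedAlert, "message_" + i, SENSOR_NAME);
  }
  int guidOffset = childAlerts.size();
  for (int i = 0; i < unrelatedAlerts.size(); ++i) {
    Map<String, Object> expectedAlert = new HashMap<>(unrelatedAlerts.get(i));
    findUpdatedDoc(expectedAlert, "message_" + (i + guidOffset), SENSOR_NAME);
  }
}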
the class ElasticsearchMetaAlertIntegrationTest method shouldSearchByNestedAlert.
/**
 * Checks how queries against fields of a nested child alert are resolved: a query restricted
 * to the meta alert index must not match a flattened copy of the child, a query over all
 * indices must return the active meta alert that holds the child (and not the child itself),
 * and a child without an attached meta alert must still be returned on its own.
 *
 * @throws Exception if indexing, mapping or search fails
 */
@Test
public void shouldSearchByNestedAlert() throws Exception {
  // Load alerts; the first two are children of "meta_active", the last two of "meta_inactive".
  List<Map<String, Object>> alerts = buildAlerts(4);
  String[] sourceAddresses = {"192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4"};
  int[] sourcePorts = {8010, 8009, 8008, 8007};
  for (int i = 0; i < alerts.size(); i++) {
    Map<String, Object> alert = alerts.get(i);
    if (i < 2) {
      alert.put(METAALERT_FIELD, Collections.singletonList("meta_active"));
    }
    alert.put("ip_src_addr", sourceAddresses[i]);
    alert.put("ip_src_port", sourcePorts[i]);
  }
  elasticsearchAdd(alerts, INDEX, SENSOR_NAME);

  // Put the nested type into the test index, so that it'll match appropriately
  ((ElasticsearchDao) esDao).getClient().admin().indices().preparePutMapping(INDEX).setType("test_doc").setSource(nestedAlertMapping).get();

  // Load metaAlerts
  Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
  Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.of(Arrays.asList(alerts.get(2), alerts.get(3))));
  // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
  elasticsearchAdd(Arrays.asList(activeMetaAlert, inactiveMetaAlert), METAALERTS_INDEX, MetaAlertDao.METAALERT_TYPE);

  // Verify load was successful
  List<GetRequest> createdDocs = new ArrayList<>();
  for (int i = 0; i < 4; i++) {
    createdDocs.add(new GetRequest("message_" + i, SENSOR_NAME));
  }
  createdDocs.add(new GetRequest("meta_active", METAALERT_TYPE));
  createdDocs.add(new GetRequest("meta_inactive", METAALERT_TYPE));
  findCreatedDocs(createdDocs);

  // Address and port belong to different alerts; the meta alert index alone must not match,
  // because nested alerts shouldn't be flattened.
  SearchResponse searchResponse = metaDao.search(nestedAlertSearchRequest(
      "(ip_src_addr:192.168.1.1 AND ip_src_port:8009) OR (alert.ip_src_addr:192.168.1.1 AND alert.ip_src_port:8009)",
      MetaAlertDao.METAALERT_TYPE, 5));
  Assert.assertEquals(0, searchResponse.getTotal());

  // Query against all indices. Only the single active meta alert should be returned.
  // The child alerts should be hidden.
  searchResponse = metaDao.search(nestedAlertSearchRequest(
      "(ip_src_addr:192.168.1.1 AND ip_src_port:8010) OR (alert.ip_src_addr:192.168.1.1 AND alert.ip_src_port:8010)",
      "*", 5));
  Assert.assertEquals(1, searchResponse.getTotal());
  Assert.assertEquals("meta_active", searchResponse.getResults().get(0).getSource().get("guid"));

  // Query against all indices. The child alert has no actual attached meta alerts, and should
  // be returned on its own.
  searchResponse = metaDao.search(nestedAlertSearchRequest(
      "(ip_src_addr:192.168.1.3 AND ip_src_port:8008) OR (alert.ip_src_addr:192.168.1.3 AND alert.ip_src_port:8008)",
      "*", 1));
  Assert.assertEquals(1, searchResponse.getTotal());
  Assert.assertEquals("message_2", searchResponse.getResults().get(0).getSource().get("guid"));
}

/**
 * Builds a search over a single index pattern, starting at offset 0, returning at most
 * {@code size} hits sorted by GUID.
 */
private static SearchRequest nestedAlertSearchRequest(String query, String index, int size) {
  SortField sortByGuid = new SortField();
  sortByGuid.setField(Constants.GUID);
  SearchRequest request = new SearchRequest();
  request.setQuery(query);
  request.setIndices(Collections.singletonList(index));
  request.setFrom(0);
  request.setSize(size);
  request.setSort(Collections.singletonList(sortByGuid));
  return request;
}
the class ElasticsearchMetaAlertIntegrationTest method shouldGetAllMetaAlertsForAlert.
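/**
 * Verifies that {@code getAllMetaAlertsForAlert} returns every active meta alert holding the
 * alert, paging past the default page size, returns nothing for an alert that belongs to no
 * meta alert, and omits inactive meta alerts.
 *
 * <p>The DAO page size is lowered to 5 for the duration of the test so that the 13 expected
 * results span several pages. It is restored in a {@code finally} block so that a failing
 * assertion cannot leak the reduced page size into later tests sharing the DAO.
 *
 * @throws Exception if indexing or search fails
 */
@Test
public void shouldGetAllMetaAlertsForAlert() throws Exception {
  // Load alerts
  List<Map<String, Object>> alerts = buildAlerts(3);
  elasticsearchAdd(alerts, INDEX, SENSOR_NAME);

  // Load metaAlerts: a batch of active meta alerts holding message_0, one more active meta
  // alert holding message_0 and message_2, and an inactive one with the same two children.
  List<Map<String, Object>> metaAlerts = buildMetaAlerts(12, MetaAlertStatus.ACTIVE, Optional.of(Collections.singletonList(alerts.get(0))));
  metaAlerts.add(buildMetaAlert("meta_active_12", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(2)))));
  metaAlerts.add(buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(2)))));
  // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
  elasticsearchAdd(metaAlerts, METAALERTS_INDEX, MetaAlertDao.METAALERT_TYPE);

  // Verify load was successful
  List<GetRequest> createdDocs = new ArrayList<>(metaAlerts.size() + alerts.size());
  for (Map<String, Object> metaAlert : metaAlerts) {
    createdDocs.add(new GetRequest((String) metaAlert.get(Constants.GUID), METAALERT_TYPE));
  }
  for (Map<String, Object> alert : alerts) {
    createdDocs.add(new GetRequest((String) alert.get(Constants.GUID), SENSOR_NAME));
  }
  findCreatedDocs(createdDocs);

  ElasticsearchMetaAlertDao esMetaDao = (ElasticsearchMetaAlertDao) metaDao;
  int previousPageSize = esMetaDao.getPageSize();
  esMetaDao.setPageSize(5);
  try {
    // Verify searches successfully return more than 10 results
    List<SearchResult> searchResults0 = metaDao.getAllMetaAlertsForAlert("message_0").getResults();
    Assert.assertEquals(13, searchResults0.size());
    Set<Map<String, Object>> resultSet = searchResults0.stream()
        .map(SearchResult::getSource)
        .collect(Collectors.toSet());
    // Include every returned source in the failure message to make a mismatch diagnosable.
    String reason = "Unable to find " + metaAlerts.get(0) + "\n"
        + resultSet.stream().map(Object::toString).collect(Collectors.joining("\n"));
    Assert.assertTrue(reason, resultSet.contains(metaAlerts.get(0)));

    // Verify no meta alerts are returned because message_1 was not added to any
    List<SearchResult> searchResults1 = metaDao.getAllMetaAlertsForAlert("message_1").getResults();
    Assert.assertEquals(0, searchResults1.size());

    // Verify only the meta alert message_2 was added to is returned
    List<SearchResult> searchResults2 = metaDao.getAllMetaAlertsForAlert("message_2").getResults();
    Assert.assertEquals(1, searchResults2.size());
    Assert.assertEquals(metaAlerts.get(12), searchResults2.get(0).getSource());
  } finally {
    esMetaDao.setPageSize(previousPageSize);
  }
}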