
Example 16 with EventWithContext

use of org.graylog.events.event.EventWithContext in project graylog2-server by Graylog2.

From class EventProcessorEngine, method execute.

// TODO: Implement stop/cancel for event processors to make sure we can gracefully shutdown the server
/**
 * Runs the event processor configured by the given event definition once.
 *
 * <p>Resolves the definition, looks up the {@link EventProcessor.Factory} registered for
 * the definition's config type, creates the processor and hands every batch of events it
 * produces to {@code emitEvents}. Executions, wall-clock time (successful runs only),
 * successes and exceptions are recorded through {@code metrics}.
 *
 * @param definitionId id of the event definition to execute
 * @param parameters   processor parameters for this run
 * @throws EventProcessorException if no factory exists for the definition's type (flagged as
 *         permanent), if the processor itself throws one (re-thrown unchanged), or if the
 *         processor throws any other exception (wrapped, flagged as temporary)
 */
public void execute(String definitionId, EventProcessorParameters parameters) throws EventProcessorException {
    final EventDefinition definition = getEventDefinition(definitionId);
    final String processorType = definition.config().type();

    final EventProcessor.Factory factory = eventProcessorFactories.get(processorType);
    if (factory == null) {
        // No processor registered for this type: retrying cannot help, so flag the error as permanent.
        throw new EventProcessorException("Couldn't find event processor factory for type " + processorType, true, definitionId, definition);
    }

    LOG.debug("Executing event processor <{}/{}/{}>", definition.title(), definition.id(), processorType);
    final EventProcessor processor = factory.create(definition);
    final EventConsumer<List<EventWithContext>> consumer = batch -> emitEvents(processor, definition, batch);

    metrics.registerEventProcessor(processor, definitionId);
    try {
        metrics.recordExecutions(processor, definitionId);
        // Timed by hand rather than through a timer metric so that runs which throw do not
        // contribute to the recorded execution time.
        final Stopwatch timer = Stopwatch.createStarted();
        processor.createEvents(eventFactoryProvider.get(), parameters, consumer);
        timer.stop();
        metrics.recordExecutionTime(processor, definitionId, timer.elapsed());
        metrics.recordSuccess(processor, definitionId);
    } catch (EventProcessorException e) {
        metrics.recordException(processor, definitionId);
        // Already carries the processor context, so pass it on untouched.
        throw e;
    } catch (Exception e) {
        metrics.recordException(processor, definitionId);
        LOG.error("Caught an unhandled exception while executing event processor <{}/{}/{}> - Make sure to modify the event processor to throw only EventProcessorExecutionException so we get more context!", processorType, definition.title(), definition.id(), e);
        // The failure cause is unknown, so treat it as temporary (second flag false) and keep the
        // original exception as the cause.
        // NOTE(review): the message embeds definition.toString(); confirm that excludes any
        // secrets held in the config before the message is surfaced to users.
        throw new EventProcessorException("Couldn't create events for: " + definition.toString(), false, definition, e);
    }
}

Example 17 with EventWithContext

use of org.graylog.events.event.EventWithContext in project graylog2-server by Graylog2.

From class EventNotificationHandler, method handleEvents.

/**
 * Schedules one notification job per (notification, event) pair for the given event definition.
 *
 * <p>For every notification configured on the definition the matching job definition and
 * notification DTO are looked up; if either is missing it is logged and that notification is
 * skipped. Events still inside the notification's grace period are skipped too. Each remaining
 * event gets a job trigger with a once schedule whose data is derived from the notification
 * config and the event's DTO. A failure to create a trigger is logged and does not stop the
 * remaining notifications or events from being handled.
 *
 * @param definition        the event definition whose notifications should fire
 * @param eventsWithContext the events (with their triggering context) to notify about
 */
public void handleEvents(EventDefinition definition, List<EventWithContext> eventsWithContext) {
    for (Config notificationRef : definition.notifications()) {
        final String notificationId = notificationRef.notificationId();

        final JobDefinitionDto jobDefinition = jobDefinitionService
                .getByConfigField(Config.FIELD_NOTIFICATION_ID, notificationId)
                .orElse(null);
        if (jobDefinition == null) {
            LOG.error("Couldn't find job definition for notification <{}>", notificationId);
            continue;
        }

        final NotificationDto dto = notificationService.get(notificationId).orElse(null);
        if (dto == null) {
            LOG.error("Couldn't find notification definition for id <{}>", notificationId);
            continue;
        }
        final EventNotificationConfig notificationConfig = dto.config();

        for (EventWithContext eventWithContext : eventsWithContext) {
            final Event event = eventWithContext.event();
            // The grace period suppresses repeated notifications for the same definition/notification.
            if (notificationGracePeriodService.inGracePeriod(definition, notificationId, event)) {
                continue;
            }
            try {
                final JobTriggerDto trigger = jobTriggerService.create(
                        JobTriggerDto.builder()
                                .jobDefinitionId(jobDefinition.id())
                                .schedule(OnceJobSchedule.create())
                                .data(notificationConfig.toJobTriggerData(event.toDto()))
                                .build());
                // TODO: The trigger ID needs to be added to the "triggered_tasks" list of the event
                LOG.debug("Scheduled job <{}> for notification <{}> - event <{}/{}>", trigger.id(), notificationId, event.getId(), event.getMessage());
            } catch (Exception e) {
                // Best effort: one failed trigger must not prevent the other notifications/events.
                LOG.error("Couldn't create job trigger for notification <{}> and event: {}", notificationId, event, e);
            }
        }
    }
}

Example 18 with EventWithContext

use of org.graylog.events.event.EventWithContext in project graylog2-server by Graylog2.

From class EventFieldSpecEngine, method execute.

/**
 * Populates the custom fields declared by an event definition on every event.
 *
 * <p>For each field name in {@code fieldSpec}, every configured {@link FieldValueProvider}
 * is instantiated through the factory registered for its type and asked for the field value
 * of each event; that value is stored on the event under the field name. Providers are run in
 * the order they are listed. A provider type without a registered factory is logged and skipped.
 *
 * @param eventsWithContext events to decorate, together with their triggering context
 * @param fieldSpec         custom field name to field spec, as configured on the definition
 */
public void execute(List<EventWithContext> eventsWithContext, Map<String, EventFieldSpec> fieldSpec) {
    fieldSpec.forEach((fieldName, spec) -> {
        for (final FieldValueProvider.Config providerConfig : spec.providers()) {
            final FieldValueProvider.Factory factory = fieldValueProviders.get(providerConfig.type());
            if (factory == null) {
                LOG.error("Couldn't find field provider factory for type {}", providerConfig.type());
                continue;
            }
            final FieldValueProvider provider = factory.create(providerConfig);
            eventsWithContext.forEach(eventWithContext ->
                    eventWithContext.event().setField(fieldName, provider.get(fieldName, eventWithContext)));
        }
    });
}

Example 19 with EventWithContext

use of org.graylog.events.event.EventWithContext in project graylog2-server by Graylog2.

From class AggregationEventProcessor, method eventsFromAggregationResult.

/**
 * Turns an aggregation search result into one event (plus context message) per matching key result.
 *
 * <p>Key results that do not satisfy the configured conditions are skipped. For every other
 * key result an event is created with the key's timestamp (falling back to the end of the
 * effective query range), the parameters' time range, the source streams and the group-by
 * fields. The context message carries the group-by values, one
 * {@code aggregation_value_<function>[_<field>]} entry per series value and the
 * concatenated {@code aggregation_key}.
 *
 * @param eventFactory factory used to create the events for this event definition
 * @param parameters   processor parameters; their time range is stored on each event
 * @param result       the aggregation result to convert
 * @return the events with their context messages, in key-result order
 */
@VisibleForTesting
ImmutableList<EventWithContext> eventsFromAggregationResult(EventFactory eventFactory, AggregationEventProcessorParameters parameters, AggregationResult result) {
    final ImmutableList.Builder<EventWithContext> results = ImmutableList.builder();
    final Set<String> sourceStreams = buildEventSourceStreams(getStreams(parameters), result.sourceStreams());
    final DateTime rangeEnd = result.effectiveTimerange().to();

    for (final AggregationKeyResult keyResult : result.keyResults()) {
        if (!satisfiesConditions(keyResult)) {
            LOG.debug("Skipping result <{}> because the conditions <{}> don't match", keyResult, config.conditions());
            continue;
        }

        final String keyString = Strings.join(keyResult.key(), '|');
        final String eventMessage = createEventMessageString(keyString, keyResult);
        // Prefer the key result's own timestamp; without one, use the end of the effective query range.
        final DateTime eventTime = keyResult.timestamp().orElse(rangeEnd);

        final Event event = eventFactory.createEvent(eventDefinition, eventTime, eventMessage);
        // TODO: Do we have to set any other event fields here?
        event.setTimerangeStart(parameters.timerange().getFrom());
        event.setTimerangeEnd(parameters.timerange().getTo());
        sourceStreams.forEach(event::addSourceStream);

        // Message fields, first the group-by values (e.g. username=jane) ...
        final Map<String, Object> fields = new HashMap<>();
        for (int i = 0; i < config.groupBy().size(); i++) {
            fields.put(config.groupBy().get(i), keyResult.key().get(i));
        }
        // Group By fields need to be saved on the event so they are available to the subsequent notification events
        final Map<String, String> groupByFields = new HashMap<>();
        fields.forEach((name, value) -> groupByFields.put(name, value.toString()));
        event.setGroupByFields(groupByFields);

        // ... then one entry per series value (e.g. aggregation_value_card_anonid=23) ...
        for (AggregationSeriesValue seriesValue : keyResult.seriesValues()) {
            final String function = seriesValue.series().function().toString().toLowerCase(Locale.ROOT);
            final String fieldName = seriesValue.series().field()
                    .map(field -> String.format(Locale.ROOT, "aggregation_value_%s_%s", function, field))
                    .orElseGet(() -> String.format(Locale.ROOT, "aggregation_value_%s", function));
            fields.put(fieldName, seriesValue.value());
        }

        // ... and finally the concatenated key itself.
        fields.put("aggregation_key", keyString);

        // TODO: Can we find a useful source value?
        final Message message = new Message(eventMessage, "", rangeEnd);
        message.addFields(fields);

        LOG.debug("Creating event {}/{} - {} {} ({})", eventDefinition.title(), eventDefinition.id(), keyResult.key(), seriesString(keyResult), fields);
        results.add(EventWithContext.create(event, message));
    }
    return results.build();
}
