
Example 6 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

The class CEFParserFunctionTest, method evaluate_returns_result_for_valid_CEF_string_with_short_names_if_useFullNames_parameter_is_missing.

@Test
public void evaluate_returns_result_for_valid_CEF_string_with_short_names_if_useFullNames_parameter_is_missing() throws Exception {
    // Only the VALUE argument is supplied; USE_FULL_NAMES is deliberately absent, and the
    // assertions below expect the parser to fall back to the short CEF extension keys.
    final String cefLine = "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com msg=Foobar";
    final Expression valueExpression = new StringExpression(new CommonToken(0), cefLine);
    final Map<String, Expression> args = Collections.singletonMap(CEFParserFunction.VALUE, valueExpression);
    final FunctionArgs fnArgs = new FunctionArgs(function, args);

    // The message itself carries nothing the parser reads here; it only anchors the context.
    final DateTime timestamp = DateTime.parse("2010-07-30T16:03:25Z");
    final EvaluationContext ctx = new EvaluationContext(new Message("__dummy", "__dummy", timestamp));

    final CEFParserResult parsed = function.evaluate(fnArgs, ctx);

    assertNotNull(parsed);
    // CEF header fields
    assertEquals(0, parsed.get("cef_version"));
    assertEquals("vendor", parsed.get("device_vendor"));
    assertEquals("product", parsed.get("device_product"));
    assertEquals("1.0", parsed.get("device_version"));
    assertEquals("id", parsed.get("device_event_class_id"));
    assertEquals("low", parsed.get("severity"));
    // extension fields keep their short keys ("dvc", "msg") when full names are not requested
    assertEquals("example.com", parsed.get("dvc"));
    assertEquals("Foobar", parsed.get("msg"));
}

Example 7 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

The class PipelineInterpreter, method evaluateStage.

/**
 * Runs a single pipeline stage against {@code message}: evaluates every rule condition,
 * executes the actions of the rules that matched, and then decides — based on the stage's
 * match mode — whether later stages of the same pipeline may still run.
 *
 * @param stage               the stage to evaluate
 * @param message             the message being processed
 * @param msgId               identifier used only for log correlation
 * @param result              work list that receives any messages the rules created
 * @param pipelinesToSkip     pipelines whose earlier stage failed its guard; updated here
 * @param interpreterListener receives enter/exit and continue/stop callbacks for the stage
 */
private void evaluateStage(Stage stage, Message message, String msgId, List<Message> result, Set<Pipeline> pipelinesToSkip, InterpreterListener interpreterListener) {
    final Pipeline owner = stage.getPipeline();
    // An earlier stage of this pipeline failed its match guard: nothing more to do here.
    if (pipelinesToSkip.contains(owner)) {
        log.debug("[{}] previous stage result prevents further processing of pipeline `{}`", msgId, owner.name());
        return;
    }

    stage.markExecution();
    interpreterListener.enterStage(stage);
    log.debug("[{}] evaluating rule conditions in stage {}: match {}", msgId, stage.stage(), stage.match());

    // TODO the message should be decorated to allow layering changes and isolate stages
    final EvaluationContext ctx = new EvaluationContext(message);

    final List<Rule> rules = stage.getRules();
    // presumably filled by evaluateRuleCondition with the rules whose condition held — confirm there
    final List<Rule> matchedRules = new ArrayList<>(rules.size());
    // A stage without rules passes both ALL and EITHER, so "any" starts out true when empty.
    boolean anyMatched = rules.isEmpty();
    boolean allMatched = true;

    // Phase 1: rule conditions. The first evaluation error recorded in the context ends the phase.
    for (Rule rule : rules) {
        try {
            final boolean matched = evaluateRuleCondition(rule, message, msgId, owner, ctx, matchedRules, interpreterListener);
            if (matched) {
                anyMatched = true;
            } else {
                allMatched = false;
            }
            if (ctx.hasEvaluationErrors()) {
                // NOTE(review): the whole Message is rendered into this WARN line; keep in mind
                // when deciding what message content is appropriate for the server log.
                log.warn("Error evaluating condition for rule <{}/{}> with message: {} (Error: {})", rule.name(), rule.id(), message, ctx.lastEvaluationError());
                break;
            }
        } catch (Exception e) {
            // Logged for context, then propagated unchanged to the caller.
            log.warn("Error evaluating condition for rule <{}/{}> with message: {} (Error: {})", rule.name(), rule.id(), message, e.getMessage());
            throw e;
        }
    }

    // Phase 2: actions of the matched rules; the first failing rule stops the remaining ones.
    for (Rule rule : matchedRules) {
        final boolean actionsOk = executeRuleActions(rule, message, msgId, owner, ctx, interpreterListener);
        if (actionsOk) {
            continue;
        }
        log.warn("Error evaluating action for rule <{}/{}> with message: {} (Error: {})", rule.name(), rule.id(), message, ctx.lastEvaluationError());
        break;
    }

    // Stage guard: ALL needs every condition to hold, EITHER needs at least one,
    // PASS always proceeds; anything else (including a null match mode) stops the pipeline.
    final boolean proceed;
    if (Stage.Match.PASS == stage.match()) {
        proceed = true;
    } else if (Stage.Match.ALL == stage.match()) {
        proceed = allMatched;
    } else if (Stage.Match.EITHER == stage.match()) {
        proceed = anyMatched;
    } else {
        proceed = false;
    }

    if (proceed) {
        interpreterListener.continuePipelineExecution(owner, stage);
        log.debug("[{}] stage {} for pipeline `{}` required match: {}, ok to proceed with next stage", msgId, stage.stage(), owner.name(), stage.match());
    } else {
        // Remember the failure so later stages of this pipeline are skipped on entry.
        interpreterListener.stopPipelineExecution(owner, stage);
        log.debug("[{}] stage {} for pipeline `{}` required match: {}, NOT ok to proceed with next stage", msgId, stage.stage(), owner.name(), stage.match());
        pipelinesToSkip.add(owner);
    }

    // 4. after each complete stage run, merge the processing changes, stages are isolated from each other
    // TODO message changes become visible immediately for now
    // 4a. hand every message created during this stage to the caller's work list
    Iterables.addAll(result, ctx.createdMessages());
    ctx.clearCreatedMessages();
    interpreterListener.exitStage(stage);
}

Example 8 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

The class CEFParserFunctionTest, method evaluate_returns_null_for_invalid_CEF_string.

@Test
public void evaluate_returns_null_for_invalid_CEF_string() throws Exception {
    // "CEF:0|Foobar" is the invalid sample: it has far fewer header fields than the
    // valid CEF lines used by the other tests in this class.
    final Expression malformed = new StringExpression(new CommonToken(0), "CEF:0|Foobar");
    final Expression shortNames = new BooleanExpression(new CommonToken(0), false);
    final Map<String, Expression> args = ImmutableMap.of(CEFParserFunction.VALUE, malformed, CEFParserFunction.USE_FULL_NAMES, shortNames);
    final FunctionArgs fnArgs = new FunctionArgs(function, args);
    final Message dummy = new Message("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"));

    final CEFParserResult parsed = function.evaluate(fnArgs, new EvaluationContext(dummy));

    // An unparseable value yields no result instead of an exception.
    assertNull(parsed);
}

Example 9 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

The class CEFParserFunctionTest, method evaluate_returns_result_without_message_field.

@Test
public void evaluate_returns_result_without_message_field() throws Exception {
    // The sample carries a "dvc" extension but no "msg" extension, and full names are off.
    final String cefLine = "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com";
    final Expression valueExpression = new StringExpression(new CommonToken(0), cefLine);
    final Expression shortNames = new BooleanExpression(new CommonToken(0), false);
    final Map<String, Expression> args = ImmutableMap.of(CEFParserFunction.VALUE, valueExpression, CEFParserFunction.USE_FULL_NAMES, shortNames);
    final FunctionArgs fnArgs = new FunctionArgs(function, args);

    final DateTime timestamp = DateTime.parse("2010-07-30T16:03:25Z");
    final EvaluationContext ctx = new EvaluationContext(new Message("__dummy", "__dummy", timestamp));

    final CEFParserResult parsed = function.evaluate(fnArgs, ctx);

    assertNotNull(parsed);
    // CEF header fields
    assertEquals(0, parsed.get("cef_version"));
    assertEquals("vendor", parsed.get("device_vendor"));
    assertEquals("product", parsed.get("device_product"));
    assertEquals("1.0", parsed.get("device_version"));
    assertEquals("id", parsed.get("device_event_class_id"));
    assertEquals("low", parsed.get("severity"));
    // the only extension present keeps its short key
    assertEquals("example.com", parsed.get("dvc"));
    // no "message" key must be synthesised when the input had no msg extension
    assertFalse(parsed.containsKey("message"));
}

Example 10 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

The class CEFParserFunctionTest, method evaluate_returns_result_for_valid_CEF_string_with_full_names.

@Test
public void evaluate_returns_result_for_valid_CEF_string_with_full_names() throws Exception {
    // Unlike the sibling tests, this one builds its own function instance with a fresh
    // MetricRegistry instead of relying on a shared one.
    final CEFParserFunction parser = new CEFParserFunction(new MetricRegistry());

    final String cefLine = "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com msg=Foobar";
    final Expression valueExpression = new StringExpression(new CommonToken(0), cefLine);
    // USE_FULL_NAMES = true: extension keys are expected under their long names below.
    final Expression fullNames = new BooleanExpression(new CommonToken(0), true);
    final Map<String, Expression> args = ImmutableMap.of(CEFParserFunction.VALUE, valueExpression, CEFParserFunction.USE_FULL_NAMES, fullNames);
    final FunctionArgs fnArgs = new FunctionArgs(parser, args);

    final DateTime timestamp = DateTime.parse("2010-07-30T16:03:25Z");
    final EvaluationContext ctx = new EvaluationContext(new Message("__dummy", "__dummy", timestamp));

    final CEFParserResult parsed = parser.evaluate(fnArgs, ctx);

    assertNotNull(parsed);
    // CEF header fields are unaffected by the naming mode
    assertEquals(0, parsed.get("cef_version"));
    assertEquals("vendor", parsed.get("device_vendor"));
    assertEquals("product", parsed.get("device_product"));
    assertEquals("1.0", parsed.get("device_version"));
    assertEquals("id", parsed.get("device_event_class_id"));
    assertEquals("low", parsed.get("severity"));
    // extension fields: "dvc" -> "deviceAddress", "msg" -> "message"
    assertEquals("example.com", parsed.get("deviceAddress"));
    assertEquals("Foobar", parsed.get("message"));
}
