Search in sources :

Example 11 with Messages

use of org.graylog2.indexer.messages.Messages in project graylog2-server by Graylog2.

the class PipelineInterpreterTest method testCreateMessage.

@Test
public void testCreateMessage() {
    final RuleService ruleService = mock(MongoDbRuleService.class);
    when(ruleService.loadAll()).thenReturn(Collections.singleton(RuleDao.create("abc", "title", "description", "rule \"creates message\"\n" + "when to_string($message.message) == \"original message\"\n" + "then\n" + "  create_message(\"derived message\");\n" + "end", Tools.nowUTC(), null)));
    final PipelineService pipelineService = mock(MongoDbPipelineService.class);
    when(pipelineService.loadAll()).thenReturn(Collections.singleton(PipelineDao.create("p1", "title", "description", "pipeline \"pipeline\"\n" + "stage 0 match all\n" + "    rule \"creates message\";\n" + "end\n", Tools.nowUTC(), null)));
    final Map<String, Function<?>> functions = ImmutableMap.of(CreateMessage.NAME, new CreateMessage(), StringConversion.NAME, new StringConversion());
    final PipelineInterpreter interpreter = createPipelineInterpreter(ruleService, pipelineService, functions);
    Message msg = messageInDefaultStream("original message", "test");
    final Messages processed = interpreter.process(msg);
    final Message[] messages = Iterables.toArray(processed, Message.class);
    assertEquals(2, messages.length);
}
Also used : Function(org.graylog.plugins.pipelineprocessor.ast.functions.Function) Messages(org.graylog2.plugin.Messages) PipelineService(org.graylog.plugins.pipelineprocessor.db.PipelineService) MongoDbPipelineService(org.graylog.plugins.pipelineprocessor.db.mongodb.MongoDbPipelineService) InMemoryPipelineService(org.graylog.plugins.pipelineprocessor.db.memory.InMemoryPipelineService) CreateMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CreateMessage) DropMessage(org.graylog.plugins.pipelineprocessor.functions.messages.DropMessage) Message(org.graylog2.plugin.Message) RuleService(org.graylog.plugins.pipelineprocessor.db.RuleService) MongoDbRuleService(org.graylog.plugins.pipelineprocessor.db.mongodb.MongoDbRuleService) InMemoryRuleService(org.graylog.plugins.pipelineprocessor.db.memory.InMemoryRuleService) CreateMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CreateMessage) StringConversion(org.graylog.plugins.pipelineprocessor.functions.conversion.StringConversion) Test(org.junit.Test)

Example 12 with Messages

use of org.graylog2.indexer.messages.Messages in project graylog2-server by Graylog2.

the class V20190304102700_MigrateMessageListStructureTest method testMigratingViewStructure.

@Test
@MongoDBFixtures("V20190304102700_MigrateMessageListStructureTest.json")
public void testMigratingViewStructure() {
    final BasicDBObject dbQuery1 = new BasicDBObject();
    dbQuery1.put("_id", new ObjectId("58458e442f857c314491344e"));
    final MongoCollection<Document> collection = mongodb.mongoConnection().getMongoDatabase().getCollection("views");
    migration.upgrade();
    final FindIterable<Document> views = collection.find(dbQuery1);
    final Document view1 = views.first();
    @SuppressWarnings("unchecked") final List<Document> widgets1 = (List) view1.get("state", Document.class).get("a2a804b7-27cf-4cac-8015-58d9a9640d33", Document.class).get("widgets");
    assertThat(widgets1.size()).isEqualTo(2);
    assertThat(widgets1.stream().filter(widget -> widget.getString("type").equals("messages")).count()).isEqualTo(1);
    assertThat(widgets1.stream().filter(widget -> widget.getString("type").equals("messages")).allMatch((widget) -> {
        final Document config = widget.get("config", Document.class);
        @SuppressWarnings("unchecked") final List<String> fields = (List) config.get("fields");
        final boolean startWithTimestamp = fields.get(0).contains("timestamp");
        final boolean showMessageRow = config.getBoolean("show_message_row");
        return startWithTimestamp && showMessageRow;
    })).isTrue();
    final BasicDBObject dbQuery2 = new BasicDBObject();
    dbQuery2.put("_id", new ObjectId("58458e442f857c314491344f"));
    final FindIterable<Document> views2 = collection.find(dbQuery2);
    final Document view2 = views2.first();
    final Document states = view2.get("state", Document.class);
    assertThat(states.values().size()).isEqualTo(13);
    assertThat(states.keySet()).containsExactly("7c042319-530a-41b9-9dbb-9676fb1da1a4", "9e5144be-a445-4289-a4cc-0f55142524bc", "c13b2482-60e7-4b1e-98c9-0df8d6da8230", "5adc9297-dfc8-4fd9-b422-cbb097715a62", "ade8c853-503c-407f-b125-efbe2d368973", "cc2bf983-b398-4295-bf01-1c10ed1a97e1", "64feccae-9447-40ef-a401-79a7972078a2", "7c7e04c6-f9f0-495c-91cc-865f60687f8c", "eeaa8838-616f-40c0-88c0-1059ac64f37e", "91c6f8c9-024c-48ec-a869-90548fad218a", "955a71f2-673a-4e1c-a99f-ef97b1b4ae71", "343ff7b6-4554-49d4-bc0b-1339fdc5dac0", "7a84d053-e40a-48c1-a433-97521f7ce7ef");
    states.values().forEach(state -> {
        @SuppressWarnings("unchecked") final List<Document> widgets2 = (List) ((Document) state).get("widgets");
        assertThat(widgets2.stream().filter(widget -> widget.getString("type").equals("messages")).count()).isGreaterThan(0);
        widgets2.stream().filter(widget -> widget.getString("type").equals("messages")).forEach((widget) -> {
            final Document config = widget.get("config", Document.class);
            @SuppressWarnings("unchecked") final List<String> fields = (List) config.get("fields");
            final boolean startWithTimestamp = fields.get(0).contains("timestamp");
            final boolean showMessageRow = config.getBoolean("show_message_row");
            assertThat(startWithTimestamp).isTrue();
            assertThat(showMessageRow).isTrue();
        });
    });
}
Also used : Document(org.bson.Document) MongoCollection(com.mongodb.client.MongoCollection) Mock(org.mockito.Mock) ZonedDateTime(java.time.ZonedDateTime) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) BasicDBObject(com.mongodb.BasicDBObject) Test(org.junit.Test) List(java.util.List) Rule(org.junit.Rule) ClusterConfigService(org.graylog2.plugin.cluster.ClusterConfigService) FindIterable(com.mongodb.client.FindIterable) MongoDBInstance(org.graylog.testing.mongodb.MongoDBInstance) ObjectId(org.bson.types.ObjectId) MockitoJUnit(org.mockito.junit.MockitoJUnit) Migration(org.graylog2.migrations.Migration) MockitoRule(org.mockito.junit.MockitoRule) MongoDBFixtures(org.graylog.testing.mongodb.MongoDBFixtures) Before(org.junit.Before) BasicDBObject(com.mongodb.BasicDBObject) ObjectId(org.bson.types.ObjectId) List(java.util.List) Document(org.bson.Document) MongoDBFixtures(org.graylog.testing.mongodb.MongoDBFixtures) Test(org.junit.Test)

Example 13 with Messages

use of org.graylog2.indexer.messages.Messages in project graylog2-server by Graylog2.

the class NetFlowCodec method decodeMessages.

@Nullable
@Override
public Collection<Message> decodeMessages(@Nonnull RawMessage rawMessage) {
    try {
        final ResolvableInetSocketAddress remoteAddress = rawMessage.getRemoteAddress();
        final InetSocketAddress sender = remoteAddress != null ? remoteAddress.getInetSocketAddress() : null;
        final byte[] payload = rawMessage.getPayload();
        if (payload.length < 3) {
            LOG.debug("NetFlow message (source: {}) doesn't even fit the NetFlow version (size: {} bytes)", sender, payload.length);
            return null;
        }
        final ByteBuf buffer = Unpooled.wrappedBuffer(payload);
        switch(buffer.readByte()) {
            case PASSTHROUGH_MARKER:
                final NetFlowV5Packet netFlowV5Packet = NetFlowV5Parser.parsePacket(buffer);
                return netFlowV5Packet.records().stream().map(record -> NetFlowFormatter.toMessage(netFlowV5Packet.header(), record, sender)).collect(Collectors.toList());
            case ORDERED_V9_MARKER:
                // our "custom" netflow v9 that has all the templates in the same packet
                return decodeV9(sender, buffer);
            default:
                final List<RawMessage.SourceNode> sourceNodes = rawMessage.getSourceNodes();
                final RawMessage.SourceNode sourceNode = sourceNodes.isEmpty() ? null : sourceNodes.get(sourceNodes.size() - 1);
                final String inputId = sourceNode == null ? "<unknown>" : sourceNode.inputId;
                LOG.warn("Unsupported NetFlow packet on input {} (source: {})", inputId, sender);
                return null;
        }
    } catch (FlowException e) {
        LOG.error("Error parsing NetFlow packet <{}> received from <{}>", rawMessage.getId(), rawMessage.getRemoteAddress(), e);
        if (LOG.isDebugEnabled()) {
            LOG.debug("NetFlow packet hexdump:\n{}", ByteBufUtil.prettyHexDump(Unpooled.wrappedBuffer(rawMessage.getPayload())));
        }
        return null;
    } catch (InvalidProtocolBufferException e) {
        LOG.error("Invalid NetFlowV9 entry found, cannot parse the messages", ExceptionUtils.getRootCause(e));
        return null;
    }
}
Also used : Configuration(org.graylog2.plugin.configuration.Configuration) TextField(org.graylog2.plugin.configuration.fields.TextField) NetFlowV5Packet(org.graylog.plugins.netflow.v5.NetFlowV5Packet) NetFlowV9OptionTemplate(org.graylog.plugins.netflow.v9.NetFlowV9OptionTemplate) LoggerFactory(org.slf4j.LoggerFactory) Unpooled(io.netty.buffer.Unpooled) NettyTransport(org.graylog2.plugin.inputs.transports.NettyTransport) Assisted(com.google.inject.assistedinject.Assisted) Inject(javax.inject.Inject) ResolvableInetSocketAddress(org.graylog2.plugin.ResolvableInetSocketAddress) NetFlowFormatter(org.graylog.plugins.netflow.flows.NetFlowFormatter) ByteBuf(io.netty.buffer.ByteBuf) NetFlowV9Journal(org.graylog.plugins.netflow.v9.NetFlowV9Journal) Map(java.util.Map) RawMessage(org.graylog2.plugin.journal.RawMessage) NetFlowV9FieldTypeRegistry(org.graylog.plugins.netflow.v9.NetFlowV9FieldTypeRegistry) NetFlowV9Packet(org.graylog.plugins.netflow.v9.NetFlowV9Packet) CodecAggregator(org.graylog2.plugin.inputs.codecs.CodecAggregator) Codec(org.graylog2.plugin.inputs.annotations.Codec) Nonnull(javax.annotation.Nonnull) Nullable(javax.annotation.Nullable) ConfigurationRequest(org.graylog2.plugin.configuration.ConfigurationRequest) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException) ConfigurationField(org.graylog2.plugin.configuration.fields.ConfigurationField) ExceptionUtils(org.graylog2.shared.utilities.ExceptionUtils) Logger(org.slf4j.Logger) MultiMessageCodec(org.graylog2.plugin.inputs.codecs.MultiMessageCodec) Collection(java.util.Collection) FactoryClass(org.graylog2.plugin.inputs.annotations.FactoryClass) IOException(java.io.IOException) FileInputStream(java.io.FileInputStream) Maps(com.google.common.collect.Maps) NetFlowV5Parser(org.graylog.plugins.netflow.v5.NetFlowV5Parser) InetSocketAddress(java.net.InetSocketAddress) Collectors(java.util.stream.Collectors) FlowException(org.graylog.plugins.netflow.flows.FlowException) NetFlowV9Template(org.graylog.plugins.netflow.v9.NetFlowV9Template) ByteBufUtil(io.netty.buffer.ByteBufUtil) List(java.util.List) ConfigClass(org.graylog2.plugin.inputs.annotations.ConfigClass) NetFlowV9Record(org.graylog.plugins.netflow.v9.NetFlowV9Record) NetFlowV9Parser(org.graylog.plugins.netflow.v9.NetFlowV9Parser) AbstractCodec(org.graylog2.plugin.inputs.codecs.AbstractCodec) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Message(org.graylog2.plugin.Message) InputStream(java.io.InputStream) ResolvableInetSocketAddress(org.graylog2.plugin.ResolvableInetSocketAddress) InetSocketAddress(java.net.InetSocketAddress) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException) ByteBuf(io.netty.buffer.ByteBuf) ResolvableInetSocketAddress(org.graylog2.plugin.ResolvableInetSocketAddress) FlowException(org.graylog.plugins.netflow.flows.FlowException) NetFlowV5Packet(org.graylog.plugins.netflow.v5.NetFlowV5Packet) RawMessage(org.graylog2.plugin.journal.RawMessage) Nullable(javax.annotation.Nullable)

Example 14 with Messages

use of org.graylog2.indexer.messages.Messages in project graylog2-server by Graylog2.

the class PipelineInterpreter method process.

/**
 * Evaluates all pipelines that apply to the given messages, based on the current stream routing
 * of the messages.
 *
 * The processing loops on each single message (passed in or created by pipelines) until the set
 * of streams does not change anymore. No cycle detection is performed.
 *
 * @param messages            the messages to process through the pipelines
 * @param interpreterListener a listener which gets called for each processing stage (e.g. to
 *                            trace execution)
 * @param state               the pipeline/stage/rule/stream connection state to use during
 *                            processing
 * @return the processed messages
 */
public Messages process(Messages messages, InterpreterListener interpreterListener, State state) {
    interpreterListener.startProcessing();
    // message id + stream id
    final Set<Tuple2<String, String>> processingBlacklist = Sets.newHashSet();
    final List<Message> toProcess = Lists.newArrayList(messages);
    final List<Message> fullyProcessed = Lists.newArrayListWithExpectedSize(toProcess.size());
    while (!toProcess.isEmpty()) {
        final MessageCollection currentSet = new MessageCollection(toProcess);
        // we'll add them back below
        toProcess.clear();
        for (Message message : currentSet) {
            final String msgId = message.getId();
            // this makes a copy of the list, which is mutated later in updateStreamBlacklist
            // it serves as a worklist, to keep track of which <msg, stream> tuples need to be re-run again
            final Set<String> initialStreamIds = message.getStreams().stream().map(Stream::getId).collect(Collectors.toSet());
            final ImmutableSet<Pipeline> pipelinesToRun = selectPipelines(interpreterListener, processingBlacklist, message, initialStreamIds, state.getStreamPipelineConnections());
            toProcess.addAll(processForResolvedPipelines(message, msgId, pipelinesToRun, interpreterListener, state));
            // add each processed message-stream combination to the blacklist set and figure out if the processing
            // has added a stream to the message, in which case we need to cycle and determine whether to process
            // its pipeline connections, too
            boolean addedStreams = updateStreamBlacklist(processingBlacklist, message, initialStreamIds);
            potentiallyDropFilteredMessage(message);
            // go to 1 and iterate over all messages again until no more streams are being assigned
            if (!addedStreams || message.getFilterOut()) {
                log.debug("[{}] no new streams matches or dropped message, not running again", msgId);
                fullyProcessed.add(message);
            } else {
                // process again, we've added a stream
                log.debug("[{}] new streams assigned, running again for those streams", msgId);
                toProcess.add(message);
            }
        }
    }
    interpreterListener.finishProcessing();
    // 7. return the processed messages
    return new MessageCollection(fullyProcessed);
}
Also used : MessageCollection(org.graylog2.plugin.MessageCollection) Message(org.graylog2.plugin.Message) Tuple2(org.jooq.lambda.tuple.Tuple2) Pipeline(org.graylog.plugins.pipelineprocessor.ast.Pipeline)

Example 15 with Messages

use of org.graylog2.indexer.messages.Messages in project graylog2-server by Graylog2.

the class LoggersResource method messages.

@GET
@Timed
@ApiOperation(value = "Get recent internal log messages")
@ApiResponses(value = { @ApiResponse(code = 404, message = "Memory appender is disabled."), @ApiResponse(code = 500, message = "Memory appender is broken.") })
@Path("/messages/recent")
@Produces(MediaType.APPLICATION_JSON)
@RequiresPermissions(RestPermissions.LOGGERSMESSAGES_READ)
public LogMessagesSummary messages(@ApiParam(name = "limit", value = "How many log messages should be returned", defaultValue = "500", allowableValues = "range[0, infinity]") @QueryParam("limit") @DefaultValue("500") @Min(0L) int limit, @ApiParam(name = "level", value = "Which log level (or higher) should the messages have", defaultValue = "ALL", allowableValues = "[OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL]") @QueryParam("level") @DefaultValue("ALL") @NotEmpty String level) {
    final Appender appender = getAppender(MEMORY_APPENDER_NAME);
    if (appender == null) {
        throw new NotFoundException("Memory appender is disabled. Please refer to the example log4j.xml file.");
    }
    if (!(appender instanceof MemoryAppender)) {
        throw new InternalServerErrorException("Memory appender is not an instance of MemoryAppender. Please refer to the example log4j.xml file.");
    }
    final Level logLevel = Level.toLevel(level, Level.ALL);
    final MemoryAppender memoryAppender = (MemoryAppender) appender;
    final List<InternalLogMessage> messages = new ArrayList<>(limit);
    for (LogEvent event : memoryAppender.getLogMessages(limit)) {
        final Level eventLevel = event.getLevel();
        if (!eventLevel.isMoreSpecificThan(logLevel)) {
            continue;
        }
        final ThrowableProxy thrownProxy = event.getThrownProxy();
        final String throwable;
        if (thrownProxy == null) {
            throwable = null;
        } else {
            throwable = thrownProxy.getExtendedStackTraceAsString("");
        }
        final Marker marker = event.getMarker();
        messages.add(InternalLogMessage.create(event.getMessage().getFormattedMessage(), event.getLoggerName(), eventLevel.toString(), marker == null ? null : marker.toString(), new DateTime(event.getTimeMillis(), DateTimeZone.UTC), throwable, event.getThreadName(), event.getContextData().toMap()));
    }
    return LogMessagesSummary.create(messages);
}
Also used : Appender(org.apache.logging.log4j.core.Appender) MemoryAppender(org.graylog2.log4j.MemoryAppender) MemoryAppender(org.graylog2.log4j.MemoryAppender) LogEvent(org.apache.logging.log4j.core.LogEvent) ArrayList(java.util.ArrayList) NotFoundException(javax.ws.rs.NotFoundException) Marker(org.apache.logging.log4j.Marker) ThrowableProxy(org.apache.logging.log4j.core.impl.ThrowableProxy) DateTime(org.joda.time.DateTime) InternalLogMessage(org.graylog2.rest.models.system.loggers.responses.InternalLogMessage) InternalServerErrorException(javax.ws.rs.InternalServerErrorException) Level(org.apache.logging.log4j.Level) Path(javax.ws.rs.Path) RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions) Produces(javax.ws.rs.Produces) Timed(com.codahale.metrics.annotation.Timed) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Aggregations

Message (org.graylog2.plugin.Message)41 Test (org.junit.Test)31 DateTime (org.joda.time.DateTime)17 Map (java.util.Map)15 ApiOperation (io.swagger.annotations.ApiOperation)14 Produces (javax.ws.rs.Produces)14 Timed (com.codahale.metrics.annotation.Timed)13 ApiResponses (io.swagger.annotations.ApiResponses)12 Messages (org.graylog2.plugin.Messages)12 List (java.util.List)11 GET (javax.ws.rs.GET)11 AbsoluteRange (org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange)11 ResultMessage (org.graylog2.indexer.results.ResultMessage)10 TimeRange (org.graylog2.plugin.indexer.searches.timeranges.TimeRange)10 ArrayList (java.util.ArrayList)9 Collectors (java.util.stream.Collectors)9 ResultMessageSummary (org.graylog2.rest.models.messages.responses.ResultMessageSummary)9 ImmutableMap (com.google.common.collect.ImmutableMap)8 IOException (java.io.IOException)8 Inject (javax.inject.Inject)8