
Example 71 with Message

use of org.graylog2.plugin.Message in project graylog2-server by Graylog2.

Class NetFlowCodec, method decodeMessages.

@Nullable
@Override
public Collection<Message> decodeMessages(@Nonnull RawMessage rawMessage) {
    // Decodes one raw NetFlow datagram into zero or more messages. The first payload byte is a
    // marker, not the on-the-wire NetFlow version: PASSTHROUGH_MARKER means an unmodified v5
    // packet follows, ORDERED_V9_MARKER means the v9 variant whose templates travel in the same
    // packet. Anything that cannot be decoded yields null.
    //
    // NOTE(review): the payload comes from an unauthenticated network peer, so every byte read
    // below is attacker-controlled. Only FlowException and InvalidProtocolBufferException are
    // handled here; whether the parsers turn short/truncated reads into FlowException or let a
    // ByteBuf IndexOutOfBoundsException escape to the caller is not visible in this file -- confirm.
    try {
        final ResolvableInetSocketAddress resolvable = rawMessage.getRemoteAddress();
        final InetSocketAddress sender;
        if (resolvable == null) {
            sender = null;
        } else {
            sender = resolvable.getInetSocketAddress();
        }

        final byte[] payload = rawMessage.getPayload();
        // Marker byte plus the two-byte NetFlow version is the least we can interpret.
        if (payload.length < 3) {
            LOG.debug("NetFlow message (source: {}) doesn't even fit the NetFlow version (size: {} bytes)", sender, payload.length);
            return null;
        }

        final ByteBuf buffer = Unpooled.wrappedBuffer(payload);
        final byte marker = buffer.readByte();

        if (marker == PASSTHROUGH_MARKER) {
            final NetFlowV5Packet v5Packet = NetFlowV5Parser.parsePacket(buffer);
            return v5Packet.records()
                    .stream()
                    .map(record -> NetFlowFormatter.toMessage(v5Packet.header(), record, sender))
                    .collect(Collectors.toList());
        }

        if (marker == ORDERED_V9_MARKER) {
            // Our "custom" v9 framing: all templates are carried in the same packet.
            return decodeV9(sender, buffer);
        }

        // Unknown marker: name the input for the operator, then drop the packet.
        final List<RawMessage.SourceNode> sourceNodes = rawMessage.getSourceNodes();
        final RawMessage.SourceNode lastNode = sourceNodes.isEmpty() ? null : sourceNodes.get(sourceNodes.size() - 1);
        final String inputId = lastNode == null ? "<unknown>" : lastNode.inputId;
        LOG.warn("Unsupported NetFlow packet on input {} (source: {})", inputId, sender);
        return null;
    } catch (FlowException e) {
        // NOTE(review): one ERROR line per malformed packet; a peer sending junk can flood the log.
        LOG.error("Error parsing NetFlow packet <{}> received from <{}>", rawMessage.getId(), rawMessage.getRemoteAddress(), e);
        if (LOG.isDebugEnabled()) {
            // Full hex dump of the attacker-controlled bytes, DEBUG only.
            LOG.debug("NetFlow packet hexdump:\n{}", ByteBufUtil.prettyHexDump(Unpooled.wrappedBuffer(rawMessage.getPayload())));
        }
        return null;
    } catch (InvalidProtocolBufferException e) {
        LOG.error("Invalid NetFlowV9 entry found, cannot parse the messages", ExceptionUtils.getRootCause(e));
        return null;
    }
}

Example 72 with Message

use of org.graylog2.plugin.Message in project graylog2-server by Graylog2.

Class Beats2Codec, method parseEvent.

private Message parseEvent(JsonNode event) {
    // Builds one Message from a Beats JSON event. Every value read here was supplied by the
    // remote shipper and is untrusted.
    final String beatsType = event.path("@metadata").path("beat").asText("beat");
    // Prefix for the flattened fields: none when configured that way, else the shipper's beat name.
    final String prefix = noBeatsPrefix ? "" : beatsType;

    final String messageText = event.path("message").asText("-");
    // asText() yields "" when "@timestamp" is absent.
    // NOTE(review): Tools.dateTimeFromString is not visible here -- confirm what it does with an
    // empty or unparseable timestamp.
    final String rawTimestamp = event.path("@timestamp").asText();
    final DateTime timestamp = Tools.dateTimeFromString(rawTimestamp);

    JsonNode shipper = event.path("agent");
    if (shipper.isMissingNode()) {
        // beats < 7.0 put the shipper metadata under "beat"
        shipper = event.path("beat");
    }
    final String source = shipper.path("hostname").asText(BEATS_UNKNOWN);

    final Message result = new Message(messageText, source, timestamp);
    result.addField("beats_type", beatsType);

    // gl2_source_collector is stored without the prefix; it is still a client-supplied value.
    final String collectorId = event.path(Message.FIELD_GL2_SOURCE_COLLECTOR).asText();
    if (!collectorId.isEmpty()) {
        result.addField(Message.FIELD_GL2_SOURCE_COLLECTOR, collectorId);
    }

    // Drop the two fields stored above so they are not copied again under the prefix.
    // This mutates the caller's node.
    if (event.isObject()) {
        final ObjectNode mutable = (ObjectNode) event;
        mutable.remove("message");
        mutable.remove(Message.FIELD_GL2_SOURCE_COLLECTOR);
    }

    // NOTE(review): with an empty prefix every remaining top-level key of the event becomes a
    // message field name; whether addFlattened/Message reject reserved or malformed names is not
    // visible in this file -- confirm.
    addFlattened(result, prefix, event);
    return result;
}

Example 73 with Message

use of org.graylog2.plugin.Message in project graylog2-server by Graylog2.

Class BeatsCodec, method parseGenericBeat.

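private Message parseGenericBeat(Map<String, Object> event) {
    // Builds a Message from a Beats event of a type without a dedicated parser. "message" is
    // removed from the event (mutating the caller's map) and used as the message text; whatever
    // remains is flattened under the "beat" prefix as additional fields. All of it is
    // shipper-supplied and untrusted.
    //
    // Fix: String.valueOf(null) would have stored the literal text "null" as the message when
    // the event carries no "message" key. Fall back to "-", as parseMetricbeat does.
    final Object rawText = event.remove("message");
    final String message = rawText == null ? "-" : String.valueOf(rawText);
    final Message gelfMessage = createMessage(message, event);
    gelfMessage.addField("facility", "genericbeat");
    // Nested maps become single-level keys joined by MAP_KEY_SEPARATOR under "beat".
    final Map<String, Object> flattened = MapUtils.flatten(event, "beat", MAP_KEY_SEPARATOR);
    // Replace '.' in key names with the separator character.
    final Map<String, Object> withoutDots = MapUtils.replaceKeyCharacter(flattened, '.', MAP_KEY_SEPARATOR.charAt(0));
    gelfMessage.addFields(withoutDots);
    return gelfMessage;
}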

Example 74 with Message

use of org.graylog2.plugin.Message in project graylog2-server by Graylog2.

Class BeatsCodec, method parseWinlogbeat.

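/**
 * Builds a Message from a Winlogbeat event. The "message" entry is removed from the event
 * (mutating the caller's map) and used as the message text; the remaining entries are
 * flattened under the "winlogbeat" prefix. All values are shipper-supplied and untrusted.
 * <p>
 * Fix: {@code String.valueOf(null)} would have stored the literal text "null" as the message
 * when the event carries no "message" key; "-" is used instead, as in parseMetricbeat.
 *
 * @see <a href="https://www.elastic.co/guide/en/beats/winlogbeat/1.2/exported-fields.html">Winlogbeat Exported Fields</a>
 */
private Message parseWinlogbeat(Map<String, Object> event) {
    final Object rawText = event.remove("message");
    final String message = rawText == null ? "-" : String.valueOf(rawText);
    final Message gelfMessage = createMessage(message, event);
    gelfMessage.addField("facility", "winlogbeat");
    // Nested maps become single-level keys joined by MAP_KEY_SEPARATOR under "winlogbeat".
    final Map<String, Object> flattened = MapUtils.flatten(event, "winlogbeat", MAP_KEY_SEPARATOR);
    // Replace '.' in key names such as "user.name" with the separator character.
    final Map<String, Object> withoutDots = MapUtils.replaceKeyCharacter(flattened, '.', MAP_KEY_SEPARATOR.charAt(0));
    gelfMessage.addFields(withoutDots);
    return gelfMessage;
}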

Example 75 with Message

use of org.graylog2.plugin.Message in project graylog2-server by Graylog2.

Class BeatsCodec, method parseMetricbeat.

/**
 * Builds a Message from a Metricbeat event. The message text is the placeholder "-" and the
 * entire event is flattened under the "metricbeat" prefix. All values are shipper-supplied
 * and untrusted.
 *
 * @see <a href="https://www.elastic.co/guide/en/beats/metricbeat/5.1/exported-fields.html">Metricbeat Exported Fields</a>
 */
private Message parseMetricbeat(Map<String, Object> event) {
    final Message result = createMessage("-", event);
    result.addField("facility", "metricbeat");
    // Nested maps -> single-level keys joined by MAP_KEY_SEPARATOR under "metricbeat".
    final Map<String, Object> flat = MapUtils.flatten(event, "metricbeat", MAP_KEY_SEPARATOR);
    // Replace '.' in key names such as "cpu.name" with the separator character.
    final char separator = MAP_KEY_SEPARATOR.charAt(0);
    result.addFields(MapUtils.replaceKeyCharacter(flat, '.', separator));
    return result;
}
