
Example 26 with Codec

use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-integrations by Graylog2.

Source: class AWSCodecTest, method testKinesisFlowLogCodec (decodes a Kinesis-wrapped VPC flow-log record and checks the extracted fields).

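@Test
public void testKinesisFlowLogCodec() throws JsonProcessingException {
    // Select the CloudWatch flow-log message type so AWSCodec routes the record to the flow-log codec.
    final HashMap<String, Object> configMap = new HashMap<>();
    configMap.put(AWSCodec.CK_AWS_MESSAGE_TYPE, AWSMessageType.KINESIS_CLOUDWATCH_FLOW_LOGS.toString());
    final Configuration configuration = new Configuration(configMap);
    final AWSCodec codec = new AWSCodec(configuration, AWSTestingUtils.buildTestCodecs());

    // Fixed instant instead of DateTime.now(): the expected timestamp is then stable across runs
    // and a failure message shows a recognisable value.
    final DateTime timestamp = new DateTime(2019, 6, 5, 12, 35, 44, DateTimeZone.UTC);

    // Space-separated VPC flow-log record (AWS v2 layout: version, account-id, interface-id, srcaddr,
    // dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status).
    // srcaddr and dstaddr are deliberately DIFFERENT here: the original record used 172.1.1.2 for
    // both, so a codec that swapped source and destination would still have passed this test — a
    // silent src/dst swap would invert every detection rule built on these fields.
    final String flowLogRecord =
            "2 423432432432 eni-3244234 172.1.1.1 172.1.1.2 80 2264 6 1 52 1559738144 1559738204 ACCEPT OK";
    final KinesisLogEntry kinesisLogEntry =
            KinesisLogEntry.create("a-stream", "log-group", "log-stream", timestamp, flowLogRecord);

    // The codec receives the Kinesis entry as JSON bytes, exactly as the input would hand it over.
    final Message message = codec.decode(new RawMessage(objectMapper.writeValueAsBytes(kinesisLogEntry)));

    // Kinesis envelope fields.
    Assert.assertEquals("log-group", message.getField(AbstractKinesisCodec.FIELD_LOG_GROUP));
    Assert.assertEquals("log-stream", message.getField(AbstractKinesisCodec.FIELD_LOG_STREAM));
    Assert.assertEquals("a-stream", message.getField(AbstractKinesisCodec.FIELD_KINESIS_STREAM));
    Assert.assertEquals(KinesisCloudWatchFlowLogCodec.SOURCE, message.getField("source"));

    // Flow-log fields, in record order.
    Assert.assertEquals("423432432432", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_ACCOUNT_ID));
    Assert.assertEquals("eni-3244234", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_INTERFACE_ID));
    Assert.assertEquals("172.1.1.1", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_SRC_ADDR));
    Assert.assertEquals("172.1.1.2", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_DST_ADDR));
    Assert.assertEquals(80, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_SRC_PORT));
    Assert.assertEquals(2264, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_DST_PORT));
    Assert.assertEquals(6, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_PROTOCOL_NUMBER));
    Assert.assertEquals("TCP", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_PROTOCOL));
    Assert.assertEquals(1L, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_PACKETS));
    Assert.assertEquals(52L, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_BYTES));
    // end (1559738204) - start (1559738144) = 60 seconds.
    Assert.assertEquals(60, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_CAPTURE_WINDOW_DURATION));
    Assert.assertEquals("ACCEPT", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_ACTION));
    Assert.assertEquals("OK", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_LOG_STATUS));
    Assert.assertEquals(true, message.getField(KinesisCloudWatchFlowLogCodec.SOURCE_GROUP_IDENTIFIER));

    // Human-readable summary: "<eni> <action> <proto> <src>:<srcport> -> <dst>:<dstport>".
    Assert.assertEquals("eni-3244234 ACCEPT TCP 172.1.1.1:80 -> 172.1.1.2:2264", message.getField("message"));

    // The message timestamp must be the one carried in the Kinesis entry, not the decode time.
    Assert.assertEquals(timestamp, message.getTimestamp());
}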
Also used : Configuration(org.graylog2.plugin.configuration.Configuration) RawMessage(org.graylog2.plugin.journal.RawMessage) Message(org.graylog2.plugin.Message) HashMap(java.util.HashMap) KinesisLogEntry(org.graylog.integrations.aws.cloudwatch.KinesisLogEntry) RawMessage(org.graylog2.plugin.journal.RawMessage) DateTime(org.joda.time.DateTime) Test(org.junit.Test)

Example 27 with Codec

use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-integrations by Graylog2.

Source: class IpfixAggregatorTest, method dataAndDataTemplate (replays a PCAP of IPFIX/UDP datagrams through the aggregator and codec and counts the resulting messages).

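@Test
public void dataAndDataTemplate() throws IOException {
    final IpfixAggregator ipfixAggregator = new IpfixAggregator();
    final Map<String, Object> configMap = getIxiaConfigmap();
    final Configuration configuration = new Configuration(configMap);
    final IpfixCodec codec = new IpfixCodec(configuration, ipfixAggregator);
    final AtomicInteger messageCount = new AtomicInteger();

    // Deliberately no try/catch around the replay: the original caught IOException and only logged it
    // at DEBUG, so a missing or unreadable fixture surfaced as an opaque "expected 4 but was 0" below.
    // The method already declares IOException; letting it propagate shows the real cause.
    try (InputStream stream = Resources.getResource("data-datatemplate.pcap").openStream()) {
        final Pcap pcap = Pcap.openStream(stream);
        pcap.loop(packet -> {
            if (!packet.hasProtocol(Protocol.UDP)) {
                return true; // keep iterating; only UDP datagrams carry IPFIX in this capture
            }
            final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
            // The aggregator keys template state on the exporter address, so pass the real sender.
            final InetSocketAddress exporter =
                    new InetSocketAddress(udp.getParentPacket().getSourceIP(), udp.getSourcePort());

            final byte[] datagram = new byte[udp.getPayload().getReadableBytes()];
            udp.getPayload().getBytes(datagram);

            // Feed one datagram; a null message means the aggregator is still waiting for a template.
            final CodecAggregator.Result result =
                    ipfixAggregator.addChunk(Unpooled.wrappedBuffer(datagram), exporter);
            final ByteBuf aggregated = result.getMessage();
            if (aggregated == null) {
                return true;
            }
            final byte[] raw = new byte[aggregated.readableBytes()];
            aggregated.getBytes(0, raw);
            final Collection<Message> decoded = codec.decodeMessages(new RawMessage(raw));
            if (decoded != null) {
                messageCount.addAndGet(decoded.size());
            }
            return true;
        });
    }

    // The fixture carries a data template followed by data records that decode to exactly 4 messages.
    assertThat(messageCount.get()).isEqualTo(4L);
}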
Also used : Configuration(org.graylog2.plugin.configuration.Configuration) RawMessage(org.graylog2.plugin.journal.RawMessage) IpfixMessage(org.graylog.integrations.ipfix.IpfixMessage) Message(org.graylog2.plugin.Message) InputStream(java.io.InputStream) InetSocketAddress(java.net.InetSocketAddress) Pcap(io.pkts.Pcap) IOException(java.io.IOException) ByteBuf(io.netty.buffer.ByteBuf) UDPPacket(io.pkts.packet.UDPPacket) CodecAggregator(org.graylog2.plugin.inputs.codecs.CodecAggregator) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) RawMessage(org.graylog2.plugin.journal.RawMessage) Test(org.junit.Test)

Example 28 with Codec

use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-aws by Graylog2.

Source: class CloudTrailCodecTest, method testNoAdditionalEventDataField (a CloudTrail ConsoleLogin event without additionalEventData must not produce an additional_event_data field).

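@Test
public void testNoAdditionalEventDataField() {
    final CloudTrailCodec codec = new CloudTrailCodec(Configuration.EMPTY_CONFIGURATION, new ObjectMapperProvider().get());

    // CloudTrail ConsoleLogin record with NO "additionalEventData" key (the field that normally carries
    // MFAUsed / LoginTo for sign-in events). Everything else mirrors a real console sign-in event.
    final String cloudTrailJson = "{\n"
            + "\"eventVersion\": \"1.05\",\n"
            + "\"userIdentity\": {\n"
            + "\"type\": \"IAMUser\",\n"
            + "\"principalId\": \"AIDAJHGSCCCCBBBBAAAA\",\n"
            + "\"arn\": \"arn:aws:iam::1111122221111:user/some.user\",\n"
            + "\"accountId\": \"1111122221111\",\n"
            + "\"userName\": \"some.user\""
            + "},\n"
            + "\"eventTime\": \"2020-08-19T14:12:28Z\",\n"
            + "\"eventSource\": \"signin.amazonaws.com\",\n"
            + "\"eventName\": \"ConsoleLogin\",\n"
            + "\"awsRegion\": \"us-east-1\",\n"
            + "\"sourceIPAddress\": \"127.0.0.1\",\n"
            + "\"userAgent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36\",\n"
            + "\"requestParameters\": null,\n"
            + "\"responseElements\": {\n"
            + "\"ConsoleLogin\": \"Success\"\n"
            + "},\n"
            + "\"eventID\": \"df38ed44-32d4-43f6-898f-5a55d260a2bb\",\n"
            + "\"eventType\": \"AwsConsoleSignIn\",\n"
            + "\"recipientAccountId\": \"1111122221111\"\n"
            + "}";

    // Encode explicitly as UTF-8 rather than String.getBytes() with the platform default charset;
    // CloudTrail is delivered as UTF-8 JSON, and the test must not depend on the JVM's file.encoding.
    final RawMessage rawMessage = new RawMessage(cloudTrailJson.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    final Message message = codec.decode(rawMessage);

    // Absent input key must map to an absent field, not an empty string or "null".
    assertNull(message.getField("additional_event_data"));
}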
Also used : RawMessage(org.graylog2.plugin.journal.RawMessage) Message(org.graylog2.plugin.Message) RawMessage(org.graylog2.plugin.journal.RawMessage) ObjectMapperProvider(org.graylog2.shared.bindings.providers.ObjectMapperProvider) Test(org.junit.Test)

Example 29 with Codec

use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-aws by Graylog2.

Source: class CloudTrailCodecTest, method testAdditionalEventDataField (a CloudTrail ConsoleLogin event with additionalEventData must expose its entries, including MFAUsed, in the additional_event_data field).

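@Test
public void testAdditionalEventDataField() {
    final CloudTrailCodec codec = new CloudTrailCodec(Configuration.EMPTY_CONFIGURATION, new ObjectMapperProvider().get());

    // CloudTrail ConsoleLogin record WITH an "additionalEventData" object. (The original comment said
    // "message with error code" — there is no errorCode here; the distinguishing part is the
    // additionalEventData block carrying LoginTo / MobileVersion / MFAUsed.)
    final String cloudTrailJson = "{\n"
            + "\"eventVersion\": \"1.05\",\n"
            + "\"userIdentity\": {\n"
            + "\"type\": \"IAMUser\",\n"
            + "\"principalId\": \"AIDAJHGSCCCCBBBBAAAA\",\n"
            + "\"arn\": \"arn:aws:iam::1111122221111:user/some.user\",\n"
            + "\"accountId\": \"1111122221111\",\n"
            + "\"userName\": \"some.user\""
            + "},\n"
            + "\"eventTime\": \"2020-08-19T14:12:28Z\",\n"
            + "\"eventSource\": \"signin.amazonaws.com\",\n"
            + "\"eventName\": \"ConsoleLogin\",\n"
            + "\"awsRegion\": \"us-east-1\",\n"
            + "\"sourceIPAddress\": \"127.0.0.1\",\n"
            + "\"userAgent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36\",\n"
            + "\"requestParameters\": null,\n"
            + "\"responseElements\": {\n"
            + "\"ConsoleLogin\": \"Success\"\n"
            + "},\n"
            + "\"additionalEventData\": {\n"
            + "\"LoginTo\": \"https://console.aws.amazon.com/something\",\n"
            + "\"MobileVersion\": \"No\",\n"
            + "\"MFAUsed\": \"Yes\"\n"
            + "},\n"
            + "\"eventID\": \"df38ed44-32d4-43f6-898f-5a55d260a2bb\",\n"
            + "\"eventType\": \"AwsConsoleSignIn\",\n"
            + "\"recipientAccountId\": \"1111122221111\"\n"
            + "}";

    // Encode explicitly as UTF-8 rather than String.getBytes() with the platform default charset;
    // CloudTrail is delivered as UTF-8 JSON, and the test must not depend on the JVM's file.encoding.
    final RawMessage rawMessage = new RawMessage(cloudTrailJson.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    final Message message = codec.decode(rawMessage);

    // The field is asserted via its String form as "key=value" pairs. MFAUsed is the entry that
    // matters most for detection (non-MFA console logins), so it must survive the decode intact.
    final Object additionalEventData = message.getField("additional_event_data");
    assertNotNull(additionalEventData);
    final String rendered = additionalEventData.toString();
    assertTrue(rendered.contains("MFAUsed=Yes"));
    assertTrue(rendered.contains("MobileVersion=No"));
    assertTrue(rendered.contains("LoginTo=https://console.aws.amazon.com/something"));
}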
Also used : RawMessage(org.graylog2.plugin.journal.RawMessage) Message(org.graylog2.plugin.Message) RawMessage(org.graylog2.plugin.journal.RawMessage) ObjectMapperProvider(org.graylog2.shared.bindings.providers.ObjectMapperProvider) Test(org.junit.Test)
