use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-integrations by Graylog2.
the class AWSCodecTest method testKinesisFlowLogCodec.
@Test
public void testKinesisFlowLogCodec() throws JsonProcessingException {
final HashMap<String, Object> configMap = new HashMap<>();
configMap.put(AWSCodec.CK_AWS_MESSAGE_TYPE, AWSMessageType.KINESIS_CLOUDWATCH_FLOW_LOGS.toString());
final Configuration configuration = new Configuration(configMap);
final AWSCodec codec = new AWSCodec(configuration, AWSTestingUtils.buildTestCodecs());
DateTime timestamp = DateTime.now(DateTimeZone.UTC);
KinesisLogEntry kinesisLogEntry = KinesisLogEntry.create("a-stream", "log-group", "log-stream", timestamp, "2 423432432432 eni-3244234 172.1.1.2 172.1.1.2 80 2264 6 1 52 1559738144 1559738204 ACCEPT OK");
Message message = codec.decode(new RawMessage(objectMapper.writeValueAsBytes(kinesisLogEntry)));
Assert.assertEquals("log-group", message.getField(AbstractKinesisCodec.FIELD_LOG_GROUP));
Assert.assertEquals("log-stream", message.getField(AbstractKinesisCodec.FIELD_LOG_STREAM));
Assert.assertEquals("a-stream", message.getField(AbstractKinesisCodec.FIELD_KINESIS_STREAM));
Assert.assertEquals(6, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_PROTOCOL_NUMBER));
Assert.assertEquals("172.1.1.2", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_SRC_ADDR));
Assert.assertEquals(KinesisCloudWatchFlowLogCodec.SOURCE, message.getField("source"));
Assert.assertEquals("eni-3244234 ACCEPT TCP 172.1.1.2:80 -> 172.1.1.2:2264", message.getField("message"));
Assert.assertEquals(1L, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_PACKETS));
Assert.assertEquals(80, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_SRC_PORT));
Assert.assertEquals(60, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_CAPTURE_WINDOW_DURATION));
Assert.assertEquals("TCP", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_PROTOCOL));
Assert.assertEquals("423432432432", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_ACCOUNT_ID));
Assert.assertEquals("eni-3244234", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_INTERFACE_ID));
Assert.assertEquals("OK", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_LOG_STATUS));
Assert.assertEquals(52L, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_BYTES));
Assert.assertEquals(true, message.getField(KinesisCloudWatchFlowLogCodec.SOURCE_GROUP_IDENTIFIER));
Assert.assertEquals("172.1.1.2", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_DST_ADDR));
Assert.assertEquals(2264, message.getField(KinesisCloudWatchFlowLogCodec.FIELD_DST_PORT));
Assert.assertEquals("ACCEPT", message.getField(KinesisCloudWatchFlowLogCodec.FIELD_ACTION));
Assert.assertEquals(timestamp, message.getTimestamp());
}
use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-integrations by Graylog2.
the class IpfixAggregatorTest method dataAndDataTemplate.
@Test
public void dataAndDataTemplate() throws IOException {
final IpfixAggregator ipfixAggregator = new IpfixAggregator();
final Map<String, Object> configMap = getIxiaConfigmap();
final Configuration configuration = new Configuration(configMap);
final IpfixCodec codec = new IpfixCodec(configuration, ipfixAggregator);
AtomicInteger messageCount = new AtomicInteger();
try (InputStream stream = Resources.getResource("data-datatemplate.pcap").openStream()) {
final Pcap pcap = Pcap.openStream(stream);
pcap.loop(packet -> {
if (packet.hasProtocol(Protocol.UDP)) {
final UDPPacket udp = (UDPPacket) packet.getPacket(Protocol.UDP);
final InetSocketAddress source = new InetSocketAddress(udp.getParentPacket().getSourceIP(), udp.getSourcePort());
byte[] payload = new byte[udp.getPayload().getReadableBytes()];
udp.getPayload().getBytes(payload);
final ByteBuf buf = Unpooled.wrappedBuffer(payload);
final CodecAggregator.Result result = ipfixAggregator.addChunk(buf, source);
final ByteBuf ipfixRawBuf = result.getMessage();
if (ipfixRawBuf != null) {
byte[] bytes = new byte[ipfixRawBuf.readableBytes()];
ipfixRawBuf.getBytes(0, bytes);
final Collection<Message> messages = codec.decodeMessages(new RawMessage(bytes));
if (messages != null) {
messageCount.addAndGet(messages.size());
}
}
}
return true;
});
} catch (IOException e) {
LOG.debug("Cannot process PCAP stream", e);
}
assertThat(messageCount.get()).isEqualTo(4L);
}
use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-aws by Graylog2.
the class CloudTrailCodecTest method testNoAdditionalEventDataField.
@Test
public void testNoAdditionalEventDataField() {
final CloudTrailCodec codec = new CloudTrailCodec(Configuration.EMPTY_CONFIGURATION, new ObjectMapperProvider().get());
final RawMessage rawMessage = new RawMessage(("{\n" + "\"eventVersion\": \"1.05\",\n" + "\"userIdentity\": {\n" + "\"type\": \"IAMUser\",\n" + "\"principalId\": \"AIDAJHGSCCCCBBBBAAAA\",\n" + "\"arn\": \"arn:aws:iam::1111122221111:user/some.user\",\n" + "\"accountId\": \"1111122221111\",\n" + "\"userName\": \"some.user\"" + "},\n" + "\"eventTime\": \"2020-08-19T14:12:28Z\",\n" + "\"eventSource\": \"signin.amazonaws.com\",\n" + "\"eventName\": \"ConsoleLogin\",\n" + "\"awsRegion\": \"us-east-1\",\n" + "\"sourceIPAddress\": \"127.0.0.1\",\n" + "\"userAgent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36\",\n" + "\"requestParameters\": null,\n" + "\"responseElements\": {\n" + "\"ConsoleLogin\": \"Success\"\n" + "},\n" + "\"eventID\": \"df38ed44-32d4-43f6-898f-5a55d260a2bb\",\n" + "\"eventType\": \"AwsConsoleSignIn\",\n" + "\"recipientAccountId\": \"1111122221111\"\n" + "}").getBytes());
Message message = codec.decode(rawMessage);
assertNull(message.getField("additional_event_data"));
}
use of org.graylog2.plugin.inputs.annotations.Codec in project graylog-plugin-aws by Graylog2.
the class CloudTrailCodecTest method testAdditionalEventDataField.
@Test
public void testAdditionalEventDataField() {
final CloudTrailCodec codec = new CloudTrailCodec(Configuration.EMPTY_CONFIGURATION, new ObjectMapperProvider().get());
// Decode message with error code
final RawMessage rawMessage = new RawMessage(("{\n" + "\"eventVersion\": \"1.05\",\n" + "\"userIdentity\": {\n" + "\"type\": \"IAMUser\",\n" + "\"principalId\": \"AIDAJHGSCCCCBBBBAAAA\",\n" + "\"arn\": \"arn:aws:iam::1111122221111:user/some.user\",\n" + "\"accountId\": \"1111122221111\",\n" + "\"userName\": \"some.user\"" + "},\n" + "\"eventTime\": \"2020-08-19T14:12:28Z\",\n" + "\"eventSource\": \"signin.amazonaws.com\",\n" + "\"eventName\": \"ConsoleLogin\",\n" + "\"awsRegion\": \"us-east-1\",\n" + "\"sourceIPAddress\": \"127.0.0.1\",\n" + "\"userAgent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36\",\n" + "\"requestParameters\": null,\n" + "\"responseElements\": {\n" + "\"ConsoleLogin\": \"Success\"\n" + "},\n" + "\"additionalEventData\": {\n" + "\"LoginTo\": \"https://console.aws.amazon.com/something\",\n" + "\"MobileVersion\": \"No\",\n" + "\"MFAUsed\": \"Yes\"\n" + "},\n" + "\"eventID\": \"df38ed44-32d4-43f6-898f-5a55d260a2bb\",\n" + "\"eventType\": \"AwsConsoleSignIn\",\n" + "\"recipientAccountId\": \"1111122221111\"\n" + "}").getBytes());
Message message = codec.decode(rawMessage);
String additional_event_data = message.getField("additional_event_data").toString();
assertTrue(additional_event_data.contains("MFAUsed=Yes"));
assertTrue(additional_event_data.contains("MobileVersion=No"));
assertTrue(additional_event_data.contains("LoginTo=https://console.aws.amazon.com/something"));
}
Aggregations