use of org.graylog2.plugin.journal.RawMessage in project graylog2-server by Graylog2.
the class DecodingProcessor method postProcessMessage.
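/**
 * Finishes a decoded message before it is handed on: drops unusable results, stamps
 * provenance fields (source node, input, remote peer) and settles the {@code source} value.
 *
 * <p>The {@code source} field is resolved in this order: the value the codec already set,
 * else the textual remote address, then the codec's {@code CK_OVERRIDE_SOURCE} setting (which
 * replaces either of the former when set), and finally the literal {@code "unknown"}.
 *
 * <p>NOTE(review): the {@code gl2_remote_*} fields are written here from
 * {@code raw.getRemoteAddress()}, independently of what the codec produced. The pre-existing
 * {@code source} is whatever the codec put there, which may come from message content.
 * When attributing events, prefer the remote-peer fields over {@code source}. For
 * connectionless transports the peer address itself is not authenticated.
 *
 * @param raw                  the journal entry the message was decoded from
 * @param codec                the codec that produced {@code message}; only its configuration is read here
 * @param inputIdOnCurrentNode input id to attach, or {@code null} to skip that step
 * @param baseMetricName       prefix for the per-codec/per-input meters and timers
 * @param message              the decoded message, may be {@code null}
 * @param decodeTime           decode duration in nanoseconds
 * @return the enriched message, or {@code null} when {@code message} was {@code null} or incomplete
 */
@Nullable
private Message postProcessMessage(RawMessage raw, Codec codec, String inputIdOnCurrentNode, String baseMetricName, Message message, long decodeTime) {
    if (message == null) {
        metricRegistry.meter(name(baseMetricName, "failures")).mark();
        return null;
    }
    if (!message.isComplete()) {
        metricRegistry.meter(name(baseMetricName, "incomplete")).mark();
        // Guarded because the statement renders the raw message and every parsed field.
        // NOTE(review): this writes message content to the server log when debug logging is on.
        if (LOG.isDebugEnabled()) {
            LOG.debug("Dropping incomplete message {} on input <{}>. Parsed fields: [{}]", raw, inputIdOnCurrentNode, message.getFields());
        }
        return null;
    }

    message.setMessageQueueId(raw.getMessageQueueId());
    message.recordTiming(serverStatus, "parse", decodeTime);
    metricRegistry.timer(name(baseMetricName, "parseTime")).update(decodeTime, TimeUnit.NANOSECONDS);

    for (final RawMessage.SourceNode node : raw.getSourceNodes()) {
        switch (node.type) {
            case SERVER:
                // Always use the last source node: a later node overwrites the fields of an earlier one.
                if (message.getField(Message.FIELD_GL2_SOURCE_INPUT) != null) {
                    LOG.debug("Multiple server nodes ({} {}) set for message id {}", message.getField(Message.FIELD_GL2_SOURCE_INPUT), node.nodeId, message.getId());
                }
                message.addField(Message.FIELD_GL2_SOURCE_INPUT, node.inputId);
                message.addField(Message.FIELD_GL2_SOURCE_NODE, node.nodeId);
                break;
            // TODO Due to be removed in Graylog 3.x
            case RADIO:
                // Always use the last source node.
                if (message.getField(Message.FIELD_GL2_SOURCE_RADIO_INPUT) != null) {
                    LOG.debug("Multiple radio nodes ({} {}) set for message id {}", message.getField(Message.FIELD_GL2_SOURCE_RADIO_INPUT), node.nodeId, message.getId());
                }
                message.addField(Message.FIELD_GL2_SOURCE_RADIO_INPUT, node.inputId);
                message.addField(Message.FIELD_GL2_SOURCE_RADIO, node.nodeId);
                break;
            default:
                // Any other node type contributes no provenance fields.
                break;
        }
    }

    if (inputIdOnCurrentNode != null) {
        try {
            message.setSourceInputId(inputIdOnCurrentNode);
        } catch (RuntimeException e) {
            // Best effort: the message is kept without a source input id.
            // Parameterized like the other log calls in this method; the trailing exception is
            // still logged as the cause.
            LOG.warn("Unable to find input with id {}, not setting input id in this message.", inputIdOnCurrentNode, e);
        }
    }

    final ResolvableInetSocketAddress remoteAddress = raw.getRemoteAddress();
    if (remoteAddress != null) {
        final String addrString = InetAddresses.toAddrString(remoteAddress.getAddress());
        message.addField(Message.FIELD_GL2_REMOTE_IP, addrString);
        if (remoteAddress.getPort() > 0) {
            message.addField(Message.FIELD_GL2_REMOTE_PORT, remoteAddress.getPort());
        }
        if (remoteAddress.isReverseLookedUp()) {
            // The host name is copied only when the address reports it was already reverse-looked-up.
            // NOTE(review): a reverse-DNS name is set by whoever controls the PTR record for the
            // address; treat it as a hint, not as an identity.
            message.addField(Message.FIELD_GL2_REMOTE_HOSTNAME, remoteAddress.getHostName());
        }
        if (Strings.isNullOrEmpty(message.getSource())) {
            message.setSource(addrString);
        }
    }

    // An operator-configured override replaces whatever source was set above.
    if (codec.getConfiguration() != null && codec.getConfiguration().stringIsSet(Codec.Config.CK_OVERRIDE_SOURCE)) {
        message.setSource(codec.getConfiguration().getString(Codec.Config.CK_OVERRIDE_SOURCE));
    }

    // Make sure that there is a value for the source field.
    if (Strings.isNullOrEmpty(message.getSource())) {
        message.setSource("unknown");
    }

    // The raw message timestamp is the receive time of the message. It has been created before writing the raw
    // message to the journal.
    message.setReceiveTime(raw.getTimestamp());

    metricRegistry.meter(name(baseMetricName, "processedMessages")).mark();
    decodedTrafficCounter.inc(message.getSize());
    return message;
}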
use of org.graylog2.plugin.journal.RawMessage in project graylog2-server by Graylog2.
the class DecodingProcessor method processMessage.
/**
 * Decodes the raw journal entry carried by {@code event} with the codec named in that entry
 * and stores the post-processed result back on the event.
 *
 * <p>Outcomes visible in this method:
 * <ul>
 *   <li>No factory registered for the codec name: a warning is logged and the event is left untouched.</li>
 *   <li>The codec throws a {@link RuntimeException}: an error is logged, the {@code failures} meter
 *       is marked and the exception is rethrown.</li>
 *   <li>A single message is decoded: it is post-processed and set on the event.</li>
 *   <li>A non-empty collection is decoded: each element is post-processed and the non-null
 *       results are set on the event.</li>
 *   <li>The codec returns {@code null} or an empty collection: nothing is set, and no meter or
 *       log statement is touched here.</li>
 * </ul>
 *
 * <p>NOTE(review): the last case means input that a codec rejects by returning {@code null}
 * leaves no trace in this method's metrics or logs. Confirm that such drops are counted
 * elsewhere if they matter for monitoring.
 *
 * @param event the event holding the raw message; receives the decoded message(s)
 * @throws ExecutionException declared by the signature; no statement visible here throws it directly
 */
private void processMessage(final MessageEvent event) throws ExecutionException {
    final RawMessage raw = event.getRaw();

    // For backwards compatibility the last source node is taken to hold the input in use, so
    // extractors etc. defined on earlier inputs are silently ignored.
    // TODO fix the above
    String inputIdOnCurrentNode = null;
    try {
        // .inputId checked during raw message decode!
        inputIdOnCurrentNode = Iterables.getLast(raw.getSourceNodes()).inputId;
    } catch (NoSuchElementException ignored) {
        // No source node recorded on the raw message: continue without an input id.
    }

    final Codec.Factory<? extends Codec> codecFactoryForRaw = codecFactory.get(raw.getCodecName());
    if (codecFactoryForRaw == null) {
        LOG.warn("Couldn't find factory for codec <{}>, skipping message {} on input <{}>.", raw.getCodecName(), raw, inputIdOnCurrentNode);
        return;
    }

    final Codec codec = codecFactoryForRaw.create(raw.getCodecConfig());
    final String baseMetricName = name(codec.getClass(), inputIdOnCurrentNode);

    Message single = null;
    Collection<Message> batch = null;
    final Timer.Context timing = parseTime.time();
    final long decodeTime;
    try {
        // TODO The Codec interface should be changed for 2.0 to support collections of messages so we can remove this hack.
        if (codec instanceof MultiMessageCodec) {
            batch = ((MultiMessageCodec) codec).decodeMessages(raw);
        } else {
            single = codec.decode(raw);
        }
    } catch (RuntimeException e) {
        // The exception itself is not passed to the logger; it reaches the caller through the rethrow.
        LOG.error("Unable to decode raw message {} on input <{}>.", raw, inputIdOnCurrentNode);
        metricRegistry.meter(name(baseMetricName, "failures")).mark();
        throw e;
    } finally {
        // Stopped on success and on failure alike, so the timer context is always closed.
        decodeTime = timing.stop();
    }

    if (single != null) {
        event.setMessage(postProcessMessage(raw, codec, inputIdOnCurrentNode, baseMetricName, single, decodeTime));
        return;
    }
    if (batch == null || batch.isEmpty()) {
        return;
    }

    // Every element is charged the same decodeTime, i.e. the duration of the whole decode call.
    final List<Message> kept = Lists.newArrayListWithCapacity(batch.size());
    for (final Message decoded : batch) {
        final Message finished = postProcessMessage(raw, codec, inputIdOnCurrentNode, baseMetricName, decoded, decodeTime);
        if (finished != null) {
            kept.add(finished);
        }
    }
    event.setMessages(kept);
}
use of org.graylog2.plugin.journal.RawMessage in project graylog2-server by Graylog2.
the class CEFCodecTest method decideSourceWithShortDeviceAddressReturnsExtensionValue.
/**
 * Pins that {@code decideSource} returns the value of the short-form {@code dvc} extension
 * when the CEF message carries one, even though the raw message also has a sender address.
 *
 * <p>The expected source is therefore a value taken from message content, which the sender
 * chooses. Note that {@code new InetSocketAddress(String, int)} attempts to resolve the host
 * name, so the test touches the resolver.
 */
@Test
public void decideSourceWithShortDeviceAddressReturnsExtensionValue() throws Exception {
    final String deviceAddress = "128.66.23.42";

    final MappedMessage mapped = mock(MappedMessage.class);
    when(mapped.mappedExtensions()).thenReturn(Collections.singletonMap("dvc", deviceAddress));

    final InetSocketAddress sender = new InetSocketAddress("example.com", 12345);
    final RawMessage raw = new RawMessage(new byte[0], sender);

    assertEquals(deviceAddress, codec.decideSource(mapped, raw));
}
use of org.graylog2.plugin.journal.RawMessage in project graylog2-server by Graylog2.
the class CEFCodecTest method decideSourceWithFullDeviceAddressReturnsExtensionValue.
/**
 * Pins that {@code decideSource} returns the value of the long-form {@code deviceAddress}
 * extension when the CEF message carries one, even though the raw message also has a sender
 * address.
 *
 * <p>As with the short-form key, the expected source comes from message content rather than
 * from the socket address. {@code new InetSocketAddress(String, int)} attempts to resolve the
 * host name, so the test touches the resolver.
 */
@Test
public void decideSourceWithFullDeviceAddressReturnsExtensionValue() throws Exception {
    final String deviceAddress = "128.66.23.42";

    final MappedMessage mapped = mock(MappedMessage.class);
    when(mapped.mappedExtensions()).thenReturn(Collections.singletonMap("deviceAddress", deviceAddress));

    final InetSocketAddress sender = new InetSocketAddress("example.com", 12345);
    final RawMessage raw = new RawMessage(new byte[0], sender);

    assertEquals(deviceAddress, codec.decideSource(mapped, raw));
}
use of org.graylog2.plugin.journal.RawMessage in project graylog2-server by Graylog2.
the class NetFlowCodecTest method decodeMessagesThrowsEmptyTemplateExceptionWithIncompleteNetFlowV9.
/**
 * Feeds an incomplete NetFlow v9 capture to the codec and expects {@code decodeMessages} to
 * return {@code null}.
 *
 * <p>NOTE(review): the method name says "Throws", but the assertion checks for a {@code null}
 * result and no exception is expected. The name looks stale; confirm against the codec.
 * {@code InetAddress.getLocalHost()} depends on the local host name being resolvable.
 */
@Test
public void decodeMessagesThrowsEmptyTemplateExceptionWithIncompleteNetFlowV9() throws Exception {
    final byte[] payload = Resources.toByteArray(Resources.getResource("netflow-data/netflow-v9-3_incomplete.dat"));
    final InetSocketAddress sender = new InetSocketAddress(InetAddress.getLocalHost(), 12345);
    final RawMessage incomplete = new RawMessage(payload, sender);

    assertThat(codec.decodeMessages(incomplete)).isNull();
}