// Init initializes the HTTP protocol analyser.
func (http *httpPlugin) init(results publish.Transactions, config *httpConfig) error {
http.setFromConfig(config)
isDebug = logp.IsDebug("http")
isDetailed = logp.IsDebug("httpdetailed")
http.results = results
return nil
}
// annotateEvent adds fields that are common to all events. This adds the 'beat'
// field that contains name and hostname. It also adds 'tags' and 'fields'. See
// the documentation for Client for more information.
func (c *client) annotateEvent(event common.MapStr) {
// Allow an event to override the destination index for an event by setting
// beat.index in an event.
beatMeta := c.beatMeta
if beatIfc, ok := event["beat"]; ok {
ms, ok := beatIfc.(common.MapStr)
if ok {
// Copy beatMeta so the defaults are not changed.
beatMeta = common.MapStrUnion(beatMeta, ms)
}
}
event["beat"] = beatMeta
// Add the global tags and fields defined under shipper.
common.AddTags(event, c.globalEventMetadata.Tags)
common.MergeFields(event, c.globalEventMetadata.Fields, c.globalEventMetadata.FieldsUnderRoot)
// Add the event specific fields last so that they precedence over globals.
if metaIfc, ok := event[common.EventMetadataKey]; ok {
eventMetadata, ok := metaIfc.(common.EventMetadata)
if ok {
common.AddTags(event, eventMetadata.Tags)
common.MergeFields(event, eventMetadata.Fields, eventMetadata.FieldsUnderRoot)
}
delete(event, common.EventMetadataKey)
}
if logp.IsDebug("publish") {
PrintPublishEvent(event)
}
}
// Init initializes the HTTP protocol analyser.
func (http *HTTP) Init(testMode bool, results publish.Transactions) error {
http.initDefaults()
if !testMode {
err := http.setFromConfig(config.ConfigSingleton.Protocols.Http)
if err != nil {
return err
}
}
isDebug = logp.IsDebug("http")
isDetailed = logp.IsDebug("httpdetailed")
http.results = results
return nil
}
func (redis *Redis) init(results publish.Transactions, config *redisConfig) error {
redis.setFromConfig(config)
redis.results = results
isDebug = logp.IsDebug("redis")
return nil
}
func (c *client) annotateEvent(event common.MapStr) {
event["beat"] = c.beatMeta
if len(c.tags) > 0 {
event["tags"] = c.tags
}
if logp.IsDebug("publish") {
PrintPublishEvent(event)
}
}
func (redis *Redis) Init(test_mode bool, results publisher.Client) error {
redis.InitDefaults()
if !test_mode {
redis.setFromConfig(config.ConfigSingleton.Protocols.Redis)
}
redis.results = results
isDebug = logp.IsDebug("redis")
return nil
}
func (p *parser) init(
cfg *parserConfig,
onMessage func(*message) error,
) {
*p = parser{
buf: streambuf.Buffer{},
config: cfg,
onMessage: onMessage,
}
isDebug = logp.IsDebug("cassandra")
}
func (c *client) filterEvent(event common.MapStr) *common.MapStr {
if event = common.ConvertToGenericEvent(event); event == nil {
logp.Err("fail to convert to a generic event")
return nil
}
// filter the event by applying the configured rules
publishEvent := c.publisher.Filters.Filter(event)
if logp.IsDebug("publish") {
logp.Debug("publish", "Publish: %s", publishEvent.StringToPrint())
}
return &publishEvent
}
func (c *client) annotateEvent(event common.MapStr) {
// Check if index was set dynamically
if _, ok := event["beat"]; ok {
beatTemp := event["beat"].(common.MapStr)
if _, ok := beatTemp["index"]; ok {
c.beatMeta["index"] = beatTemp["index"]
}
}
event["beat"] = c.beatMeta
if len(c.tags) > 0 {
event["tags"] = c.tags
}
if logp.IsDebug("publish") {
PrintPublishEvent(event)
}
}
func (c *client) filterEvent(event common.MapStr) *common.MapStr {
if event = common.ConvertToGenericEvent(event); event == nil {
logp.Err("fail to convert to a generic event")
return nil
}
// process the event by applying the configured actions
publishEvent := c.publisher.Processors.Run(event)
if publishEvent == nil {
// the event is dropped
logp.Debug("publish", "Drop event %s", event.StringToPrint())
return nil
}
if logp.IsDebug("publish") {
logp.Debug("publish", "Publish: %s", publishEvent.StringToPrint())
}
return &publishEvent
}
// Creates and returns a new Tcp.
func NewTcp(p protos.Protocols) (*Tcp, error) {
isDebug = logp.IsDebug("tcp")
portMap, err := buildPortsMap(p.GetAllTcp())
if err != nil {
return nil, err
}
tcp := &Tcp{
protocols: p,
portMap: portMap,
streams: common.NewCache(
protos.DefaultTransactionExpiration,
protos.DefaultTransactionHashSize),
}
tcp.streams.StartJanitor(protos.DefaultTransactionExpiration)
if isDebug {
debugf("tcp", "Port map: %v", portMap)
}
return tcp, nil
}
// normalizeMap normalizes each element contained in the given map. If an error
// occurs during normalization, processing of m will continue, and all errors
// are returned at the end.
func normalizeMap(m MapStr, keys ...string) (MapStr, []error) {
var errs []error
out := make(MapStr, len(m))
for key, value := range m {
v, err := normalizeValue(value, append(keys, key)...)
if len(err) > 0 {
errs = append(errs, err...)
}
// Drop nil values from maps.
if v == nil {
if logp.IsDebug(eventDebugSelector) {
eventDebugf("Dropped nil value from event where key=%v", joinKeys(append(keys, key)...))
}
continue
}
out[key] = v
}
return out, errs
}
func (l *winEventLog) buildRecordFromXML(x string, recoveredErr error) (Record, error) {
e, err := sys.UnmarshalEventXML([]byte(x))
if err != nil {
return Record{}, fmt.Errorf("Failed to unmarshal XML='%s'. %v", x, err)
}
err = sys.PopulateAccount(&e.User)
if err != nil {
debugf("%s SID %s account lookup failed. %v", l.logPrefix,
e.User.Identifier, err)
}
if e.RenderErrorCode != 0 {
// Convert the render error code to an error message that can be
// included in the "message_error" field.
e.RenderErr = syscall.Errno(e.RenderErrorCode).Error()
} else if recoveredErr != nil {
e.RenderErr = recoveredErr.Error()
}
if logp.IsDebug(detailSelector) {
detailf("%s XML=%s Event=%+v", l.logPrefix, x, e)
}
r := Record{
API: winEventLogAPIName,
EventMetadata: l.eventMetadata,
Event: e,
}
if l.config.IncludeXML {
r.XML = x
}
return r, nil
}
func (p *preprocessor) onMessage(m message) {
publisher := p.pub
single := false
events := m.events
if m.event != nil {
single = true
events = []common.MapStr{m.event}
}
var ignore []int // indices of events to be removed from events
debug("Start Preprocessing")
for i, event := range events {
// validate some required field
if err := filterEvent(event); err != nil {
logp.Err("Publishing event failed: %v", err)
ignore = append(ignore, i)
continue
}
// update address and geo-ip information. Ignore event
// if address is invalid or event is found to be a duplicate
ok := updateEventAddresses(publisher, event)
if !ok {
ignore = append(ignore, i)
continue
}
// add additional Beat meta data
event["beat"] = common.MapStr{
"name": publisher.name,
"hostname": publisher.hostname,
}
if len(publisher.tags) > 0 {
event["tags"] = publisher.tags
}
if logp.IsDebug("publish") {
PrintPublishEvent(event)
}
}
// return if no event is left
if len(ignore) == len(events) {
debug("no event left, complete send")
outputs.SignalCompleted(m.context.signal)
return
}
// remove invalid events.
// TODO: is order important? Removal can be turned into O(len(ignore)) by
// copying last element into idx and doing
// events=events[:len(events)-len(ignore)] afterwards
// Alternatively filtering could be implemented like:
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
for i := len(ignore) - 1; i >= 0; i-- {
idx := ignore[i]
debug("remove event[%v]", idx)
events = append(events[:idx], events[idx+1:]...)
}
if publisher.disabled {
debug("publisher disabled")
outputs.SignalCompleted(m.context.signal)
return
}
debug("Forward preprocessed events")
if single {
p.handler.onMessage(message{context: m.context, event: events[0]})
} else {
p.handler.onMessage(message{context: m.context, events: events})
}
}