Custom log type implementation #500
Conversation
Codecov Report
@@ Coverage Diff @@
## 2.x #500 +/- ##
============================================
- Coverage 28.16% 25.96% -2.21%
- Complexity 935 940 +5
============================================
Files 236 252 +16
Lines 9866 10687 +821
Branches 1118 1187 +69
============================================
- Hits 2779 2775 -4
- Misses 6844 7666 +822
- Partials 243 246 +3
|
sbcd90
force-pushed
the
custom_log_type
branch
4 times, most recently
from
1ddbbff to
deb0ae3
Compare
| @@ -133,15 +134,16 @@ public void onResponse(MultiSearchResponse items) { | |||
| for (int i = 0; i < 100; ++i) { | |||
| corrVector[i] = ((float) counter) - 50.0f; | |||
| } | |||
| corrVector[Detector.DetectorType.valueOf(detectorType.toUpperCase(Locale.ROOT)).getDim()] = (float) counter; | |||
|
|
|||
| corrVector[Integer.parseInt(logTypes.get(detectorType).getTags().get("correlation_id").toString())] = (float) counter; | |||
There was a problem hiding this comment.
Can we break up Integer.parseInt(logTypes.get(detectorType).getTags().get("correlation_id").toString()) into variables and pass in the final variable here?
There was a problem hiding this comment.
It would be helpful for line 146, 163, 164 as well.
| @@ -268,15 +270,15 @@ public void onResponse(IndexResponse response) { | |||
| if (response.status().equals(RestStatus.OK)) { | |||
| try { | |||
| float[] corrVector = new float[101]; | |||
| corrVector[Detector.DetectorType.valueOf(detectorType.toUpperCase(Locale.ROOT)).getDim()] = 50.0f; | |||
| corrVector[Integer.parseInt(logTypes.get(detectorType).getTags().get("correlation_id").toString())] = 50.0f; | |||
There was a problem hiding this comment.
Same comment as above about breaking it up into readable variables.
There was a problem hiding this comment.
fixed it.
Map<String, Object> tags = logTypes.get(detectorType).getTags();
String correlationId = tags.get("correlation_id").toString();
| protected List<CustomLogType> loadBuiltinLogTypesMetadata() throws URISyntaxException, IOException { | ||
| List<CustomLogType> customLogTypes = new ArrayList<>(); | ||
|
|
||
| final String url = Objects.requireNonNull(BuiltinLogTypeLoader.class.getClassLoader().getResource(BASE_PATH)).toURI().toString(); |
There was a problem hiding this comment.
We should have an exception message added as part of the requireNonNull function
|
|
||
| final String url = Objects.requireNonNull(BuiltinLogTypeLoader.class.getClassLoader().getResource(BASE_PATH)).toURI().toString(); | ||
| Path dirPath = null; | ||
| if (url.contains("!")) { |
There was a problem hiding this comment.
the url contains ! because the plugin is loaded as a zip file.
| } | ||
|
|
||
| Stream<Path> folder = Files.list(dirPath); | ||
| Path logTypePath = folder.filter(e -> e.toString().endsWith("logtypes.json")).collect(Collectors.toList()).get(0); |
There was a problem hiding this comment.
Do we know for a fact that we will get a folder that ends with logtypes.json to prevent array out of bounds type exception?
There was a problem hiding this comment.
| SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder(); | ||
| searchSourceBuilder.query(queryBuilder); | ||
| searchSourceBuilder.fetchSource(true); | ||
| searchSourceBuilder.size(10000); |
There was a problem hiding this comment.
Cant we use size 0 if we just want to see if it exists and use TotalHits?
There was a problem hiding this comment.
we add a filter clause to the query
.must(QueryBuilders.matchQuery("name", logType));```
so, it anyway will fetch `1 or 0` doc.
There was a problem hiding this comment.
why specify this then? It implies there can be a lot of results and may add confusion for other devs looking at it.
| @@ -128,6 +134,92 @@ public void getAllLogTypes(ActionListener<List<String>> listener) { | |||
| }, listener::onFailure)); | |||
| } | |||
|
|
|||
| public void getAllLogTypesMetadata(ActionListener<List<String>> listener) { | |||
There was a problem hiding this comment.
Do we need to paginate? What happens if ther are more than 10000 documents?
There was a problem hiding this comment.
currently, we have only 13 predefined log types & we dont expect to grow to 10000 log types ever. so, it looks to be a good threshold.
we may add a setting in future on no. of allowed log types.
| SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder(); | ||
| searchSourceBuilder.query(queryBuilder); | ||
| searchSourceBuilder.fetchSource(true); | ||
| searchSourceBuilder.size(10000); |
There was a problem hiding this comment.
the same logic applies here as we have only 13 pre-defined log sources. it is hard that no. of custom log types may go beyond 100.
| @@ -438,7 +438,7 @@ private Object convertValueCidr(SigmaCIDRExpression ip) { | |||
| } | |||
|
|
|||
| private String getMappedField(String field) { | |||
| if (this.enableFieldMappings && this.fieldMappings.containsKey(field)) { | |||
| if (this.enableFieldMappings && this.fieldMappings.containsKey(field) && this.fieldMappings.get(field) != null) { | |||
There was a problem hiding this comment.
If it contains the key, how would the value be set to null?
There was a problem hiding this comment.
there is a scenario when we create & then update a custom log type, we end up with fields which have only raw fields & no ecs fields.
this scenario is covered by integ test
| SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder(); | ||
| searchSourceBuilder.query(queryBuilder); | ||
| searchSourceBuilder.fetchSource(true); | ||
| searchSourceBuilder.size(10000); |
There was a problem hiding this comment.
same logic as #500 (comment)
| SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder(); | ||
| searchSourceBuilder.query(queryBuilder); | ||
| searchSourceBuilder.fetchSource(true); | ||
| searchSourceBuilder.size(10000); |
There was a problem hiding this comment.
the same logic as #500 (comment).
it will be good to add a setting in future on max. no. of log types allowed. created issue here: #501
Signed-off-by: Subhobrata Dey <[email protected]>
| User user = readUserFromThreadContext(this.threadPool); | ||
|
|
||
| String validateBackendRoleMessage = validateUserBackendRoles(user, this.filterByEnabled); | ||
| if (!"".equals(validateBackendRoleMessage)) { |
There was a problem hiding this comment.
nitpick: validateBackendRoleMessage.isNotEmpty()
|
|
||
| public void onCreateMappingsResponse(CreateIndexResponse response) { | ||
| if (response.isAcknowledged()) { | ||
| log.info(String.format(Locale.getDefault(), "Created %s with mappings.", LogTypeService.LOG_TYPE_INDEX)); |
There was a problem hiding this comment.
Should this be a debug log? Same with the others.
| if (response.isTimedOut()) { | ||
| onFailures(new OpenSearchStatusException(String.format(Locale.getDefault(), "Log Type with id %s cannot be updated", logTypeId), RestStatus.INTERNAL_SERVER_ERROR)); | ||
| return; |
There was a problem hiding this comment.
Does this happen often enough? If we are specifically looking for this, we should mention it timed out in the exception. Also this should not be an internal server error since this should be a a transient error that the customer can retry.
There was a problem hiding this comment.
sure. we need to address this in entire codebase. we'll do it in 2.10.
created an issue: #502
| } | ||
| } | ||
|
|
||
| private void finishHim(CustomLogType logType, Exception... t) { |
There was a problem hiding this comment.
Do we need to update the schema version?
There was a problem hiding this comment.
this file is introduced in 2.9 open source release. so, we can keep schema version same.
Signed-off-by: Subhobrata Dey <[email protected]> (cherry picked from commit ef64f00)
Signed-off-by: Subhobrata Dey <[email protected]> (cherry picked from commit ef64f00)
Signed-off-by: Subhobrata Dey <[email protected]>
Description
DetectorTypeenum & makelogtypedynamic.CRUDworkflow of log types.Issues Resolved
#447
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.