fix node success logic (#993)

* fix node success logic : only fail node on child failure if mother node has no successful grok
This commit is contained in:
Thibault "bui" Koechlin 2021-09-28 17:58:07 +02:00 committed by GitHub
parent fb308d5596
commit c2fd173d1e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 4 deletions


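--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -108,6 +108,7 @@ func (n *Node) validate(pctx *UnixParserCtx, ectx EnricherCtx) error {
 func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 var NodeState bool
+var NodeHasOKGrok bool
 clog := n.Logger
 clog.Tracef("Event entering node")
@@ -258,6 +259,8 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 }
 grok := n.Grok.RunTimeRegexp.Parse(gstr)
 if len(grok) > 0 {
+/*tag explicitely that the *current* node had a successful grok pattern. it's important to know success state*/
+NodeHasOKGrok = true
 clog.Debugf("+ Grok '%s' returned %d entries to merge in Parsed", groklabel, len(grok))
 //We managed to grok stuff, merged into parse
 for k, v := range grok {
@@ -272,7 +275,6 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 } else {
 //grok failed, node failed
 clog.Debugf("+ Grok '%s' didn't return data on '%s'", groklabel, gstr)
-//clog.Tracef("on '%s'", gstr)
 NodeState = false
 }
@@ -283,7 +285,6 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 //Iterate on leafs
 if len(n.LeavesNodes) > 0 {
 for _, leaf := range n.LeavesNodes {
-//clog.Debugf("Processing sub-node %d/%d : %s", idx, len(n.SuccessNodes), leaf.rn)
 ret, err := leaf.process(p, ctx)
 if err != nil {
 clog.Tracef("\tNode (%s) failed : %v", leaf.rn, err)
@@ -299,7 +300,13 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx) (bool, error) {
 break
 }
 } else {
-NodeState = false
+/*
+If the parent node has a successful grok pattern, it's state will stay successfull even if one or more chil fails.
+If the parent node is a skeleton node (no grok pattern), then at least one child must be successful for it to be a success.
+*/
+if !NodeHasOKGrok {
+NodeState = false
+}
 }
 }
 }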
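Review bot: The new comment in the last hunk promises that a skeleton node (no grok) succeeds when "at least one child" succeeds, but the code in the `else` branch still resets `NodeState = false` on every failing child, so if the success branch just above the hunk sets `NodeState = true` (it is not visible here, only its `break`), a failing sibling processed after a successful one overrides that result unless the `break` fired first; the effective rule is "last processed child decides", not "any child". Either the comment should state that, e.g. `// Skeleton node (no grok): NodeState follows the last processed child unless an earlier child triggered break`, or a separate flag set in the success branch should be checked here instead of resetting on each failure. The comment text also has several spelling slips (`explicitely`, `it's state`, `successfull`, `chil`) in the second and fifth hunks that are worth fixing since this comment now documents a behaviour change in how parser nodes report success. The `process` function starts in the first hunk and its body continues outside the hunks shown.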


@ -16,7 +16,7 @@ rm -f ssh-bf.log
sync sync
for i in `seq 1 10` ; do for i in `seq 1 6` ; do
echo `LC_ALL=C date '+%b %d %H:%M:%S '`'sd-126005 sshd[12422]: Invalid user netflix from 1.1.1.172 port 35424' >> ssh-bf.log echo `LC_ALL=C date '+%b %d %H:%M:%S '`'sd-126005 sshd[12422]: Invalid user netflix from 1.1.1.172 port 35424' >> ssh-bf.log
done; done;