Improve warnings around lack of evt.StrTime field (#1954)
* fix #1951 : improve error messages * make hubtest warn you if you're missing evt.StrTime in your logs
This commit is contained in:
Thibault "bui" Koechlin
GitHub
parent
38b37db55b
commit
e4463c412b
|
|
@ -78,6 +78,7 @@ func (p *ParserAssert) LoadTest(filename string) error {
|
|||
}
|
||||
|
||||
func (p *ParserAssert) AssertFile(testFile string) error {
|
||||
|
||||
file, err := os.Open(p.File)
|
||||
|
||||
if err != nil {
|
||||
|
|
@ -268,6 +269,32 @@ func LoadParserDump(filepath string) (*ParserResults, error) {
|
|||
if err := yaml.Unmarshal(results, &pdump); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
/* we know that some variables should always be set,
|
||||
let's check if they're present in last parser output of last stage */
|
||||
stages := make([]string, 0, len(pdump))
|
||||
for k := range pdump {
|
||||
stages = append(stages, k)
|
||||
}
|
||||
sort.Strings(stages)
|
||||
/*the very last one is set to 'success' which is just a bool indicating if the line was successfully parsed*/
|
||||
lastStage := stages[len(stages)-2]
|
||||
|
||||
parsers := make([]string, 0, len(pdump[lastStage]))
|
||||
for k := range pdump[lastStage] {
|
||||
parsers = append(parsers, k)
|
||||
}
|
||||
sort.Strings(parsers)
|
||||
lastParser := parsers[len(parsers)-1]
|
||||
|
||||
for idx, result := range pdump[lastStage][lastParser] {
|
||||
if result.Evt.StrTime == "" {
|
||||
log.Warningf("Line %d/%d is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.", idx, len(pdump[lastStage][lastParser]))
|
||||
} else {
|
||||
log.Debugf("Line %d/%d has evt.StrTime set to '%s'", idx, len(pdump[lastStage][lastParser]), result.Evt.StrTime)
|
||||
}
|
||||
}
|
||||
|
||||
return &pdump, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||
"github.com/davecgh/go-spew/spew"
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
|
|
@ -14,7 +13,11 @@ func TimeMachinePour(l *Leaky, msg types.Event) {
|
|||
err error
|
||||
)
|
||||
if msg.MarshaledTime == "" {
|
||||
log.Warningf("Trying to time-machine event without timestamp : %s", spew.Sdump(msg))
|
||||
log.WithFields(log.Fields{
|
||||
"evt_type": msg.Line.Labels["type"],
|
||||
"evt_src": msg.Line.Src,
|
||||
"scenario": l.Name,
|
||||
}).Warningf("Trying to process event without evt.StrTime. Event cannot be poured to scenario")
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue