Improve warnings around lack of evt.StrTime
field (#1954)
* fix #1951 : improve error messages * make hubtest warn you if you're missing evt.StrTime in your logs
This commit is contained in:
parent
38b37db55b
commit
e4463c412b
|
@ -78,6 +78,7 @@ func (p *ParserAssert) LoadTest(filename string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *ParserAssert) AssertFile(testFile string) error {
|
func (p *ParserAssert) AssertFile(testFile string) error {
|
||||||
|
|
||||||
file, err := os.Open(p.File)
|
file, err := os.Open(p.File)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -268,6 +269,32 @@ func LoadParserDump(filepath string) (*ParserResults, error) {
|
||||||
if err := yaml.Unmarshal(results, &pdump); err != nil {
|
if err := yaml.Unmarshal(results, &pdump); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* we know that some variables should always be set,
|
||||||
|
let's check if they're present in last parser output of last stage */
|
||||||
|
stages := make([]string, 0, len(pdump))
|
||||||
|
for k := range pdump {
|
||||||
|
stages = append(stages, k)
|
||||||
|
}
|
||||||
|
sort.Strings(stages)
|
||||||
|
/*the very last one is set to 'success' which is just a bool indicating if the line was successfully parsed*/
|
||||||
|
lastStage := stages[len(stages)-2]
|
||||||
|
|
||||||
|
parsers := make([]string, 0, len(pdump[lastStage]))
|
||||||
|
for k := range pdump[lastStage] {
|
||||||
|
parsers = append(parsers, k)
|
||||||
|
}
|
||||||
|
sort.Strings(parsers)
|
||||||
|
lastParser := parsers[len(parsers)-1]
|
||||||
|
|
||||||
|
for idx, result := range pdump[lastStage][lastParser] {
|
||||||
|
if result.Evt.StrTime == "" {
|
||||||
|
log.Warningf("Line %d/%d is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.", idx, len(pdump[lastStage][lastParser]))
|
||||||
|
} else {
|
||||||
|
log.Debugf("Line %d/%d has evt.StrTime set to '%s'", idx, len(pdump[lastStage][lastParser]), result.Evt.StrTime)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return &pdump, nil
|
return &pdump, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
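Review bot: `lastStage := stages[len(stages)-2]` and `lastParser := parsers[len(parsers)-1]` index without a length check, so a dump that unmarshals to fewer than two top-level keys, or whose last stage holds no parsers, panics instead of producing the warning this commit is adding; guard each with `if len(stages) < 2 { return &pdump, nil }` and `if len(parsers) == 0 { return &pdump, nil }` before indexing. The message `"Line %d/%d is missing evt.StrTime..."` prints the 0-based `idx`, so the first line is reported as "Line 0/N"; use `idx+1` in both the Warningf and Debugf calls. Taking the second-to-last sorted key relies on every stage name sorting before `"success"`, which holds for the usual `s0x-` prefixes but is not checked; a comment such as `// assumes stage names sort before "success" — a stage named beyond it would be skipped` would make the assumption visible. LoadParserDump's signature and the code that reads `results` are outside this hunk.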
@ -4,7 +4,6 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||||
"github.com/davecgh/go-spew/spew"
|
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -14,7 +13,11 @@ func TimeMachinePour(l *Leaky, msg types.Event) {
|
||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
if msg.MarshaledTime == "" {
|
if msg.MarshaledTime == "" {
|
||||||
log.Warningf("Trying to time-machine event without timestamp : %s", spew.Sdump(msg))
|
log.WithFields(log.Fields{
|
||||||
|
"evt_type": msg.Line.Labels["type"],
|
||||||
|
"evt_src": msg.Line.Src,
|
||||||
|
"scenario": l.Name,
|
||||||
|
}).Warningf("Trying to process event without evt.StrTime. Event cannot be poured to scenario")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
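Review bot: The new warning tells the user that `evt.StrTime` is missing, but the guard on the line above it tests `msg.MarshaledTime`, and nothing in the hunk says the two are the same timestamp; a one-line comment on the `if` such as `// MarshaledTime is the serialized evt.StrTime; without it the event has no position on the timeline` (wording to be confirmed against types.Event) would save the next reader from checking. The removed `spew.Sdump(msg)` wrote the whole event into the warning, presumably including the raw line, while the replacement logs only `type`, `Src` and the scenario name; that reduction is worth recording with a comment on the `WithFields` call so it is not reinstated "for debugging". The function's `var (` block and signature begin above this hunk.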