Documentation ¶
Index ¶
- Constants
- Variables
- func Addr2Ints(any string) (int, int64, int64, int64, int64, error)
- func CatchPanic(component string)
- func Clone(a, b interface{}) error
- func ConfigureLogger(clog *log.Logger) error
- func CopyFile(sourceSymLink, destinationFile string) (err error)
- func GetData(data []*DataSource, dataDir string) error
- func IP2Ints(pip net.IP) (int, int64, int64, error)
- func LastAddress(n net.IPNet) net.IP
- func ParseDuration(d string) (time.Duration, error)
- func Range2Ints(network net.IPNet) (int, int64, int64, int64, int64, error)
- func SetDefaultLoggerConfig(cfgMode string, cfgFolder string, cfgLevel log.Level) error
- type DataSet
- type DataSource
- type Event
- type ExprWhitelist
- type ExtraField
- type GrokPattern
- type Line
- type Profile
- type RemediationProfile
- type RuntimeAlert
- type ScopeType
- type Whitelist
Constants ¶
// Event.Type values: an Event is either a parsed log line or a bucket
// overflow (see the Type field comment on Event).
const (
	LOG   = 0 // the Event carries a log line
	OVFLW = 1 // the Event carries a bucket overflow
)
// Scope identifiers.
// NOTE(review): these look like the values used for ScopeType (listed in this
// package's index) — confirm against the declaration of ScopeType.
// Original author's note: move into leakybuckets.
const (
	Undefined = ""       // no scope set
	Ip        = "Ip"     // a single IP address
	Range     = "Range"  // an IP range / network
	Filter    = "Filter" // an expression filter
)
Variables ¶
// LogOutput is the package-level log sink: a lumberjack rolling-file logger
// that is used as an io.Writer.
// NOTE(review): it is nil until assigned, presumably by SetDefaultLoggerConfig
// or ConfigureLogger — confirm before writing to it.
var LogOutput *lumberjack.Logger // used as an io.Writer
Functions ¶
func CatchPanic ¶
func CatchPanic(component string)
CatchPanic is a utility function that should be called from every goroutine to ensure proper stack-trace handling.
func ConfigureLogger ¶
func GetData ¶
func GetData(data []*DataSource, dataDir string) error
func Range2Ints ¶
Returns, in order: size (16 or 4), nw_start, suffix_start, nw_end, suffix_end, error.
Types ¶
type DataSet ¶
// DataSet is the YAML-mapped list of DataSource entries a configuration item
// depends on.
// NOTE(review): presumably consumed by GetData, which takes a []*DataSource
// and a dataDir — confirm.
type DataSet struct {
	Data []*DataSource `yaml:"data,omitempty"` // one entry per data source
}
type DataSource ¶
type Event ¶
// Event is the structure representing a runtime event (log or overflow).
type Event struct {
	// Type says whether this is a log line or an overflow:
	// types.LOG (0) or types.OVFLW (1).
	Type int `yaml:"Type,omitempty" json:"Type,omitempty"`
	// ExpectMode tells the buckets how to handle the event:
	// leaky.TIMEMACHINE or leaky.LIVE.
	ExpectMode int `yaml:"ExpectMode,omitempty" json:"ExpectMode,omitempty"`
	// Whitelisted is set when a whitelist matched; WhiteListReason records why.
	Whitelisted     bool   `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	WhiteListReason string `yaml:"whitelist_reason,omitempty" json:"whitelist_reason,omitempty"`
	// Stage is the current stage of the line being parsed.
	Stage string `yaml:"Stage,omitempty" json:"Stage,omitempty"`
	// Line is the original line (produced by acquisition).
	Line Line `yaml:"Line,omitempty" json:"Line,omitempty"`
	// Parsed is the output of the groks.
	Parsed map[string]string `yaml:"Parsed,omitempty" json:"Parsed,omitempty"`
	// Enriched is the output of enrichment.
	Enriched map[string]string `yaml:"Enriched,omitempty" json:"Enriched,omitempty"`
	// Overflow carries the alert for an overflow event.
	Overflow RuntimeAlert `yaml:"Alert,omitempty" json:"Alert,omitempty"`
	// Time is the parsed time; StrTime and MarshaledTime are its string forms.
	Time          time.Time `yaml:"Time,omitempty" json:"Time,omitempty"`
	StrTime       string    `yaml:"StrTime,omitempty" json:"StrTime,omitempty"`
	MarshaledTime string    `yaml:"MarshaledTime,omitempty" json:"MarshaledTime,omitempty"`
	// Process can be set to false to avoid processing the line further.
	Process bool `yaml:"Process,omitempty" json:"Process,omitempty"`
	// Meta is the only part that will make it to the API, so it should be
	// normalized: it is the boundary between locally parsed data and what
	// leaves the host.
	Meta map[string]string `yaml:"Meta,omitempty" json:"Meta,omitempty"`
}
type ExprWhitelist ¶
// ExprWhitelist is a compiled whitelist expression together with its
// optional debugger.
type ExprWhitelist struct {
	Filter       *vm.Program               // the compiled whitelist expression
	ExprDebugger *exprhelpers.ExprDebugger // used to debug the expression by printing the content of each of its variables
}
type ExtraField ¶
// ExtraField describes where a value comes from and which field it is written
// to. Used mostly for statics.
type ExtraField struct {
	// Target: presumably only one of the following is set — confirm.
	TargetByName string `yaml:"target,omitempty"`   // target given by name, Struct.Field etc.
	Parsed       string `yaml:"parsed,omitempty"`   // target is a key of the event's Parsed map
	Meta         string `yaml:"meta,omitempty"`     // target is a key of the event's Meta map
	Enriched     string `yaml:"enriched,omitempty"` // target is a key of the event's Enriched map
	// Source: a static value, or the result of an expression.
	Value    string `yaml:"value,omitempty"`      // static value
	ExpValue string `yaml:"expression,omitempty"` // expression source text, read from YAML configuration
	// RunTimeValue is the actual compiled filter (presumably compiled from
	// ExpValue). Because the expression comes from configuration and is then
	// executed, configuration files have to be treated as trusted input.
	RunTimeValue *vm.Program `json:"-"`
	// Method names an enrichment method used as the source instead.
	Method string `yaml:"method,omitempty"`
}
type GrokPattern ¶
// GrokPattern is a grok/regexp to apply to one field of an event, plus the
// statics that apply when it matches.
type GrokPattern struct {
	TargetField string `yaml:"apply_on,omitempty"` // the field the regexp is applied to
	RegexpName  string `yaml:"name,omitempty"`     // the grok/regexp by name (loaded from patterns/*)
	RegexpValue string `yaml:"pattern,omitempty"`  // a proper grok pattern given inline
	// RunTimeRegexp is the runtime form of RegexpName / RegexpValue (the actual regexp).
	RunTimeRegexp *grokky.Pattern `json:"-"`
	// Statics apply only if the pattern is successful.
	Statics []ExtraField `yaml:"statics,omitempty"`
}
type RemediationProfile ¶
// RemediationProfile is an action profile: which remediations to apply and
// for how long.
type RemediationProfile struct {
	Apply   bool
	Ban     bool
	Slow    bool
	Captcha bool
	// Duration is the configured string form; TimeDuration is presumably its
	// parsed value (see ParseDuration) — confirm.
	Duration     string
	TimeDuration time.Duration
}
type RuntimeAlert ¶
// RuntimeAlert is the in-process representation of an overflow: the alerts
// built for the API together with the bucket that produced them.
type RuntimeAlert struct {
	Mapkey      string                   `yaml:"MapKey,omitempty" json:"MapKey,omitempty"`
	BucketId    string                   `yaml:"BucketId,omitempty" json:"BucketId,omitempty"`
	Whitelisted bool                     `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	Reprocess   bool                     `yaml:"Reprocess,omitempty" json:"Reprocess,omitempty"`
	Sources     map[string]models.Source `yaml:"Sources,omitempty" json:"Sources,omitempty"`
	// Alert is a pointer to APIAlerts[0] for convenience.
	// NOTE(review): because it aliases an element of APIAlerts, appending to
	// APIAlerts afterwards can reallocate the backing array and leave Alert
	// pointing at a stale copy — confirm that Alert is taken only once the
	// slice is final.
	Alert *models.Alert `yaml:"Alert,omitempty" json:"Alert,omitempty"`
	// APIAlerts will be populated at the end when there is more than one source.
	APIAlerts []models.Alert `yaml:"APIAlerts,omitempty" json:"APIAlerts,omitempty"`
}