Documentation ¶
Index ¶
- Variables
- func GenDateParse(date string) (string, time.Time)
- func GeoIPASNInit(cfg map[string]string) (interface{}, error)
- func GeoIPCityInit(cfg map[string]string) (interface{}, error)
- func GeoIpASN(field string, p *types.Event, ctx interface{}, plog *log.Entry) (map[string]string, error)
- func GeoIpCity(field string, p *types.Event, ctx interface{}, plog *log.Entry) (map[string]string, error)
- func IpToRange(field string, p *types.Event, ctx interface{}, plog *log.Entry) (map[string]string, error)
- func IpToRangeInit(cfg map[string]string) (interface{}, error)
- func Parse(ctx UnixParserCtx, xp types.Event, nodes []Node) (types.Event, error)
- func ParseDate(in string, p *types.Event, x interface{}, plog *log.Entry) (map[string]string, error)
- func SetTargetByName(target string, value string, evt *types.Event) bool
- type DataCapture
- type EnrichFunc
- type Enricher
- type EnricherCtx
- type ExprWhitelist
- type ExtraField
- type GrokPattern
- type InitFunc
- type Node
- func (n *Node) CheckExprWL(cachedExprEnv map[string]interface{}, p *types.Event) (bool, error)
- func (n *Node) CheckIPsWL(p *types.Event) bool
- func (n *Node) CompileWLs() (bool, error)
- func (n *Node) ContainsExprLists() bool
- func (n *Node) ContainsIPLists() bool
- func (n *Node) ContainsWLs() bool
- func (n *Node) ProcessStatics(statics []ExtraField, event *types.Event) error
- type Parsers
- type Stagefile
- type UnixParserCtx
- type Whitelist
Constants ¶
This section is empty.
Variables ¶
View Source
var DumpFolder string
View Source
var NodesHits = prometheus.NewCounterVec( prometheus.CounterOpts{ Name: "cs_node_hits_total", Help: "Total events entered node.", }, []string{"source", "type", "name"}, )
View Source
var NodesHitsKo = prometheus.NewCounterVec( prometheus.CounterOpts{ Name: "cs_node_hits_ko_total", Help: "Total events unsuccessfully exited node.", }, []string{"source", "type", "name"}, )
View Source
var NodesHitsOk = prometheus.NewCounterVec( prometheus.CounterOpts{ Name: "cs_node_hits_ok_total", Help: "Total events successfully exited node.", }, []string{"source", "type", "name"}, )
View Source
var NodesWlHits = prometheus.NewCounterVec( prometheus.CounterOpts{ Name: "cs_node_wl_hits_total", Help: "Total events processed by whitelist node.", }, []string{"source", "type", "name", "reason"}, )
View Source
var NodesWlHitsOk = prometheus.NewCounterVec( prometheus.CounterOpts{ Name: "cs_node_wl_hits_ok_total", Help: "Total events successfully whitelisted by node.", }, []string{"source", "type", "name", "reason"}, )
View Source
var ParseDump bool
View Source
var StageParseCache dumps.ParserResults
View Source
var StageParseMutex sync.Mutex
Functions ¶
func GeoIPASNInit ¶ added in v1.2.0
func GeoIPCityInit ¶ added in v1.2.0
func IpToRangeInit ¶ added in v1.2.0
Types ¶
type DataCapture ¶ added in v1.5.3
type DataCapture struct { Name string `yaml:"name,omitempty"` Key string `yaml:"key,omitempty"` KeyExpression *vm.Program `yaml:"-"` Value string `yaml:"value,omitempty"` ValueExpression *vm.Program `yaml:"-"` TTL string `yaml:"ttl,omitempty"` TTLVal time.Duration `yaml:"-"` MaxMapSize int `yaml:"size,omitempty"` Strategy string `yaml:"strategy,omitempty"` }
type EnrichFunc ¶
should be part of a package shared with enrich/geoip.go
type Enricher ¶ added in v1.2.0
type Enricher struct { Name string InitFunc InitFunc EnrichFunc EnrichFunc Ctx interface{} }
type EnricherCtx ¶
type ExprWhitelist ¶ added in v1.4.0
type ExtraField ¶ added in v1.5.3
type ExtraField struct { //if the target is indicated by name Struct.Field etc, TargetByName string `yaml:"target,omitempty"` //if the target field is in Event map Parsed string `yaml:"parsed,omitempty"` //if the target field is in Meta map Meta string `yaml:"meta,omitempty"` //if the target field is in Enriched map Enriched string `yaml:"enriched,omitempty"` //the source is a static value Value string `yaml:"value,omitempty"` //or the result of an Expression ExpValue string `yaml:"expression,omitempty"` RunTimeValue *vm.Program `json:"-"` //the actual compiled filter //or an enrichment method Method string `yaml:"method,omitempty"` }
Used mostly for statics
type GrokPattern ¶ added in v1.5.3
type GrokPattern struct { //the field to which regexp is going to apply TargetField string `yaml:"apply_on,omitempty"` //the grok/regexp by name (loaded from patterns/*) RegexpName string `yaml:"name,omitempty"` //a proper grok pattern RegexpValue string `yaml:"pattern,omitempty"` //the runtime form of regexpname / regexpvalue RunTimeRegexp grokky.Pattern `json:"-"` //the actual regexp //the output of the expression is going to be the source for regexp ExpValue string `yaml:"expression,omitempty"` RunTimeValue *vm.Program `json:"-"` //the actual compiled filter //a grok can contain statics that apply if pattern is successful Statics []ExtraField `yaml:"statics,omitempty"` }
type Node ¶
type Node struct { FormatVersion string `yaml:"format"` //Enable config + runtime debug of node via config o/ Debug bool `yaml:"debug,omitempty"` //If enabled, the node (and its child) will report their own statistics Profiling bool `yaml:"profiling,omitempty"` //Name, author, description and reference(s) for parser pattern Name string `yaml:"name,omitempty"` Author string `yaml:"author,omitempty"` Description string `yaml:"description,omitempty"` References []string `yaml:"references,omitempty"` //if debug is present in the node, keep its specific Logger in runtime structure Logger *log.Entry `yaml:"-"` //This is mostly a hack to make writing less repetitive. //relying on stage, we know which field to parse, and we //can also promote log to next stage on success Stage string `yaml:"stage,omitempty"` //OnSuccess allows to tag a node to be able to move log to next stage on success OnSuccess string `yaml:"onsuccess,omitempty"` //Filter is executed at runtime (with current log line as context) //and must succeed or node is exited Filter string `yaml:"filter,omitempty"` RunTimeFilter *vm.Program `yaml:"-" json:"-"` //the actual compiled filter //If node has leafs, execute all of them until one asks for a 'break' LeavesNodes []Node `yaml:"nodes,omitempty"` //Flag used to describe when to 'break' or return an 'error' EnrichFunctions EnricherCtx /* If the node is actually a leaf, it can have : grok, enrich, statics */ //pattern_syntax are named grok patterns that are re-utilized over several grok patterns SubGroks yaml.MapSlice `yaml:"pattern_syntax,omitempty"` //Holds a grok pattern Grok GrokPattern `yaml:"grok,omitempty"` //Statics can be present in any type of node and is executed last Statics []ExtraField `yaml:"statics,omitempty"` //Stash allows to capture data from the log line and store it in an accessible cache Stash []DataCapture `yaml:"stash,omitempty"` //Whitelists Whitelist Whitelist `yaml:"whitelist,omitempty"` Data []*types.DataSource `yaml:"data,omitempty"` // contains filtered or unexported fields }
func LoadStages ¶
func LoadStages(stageFiles []Stagefile, pctx *UnixParserCtx, ectx EnricherCtx) ([]Node, error)
func (*Node) CheckExprWL ¶ added in v1.5.5
func (*Node) CompileWLs ¶ added in v1.5.5
func (*Node) ContainsExprLists ¶ added in v1.5.5
func (*Node) ContainsIPLists ¶ added in v1.5.5
func (*Node) ContainsWLs ¶ added in v1.5.5
func (*Node) ProcessStatics ¶ added in v1.0.0
func (n *Node) ProcessStatics(statics []ExtraField, event *types.Event) error
type Parsers ¶ added in v1.0.0
type Parsers struct { Ctx *UnixParserCtx Povfwctx *UnixParserCtx StageFiles []Stagefile PovfwStageFiles []Stagefile Nodes []Node Povfwnodes []Node EnricherCtx EnricherCtx }
func LoadParsers ¶ added in v1.0.0
func NewParsers ¶ added in v1.5.0
Return new parsers nodes and povfwnodes are already initialized in parser.LoadStages
type UnixParserCtx ¶
func Init ¶ added in v1.0.0
func Init(c map[string]interface{}) (*UnixParserCtx, error)
Click to show internal directories.
Click to hide internal directories.