Overview ¶
Package auditlog implements a set of log formatters and writers for audit logging.
The following log formats are supported:
- JSON
- Coraza
- Native
The following log writers are supported:
- Serial
- Concurrent
More writers and formatters can be registered using the RegisterWriter and RegisterFormatter functions.
Index ¶
- Constants
- Variables
- func GetFormatter(name string) (plugintypes.AuditLogFormatter, error)
- func GetTableFields(tablename string) []string
- func GetWriter(name string) (plugintypes.AuditLogWriter, error)
- func NewConfig() plugintypes.AuditLogConfig
- func RegisterFormatter(name string, f plugintypes.AuditLogFormatter)
- func RegisterWriter(name string, writer func() plugintypes.AuditLogWriter)
- type EventLog
- type Log
- type Message
- type MessageData
- func (md *MessageData) Accuracy() int
- func (md *MessageData) Data() string
- func (md *MessageData) File() string
- func (md *MessageData) ID() int
- func (md *MessageData) Line() int
- func (md *MessageData) Maturity() int
- func (md *MessageData) Msg() string
- func (md *MessageData) Raw() string
- func (md *MessageData) Rev() string
- func (md *MessageData) Severity() types.RuleSeverity
- func (md *MessageData) Tags() []string
- func (md *MessageData) Ver() string
- type Transaction
- func (t Transaction) Action() string
- func (t Transaction) ClientIP() string
- func (t Transaction) ClientPort() int
- func (t Transaction) HasRequest() bool
- func (t Transaction) HasResponse() bool
- func (t Transaction) HighestSeverity() string
- func (t Transaction) HostIP() string
- func (t Transaction) HostPort() int
- func (t Transaction) ID() string
- func (t Transaction) IsInterrupted() bool
- func (t Transaction) LLMAnswer() string
- func (t Transaction) LLMQuestion() string
- func (t Transaction) LastMessage() string
- func (t Transaction) LastRID() string
- func (t Transaction) Payload() string
- func (t Transaction) Producer() plugintypes.AuditLogTransactionProducer
- func (t Transaction) Request() plugintypes.AuditLogTransactionRequest
- func (t Transaction) RequestHeader() string
- func (t Transaction) Response() plugintypes.AuditLogTransactionResponse
- func (t Transaction) ResponseHeader() string
- func (t Transaction) ServerID() string
- func (t Transaction) Timestamp() string
- func (t Transaction) UnixTimestamp() int64
- type TransactionProducer
- type TransactionRequest
- func (tr *TransactionRequest) Args() *collections.ConcatKeyed
- func (tr *TransactionRequest) Body() string
- func (tr *TransactionRequest) Files() []plugintypes.AuditLogTransactionRequestFiles
- func (tr *TransactionRequest) HTTPVersion() string
- func (tr *TransactionRequest) Headers() map[string][]string
- func (tr *TransactionRequest) Length() int32
- func (tReq *TransactionRequest) Method() string
- func (tr *TransactionRequest) Protocol() string
- func (tr *TransactionRequest) URI() string
- type TransactionRequestFiles
- type TransactionResponse
Constants ¶
// Database identifiers for the audit-log database writer: the table that
// receives event rows and the database that holds it.
// NOTE(review): the writer that consumes these constants is not visible here;
// confirm that it is the only place they are used before changing them.
const (
	TABLENAME = "eventlog"
	DBNAME    = "insights"
)
// POSTGRESQL is the name under which the PostgreSQL audit-log writer is
// identified. It is a plain string, so a misspelled name is only detected at
// lookup time (GetWriter returns an error for an unknown name).
const (
	POSTGRESQL = "postgresql"
)
TODO: locate the database writer by some other means, to avoid errors caused by misspelled names.
Variables ¶
// NoopCloser is the package's shared no-op closer value. Its type, noopCloser,
// is unexported and defined elsewhere in this package (not shown here).
var NoopCloser = noopCloser{}
Functions ¶
func GetFormatter ¶
func GetFormatter(name string) (plugintypes.AuditLogFormatter, error)
GetFormatter returns a formatter by name. It returns an error if the formatter doesn't exist.
func GetTableFields ¶ added in v3.0.4
func GetWriter ¶
func GetWriter(name string) (plugintypes.AuditLogWriter, error)
GetWriter returns a logger by name. It returns an error if the logger doesn't exist.
func NewConfig ¶
func NewConfig() plugintypes.AuditLogConfig
NewConfig returns a Config with default values.
func RegisterFormatter ¶
func RegisterFormatter(name string, f plugintypes.AuditLogFormatter)
RegisterFormatter registers a new logger format; it can be used by plugins.
func RegisterWriter ¶
func RegisterWriter(name string, writer func() plugintypes.AuditLogWriter)
RegisterWriter registers a new logger; it can be used by plugins.
Types ¶
type EventLog ¶ added in v3.0.4
// EventLog is a flattened, per-event audit record. The struct tags define its
// JSON key names; the TABLENAME/DBNAME constants in this package suggest it is
// also the row layout for the database writer, but that writer is not visible
// here.
//
// NOTE(review): Payloads, RequestHeaders, RequestBody, ResponseHeaders,
// ResponseBody, Question and Answers carry request/response content verbatim.
// Such content can include credentials (Authorization or Cookie headers),
// session tokens and personal data; redact or mask it before persisting, and
// keep the stored records under access control and a retention limit.
type EventLog struct {
	// Timestamp of occurrence
	Timestamp int64 `json:"timestamp"`
	// Event ID
	EventID string `json:"event_id"`
	// Threat severity
	// NOTE(review): the tag is "serverity", a likely misspelling of "severity".
	// Consumers depend on the literal key, so renaming it is a schema change
	// that must be coordinated with every reader of this record.
	Severity string `json:"serverity"`
	// Threat category
	Category string `json:"category"`
	// Threat indicator
	IOC string `json:"ioc"`
	// Rule ID
	RuleID string `json:"rule_id"`
	// Threat description
	Message string `json:"message"`
	// Disposition (action taken)
	Action string `json:"action"`
	// TODO: attack result
	Status string `json:"status"`
	// TODO: payload information (the list of payloads that matched the rule);
	// still to be confirmed whether base64 encoding is needed to handle
	// special characters.
	// NOTE(review): payloads are attacker-controlled input. Encoding only
	// solves representation; whatever persists them must still pass them as
	// data (parameterized statements, a real JSON encoder) rather than
	// interpolating them into queries or log lines.
	Payloads []string `json:"payloads"`

	// Access information
	// Source of the access, i.e. ClientIP and ClientPort
	SrcIp   string `json:"src_ip"`
	SrcPort int    `json:"src_port"`
	// Destination of the access, i.e. HostIP and HostPort
	DstIp   string `json:"dst_ip"`
	DstPort int    `json:"dst_port"`

	// HTTP request
	// Request header information
	Host           string `json:"host"`
	URI            string `json:"uri"`
	Method         string `json:"method"`
	AppProtocol    string `json:"app_protocol"`
	Protocol       string `json:"protocol"`
	Version        string `json:"version"`
	RequestHeaders string `json:"request_headers"`
	// Request body information
	RequestBody string `json:"request_body"`
	Question    string `json:"question"`

	// HTTP response
	// Response headers
	StatusCode      string `json:"status_code"`
	ResponseHeaders string `json:"response_headers"`
	// Response body
	ResponseBody string `json:"response_body"`
	Answers      string `json:"answers"`
}
TODO: define the table structure.
type Log ¶
// Log represents the main struct for audit log data: which parts of the
// transaction were logged, the transaction itself and the rules it triggered.
// Parts_ is tagged `json:"-"` and is therefore never serialized.
type Log struct {
	// Parts contains the parts of the audit log
	Parts_ types.AuditLogParts `json:"-"`
	// Transaction contains the transaction information
	Transaction_ Transaction `json:"transaction"`
	// Messages contains the triggered rules information; omitted from JSON
	// when empty
	Messages_ []plugintypes.AuditLogMessage `json:"messages,omitempty"`
}
Log represents the main struct for audit log data
func (*Log) Messages ¶
func (l *Log) Messages() []plugintypes.AuditLogMessage
func (*Log) Parts ¶
func (l *Log) Parts() types.AuditLogParts
func (*Log) Transaction ¶
func (l *Log) Transaction() plugintypes.AuditLogTransaction
func (*Log) UnmarshalJSON ¶
type Message ¶
// Message contains information about one triggered rule: the action set that
// fired, the rule's message, and the detailed rule data.
type Message struct {
	// Actionset_ names the action set that was applied
	Actionset_ string `json:"actionset"`
	// Message_ is the rule's message text
	Message_ string `json:"message"`
	// Data_ holds the detailed rule information; nil encodes as JSON null
	Data_ *MessageData `json:"data"`
}
Message contains information about the triggered rules
func (Message) Data ¶
func (m Message) Data() plugintypes.AuditLogMessageData
type MessageData ¶
// MessageData contains information about a triggered rule in detail: where it
// is defined (File_/Line_), its identity (ID_/Rev_/Ver_), its metadata
// (Severity_/Maturity_/Accuracy_/Tags_) and its message and data
// (Msg_/Data_). Raw_ is presumably the raw rule text — confirm in the code that
// populates it.
type MessageData struct {
	File_     string             `json:"file"`
	Line_     int                `json:"line"`
	ID_       int                `json:"id"`
	Rev_      string             `json:"rev"`
	Msg_      string             `json:"msg"`
	Data_     string             `json:"data"`
	Severity_ types.RuleSeverity `json:"severity"`
	Ver_      string             `json:"ver"`
	Maturity_ int                `json:"maturity"`
	Accuracy_ int                `json:"accuracy"`
	Tags_     []string           `json:"tags"`
	Raw_      string             `json:"raw"`
}
MessageData contains information about the triggered rules in detail
func (*MessageData) Accuracy ¶
func (md *MessageData) Accuracy() int
func (*MessageData) Data ¶
func (md *MessageData) Data() string
func (*MessageData) File ¶
func (md *MessageData) File() string
func (*MessageData) ID ¶
func (md *MessageData) ID() int
func (*MessageData) Line ¶
func (md *MessageData) Line() int
func (*MessageData) Maturity ¶
func (md *MessageData) Maturity() int
func (*MessageData) Msg ¶
func (md *MessageData) Msg() string
func (*MessageData) Raw ¶
func (md *MessageData) Raw() string
func (*MessageData) Rev ¶
func (md *MessageData) Rev() string
func (*MessageData) Severity ¶
func (md *MessageData) Severity() types.RuleSeverity
func (*MessageData) Tags ¶
func (md *MessageData) Tags() []string
func (*MessageData) Ver ¶
func (md *MessageData) Ver() string
type Transaction ¶
// Transaction contains transaction-specific information for one audited
// request/response pair. Request_, Response_ and Producer_ are pointers and are
// omitted from JSON when nil.
//
// NOTE(review): RequestHeader_, ResponseHeader_, Payload_, LLMQuestion_ and
// LLMAnswer_ hold raw request/response content. Headers routinely carry
// credentials (Authorization, Cookie) and the LLM fields may carry personal
// data; redact before the record leaves the process and restrict access to
// the written logs.
type Transaction struct {
	// Timestamp in "02/Jan/2006:15:04:20 -0700" format
	// NOTE(review): ":20" is not a Go time-layout token (seconds are "05");
	// confirm the layout against the code that fills this field.
	Timestamp_     string `json:"timestamp"`
	UnixTimestamp_ int64  `json:"unix_timestamp"`
	// Unique ID
	ID_ string `json:"id"`
	// Client IP Address string representation
	ClientIP_   string `json:"client_ip"`
	ClientPort_ int    `json:"client_port"`
	HostIP_     string `json:"host_ip"`
	HostPort_   int    `json:"host_port"`
	ServerID_   string `json:"server_id"`

	Request_  *TransactionRequest  `json:"request,omitempty"`
	Response_ *TransactionResponse `json:"response,omitempty"`
	Producer_ *TransactionProducer `json:"producer,omitempty"`

	HighestSeverity_ string `json:"highest_severity"`
	IsInterrupted_   bool   `json:"is_interrupted"`

	// Added to store the ID of the last matched rule; during LLMGuard
	// detection it has to be written via
	// tx.variables.rule.SetIndex("id", 0, "<rule ID>")
	LastRID_ string `json:"last_id,omitempty"`
	// Added to store the description of the last matched rule; during
	// LLMGuard detection it has to be written via
	// tx.variables.rule.SetIndex("msg", 0, "<rule description>")
	LastMessage_ string `json:"last_message,omitempty"`
	// Added to store the data feature of the last matched rule, i.e. the
	// payload. For LLMGuard the corresponding request and answer are output;
	// for signature rules the payload is output.
	Payload_ string `json:"payload,omitempty"`
	// Added to store the request header content
	RequestHeader_ string `json:"request_header,omitempty"`
	// Added to store the response header content
	ResponseHeader_ string `json:"response_header,omitempty"`
	// Stores the question part sent to the LLM
	LLMQuestion_ string `json:"llm_question,omitempty"`
	// Stores the answer part returned by the LLM
	LLMAnswer_ string `json:"llm_answer,omitempty"`
	// Stores the action from the interruption
	Action_ string `json:"action,omitempty"`
}
Transaction contains transaction specific information
func (Transaction) Action ¶ added in v3.0.4
func (t Transaction) Action() string
Action returns the handling action.
func (Transaction) ClientIP ¶
func (t Transaction) ClientIP() string
func (Transaction) ClientPort ¶
func (t Transaction) ClientPort() int
func (Transaction) HasRequest ¶
func (t Transaction) HasRequest() bool
func (Transaction) HasResponse ¶
func (t Transaction) HasResponse() bool
func (Transaction) HighestSeverity ¶
func (t Transaction) HighestSeverity() string
func (Transaction) HostIP ¶
func (t Transaction) HostIP() string
func (Transaction) HostPort ¶
func (t Transaction) HostPort() int
func (Transaction) ID ¶
func (t Transaction) ID() string
func (Transaction) IsInterrupted ¶
func (t Transaction) IsInterrupted() bool
func (Transaction) LLMAnswer ¶ added in v3.0.4
func (t Transaction) LLMAnswer() string
LLMAnswer returns the LLM answer.
func (Transaction) LLMQuestion ¶ added in v3.0.4
func (t Transaction) LLMQuestion() string
LLMQuestion returns the LLM question.
func (Transaction) LastMessage ¶ added in v3.0.4
func (t Transaction) LastMessage() string
LastMessage returns the description of the last matched rule.
func (Transaction) LastRID ¶ added in v3.0.4
func (t Transaction) LastRID() string
LastRID returns the ID of the last matched rule.
func (Transaction) Payload ¶ added in v3.0.4
func (t Transaction) Payload() string
Payload returns the data content matched by the last rule; it only covers content detected by signature rules.
func (Transaction) Producer ¶
func (t Transaction) Producer() plugintypes.AuditLogTransactionProducer
func (Transaction) Request ¶
func (t Transaction) Request() plugintypes.AuditLogTransactionRequest
func (Transaction) RequestHeader ¶ added in v3.0.4
func (t Transaction) RequestHeader() string
RequestHeader returns the request headers as a string.
func (Transaction) Response ¶
func (t Transaction) Response() plugintypes.AuditLogTransactionResponse
func (Transaction) ResponseHeader ¶ added in v3.0.4
func (t Transaction) ResponseHeader() string
ResponseHeader returns the response headers as a string.
func (Transaction) ServerID ¶
func (t Transaction) ServerID() string
func (Transaction) Timestamp ¶
func (t Transaction) Timestamp() string
func (Transaction) UnixTimestamp ¶
func (t Transaction) UnixTimestamp() int64
type TransactionProducer ¶
// TransactionProducer contains producer-specific information for debugging:
// which connector, engine version and server produced the log, the rule-engine
// mode, timing data and the loaded rule sets.
type TransactionProducer struct {
	Connector_  string   `json:"connector"`
	Version_    string   `json:"version"`
	Server_     string   `json:"server"`
	RuleEngine_ string   `json:"rule_engine"`
	Stopwatch_  string   `json:"stopwatch"`
	Rulesets_   []string `json:"rulesets"`
}
TransactionProducer contains producer specific information for debugging
func (*TransactionProducer) Connector ¶
func (tp *TransactionProducer) Connector() string
func (*TransactionProducer) RuleEngine ¶
func (tp *TransactionProducer) RuleEngine() string
func (*TransactionProducer) Rulesets ¶
func (tp *TransactionProducer) Rulesets() []string
func (*TransactionProducer) Server ¶
func (tp *TransactionProducer) Server() string
func (*TransactionProducer) Stopwatch ¶
func (tp *TransactionProducer) Stopwatch() string
func (*TransactionProducer) Version ¶
func (tp *TransactionProducer) Version() string
type TransactionRequest ¶
// TransactionRequest contains request-specific information.
// NOTE(review): Headers_, Body_ and Args_ record client-supplied content
// verbatim; headers in particular may hold Authorization/Cookie values. Treat
// the serialized form as sensitive and redact where the deployment requires.
type TransactionRequest struct {
	Method_      string                                       `json:"method"`
	Protocol_    string                                       `json:"protocol"`
	URI_         string                                       `json:"uri"`
	HTTPVersion_ string                                       `json:"http_version"`
	Headers_     map[string][]string                          `json:"headers"`
	Body_        string                                       `json:"body"`
	Files_       []plugintypes.AuditLogTransactionRequestFiles `json:"files"`
	// Args_ is a project-specific keyed collection; nil encodes as JSON null
	Args_   *collections.ConcatKeyed `json:"args"`
	Length_ int32                    `json:"length"`
}
TransactionRequest contains request specific information
func (*TransactionRequest) Args ¶
func (tr *TransactionRequest) Args() *collections.ConcatKeyed
func (*TransactionRequest) Body ¶
func (tr *TransactionRequest) Body() string
func (*TransactionRequest) Files ¶
func (tr *TransactionRequest) Files() []plugintypes.AuditLogTransactionRequestFiles
func (*TransactionRequest) HTTPVersion ¶
func (tr *TransactionRequest) HTTPVersion() string
func (*TransactionRequest) Headers ¶
func (tr *TransactionRequest) Headers() map[string][]string
func (*TransactionRequest) Length ¶
func (tr *TransactionRequest) Length() int32
func (*TransactionRequest) Method ¶
func (tReq *TransactionRequest) Method() string
func (*TransactionRequest) Protocol ¶
func (tr *TransactionRequest) Protocol() string
func (*TransactionRequest) URI ¶
func (tr *TransactionRequest) URI() string
type TransactionRequestFiles ¶
// TransactionRequestFiles contains information for the files uploaded via
// multipart forms.
// NOTE(review): if Mime_ is taken from the multipart part headers it is
// client-declared, not verified from content — confirm in the populating code
// before relying on it for any decision.
type TransactionRequestFiles struct {
	Name_ string `json:"name"`
	Size_ int64  `json:"size"`
	Mime_ string `json:"mime"`
}
TransactionRequestFiles contains information for the uploaded files using multipart forms
func (TransactionRequestFiles) Mime ¶
func (trf TransactionRequestFiles) Mime() string
func (TransactionRequestFiles) Name ¶
func (trf TransactionRequestFiles) Name() string
func (TransactionRequestFiles) Size ¶
func (trf TransactionRequestFiles) Size() int64
type TransactionResponse ¶
// TransactionResponse contains response-specific information.
// NOTE(review): Headers_ and Body_ are recorded verbatim; Set-Cookie headers
// and response bodies may contain session material or personal data, so the
// same redaction and access-control considerations as for the request apply.
type TransactionResponse struct {
	Protocol_ string              `json:"protocol"`
	Status_   int                 `json:"status"`
	Headers_  map[string][]string `json:"headers"`
	Body_     string              `json:"body"`
}
TransactionResponse contains response specific information
func (*TransactionResponse) Body ¶
func (tr *TransactionResponse) Body() string
func (*TransactionResponse) Headers ¶
func (tr *TransactionResponse) Headers() map[string][]string
func (*TransactionResponse) Protocol ¶
func (tRes *TransactionResponse) Protocol() string
func (*TransactionResponse) Status ¶
func (tr *TransactionResponse) Status() int