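def run_rule_test(self):
    """
    Drive MockElastAlerter from the command line.

    Parses ``sys.argv``, loads the rule named on the command line and the
    global config (``self.load_conf``), then either loads hit data from
    ``--data`` into ``self.data`` or fetches hits through ``self.test_file``,
    optionally dumping those hits to ``--save-json``.  Unless ``--schema-only``
    or ``--count-only`` is set, the rule is then run via ``self.run_elastalert``.

    Side effects: reads ``sys.argv``; may read the ``--data`` file and
    overwrite the ``--save-json`` file; sets ``self.data`` when ``--data``
    is given.
    """
    parser = argparse.ArgumentParser(description='Validate a rule configuration')
    parser.add_argument('file', metavar='rule', type=str,
                        help='rule configuration filename')
    parser.add_argument('--schema-only', action='store_true',
                        help='Show only schema errors; do not run query')
    parser.add_argument('--days', type=int, default=1, action='store',
                        help='Query the previous N days with this rule')
    parser.add_argument('--data', type=str, metavar='FILENAME', action='store', dest='json',
                        help='A JSON file containing data to run the rule against')
    parser.add_argument('--alert', action='store_true',
                        help='Use actual alerts instead of debug output')
    parser.add_argument('--save-json', type=str, metavar='FILENAME', action='store', dest='save',
                        help='A file to which documents from the last day or --days will be saved')
    parser.add_argument('--count-only', action='store_true', dest='count',
                        help='Only display the number of documents matching the filter')
    parser.add_argument('--config', action='store', dest='config',
                        help='Global config file.')
    args = parser.parse_args()

    rule_yaml = load_rule_yaml(args.file)
    conf = self.load_conf(rule_yaml, args)

    if args.json:
        with open(args.json, 'r') as data_file:
            self.data = simplejson.load(data_file)
    else:
        # deepcopy keeps test_file from mutating the rule that
        # run_elastalert receives below.
        hits = self.test_file(copy.deepcopy(rule_yaml), args)
        if hits and args.save:
            # Fold each hit's _id into its _source so the dump is self-contained.
            for doc in hits:
                doc['_source']['_id'] = doc['_id']
            # Text mode: dumps() returns str, which a binary-mode file
            # rejects on Python 3.
            with open(args.save, 'w') as data_file:
                data_file.write(simplejson.dumps([doc['_source'] for doc in hits], indent=' '))

    if not args.schema_only and not args.count:
        self.run_elastalert(rule_yaml, conf, args)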
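def run_rule_test(self):
    """
    Drive MockElastAlerter from the command line.

    Parses ``sys.argv``, loads the rule named on the command line and the
    global config (``self.load_conf``), then either loads hit data from
    ``--data`` into ``self.data`` or fetches hits through ``self.test_file``,
    optionally dumping those hits to ``--save-json``.  Unless ``--schema-only``
    or ``--count-only`` is set, the rule is then run via ``self.run_elastalert``.

    Side effects: reads ``sys.argv``; may read the ``--data`` file and
    overwrite the ``--save-json`` file; sets ``self.data`` when ``--data``
    is given.
    """
    parser = argparse.ArgumentParser(description='Validate a rule configuration')
    parser.add_argument('file', metavar='rule', type=str,
                        help='rule configuration filename')
    parser.add_argument('--schema-only', action='store_true',
                        help='Show only schema errors; do not run query')
    parser.add_argument('--days', type=int, default=1, action='store',
                        help='Query the previous N days with this rule')
    parser.add_argument('--stop-error', action='store_true',
                        help='Stop the entire test right after the first error')
    parser.add_argument('--data', type=str, metavar='FILENAME', action='store', dest='json',
                        help='A JSON file containing data to run the rule against')
    parser.add_argument('--alert', action='store_true',
                        help='Use actual alerts instead of debug output')
    parser.add_argument('--save-json', type=str, metavar='FILENAME', action='store', dest='save',
                        help='A file to which documents from the last day or --days will be saved')
    parser.add_argument('--count-only', action='store_true', dest='count',
                        help='Only display the number of documents matching the filter')
    parser.add_argument('--config', action='store', dest='config',
                        help='Global config file.')
    args = parser.parse_args()

    rule_yaml = load_rule_yaml(args.file)
    conf = self.load_conf(rule_yaml, args)

    if args.json:
        with open(args.json, 'r') as data_file:
            self.data = simplejson.load(data_file)
    else:
        # deepcopy keeps test_file from mutating the rule that
        # run_elastalert receives below.
        hits = self.test_file(copy.deepcopy(rule_yaml), args)
        if hits and args.save:
            # Fold each hit's _id into its _source so the dump is self-contained.
            for doc in hits:
                doc['_source']['_id'] = doc['_id']
            # Text mode: dumps() returns str, which a binary-mode file
            # rejects on Python 3.
            with open(args.save, 'w') as data_file:
                data_file.write(simplejson.dumps([doc['_source'] for doc in hits], indent=' '))

    if not args.schema_only and not args.count:
        self.run_elastalert(rule_yaml, conf, args)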
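def run_rule_test(self):
    """
    Drive MockElastAlerter from the command line.

    Parses ``sys.argv``, loads the rule named on the command line and the
    global config (``self.load_conf``), then either loads hit data from
    ``--data`` into ``self.data`` or fetches hits through ``self.test_file``.
    Fetched hits may be copied into ``self.formatted_output['results']``
    (``--formatted-output``), dumped to ``--save-json``, and, with
    ``--use-downloaded``, re-read from that dump into ``self.data`` with
    ``args.json`` pointed at it.  Unless ``--schema-only`` or ``--count-only``
    is set, the rule is then run via ``self.run_elastalert``; with
    ``--formatted-output`` the collected output is printed as JSON at the end.

    Side effects: reads ``sys.argv``; may read the ``--data`` file and
    overwrite the ``--save-json`` file; writes ``self.data`` and
    ``self.formatted_output``; prints to stdout.

    Exits (via ``parser.error``) when ``--use-downloaded`` is given without
    either ``--save-json`` or ``--data``, since there is then no file to reuse.
    """
    parser = argparse.ArgumentParser(description='Validate a rule configuration')
    parser.add_argument('file', metavar='rule', type=str,
                        help='rule configuration filename')
    parser.add_argument('--schema-only', action='store_true',
                        help='Show only schema errors; do not run query')
    parser.add_argument('--days', type=int, default=1, action='store',
                        help='Query the previous N days with this rule')
    parser.add_argument('--start', dest='start',
                        help='YYYY-MM-DDTHH:MM:SS Start querying from this timestamp.')
    parser.add_argument('--end', dest='end',
                        help='YYYY-MM-DDTHH:MM:SS Query to this timestamp. (Default: present) '
                             'Use "NOW" to start from current time. (Default: present)')
    parser.add_argument('--stop-error', action='store_true',
                        help='Stop the entire test right after the first error')
    parser.add_argument('--formatted-output', action='store_true',
                        help='Output results in formatted JSON')
    parser.add_argument('--data', type=str, metavar='FILENAME', action='store', dest='json',
                        help='A JSON file containing data to run the rule against')
    parser.add_argument('--alert', action='store_true',
                        help='Use actual alerts instead of debug output')
    parser.add_argument('--save-json', type=str, metavar='FILENAME', action='store', dest='save',
                        help='A file to which documents from the last day or --days will be saved')
    # Help text was truncated ('Use the downloaded '); describe what the flag does.
    parser.add_argument('--use-downloaded', action='store_true', dest='use_downloaded',
                        help='Use the documents written by --save-json as the rule input')
    parser.add_argument('--max-query-size', type=int, default=10000, action='store', dest='max_query_size',
                        help='Maximum size of any query')
    parser.add_argument('--count-only', action='store_true', dest='count',
                        help='Only display the number of documents matching the filter')
    parser.add_argument('--config', action='store', dest='config',
                        help='Global config file.')
    args = parser.parse_args()
    if args.use_downloaded and not (args.json or args.save):
        # Previously this path reached open(None) with a TypeError.
        parser.error('--use-downloaded requires --save-json')

    rule_yaml = load_rule_yaml(args.file)
    conf = self.load_conf(rule_yaml, args)

    # hits is only fetched when no --data file is supplied; keep it bound
    # so the --use-downloaded branch below cannot hit an unbound name.
    hits = None
    if args.json:
        with open(args.json, 'r') as data_file:
            self.data = json.load(data_file)
    else:
        # deepcopy keeps test_file from mutating the rule that
        # run_elastalert receives below.
        hits = self.test_file(copy.deepcopy(rule_yaml), args)
        if hits and args.formatted_output:
            # JSON round-trip snapshot, taken before _id is folded into
            # _source below so the snapshot reflects the raw hits.
            self.formatted_output['results'] = json.loads(json.dumps(hits))
        if hits and args.save:
            # Fold each hit's _id into its _source so the dump is self-contained.
            for doc in hits:
                doc['_source']['_id'] = doc['_id']
            # Text mode: dumps() returns str, which a binary-mode file
            # rejects on Python 3.
            with open(args.save, 'w') as data_file:
                data_file.write(json.dumps([doc['_source'] for doc in hits], indent=4))

    # With --data the input is already in self.data, so there is nothing to
    # re-read; otherwise reload the dump just written (args.json is handed
    # on to run_elastalert with the other args -- presumably it is consulted
    # there; confirm against run_elastalert).
    if args.use_downloaded and not args.json:
        if hits:
            args.json = args.save
            with open(args.json, 'r') as data_file:
                self.data = json.load(data_file)
        else:
            self.data = []

    if not args.schema_only and not args.count:
        self.run_elastalert(rule_yaml, conf, args)

    if args.formatted_output:
        print(json.dumps(self.formatted_output))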
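def run_rule_test(self):
    """
    Drive MockElastAlerter from the command line.

    Parses ``sys.argv``, loads the rule named on the command line and the
    global config (``self.load_conf``), then either loads hit data from
    ``--data`` into ``self.data`` or fetches hits through ``self.test_file``.
    Fetched hits may be copied into ``self.formatted_output['results']``
    (``--formatted-output``), dumped to ``--save-json``, and, with
    ``--use-downloaded``, re-read from that dump into ``self.data`` with
    ``args.json`` pointed at it.  Unless ``--schema-only`` or ``--count-only``
    is set, the rule is then run via ``self.run_elastalert``; with
    ``--formatted-output`` the collected output is printed as JSON at the end.

    Side effects: reads ``sys.argv``; may read the ``--data`` file and
    overwrite the ``--save-json`` file; writes ``self.data`` and
    ``self.formatted_output``; prints to stdout.

    Exits (via ``parser.error``) when ``--use-downloaded`` is given without
    either ``--save-json`` or ``--data``, since there is then no file to reuse.
    """
    parser = argparse.ArgumentParser(description='Validate a rule configuration')
    parser.add_argument('file', metavar='rule', type=str,
                        help='rule configuration filename')
    parser.add_argument('--schema-only', action='store_true',
                        help='Show only schema errors; do not run query')
    parser.add_argument('--days', type=int, default=0, action='store',
                        help='Query the previous N days with this rule')
    parser.add_argument('--start', dest='start',
                        help='YYYY-MM-DDTHH:MM:SS Start querying from this timestamp.')
    parser.add_argument('--end', dest='end',
                        help='YYYY-MM-DDTHH:MM:SS Query to this timestamp. (Default: present) '
                             'Use "NOW" to start from current time. (Default: present)')
    parser.add_argument('--stop-error', action='store_true',
                        help='Stop the entire test right after the first error')
    parser.add_argument('--formatted-output', action='store_true',
                        help='Output results in formatted JSON')
    parser.add_argument('--data', type=str, metavar='FILENAME', action='store', dest='json',
                        help='A JSON file containing data to run the rule against')
    parser.add_argument('--alert', action='store_true',
                        help='Use actual alerts instead of debug output')
    parser.add_argument('--save-json', type=str, metavar='FILENAME', action='store', dest='save',
                        help='A file to which documents from the last day or --days will be saved')
    # Help text was truncated ('Use the downloaded '); describe what the flag does.
    parser.add_argument('--use-downloaded', action='store_true', dest='use_downloaded',
                        help='Use the documents written by --save-json as the rule input')
    parser.add_argument('--max-query-size', type=int, default=10000, action='store', dest='max_query_size',
                        help='Maximum size of any query')
    parser.add_argument('--count-only', action='store_true', dest='count',
                        help='Only display the number of documents matching the filter')
    parser.add_argument('--config', action='store', dest='config',
                        help='Global config file.')
    args = parser.parse_args()
    if args.use_downloaded and not (args.json or args.save):
        # Previously this path reached open(None) with a TypeError.
        parser.error('--use-downloaded requires --save-json')

    rule_yaml = load_rule_yaml(args.file)
    conf = self.load_conf(rule_yaml, args)

    # hits is only fetched when no --data file is supplied; keep it bound
    # so the --use-downloaded branch below cannot hit an unbound name.
    hits = None
    if args.json:
        with open(args.json, 'r') as data_file:
            self.data = json.load(data_file)
    else:
        # deepcopy keeps test_file from mutating the rule that
        # run_elastalert receives below.
        hits = self.test_file(copy.deepcopy(rule_yaml), args)
        if hits and args.formatted_output:
            # JSON round-trip snapshot, taken before _id is folded into
            # _source below so the snapshot reflects the raw hits.
            self.formatted_output['results'] = json.loads(json.dumps(hits))
        if hits and args.save:
            # Fold each hit's _id into its _source so the dump is self-contained.
            for doc in hits:
                doc['_source']['_id'] = doc['_id']
            # Text mode: dumps() returns str, which a binary-mode file
            # rejects on Python 3.
            with open(args.save, 'w') as data_file:
                data_file.write(json.dumps([doc['_source'] for doc in hits], indent=4))

    # With --data the input is already in self.data, so there is nothing to
    # re-read; otherwise reload the dump just written (args.json is handed
    # on to run_elastalert with the other args -- presumably it is consulted
    # there; confirm against run_elastalert).
    if args.use_downloaded and not args.json:
        if hits:
            args.json = args.save
            with open(args.json, 'r') as data_file:
                self.data = json.load(data_file)
        else:
            self.data = []

    if not args.schema_only and not args.count:
        self.run_elastalert(rule_yaml, conf, args)

    if args.formatted_output:
        print(json.dumps(self.formatted_output))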