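def _unescape_audit_object(raw):
    """Undo the audit log's backslash escaping and drop the surrounding quotes.

    The audit log writes the object as a quoted, backslash-escaped string.
    ``unicode-escape`` only understands ASCII/latin-1 input, so the text is
    encoded as latin-1 with anything else turned into ``\\uXXXX`` escapes
    first; the previous UTF-8 round trip turned every non-ASCII character
    into mojibake.  A malformed escape (e.g. a lone trailing ``\\``, which a
    client controls via the statement text) raises UnicodeDecodeError; the
    text is then kept verbatim rather than dropping the whole record from
    the pipeline.
    """
    text = raw.rstrip(';')
    try:
        text = text.encode('latin-1', 'backslashreplace').decode('unicode-escape')
    except UnicodeDecodeError:
        pass
    # The audit log quotes the object; strip one character at each end.
    return text[1:-1]


def transform(logdata):
    """Normalize an RDS MySQL/MariaDB audit-log record into ECS-style fields.

    Args:
        logdata: Parsed log record (mutable dict). Expected to carry ``rds``
            and ``event`` sub-dicts; may carry ``mysql_object``,
            ``mysql_operation`` and ``mysql_retcode``.

    Returns:
        The record returned by ``utils.convert_underscore_field_into_dot_notation``
        with the ``mysql_*`` keys nested under ``mysql``.
    """
    identifier = utils.cluster_instance_identifier(logdata)
    logdata['rds']['cluster_identifier'] = identifier['cluster']
    logdata['rds']['instance_identifier'] = identifier['instance']

    if 'mysql_object' in logdata:
        logdata['rds']['query'] = _unescape_audit_object(logdata['mysql_object'])

    if 'mysql_operation' in logdata:
        operation = logdata['mysql_operation']
        event = logdata['event']
        # Connection lifecycle operations map onto ECS authentication events.
        if operation in ('FAILED_CONNECT', ):
            event['category'] = 'authentication'
            event['type'] = 'start'
            event['action'] = 'failed'
        elif operation in ('CONNECT', ):
            event['category'] = 'authentication'
            event['type'] = 'start'
            event['action'] = 'authorized'
        elif operation in ('DISCONNECT', ):
            event['category'] = 'authentication'
            event['type'] = 'end'
            event['action'] = 'disconnected'

    if 'mysql_retcode' in logdata:
        # retcode 0 is success; anything else (including non-integer values)
        # is reported as failure, as before.
        if logdata['mysql_retcode'] == 0:
            logdata['event']['outcome'] = 'success'
        else:
            logdata['event']['outcome'] = 'failure'

    logdata = utils.convert_underscore_field_into_dot_notation(
        'mysql', logdata)

    return logdata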
def transform(logdata):
    """Attach RDS cluster/instance identifiers and nest the ``mysql_*`` fields.

    Args:
        logdata: Parsed log record (mutable dict) with an ``rds`` sub-dict.

    Returns:
        The record returned by ``utils.convert_underscore_field_into_dot_notation``.
    """
    ids = utils.cluster_instance_identifier(logdata)
    rds = logdata['rds']
    rds['cluster_identifier'] = ids['cluster']
    rds['instance_identifier'] = ids['instance']
    return utils.convert_underscore_field_into_dot_notation('mysql', logdata)
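def _mark_failed_authentication(event):
    """Set the ECS fields for a failed authentication attempt on ``event``."""
    event['category'] = 'authentication'
    event['type'] = 'start'
    event['action'] = 'failed'
    event['outcome'] = 'failure'


def transform(logdata):
    """Normalize an RDS MySQL/MariaDB error-log record into ECS-style fields.

    Two message shapes are recognised: a failed login (``RE_AUTH_FAILED``,
    yielding user and source host) and a connect to an unknown database
    (``RE_UNKNOWN_DB``, yielding the database name).  Both are classified as
    a failed authentication event.

    Args:
        logdata: Parsed log record (mutable dict) with ``rds`` and ``event``
            sub-dicts. ``mysql_message`` is optional and may be non-string.

    Returns:
        The record with ``mysql_*`` keys nested under ``mysql``.
    """
    identifier = utils.cluster_instance_identifier(logdata)
    logdata['rds']['cluster_identifier'] = identifier['cluster']
    logdata['rds']['instance_identifier'] = identifier['instance']

    # A record with no ``mysql_message`` key previously raised KeyError (not
    # caught by the ``except TypeError``) and dropped the event from the
    # pipeline; a non-string message raised TypeError inside re.match and
    # was treated as "no match".  Both cases now just skip the enrichment.
    message = logdata.get('mysql_message')
    if not isinstance(message, str):
        message = None

    m_failed = RE_AUTH_FAILED.match(message) if message is not None else None
    if m_failed:
        _mark_failed_authentication(logdata['event'])

        username = m_failed.group('mysql_username')
        logdata['mysql_username'] = username
        logdata.setdefault('user', {})['name'] = username

        host = m_failed.group('mysql_host')
        logdata['mysql_host'] = host
        logdata.setdefault('source', {})['address'] = host
        # Only populate source.ip when the host really is an IP literal;
        # hostnames stay in source.address only.
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass
        else:
            logdata['source']['ip'] = host

    m_unknown_db = RE_UNKNOWN_DB.match(message) if message is not None else None
    if m_unknown_db:
        _mark_failed_authentication(logdata['event'])
        database = m_unknown_db.group('mysql_database')
        logdata['mysql_database'] = database
        logdata['rds']['database_name'] = database

    logdata = utils.convert_underscore_field_into_dot_notation(
        'mysql', logdata)
    return logdata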
def transform(logdata):
    """Normalize an RDS MySQL slow-query-log record.

    Copies ``mysql_query_time`` to ``rds.query_time``, pulls the database
    name (``RE_DATABASE``) and the statement text (``RE_QUERY``) out of
    ``mysql_query``, then nests the ``mysql_*`` keys under ``mysql``.

    Args:
        logdata: Parsed log record with ``rds``, ``mysql_query_time`` and
            ``mysql_query`` present (a missing key raises KeyError).

    Returns:
        The record returned by ``utils.convert_underscore_field_into_dot_notation``.
    """
    ids = utils.cluster_instance_identifier(logdata)
    rds = logdata['rds']
    rds['cluster_identifier'] = ids['cluster']
    rds['instance_identifier'] = ids['instance']
    rds['query_time'] = logdata['mysql_query_time']

    raw_query = logdata['mysql_query']
    db_match = RE_DATABASE.match(raw_query)
    if db_match is not None:
        rds['database_name'] = db_match.group(1)

    query_match = RE_QUERY.search(raw_query)
    if query_match is not None:
        rds['query'] = query_match.group().rstrip(';')

    return utils.convert_underscore_field_into_dot_notation('mysql', logdata)
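def _set_auth_event(event, event_type, action, outcome):
    """Fill the ECS authentication fields on ``event``."""
    event['category'] = 'authentication'
    event['type'] = event_type
    event['action'] = action
    event['outcome'] = outcome


def _session_seconds(match):
    """Convert a ``RE_SESSION_TIME`` match (hours, minutes, seconds) to seconds.

    Bug fix: hours were previously multiplied by ``60 * 24`` (1440, a
    minutes-per-day factor), so every session longer than an hour was
    under-reported by 2160 s per hour.  An hour is 3600 s.
    """
    hours = int(match.group(1))
    minutes = int(match.group(2))
    seconds = float(match.group(3))
    return seconds + hours * 3600 + minutes * 60


def transform(logdata):
    """Normalize an RDS PostgreSQL log record into ECS-style fields.

    Dispatches on ``postgresql.log_level``:

    * ``STATEMENT`` - the message is the executed statement (``rds.query``).
    * ``FATAL`` - a ``RE_AUTH_FAILED`` match is a failed authentication.
    * ``LOG`` - a ``RE_AUTH_SUCCESS`` match is a successful authentication;
      a ``RE_SESSION_TIME`` match yields ``postgresql.session_time_seconds``;
      anything else is handed to ``extract_slow_log``.

    Args:
        logdata: Parsed log record (mutable dict) with ``rds`` and ``event``
            sub-dicts and ``postgresql_*`` fields.

    Returns:
        The enriched record with ``postgresql_*`` keys nested under
        ``postgresql``.
    """
    logdata = utils.convert_underscore_field_into_dot_notation(
        'postgresql', logdata)
    identifier = utils.cluster_instance_identifier(logdata)
    logdata['rds']['cluster_identifier'] = identifier['cluster']
    logdata['rds']['instance_identifier'] = identifier['instance']

    pg = logdata['postgresql']
    if 'log_level' not in pg:
        return logdata
    level = pg['log_level']

    if level in ('STATEMENT', ):
        logdata['rds']['query'] = pg['message']
    elif level in ('FATAL', ):
        if RE_AUTH_FAILED.search(pg['message']):
            _set_auth_event(logdata['event'], 'start', 'failed', 'failure')
    elif level in ('LOG', ):
        message = pg['message']
        if RE_AUTH_SUCCESS.search(message):
            _set_auth_event(logdata['event'], 'start', 'authorized', 'success')
            return logdata
        m_session = RE_SESSION_TIME.match(message)
        if m_session:
            pg['session_time_seconds'] = _session_seconds(m_session)
            return logdata
        # Neither an auth nor a disconnect line: try the slow-log format.
        logdata = extract_slow_log(logdata)

    return logdata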