def event(request):
path, cfg = request.param
coll = cfg.get("$collection", COLLECTION_NAME)
assert coll == COLLECTION_NAME, "Invalid collection %s" % coll
ec = EventClass.get_by_name(
cfg.get("eventclass__name", DEFAULT_EVENT_CLASS)
)
mo = ManagedObject(
id=MO_ID,
name=MO_NAME,
address=MO_ADDRESS,
profile=Profile.get_by_name(cfg.get("profile__name", DEFAULT_PROFILE))
)
now = datetime.datetime.now()
data = cfg.get("data", {})
source = data.pop("source", "other")
event = ActiveEvent(
timestamp=now,
start_timestamp=now,
managed_object=mo,
source=source,
raw_vars=data,
repeats=1
)
request.fixturename = "events-%s" % cfg.get("uuid")
# request.fspath = path
return event, ec, cfg.get("vars", {})
def read_syslog(self, f):
now = datetime.datetime.now()
for line in f:
yield ActiveEvent(
timestamp=now,
start_timestamp=now,
managed_object=self.managed_object,
source="syslog",
raw_vars={"collector": "default", "message": line[:-1]},
repeats=1,
)
async def on_event(self, msg: Message):
# Decode message
event = orjson.loads(msg.value)
object = event.get("object")
data = event.get("data")
# Process event
event_ts = datetime.datetime.fromtimestamp(event.get("ts"))
# Generate or reuse existing object id
event_id = ObjectId(event.get("id"))
# Calculate message processing delay
lag = (time.time() - float(msg.timestamp) / NS) * 1000
metrics["lag_us"] = int(lag * 1000)
self.logger.debug("[%s] Receiving new event: %s (Lag: %.2fms)",
event_id, data, lag)
metrics[CR_PROCESSED] += 1
# Resolve managed object
mo = ManagedObject.get_by_id(object)
if not mo:
self.logger.info("[%s] Unknown managed object id %s. Skipping",
event_id, object)
metrics[CR_UOBJECT] += 1
return
self.logger.info("[%s|%s|%s] Managed object found", event_id, mo.name,
mo.address)
# Process event
source = data.pop("source", "other")
event = ActiveEvent(
id=event_id,
timestamp=event_ts,
start_timestamp=event_ts,
managed_object=mo,
source=source,
repeats=1,
) # raw_vars will be filled by classify_event()
# Ignore event
if self.patternset.find_ignore_rule(event, data):
self.logger.debug("Ignored event %s vars %s", event, data)
metrics[CR_IGNORED] += 1
return
# Classify event
try:
await self.classify_event(event, data)
except Exception as e:
self.logger.error("[%s|%s|%s] Failed to process event: %s",
event.id, mo.name, mo.address, e)
metrics[CR_FAILED] += 1
return
self.logger.info("[%s|%s|%s] Event processed successfully", event.id,
mo.name, mo.address)
def on_event(self,
message,
ts=None,
object=None,
data=None,
id=None,
*args,
**kwargs):
event_ts = datetime.datetime.fromtimestamp(ts)
# Generate or reuse existing object id
event_id = ObjectId(id)
# Calculate messate processing delay
lag = (time.time() - ts) * 1000
metrics["lag_us"] = int(lag * 1000)
self.logger.debug("[%s] Receiving new event: %s (Lag: %.2fms)",
event_id, data, lag)
metrics[CR_PROCESSED] += 1
# Resolve managed object
mo = ManagedObject.get_by_id(object)
if not mo:
self.logger.info("[%s] Unknown managed object id %s. Skipping",
event_id, object)
metrics[CR_UOBJECT] += 1
return True
self.logger.info("[%s|%s|%s] Managed object found", event_id, mo.name,
mo.address)
# Process event
source = data.pop("source", "other")
event = ActiveEvent(
id=event_id,
timestamp=event_ts,
start_timestamp=event_ts,
managed_object=mo,
source=source,
repeats=1,
) # raw_vars will be filled by classify_event()
# Classify event
try:
self.classify_event(event, data)
except Exception as e:
self.logger.error("[%s|%s|%s] Failed to process event: %s",
event.id, mo.name, mo.address, e)
metrics[CR_FAILED] += 1
return False
self.logger.info("[%s|%s|%s] Event processed successfully", event.id,
mo.name, mo.address)
return True
async def raise_abduct_event(self, event: ActiveEvent) -> None:
"""
Create Cable Abduct Event and dispose it to correlator
:param event:
:return:
"""
if not self.cable_abduct_ecls:
self.cable_abduct_ecls = EventClass.get_by_name(CABLE_ABDUCT)
abd_event = ActiveEvent(
timestamp=event.timestamp,
start_timestamp=event.timestamp,
managed_object=event.managed_object,
source=event.source,
repeats=1,
event_class=self.cable_abduct_ecls,
)
abd_event.save()
await self.dispose_event(abd_event)