Esempio n. 1
0
 def add_data(self, data):
     qk = self.rules.get('query_key')
     for event in data:
         if qk:
             key = hashable(lookup_es_key(event, qk))
         else:
             # If no query_key, we use the key 'all' for all events
             key = 'all'
         self.cardinality_cache.setdefault(key, {})
         self.first_event.setdefault(key, event[self.ts_field])
         value = hashable(lookup_es_key(event, self.cardinality_field))
         if value is not None:
             # Store this timestamp as most recent occurence of the term
             self.cardinality_cache[key][value] = event[self.ts_field]
             self.check_for_match(key, event)
Esempio n. 2
0
 def add_data(self, data):
     qk = self.rules.get('query_key')
     for event in data:
         if qk:
             key = hashable(lookup_es_key(event, qk))
         else:
             # If no query_key, we use the key 'all' for all events
             key = 'all'
         self.cardinality_cache.setdefault(key, {})
         self.first_event.setdefault(key, event[self.ts_field])
         value = hashable(lookup_es_key(event, self.cardinality_field))
         if value is not None:
             # Store this timestamp as most recent occurence of the term
             self.cardinality_cache[key][value] = event[self.ts_field]
             self.check_for_match(key, event)
Esempio n. 3
0
    def compare(self, event):
        key = hashable(lookup_es_key(event, self.rules['query_key']))
        values = []
        elastalert_logger.debug(" Previous Values of compare keys  " + str(self.occurrences))
        for val in self.rules['compound_compare_key']:
            lookup_value = lookup_es_key(event, val)
            values.append(lookup_value)
        elastalert_logger.debug(" Current Values of compare keys   " + str(values))

        changed = False
        for val in values:
            if not isinstance(val, bool) and not val and self.rules['ignore_null']:
                return False
        # If we have seen this key before, compare it to the new value
        if key in self.occurrences:
            for idx, previous_values in enumerate(self.occurrences[key]):
                elastalert_logger.debug(" " + str(previous_values) + " " + str(values[idx]))
                changed = previous_values != values[idx]
                if changed:
                    break
            if changed:
                self.change_map[key] = (self.occurrences[key], values)
                # If using timeframe, only return true if the time delta is < timeframe
                if key in self.occurrence_time:
                    changed = event[self.rules['timestamp_field']] - self.occurrence_time[key] <= self.rules['timeframe']

        # Update the current value and time
        elastalert_logger.debug(" Setting current value of compare keys values " + str(values))
        self.occurrences[key] = values
        if 'timeframe' in self.rules:
            self.occurrence_time[key] = event[self.rules['timestamp_field']]
        elastalert_logger.debug("Final result of comparision between previous and current values " + str(changed))
        return changed
Esempio n. 4
0
    def compare(self, event):
        key = hashable(lookup_es_key(event, self.rules["query_key"]))
        val = lookup_es_key(event, self.rules["compare_key"])
        if not val and self.rules["ignore_null"]:
            return False
        changed = False

        # If we have seen this key before, compare it to the new value
        if key in self.occurrences:
            changed = self.occurrences[key] != val
            if changed:
                self.change_map[key] = (self.occurrences[key], val)

                # If using timeframe, only return true if the time delta is < timeframe
                if key in self.occurrence_time:
                    changed = (
                        event[self.rules["timestamp_field"]] - self.occurrence_time[key] <= self.rules["timeframe"]
                    )

        # Update the current value and time
        self.occurrences[key] = val
        if "timeframe" in self.rules:
            self.occurrence_time[key] = event[self.rules["timestamp_field"]]

        return changed
Esempio n. 5
0
    def compare(self, event):
        key = hashable(lookup_es_key(event, self.rules['query_key']))
        val = lookup_es_key(event, self.rules['compare_key'])
        if not val and self.rules['ignore_null']:
            return False
        changed = False

        # If we have seen this key before, compare it to the new value
        if key in self.occurrences:
            changed = self.occurrences[key] != val
            if changed:
                self.change_map[key] = (self.occurrences[key], val)

                # If using timeframe, only return true if the time delta is < timeframe
                if key in self.occurrence_time:
                    changed = event[
                        self.rules['timestamp_field']] - self.occurrence_time[
                            key] <= self.rules['timeframe']

        # Update the current value and time
        self.occurrences[key] = val
        if 'timeframe' in self.rules:
            self.occurrence_time[key] = event[self.rules['timestamp_field']]

        return changed
Esempio n. 6
0
    def compare(self, event):
        key = hashable(lookup_es_key(event, self.rules['query_key']))
        values = []
        elastalert_logger.debug(" Previous Values of compare keys  " + str(self.occurrences))
        for val in self.rules['compound_compare_key']:
            lookup_value = lookup_es_key(event, val)
            values.append(lookup_value)
        elastalert_logger.debug(" Current Values of compare keys   " + str(values))

        changed = False
        for val in values:
            if not isinstance(val, bool) and not val and self.rules['ignore_null']:
                return False
        # If we have seen this key before, compare it to the new value
        if key in self.occurrences:
            for idx, previous_values in enumerate(self.occurrences[key]):
                elastalert_logger.debug(" " + str(previous_values) + " " + str(values[idx]))
                changed = previous_values != values[idx]
                if changed:
                    break
            if changed:
                self.change_map[key] = (self.occurrences[key], values)
                # If using timeframe, only return true if the time delta is < timeframe
                if key in self.occurrence_time:
                    changed = event[self.rules['timestamp_field']] - self.occurrence_time[key] <= self.rules['timeframe']

        # Update the current value and time
        elastalert_logger.debug(" Setting current value of compare keys values " + str(values))
        self.occurrences[key] = values
        if 'timeframe' in self.rules:
            self.occurrence_time[key] = event[self.rules['timestamp_field']]
        elastalert_logger.debug("Final result of comparision between previous and current values " + str(changed))
        return changed
Esempio n. 7
0
 def add_data(self, data):
     for event in data:
         qk = self.rules.get("query_key", "all")
         if qk != "all":
             qk = hashable(lookup_es_key(event, qk))
             if qk is None:
                 qk = "other"
         self.handle_event(event, 1, qk)
Esempio n. 8
0
 def add_data(self, data):
     for event in data:
         qk = self.rules.get('query_key', 'all')
         if qk != 'all':
             qk = hashable(lookup_es_key(event, qk))
             if qk is None:
                 qk = 'other'
         self.handle_event(event, 1, qk)
Esempio n. 9
0
 def add_data(self, data):
     for event in data:
         qk = self.rules.get('query_key', 'all')
         if qk != 'all':
             qk = hashable(lookup_es_key(event, qk))
             if qk is None:
                 qk = 'other'
         self.handle_event(event, 1, qk)
Esempio n. 10
0
 def add_match(self, match):
     # TODO this is not technically correct
     # if the term changes multiple times before an alert is sent
     # this data will be overwritten with the most recent change
     change = self.change_map.get(hashable(lookup_es_key(match, self.rules["query_key"])))
     extra = {}
     if change:
         extra = {"old_value": change[0], "new_value": change[1]}
     super(ChangeRule, self).add_match(dict(match.items() + extra.items()))
Esempio n. 11
0
 def add_match(self, match):
     # TODO this is not technically correct
     # if the term changes multiple times before an alert is sent
     # this data will be overwritten with the most recent change
     change = self.change_map.get(hashable(lookup_es_key(match, self.rules['query_key'])))
     extra = {}
     if change:
         extra = {'old_value': change[0],
                  'new_value': change[1]}
     super(ChangeRule, self).add_match(dict(match.items() + extra.items()))
Esempio n. 12
0
 def add_match(self, match):
     # TODO this is not technically correct
     # if the term changes multiple times before an alert is sent
     # this data will be overwritten with the most recent change
     change = self.change_map.get(hashable(lookup_es_key(match, self.rules['query_key'])))
     extra = {}
     if change:
         extra = {'old_value': change[0],
                  'new_value': change[1]}
         elastalert_logger.debug("Description of the changed records  " + str(dict(match.items() + extra.items())))
     super(ChangeRule, self).add_match(dict(match.items() + extra.items()))
Esempio n. 13
0
    def add_data(self, data):
        if 'query_key' in self.rules:
            qk = self.rules['query_key']
        else:
            qk = None

        for event in data:
            if qk:
                key = hashable(lookup_es_key(event, qk))
            else:
                # If no query_key, we use the key 'all' for all events
                key = 'all'

            # Store the timestamps of recent occurrences, per key
            self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1))
            self.check_for_match(key)
Esempio n. 14
0
    def add_data(self, data):
        if 'query_key' in self.rules:
            qk = self.rules['query_key']
        else:
            qk = None

        for event in data:
            if qk:
                key = hashable(lookup_es_key(event, qk))
            else:
                # If no query_key, we use the key 'all' for all events
                key = 'all'

            # Store the timestamps of recent occurrences, per key
            self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1))
            self.check_for_match(key)
Esempio n. 15
0
    def add_data(self, data):
        if 'query_key' in self.rules:
            qk = self.rules['query_key']
        else:
            qk = None

        for event in data:
            if qk:
                key = hashable(lookup_es_key(event, qk))
            else:
                # If no query_key, we use the key 'all' for all events
                key = 'all'

            # Store the timestamps of recent occurrences, per key
            self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1))

        # Only check for match _once_ after adding all the events discovered in this run
        # If the current running count is 1, and the threshold is 10, and we go to add 8 entries
        # it should only count as a single match, and not 8 consecutive ones.
        self.check_for_match(key)
Esempio n. 16
0
    def add_data(self, data):
        if 'query_key' in self.rules:
            qk = self.rules['query_key']
        else:
            qk = None

        for event in data:
            if qk:
                key = hashable(lookup_es_key(event, qk))
            else:
                # If no query_key, we use the key 'all' for all events
                key = 'all'

            # Store the timestamps of recent occurrences, per key
            self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1))
            self.check_for_match(key, end=False)

        # We call this multiple times with the 'end' parameter because subclasses
        # may or may not want to check while only partial data has been added
        if key in self.occurrences:  # could have been emptied by previous check
            self.check_for_match(key, end=True)
Esempio n. 17
0
    def add_data(self, data):
        if 'query_key' in self.rules:
            qk = self.rules['query_key']
        else:
            qk = None

        for event in data:
            if qk:
                key = hashable(lookup_es_key(event, qk))
            else:
                # If no query_key, we use the key 'all' for all events
                key = 'all'

            # Store the timestamps of recent occurrences, per key
            self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1))
            self.check_for_match(key, end=False)

        # We call this multiple times with the 'end' parameter because subclasses
        # may or may not want to check while only partial data has been added
        if key in self.occurrences:  # could have been emptied by previous check
            self.check_for_match(key, end=True)
Esempio n. 18
0
    def add_data(self, data):
        if 'query_key' in self.rules:
            qk = self.rules['query_key']
        else:
            qk = None

        for event in data:
            if qk:
                key = hashable(lookup_es_key(event, qk))
            else:
                # If no query_key, we use the key 'all' for all events
                key = 'all'

            # Store the timestamps of recent occurrences, per key
            self.occurrences.setdefault(
                key,
                EventWindow(self.rules['timeframe'],
                            getTimestamp=self.get_ts)).append((event, 1))

        # Only check for match _once_ after adding all the events discovered in this run
        # If the current running count is 1, and the threshold is 10, and we go to add 8 entries
        # it should only count as a single match, and not 8 consecutive ones.
        self.check_for_match(key)