Merge pull request #20 from wpoely86/pixiu_bis

smoors · web-flow · commit 0930fe1b0f95 · 2024-06-07T09:03:44.000+02:00
Fix Pixiu patterns
diff --git a/files/pixiu b/files/pixiu
@@ -14,14 +14,16 @@ PIXIU_BYTES [0-9]+(?:K|M|G|T|P)?B
 
 PIXIU_QUOTA_SIZE_TYPE (?:(?<used_files>%{NUMBER:int})|(?<used_space>%{PIXIU_BYTES}))
 
-PIXIU_ALARM_COMMON The used (?<quota_used_type>%{WORD}) \(%{PIXIU_QUOTA_SIZE_TYPE}\) of (?:the )?quota \(type (?<quota_type>%{WORD}) quota(?:, %{PIXIU_ALARM_USER_TYPE})?\) of dtree \(name (?<dtree>%{WORD}), ID (?<dtree_id>%{NUMBER:int})\) at %{UNIXPATH:path} in namespace \(name (?<namespace>%{WORD}), ID (?<namespace_id>%{NUMBER:int})\)
+PIXIU_ALARM_COMMON The used (?<quota_used_type>%{WORD}) \(%{PIXIU_QUOTA_SIZE_TYPE}\) of (?:the )?quota \(type (?<quota_type>%{WORD}) quota(?:, %{PIXIU_ALARM_USER_TYPE})?\) of dtree \(name (?<dtree>%{NOTSPACE}), ID (?<dtree_id>%{NUMBER:int})\) at %{UNIXPATH:path} in namespace \(name (?<namespace>%{NOTSPACE}), ID (?<namespace_id>%{NUMBER:int})\)
 
 PIXIU_USER_INODE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or approaches )?to the (:?(?<quota_limit_type>%{WORD}) (?:file|space) quantity quota of|(?:file|space) quantity (?<quota_limit_type>%{WORD}) quota of) \((?<quota_files_limit>%{NUMBER:int})\)\..*
 
 PIXIU_USER_SPACE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or approaches )?to the (:?(?<quota_limit_type>%{WORD}) space(?: quantity)? quota of|space(?: quantity)? (?<quota_limit_type>%{WORD}) quota of) \((?<quota_space_limit>%{PIXIU_BYTES})\)\..*
 
 PIXIU_LOGIN_STATUS failed|succeeded
+PIXIU_LOGIN_ACTION in|out
 
-PIXIU_LOGIN_ALARM %{PIXIU_ALARM_PREFIX} User \(user name %{USERNAME:username}\) %{PIXIU_LOGIN_STATUS:state} (?:to log in|in logging in) from source \(%{IPORHOST:source_ip}\)\..*
+
+PIXIU_LOGIN_ALARM %{PIXIU_ALARM_PREFIX} User \(user name %{USERNAME:username}\) %{PIXIU_LOGIN_STATUS:state} (?:to log %{PIXIU_LOGIN_ACTION:action}|in logging %{PIXIU_LOGIN_ACTION:action})(?: upon timeout)? from source \(%{IPORHOST:source_ip}\)\..*
 
 PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM}
diff --git a/tests/data/pixiu b/tests/data/pixiu
@@ -208,6 +208,7 @@ data = [
             "username": "bsdfsdf",
             "source_ip": "172.18.124.113",
             "state": "failed",
+            "action": "in",
         },
     },
     {
@@ -218,4 +219,31 @@ data = [
             "path": "/108",
         },
     },
+    {
+        "raw": "<187>Jun  5 10:19:28 HKSTO03-Node1 alarm[2003199]: <186>2024-06-05 10:19:26 DST 172.19.96.130 OceanStor-Distributed-Storage     908704 0xFEA6A000E Major(1): The used space (18MB) of quota (type directory quota) of dtree (name --, ID 0) at / in namespace (name zzzzbucket, ID 242) reaches to the space soft quota of (15MB).",
+        "expected": {
+            "program": "alarm",
+            "quota_used_type": "directory",
+            "namespace": "zzzzbucket",
+            "namespace_id": 242,
+            "dtree": "--",
+            "dtree_id": 0,
+            "used_space": 18000000,
+            "quota_used_type": "space",
+            "quota_type": "directory",
+            "quota_limit_type": "soft",
+            "quota_space_limit": 15000000,
+            "path": "/",
+        },
+    },
+    {
+        "raw": "<190>Jun  5 11:19:57 C4STO01-Node1 alarm[4162768]: <189>2024-06-05 11:19:57 DST 172.19.104.10 OceanStor-Distributed-Storage     1140981 0x100F00C90022 Informational(9): User (user name adm_CV000080) succeeded in logging out upon timeout from source (172.18.252.67).",
+        "expected": {
+            "program": "alarm",
+            "username": "adm_CV000080",
+            "source_ip": "172.18.252.67",
+            "state": "succeeded",
+            "action": "out",
+        },
+    },
 ]
diff --git a/tests/logstash_7.6.2.conf b/tests/logstash_7.6.2.conf
@@ -25,7 +25,7 @@ filter {
     }
 
     date {
-        match => [ "syslog_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd HH:mm:ss.SSSSSS", "MMM dd HH:mm:ss" ]
+        match => [ "syslog_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd HH:mm:ss.SSSSSS", "MMM d HH:mm:ss", "MMM  d HH:mm:ss" ]
     }
 
     if ("exclude_tags" not in [tags]) {

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ filter {`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`date {`
`28`		`- match => [ "syslog_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd HH:mm:ss.SSSSSS", "MMM dd HH:mm:ss" ]`
	`28`	`+ match => [ "syslog_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd HH:mm:ss.SSSSSS", "MMM d HH:mm:ss", "MMM d HH:mm:ss" ]`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`if ("exclude_tags" not in [tags]) {`