Merge pull request #24 from wpoely86/pixiu

smoors · web-flow · commit 9bae649fcfe9 · 2024-08-14T09:51:42.000+02:00
Generalise Pixiu alerting and a couple of more fixes for it
diff --git a/files/pixiu b/files/pixiu
@@ -2,11 +2,11 @@ PIXIU_BASH \s*%{IPORHOST:syslog_hostname} \[%{PROG:program}\]: \[%{YEAR}-%{MONTH
 
 PIXIU_APACHE \[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} %{HTTPDUSER:auth} %{WORD:verb} %{NOTSPACE:request} %{GREEDYDATA:other}
 
-PIXIU_NGINX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} %{IPORHOST:clientip} - %{HTTPDUSER:auth}\s+\[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response:int} %{GREEDYDATA:other}
+PIXIU_NGINX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} %{IPORHOST:clientip} (?:- %{HTTPDUSER:auth}\s+)?\[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response:int} %{GREEDYDATA:other}
 
 PIXIU_TOMCAT \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} \[%{HTTPDATE:timestamp}\]\^%{IPORHOST:clientip}\^%{HTTPDUSER:auth}\^%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\^%{GREEDYDATA:other}
 
-PIXIU_ALARM_PREFIX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG}: .+%{IPORHOST} (?<alarm_object>OceanStor-Distributed-Storage)\s+%{NUMBER} (?<alarm_id>0x[A-F0-9]+) (?<alarm_severity>%{WORD}).*:
+PIXIU_ALARM_PREFIX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG}: .+%{IPORHOST} (?<alarm_object>OceanStor-Distributed-Storage)\s+%{NUMBER} (?<alarm_id>0x[A-F0-9]+) (?<alarm_severity>%{WORD})\(%{NUMBER:alarm_severity_level}\):
 
 PIXIU_ALARM_USER_TYPE user name, owner name %{USERNAME:username}
 
@@ -23,7 +23,11 @@ PIXIU_USER_SPACE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or
 PIXIU_LOGIN_STATUS failed|succeeded
 PIXIU_LOGIN_ACTION in|out
 
+PIXIU_ACCOUNT_QUOTA %{PIXIU_ALARM_PREFIX} The used \((?<quota_used_type>%{WORD})\) quota \(%{NUMBER:quota_used}\) of account \(ID (?<account_id>%{NUMBER:int})\) reaches or approaches \(%{NUMBER:quota_limit}\) of the \(%{WORD} %{WORD} quota\)\..*
 
 PIXIU_LOGIN_ALARM %{PIXIU_ALARM_PREFIX} User \(user name %{USERNAME:username}\) %{PIXIU_LOGIN_STATUS:state} (?:to log %{PIXIU_LOGIN_ACTION:action}|in logging %{PIXIU_LOGIN_ACTION:action})(?: upon timeout)? from source \(%{IPORHOST:source_ip}\)\..*
 
-PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM}
+PIXIU_ALARM_GENERAL %{PIXIU_ALARM_PREFIX} %{GREEDYDATA:alarm_message}
+
+# PIXIU_ALARM_GENERAL must be last
+PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM}|%{PIXIU_ACCOUNT_QUOTA}|%{PIXIU_ALARM_GENERAL}
diff --git a/tests/data/pixiu b/tests/data/pixiu
@@ -303,4 +303,58 @@ data = [
             "used_space": 6108000000,
         },
     },
+    {
+        "raw": "<190>Aug 12 14:05:08 C4STO01-Node1 alarm[4162768]: <189>2024-08-12 14:05:08 DST 172.19.104.10 OceanStor-Distributed-Storage     1478853 0x200FEA670009 Informational(8): adm_wpoelmans:172.18.252.110 succeeded in setting alarm severity (alarm ID: 0xFEA6A000C, severity: warning).",
+        "expected": {
+            "program": "alarm",
+            "alarm_severity": "Informational",
+            "alarm_object": "OceanStor-Distributed-Storage",
+            "alarm_id": "0x200FEA670009",
+            "alarm_message": "adm_wpoelmans:172.18.252.110 succeeded in setting alarm severity (alarm ID: 0xFEA6A000C, severity: warning).",
+        },
+    },
+    {
+        "raw": "<190>Aug 13 15:04:36 HKSTO03-Node1 alarm[2003199]: <189>2024-08-13 15:04:34 DST 172.19.96.130 OceanStor-Distributed-Storage     1253732 0x200FEA6A009F Informational(8): objectrest:134.184.143.132 succeeded in creating namespace snapshot (name SNAP_2024_08_13_130433, namespace ID 702, namespace name sarl -auditlog, dtree ID --, dtree name --, whether it is a secure snapshot no, secure snapshot retention period - -, whether automatic deletion is supported no).",
+        "expected": {
+            "program": "alarm",
+            "alarm_severity": "Informational",
+            "alarm_severity_level": "8",
+            "alarm_object": "OceanStor-Distributed-Storage",
+            "alarm_id": "0x200FEA6A009F",
+            "alarm_message": "objectrest:134.184.143.132 succeeded in creating namespace snapshot (name SNAP_2024_08_13_130433, namespace ID 702, namespace name sarl -auditlog, dtree ID --, dtree name --, whether it is a secure snapshot no, secure snapshot retention period - -, whether automatic deletion is supported no).",
+        },
+    },
+    {
+        "raw": "<187>Aug 13 14:26:28 HKSTO03-Node1 alarm[2003199]: <186>2024-08-13 14:26:26 DST 172.19.96.130 OceanStor-Distributed-Storage     1253626 0xFEA6A001A Major(1): The used (space) quota (549755813888000) of account (ID 319307833) reaches or approaches (549755813888000) of the (space hard quota). Data writing is about to be rejected.",
+        "expected": {
+            "program": "alarm",
+            "alarm_severity": "Major",
+            "alarm_object": "OceanStor-Distributed-Storage",
+        },
+    },
+    {
+        "raw": "<187>Aug 13 14:27:19 HKSTO03-Node1 alarm[2003199]: <186>2024-08-13 14:26:26 DST 2024-08-13 14:27:17 DST 172.19.96.130 OceanStor-Distributed-Storage     1253626 0xFEA6A001A Major(2): The used (space) quota (549755813888000) of account (ID 319307833) reaches or approaches (549755813888000) of the (space hard quota). Data writing is about to be rejected.",
+        "expected": {
+            "program": "alarm",
+            "alarm_severity": "Major",
+            "alarm_object": "OceanStor-Distributed-Storage",
+            "account_id": 319307833,
+            "quota_used_type": "space",
+            "quota_used": 549755813888000,
+            "quota_limit": 549755813888000,
+        },
+    },
+    {
+#        "raw": '<174>Oct 17 12:50:42 HKSTO03-Node1 nginx 127.0.0.1 - -  [17/Oct/2022:12:50:42 +0200] "GET /dsware/service/cluster/storagepool/query*** HTTP/1.1" 200 "0.062" 924 "-" "Apache-HttpClient/5.1 (Java/1.8.0_322)" "-" 127.0.0.1:9527 200 "0.064" "********" "********" "********" "127.0.0.1" "application/json;charset=UTF-8" "-" "-" "gzip, x-gzip, deflate"',
+
+        "raw": '<174>Aug 14 09:15:16 C4STO01-Node1 nginx 127.0.0.1 [14/Aug/2024:09:15:16 +0200] "GET /api/v2/cluster/se*** HTTP/1.1" 200 "0.046" 3072 "Apache-HttpClient/5.1 (Java/1.8.0_372)" "-" 127.0.0.1:8099 200 "0.046" "********" "********" "********" "127.0.0.1" "application/json;charset=UTF-8" "-" ',
+        "expected": {
+            "@source_host": "C4STO01-Node1",
+            "program": "nginx",
+            "clientip": "127.0.0.1",
+            "verb": "GET",
+            "request": "/api/v2/cluster/se***",
+            "response": 200,
+        },
+    },
 ]
diff --git a/tests/logstash_7.6.2.conf b/tests/logstash_7.6.2.conf
@@ -76,10 +76,13 @@ filter {
             "actread" => "integer"
             "dtree_id" => "integer"
             "namespace_id" => "integer"
+            "account_id" => "integer"
             "used_files" => "integer"
             "used_space" => "integer"
             "quota_files_limit" => "integer"
             "quota_space_limit" => "integer"
+            "quota_used" => "integer"
+            "quota_limit" => "integer"
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -76,10 +76,13 @@ filter {`
`76`	`76`	`"actread" => "integer"`
`77`	`77`	`"dtree_id" => "integer"`
`78`	`78`	`"namespace_id" => "integer"`
	`79`	`+ "account_id" => "integer"`
`79`	`80`	`"used_files" => "integer"`
`80`	`81`	`"used_space" => "integer"`
`81`	`82`	`"quota_files_limit" => "integer"`
`82`	`83`	`"quota_space_limit" => "integer"`
	`84`	`+ "quota_used" => "integer"`
	`85`	`+ "quota_limit" => "integer"`
`83`	`86`	`}`
`84`	`87`	`}`
`85`	`88`	`}`