From 9df4d9f6dfc3fdfc5afaedad382da10f538c9015 Mon Sep 17 00:00:00 2001 From: Ward Poelmans Date: Tue, 13 Aug 2024 17:07:54 +0200 Subject: [PATCH 1/3] add general catch all for pixiu alarms --- files/pixiu | 6 ++++-- tests/data/pixiu | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/files/pixiu b/files/pixiu index 8f8d715..ecd5367 100644 --- a/files/pixiu +++ b/files/pixiu @@ -6,7 +6,7 @@ PIXIU_NGINX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} %{IPORHOST:clientip} - PIXIU_TOMCAT \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} \[%{HTTPDATE:timestamp}\]\^%{IPORHOST:clientip}\^%{HTTPDUSER:auth}\^%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\^%{GREEDYDATA:other} -PIXIU_ALARM_PREFIX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG}: .+%{IPORHOST} (?OceanStor-Distributed-Storage)\s+%{NUMBER} (?0x[A-F0-9]+) (?%{WORD}).*: +PIXIU_ALARM_PREFIX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG}: .+%{IPORHOST} (?OceanStor-Distributed-Storage)\s+%{NUMBER} (?0x[A-F0-9]+) (?%{WORD})\(%{NUMBER:alarm_severity_level}\): PIXIU_ALARM_USER_TYPE user name, owner name %{USERNAME:username} @@ -26,4 +26,6 @@ PIXIU_LOGIN_ACTION in|out PIXIU_LOGIN_ALARM %{PIXIU_ALARM_PREFIX} User \(user name %{USERNAME:username}\) %{PIXIU_LOGIN_STATUS:state} (?:to log %{PIXIU_LOGIN_ACTION:action}|in logging %{PIXIU_LOGIN_ACTION:action})(?: upon timeout)? from source \(%{IPORHOST:source_ip}\)\..* -PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM} +PIXIU_ALARM_GENERAL %{PIXIU_ALARM_PREFIX} %{GREEDYDATA:alarm_message} + +PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM}|%{PIXIU_ALARM_GENERAL} diff --git a/tests/data/pixiu b/tests/data/pixiu index bbd99c3..0b0a0d5 100644 --- a/tests/data/pixiu +++ b/tests/data/pixiu 
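Review bot: The rewritten tail of `PIXIU_ALARM_PREFIX` in the `@@ -6,7 +6,7 @@` hunk, `\(%{NUMBER:alarm_severity_level}\):`, makes the parenthesised level mandatory where the old `.*:` accepted anything up to the colon. Every alarm pattern, including the catch-all added later in this patch, starts with this prefix, so a line whose severity word is not followed by `(N):` would match none of them and arrive unparsed. If the device can emit such lines (not visible from this diff), keeping the level optional preserves the old coverage: `(?:\(%{NUMBER:alarm_severity_level}\))?:`.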
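Review bot: `PIXIU_ALARM_GENERAL` in the `@@ -26,4 +26,6 @@` hunk puts everything after the prefix into `alarm_message`, so for operation-audit alarms the acting account and its source address stay buried in free text. The sample lines added to tests/data/pixiu in this patch have the shape `account:address succeeded in ...`, and those are the two fields an analyst would want to filter or alert on. Consider a more specific alternative ahead of the catch-all, for example `PIXIU_AUDIT_ALARM %{PIXIU_ALARM_PREFIX} %{USERNAME:username}:%{IPORHOST:source_ip} %{PIXIU_LOGIN_STATUS:state} in %{GREEDYDATA:alarm_message}`, reusing the field names `PIXIU_LOGIN_ALARM` already emits. That every audit alarm follows this shape is an assumption from two samples, so the catch-all should stay as the fallback.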
@@ -303,4 +303,41 @@ data = [ "used_space": 6108000000, }, }, + { + "raw": "<190>Aug 12 14:05:08 C4STO01-Node1 alarm[4162768]: <189>2024-08-12 14:05:08 DST 172.19.104.10 OceanStor-Distributed-Storage 1478853 0x200FEA670009 Informational(8): adm_wpoelmans:172.18.252.110 succeeded in setting alarm severity (alarm ID: 0xFEA6A000C, severity: warning).", + "expected": { + "program": "alarm", + "alarm_severity": "Informational", + "alarm_object": "OceanStor-Distributed-Storage", + "alarm_id": "0x200FEA670009", + "alarm_message": "adm_wpoelmans:172.18.252.110 succeeded in setting alarm severity (alarm ID: 0xFEA6A000C, severity: warning).", + }, + }, + { + "raw": "<190>Aug 13 15:04:36 HKSTO03-Node1 alarm[2003199]: <189>2024-08-13 15:04:34 DST 172.19.96.130 OceanStor-Distributed-Storage 1253732 0x200FEA6A009F Informational(8): objectrest:134.184.143.132 succeeded in creating namespace snapshot (name SNAP_2024_08_13_130433, namespace ID 702, namespace name sarl -auditlog, dtree ID --, dtree name --, whether it is a secure snapshot no, secure snapshot retention period - -, whether automatic deletion is supported no).", + "expected": { + "program": "alarm", + "alarm_severity": "Informational", + "alarm_severity_level": "8", + "alarm_object": "OceanStor-Distributed-Storage", + "alarm_id": "0x200FEA6A009F", + "alarm_message": "objectrest:134.184.143.132 succeeded in creating namespace snapshot (name SNAP_2024_08_13_130433, namespace ID 702, namespace name sarl -auditlog, dtree ID --, dtree name --, whether it is a secure snapshot no, secure snapshot retention period - -, whether automatic deletion is supported no).", + }, + }, + { + "raw": "<187>Aug 13 14:26:28 HKSTO03-Node1 alarm[2003199]: <186>2024-08-13 14:26:26 DST 172.19.96.130 OceanStor-Distributed-Storage 1253626 0xFEA6A001A Major(1): The used (space) quota (549755813888000) of account (ID 319307833) reaches or approaches (549755813888000) of the (space hard quota). 
Data writing is about to be rejected.", + "expected": { + "program": "alarm", + "alarm_severity": "Major", + "alarm_object": "OceanStor-Distributed-Storage", + }, + }, + { + "raw": "<187>Aug 13 14:27:19 HKSTO03-Node1 alarm[2003199]: <186>2024-08-13 14:26:26 DST 2024-08-13 14:27:17 DST 172.19.96.130 OceanStor-Distributed-Storage 1253626 0xFEA6A001A Major(2): The used (space) quota (549755813888000) of account (ID 319307833) reaches or approaches (549755813888000) of the (space hard quota). Data writing is about to be rejected.", + "expected": { + "program": "alarm", + "alarm_severity": "Major", + "alarm_object": "OceanStor-Distributed-Storage", + }, + }, ] From fc26c91cb02eb300635e4153ec2aa1c28be20648 Mon Sep 17 00:00:00 2001 From: Ward Poelmans Date: Wed, 14 Aug 2024 09:12:54 +0200 Subject: [PATCH 2/3] add quota account alerts for Pixiu --- files/pixiu | 4 +++- tests/data/pixiu | 4 ++++ tests/logstash_7.6.2.conf | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/files/pixiu b/files/pixiu index ecd5367..8c9faa5 100644 --- a/files/pixiu +++ b/files/pixiu 
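Review bot: The new `raw` fixtures in the `@@ -303,4 +303,41 @@` hunk appear to be copied from live syslog: they carry an administrative account name, node hostnames, management addresses and one publicly routable source address (`134.184.143.132`). Test data in a repository is read far more widely than the log index it came from, so it is worth substituting placeholder values before merging, for example an RFC 5737 address such as `192.0.2.10` and a neutral account name, with the matching `expected` strings updated. Separately, the first case and both `Major` cases do not assert `alarm_severity_level` (and the `Major` cases omit `alarm_id`), so the capture added to `PIXIU_ALARM_PREFIX` is checked only once.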
@@ -23,9 +23,11 @@ PIXIU_USER_SPACE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or PIXIU_LOGIN_STATUS failed|succeeded PIXIU_LOGIN_ACTION in|out +PIXIU_ACCOUNT_QUOTA %{PIXIU_ALARM_PREFIX} The used \((?%{WORD})\) quota \(%{NUMBER:quota_used}\) of account \(ID (?%{NUMBER:int})\) reaches or approaches \(%{NUMBER:quota_limit}\) of the \(%{WORD} %{WORD} quota\)\..* PIXIU_LOGIN_ALARM %{PIXIU_ALARM_PREFIX} User \(user name %{USERNAME:username}\) %{PIXIU_LOGIN_STATUS:state} (?:to log %{PIXIU_LOGIN_ACTION:action}|in logging %{PIXIU_LOGIN_ACTION:action})(?: upon timeout)? from source \(%{IPORHOST:source_ip}\)\..* PIXIU_ALARM_GENERAL %{PIXIU_ALARM_PREFIX} %{GREEDYDATA:alarm_message} -PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM}|%{PIXIU_ALARM_GENERAL} +# PIXIU_ALARM_GENERAL must be last +PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM}|%{PIXIU_ACCOUNT_QUOTA}|%{PIXIU_ALARM_GENERAL} diff --git a/tests/data/pixiu b/tests/data/pixiu index 0b0a0d5..5043d91 100644 --- a/tests/data/pixiu +++ b/tests/data/pixiu @@ -338,6 +338,10 @@ data = [ "program": "alarm", "alarm_severity": "Major", "alarm_object": "OceanStor-Distributed-Storage", + "account_id": 319307833, + "quota_used_type": "space", + "quota_used": 549755813888000, + "quota_limit": 549755813888000, }, }, ] diff --git a/tests/logstash_7.6.2.conf b/tests/logstash_7.6.2.conf index b7e46b6..545f33e 100644 --- a/tests/logstash_7.6.2.conf +++ b/tests/logstash_7.6.2.conf @@ -76,10 +76,13 @@ filter { "actread" => "integer" "dtree_id" => "integer" "namespace_id" => "integer" + "account_id" => "integer" "used_files" => "integer" "used_space" => "integer" "quota_files_limit" => "integer" "quota_space_limit" => "integer" + "quota_used" => "integer" + "quota_limit" => "integer" } } } From d6e44a5e804db2d9502122803ce1487ccd22918e Mon Sep 17 00:00:00 2001 
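Review bot: In `PIXIU_ACCOUNT_QUOTA` the account ID is matched with `%{NUMBER:int}`, and in grok's `%{SYNTAX:SEMANTIC}` form the text after the colon is the field name, not a type. As written this would emit an extra field called `int` holding the account ID, next to whatever the enclosing named group captures (the group name is not legible on this page; the test expects `account_id`). `%{NUMBER:account_id}` on its own gives the same result without the stray field, and the `"account_id" => "integer"` conversion added in tests/logstash_7.6.2.conf already handles the type. The final `\(%{WORD} %{WORD} quota\)` also discards the quota kind (the samples say `space hard quota`), which would be worth capturing if the device reports more than one kind.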
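Review bot: The convert list in the `@@ -76,10 +76,13 @@` hunk gains `account_id`, `quota_used` and `quota_limit`, but `alarm_severity_level`, introduced in patch 1/3 of this series, is not added, and the fixture there expects it as the string `"8"`. A string-typed level cannot be used in numeric comparisons or range queries downstream. If it is meant to be numeric, add `"alarm_severity_level" => "integer"` here and change the expected value in tests/data/pixiu to `8`. The `filter` block starts above the hunk, and this file is the test pipeline; the same conversion would presumably be needed wherever the production filter is defined, which is outside this diff.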
From: Ward Poelmans Date: Wed, 14 Aug 2024 09:26:20 +0200 Subject: [PATCH 3/3] fix nginx patterns for pixiu --- files/pixiu | 2 +- tests/data/pixiu | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/files/pixiu b/files/pixiu index 8c9faa5..ba25cdc 100644 --- a/files/pixiu +++ b/files/pixiu @@ -2,7 +2,7 @@ PIXIU_BASH \s*%{IPORHOST:syslog_hostname} \[%{PROG:program}\]: \[%{YEAR}-%{MONTH PIXIU_APACHE \[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} %{HTTPDUSER:auth} %{WORD:verb} %{NOTSPACE:request} %{GREEDYDATA:other} -PIXIU_NGINX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} %{IPORHOST:clientip} - %{HTTPDUSER:auth}\s+\[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response:int} %{GREEDYDATA:other} +PIXIU_NGINX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} %{IPORHOST:clientip} (?:- %{HTTPDUSER:auth}\s+)?\[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response:int} %{GREEDYDATA:other} PIXIU_TOMCAT \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} \[%{HTTPDATE:timestamp}\]\^%{IPORHOST:clientip}\^%{HTTPDUSER:auth}\^%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\^%{GREEDYDATA:other} diff --git a/tests/data/pixiu b/tests/data/pixiu index 5043d91..a6d9a4b 100644 --- a/tests/data/pixiu +++ b/tests/data/pixiu 
@@ -344,4 +344,17 @@ data = [ "quota_limit": 549755813888000, }, }, + { +# "raw": '<174>Oct 17 12:50:42 HKSTO03-Node1 nginx 127.0.0.1 - - [17/Oct/2022:12:50:42 +0200] "GET /dsware/service/cluster/storagepool/query*** HTTP/1.1" 200 "0.062" 924 "-" "Apache-HttpClient/5.1 (Java/1.8.0_322)" "-" 127.0.0.1:9527 200 "0.064" "********" "********" "********" "127.0.0.1" "application/json;charset=UTF-8" "-" "-" "gzip, x-gzip, deflate"', + + "raw": '<174>Aug 14 09:15:16 C4STO01-Node1 nginx 127.0.0.1 [14/Aug/2024:09:15:16 +0200] "GET /api/v2/cluster/se*** HTTP/1.1" 200 "0.046" 3072 "Apache-HttpClient/5.1 (Java/1.8.0_372)" "-" 127.0.0.1:8099 200 "0.046" "********" "********" "********" "127.0.0.1" "application/json;charset=UTF-8" "-" ', + "expected": { + "@source_host": "C4STO01-Node1", + "program": "nginx", + "clientip": "127.0.0.1", + "verb": "GET", + "request": "/api/v2/cluster/se***", + "response": 200, + }, + }, ]
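Review bot: The previous-format nginx sample (`127.0.0.1 - - [17/Oct/2022:12:50:42 +0200] ...`) is left commented out inside the new case, so only the new line without the `- user` part is exercised. Patch 3/3 makes that part optional in `PIXIU_NGINX` so that both formats match; unless an earlier case in this file already covers the old format, keep it as its own case with its own `expected` block rather than as a comment. The new case also does not assert that `auth` is absent, which is the behaviour the optional group introduces.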