Remove unused field AlertId - #53

Author: VincentD06

README.md

@@ -16,7 +16,7 @@ Please also take note that if message field values are included in the log messa
 
 Alert example recorded as an internal log message:
 
-![](https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/master/images/alert.png)
+![](images/alert.png)
 
 ## Version Compatibility
 
@@ -54,14 +54,14 @@ Restart `graylog-server` and you are done.
 
 First you have to select **Logging Alert Notification** as the notification type.
 
-![](https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/master/images/select_notification.png)
+![](images/select_notification.png)
 
 Then, in the popup that occurs, you can configure the **Title** of the notification.
 
 You can configure the **Alert Severity**. You have the choice between 4 levels of severity.
 
 You can also configure the **Log Content** to log the information you want. 
-Please see the [Graylog Documentation](https://go2docs.graylog.org/4-x/interacting_with_your_log_data/notifications.html#DataAvailabletoNotifications)
+Please see the [Graylog Documentation](https://go2docs.graylog.org/6-3/interacting_with_your_log_data/alerts.html#MetadataAvailabletoAlerts)
 
 Some plugin-specific fields values can be added to the log content.
 
@@ -77,11 +77,11 @@ The parameter **Split Fields** allow you to split the alert based on message fie
 
 The parameter **Aggregation Time Range** allow you to aggregate alerts received in the given number of minutes. Thus, the alerts are logged with the same alert id during the time range.
 
-![](https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/master/images/edit_notification.png)
+![](images/edit_notification.png)
 
-The parameter **Single message** allow you to sent only one notification by alert
+The parameter **Single message** allow you to send only one notification by alert
 
-![](https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/master/images/edit_notification2.png)
+![](images/edit_notification2.png)
 
 You can optionally add any **Comment** about the configuration of the notification.
 
@@ -96,13 +96,11 @@ In the popup that occurs, you can configure the default value of the parameters
 
 You can define a **Line Break Substitution** of the log content in order to help parsing log fields and their values. Thus a separator can be inserted between the fields of the log content.
 
-You can also configure the **Alerts Stream**. This stream must receive the log messages of alerts to enable the alert aggregation feature. Use the [Internal Logs Input Plugin for Graylog](https://github.com/graylog-labs/graylog-plugin-internal-logs) for this purpose.
-
 You can also set the **Alert ID Field** which is the field that is checked to get the alert id in the log messages of the Alerts Stream.
 
 You can optionally define an **Overflow Limit**. From this given number of log messages per triggered alert, all the following log messages generated by the notification are tagged as overflow. This limit prevents you from forwarding too many log messages per alert to a Security Incident Response Platform by filtering the log messages according to their tag. For this purpose you can choose the name of the tags: **Alert Tag** and **Overflow Tag**.
 
-![](https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/master/images/edit_plugin_configuration.png)
+![](images/edit_plugin_configuration.png)
 
 ## Build
 

images/edit_plugin_configuration.png

@@ -23,8 +23,6 @@
 
 import jakarta.annotation.Nullable;
 
-import static org.graylog2.plugin.streams.Stream.DEFAULT_STREAM_ID;
-
 /**
  * This is the general configuration of the plugin (see System/Configurations)
  * It is probably linked to the IHM, just by the configuration in the web index.jsx.
@@ -54,6 +52,7 @@ public abstract class LoggingAlertConfig {
     @JsonProperty("log_body")
     public abstract String accessLogBody();
 
+    // Note: do not remove this field : Backward compatibility
     @JsonProperty("aggregation_stream")
     @Nullable
     public abstract String accessAggregationStream();
@@ -64,7 +63,9 @@ public abstract class LoggingAlertConfig {
     @JsonProperty("limit_overflow")
     public abstract int accessLimitOverflow();
 
+    // Note: do not remove this field : Backward compatibility
     @JsonProperty("field_alert_id")
+    @Nullable
     public abstract String accessFieldAlertId();
 
     @JsonProperty("alert_tag")
@@ -79,15 +80,13 @@ public static LoggingAlertConfig create(
             @JsonProperty("log_body") String logBody,
             @JsonProperty("aggregation_time") int aggregationTime,
             @JsonProperty("limit_overflow") int limitOverflow,
-            @JsonProperty("field_alert_id") String fieldAlertId,
             @JsonProperty("alert_tag") String alertTag,
             @JsonProperty("overflow_tag") String overflowTag){
         return builder()
                 .accessSeparator(separator)
                 .accessLogBody(logBody)
                 .accessAggregationTime(aggregationTime)
                 .accessLimitOverflow(limitOverflow)
-                .accessFieldAlertId(fieldAlertId)
                 .accessAlertTag(alertTag)
                 .accessOverflowTag(overflowTag)
                 .build();
@@ -99,7 +98,6 @@ public static LoggingAlertConfig createDefault() {
                 .accessLogBody(BODY_TEMPLATE)
                 .accessAggregationTime(0)
                 .accessLimitOverflow(0)
-                .accessFieldAlertId(FIELD_ALERT_ID)
                 .accessAlertTag("LoggingAlert")
                 .accessOverflowTag("LoggingOverflow")
                 .build();

src/main/java/com/airbus_cyber_security/graylog/events/config/LoggingAlertConfig.java

@@ -83,12 +83,12 @@ public void execute(EventNotificationContext context) {
         Collection<String> listMessagesToLog = new ArrayList<>();
         if (backlog.isEmpty() || config.singleMessage()) {
             LOGGER.debug("Add log to list message for empty backlog or single message...");
-            String messageToLog = this.messageBodyBuilder.buildMessageBodyForBacklog(logTemplate, context, config, generalConfig, date, backlog);
+            String messageToLog = this.messageBodyBuilder.buildMessageBodyForBacklog(logTemplate, context, config, date, backlog);
             listMessagesToLog.add(messageToLog);
         } else {
             LOGGER.debug("Add log to list message for backlog...");
             for (MessageSummary message: backlog) {
-                String messageToLog = this.messageBodyBuilder.buildMessageBodyForMessage(logTemplate, context, config, generalConfig, date, message);
+                String messageToLog = this.messageBodyBuilder.buildMessageBodyForMessage(logTemplate, context, config, date, message);
                 listMessagesToLog.add(messageToLog);
             }
         }

src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/LoggingAlert.java

@@ -16,9 +16,7 @@
  */
 package com.airbus_cyber_security.graylog.events.notifications.types;
 
-import com.airbus_cyber_security.graylog.events.config.LoggingAlertConfig;
 import com.airbus_cyber_security.graylog.events.config.SeverityType;
-import com.airbus_cyber_security.graylog.events.storage.MessagesSearches;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.floreysoft.jmte.Engine;
 import com.google.common.collect.ImmutableList;
@@ -44,26 +42,22 @@ public class MessageBodyBuilder {
 
     private final Engine templateEngine;
 
-    private final MessagesSearches searches;
-
     private final ObjectMapper objectMapper;
 
     private final MessagesURLBuilder messagesURLBuilder;
 
     private final DBNotificationService notificationService;
 
     @Inject
-    public MessageBodyBuilder(ObjectMapper objectMapper, MessagesSearches searches, DBNotificationService notificationService) {
+    public MessageBodyBuilder(ObjectMapper objectMapper, DBNotificationService notificationService) {
         this.templateEngine = new Engine();
         this.objectMapper = objectMapper;
-        this.searches = searches;
         this.notificationService = notificationService;
         this.messagesURLBuilder = new MessagesURLBuilder();
     }
 
     // package-protected
-    String getAlertIdentifier(int aggregationTime, LoggingAlertConfig generalConfig,
-                                      EventNotificationContext context) {
+    String getAlertIdentifier(EventNotificationContext context) {
         String key = generateKeyFromGroupBy(context.event().groupByFields());
 
         String events_definition_id = "";
@@ -72,17 +66,7 @@ String getAlertIdentifier(int aggregationTime, LoggingAlertConfig generalConfig,
         }
         String suffix = "-" + getHashFromString(events_definition_id + "-" + key);
 
-        String loggingAlertID = null;
-
-        if (aggregationTime > 0) {
-            String alertIdentifierFieldName = generalConfig.accessFieldAlertId();
-            loggingAlertID = this.searches.getAggregationAlertIdentifier(aggregationTime, alertIdentifierFieldName, suffix);
-        }
-
-        if (loggingAlertID == null || loggingAlertID.isEmpty()) {
-            loggingAlertID = context.event().id() + suffix;
-        }
-        return loggingAlertID;
+        return context.event().id() + suffix;
     }
 
     private String getHashFromString(String value) {
@@ -94,9 +78,9 @@ private String getHashFromString(String value) {
         return String.valueOf(hash);
     }
 
-    private LoggingAlertFields buildLoggingAlertFields(EventNotificationContext context, LoggingNotificationConfig config, LoggingAlertConfig generalConfig, DateTime date) {
+    private LoggingAlertFields buildLoggingAlertFields(EventNotificationContext context, LoggingNotificationConfig config, DateTime date) {
         String messagesUrl = this.messagesURLBuilder.buildMessagesUrl(context, date);
-        String loggingAlertID = getAlertIdentifier(config.aggregationTime(), generalConfig, context);
+        String loggingAlertID = getAlertIdentifier(context);
         String severity = getSeverityFromContext(context);
         String notifTitle = getNotificationTitleFromContext(context);
 
@@ -140,8 +124,8 @@ private String buildMessageBody(String logTemplate, EventNotificationContext con
         return this.templateEngine.transform(logTemplate, model);
     }
 
-    public String buildMessageBodyForBacklog(String logTemplate, EventNotificationContext context, LoggingNotificationConfig config, LoggingAlertConfig generalConfig, DateTime date, ImmutableList<MessageSummary> backlog) {
-        String identifier = this.getAlertIdentifier(config.aggregationTime(), generalConfig, context);
+    public String buildMessageBodyForBacklog(String logTemplate, EventNotificationContext context, LoggingNotificationConfig config, DateTime date, ImmutableList<MessageSummary> backlog) {
+        String identifier = this.getAlertIdentifier(context);
         String severity = getSeverityFromContext(context);
         String notifTitle = getNotificationTitleFromContext(context);
 
@@ -150,8 +134,8 @@ public String buildMessageBodyForBacklog(String logTemplate, EventNotificationCo
         return this.buildMessageBody(logTemplate, context, backlog, loggingAlertFields);
     }
 
-    public String buildMessageBodyForMessage(String logTemplate, EventNotificationContext context, LoggingNotificationConfig config, LoggingAlertConfig generalConfig, DateTime date, MessageSummary message) {
-        LoggingAlertFields loggingAlertFields = this.buildLoggingAlertFields(context, config, generalConfig, date);
+    public String buildMessageBodyForMessage(String logTemplate, EventNotificationContext context, LoggingNotificationConfig config, DateTime date, MessageSummary message) {
+        LoggingAlertFields loggingAlertFields = this.buildLoggingAlertFields(context, config, date);
         ImmutableList<MessageSummary> backlogWithMessage = new ImmutableList.Builder<MessageSummary>().add(message).build();
 
         return this.buildMessageBody(logTemplate, context, backlogWithMessage, loggingAlertFields);

src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/MessageBodyBuilder.java

@@ -18,7 +18,6 @@
 package com.airbus_cyber_security.graylog.events.notifications.types;
 
 import com.airbus_cyber_security.graylog.events.config.LoggingAlertConfig;
-import com.airbus_cyber_security.graylog.events.storage.MessagesSearches;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.ImmutableList;
 import org.graylog.events.event.EventDto;
@@ -41,23 +40,14 @@
 import java.util.Collections;
 import java.util.HashSet;
 
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.when;
-import static org.mockito.ArgumentMatchers.anyInt;
-
 @RunWith(MockitoJUnitRunner.class)
 public class MessageBodyBuilderTest {
 
-    private static final String AGGREGATION_STREAM = "aggregationStream-0";
-    private static final String ALERT_ID_FIELD = "alert_id";
     private static final String EVENT_DEFINITION_ID = "eventDefinitionId-0";
     private static final String EVENT_ID = "eventId-0";
     private static final String EVENT_ID_1 = "eventId-1";
     private static final String NOTIFICATION_ID = "notificationId-0";
 
-    @Mock
-    private MessagesSearches messagesSearches;
-
     @Mock
     private ObjectMapper objectMapper;
 
@@ -66,33 +56,17 @@ public class MessageBodyBuilderTest {
 
     @Test
     public void testGetAlertIdentifierWithoutAlert() {
-        when(messagesSearches.getAggregationAlertIdentifier(anyInt(), anyString(), anyString())).thenReturn(null);
-        MessageBodyBuilder messageBodyBuilder = new MessageBodyBuilder(objectMapper, messagesSearches, notificationService);
+        MessageBodyBuilder messageBodyBuilder = new MessageBodyBuilder(objectMapper, notificationService);
 
-        LoggingAlertConfig generalConfig = buildLoggingAlertConfig();
         EventNotificationContext context = buildEventNotificationContext();
 
-        String result = messageBodyBuilder.getAlertIdentifier(1, generalConfig, context);
+        String result = messageBodyBuilder.getAlertIdentifier(context);
 
         Assert.assertTrue(result.startsWith(EVENT_ID));
     }
 
-    @Test
-    public void testGetAlertIdentifierWithExistingAlert() {
-        when(messagesSearches.getAggregationAlertIdentifier(anyInt(), anyString(), anyString())).thenReturn(EVENT_ID_1);
-        MessageBodyBuilder messageBodyBuilder = new MessageBodyBuilder(objectMapper, messagesSearches, notificationService);
-
-        LoggingAlertConfig generalConfig = buildLoggingAlertConfig();
-        EventNotificationContext context = buildEventNotificationContext();
-
-        String result = messageBodyBuilder.getAlertIdentifier(1, generalConfig, context);
-
-        Assert.assertTrue(result.startsWith(EVENT_ID_1));
-    }
-
     private static LoggingAlertConfig buildLoggingAlertConfig() {
         return LoggingAlertConfig.builder()
-                .accessFieldAlertId(ALERT_ID_FIELD)
                 .accessSeparator("|")
                 .accessLogBody("")
                 .accessAggregationTime(60)

src/main/java/com/airbus_cyber_security/graylog/events/storage/MessagesSearches.java

@@ -39,7 +39,6 @@ export const DEFAULT_BODY_TEMPLATE = "type: alert"  + "\n" +
     "${end}";
 
 const DEFAULT_CONFIG = {
-    field_alert_id: 'id',
     separator: ' | ',
     log_body: DEFAULT_BODY_TEMPLATE,
     alert_tag: 'LoggingAlert',
@@ -119,12 +118,6 @@ const LoggingAlertConfig = ({ config = DEFAULT_CONFIG, updateConfig }) => {
                     {_displayOptionalConfigurationValue(config.aggregation_time)}
                 </dd>
             </dl>
-            <dl className="deflist">
-                <dt>Alert ID Field: </dt>
-                <dd>
-                    {_displayOptionalConfigurationValue(config.field_alert_id)}
-                </dd>
-            </dl>
             <dl className="deflist">
                 <dt>Overflow Limit: </dt>
                 <dd>
@@ -185,15 +178,6 @@ const LoggingAlertConfig = ({ config = DEFAULT_CONFIG, updateConfig }) => {
                         value={nextConfiguration.aggregation_time}
                         onChange={_onUpdate('aggregation_time')}
                     />
-                    <Input
-                        id="field_alert_id"
-                        type="text"
-                        label="Alert ID Field"
-                        name="field_alert_id"
-                        help="Field that should be checked to get the alert id in the messages of the Alerts Stream"
-                        value={nextConfiguration.field_alert_id}
-                        onChange={_onUpdate('field_alert_id')}
-                    />
                     <Input
                         id="limit-overflow"
                         type="number"