@@ -11,48 +11,66 @@ import (
1111 "github.com/crowdsecurity/crowdsec/pkg/pipeline"
1212)
1313
14+ func parseEvent (
15+ event pipeline.Event ,
16+ parserCTX parser.UnixParserCtx ,
17+ nodes []parser.Node ,
18+ ) * pipeline.Event {
19+ if ! event .Process {
20+ return nil
21+ }
22+
23+ // Application security engine is going to generate 2 events:
24+ // - one that is treated as a log and can go to scenarios
25+ // - another one that will go directly to LAPI
26+ if event .Type == pipeline .APPSEC {
27+ outputEventChan <- event
28+ return nil
29+ }
30+
31+ if event .Line .Module == "" {
32+ log .Errorf ("empty event.Line.Module field, the acquisition module must set it ! : %+v" , event .Line )
33+ return nil
34+ }
35+
36+ metrics .GlobalParserHits .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module }).Inc ()
37+
38+ startParsing := time .Now ()
39+ /* parse the log using magic */
40+ parsed , err := parser .Parse (parserCTX , event , nodes )
41+ if err != nil {
42+ log .Errorf ("failed parsing: %v" , err )
43+ }
44+
45+ elapsed := time .Since (startParsing )
46+ metrics .GlobalParsingHistogram .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module }).Observe (elapsed .Seconds ())
47+ if ! parsed .Process {
48+ metrics .GlobalParserHitsKo .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module , "acquis_type" : event .Line .Labels ["type" ]}).Inc ()
49+ log .Debugf ("Discarding line %+v" , parsed )
50+ return nil
51+ }
52+
53+ metrics .GlobalParserHitsOk .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module , "acquis_type" : event .Line .Labels ["type" ]}).Inc ()
54+ if parsed .Whitelisted {
55+ log .Debugf ("event whitelisted, discard" )
56+ return nil
57+ }
58+
59+ return & parsed
60+ }
61+
1462func runParse (input chan pipeline.Event , output chan pipeline.Event , parserCTX parser.UnixParserCtx , nodes []parser.Node ) error {
1563 for {
1664 select {
1765 case <- parsersTomb .Dying ():
1866 log .Infof ("Killing parser routines" )
1967 return nil
2068 case event := <- input :
21- if ! event .Process {
22- continue
23- }
24- /*Application security engine is going to generate 2 events:
25- - one that is treated as a log and can go to scenarios
26- - another one that will go directly to LAPI*/
27- if event .Type == pipeline .APPSEC {
28- outputEventChan <- event
29- continue
30- }
31- if event .Line .Module == "" {
32- log .Errorf ("empty event.Line.Module field, the acquisition module must set it ! : %+v" , event .Line )
33- continue
34- }
35- metrics .GlobalParserHits .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module }).Inc ()
36-
37- startParsing := time .Now ()
38- /* parse the log using magic */
39- parsed , err := parser .Parse (parserCTX , event , nodes )
40- if err != nil {
41- log .Errorf ("failed parsing: %v" , err )
42- }
43- elapsed := time .Since (startParsing )
44- metrics .GlobalParsingHistogram .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module }).Observe (elapsed .Seconds ())
45- if ! parsed .Process {
46- metrics .GlobalParserHitsKo .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module , "acquis_type" : event .Line .Labels ["type" ]}).Inc ()
47- log .Debugf ("Discarding line %+v" , parsed )
48- continue
49- }
50- metrics .GlobalParserHitsOk .With (prometheus.Labels {"source" : event .Line .Src , "type" : event .Line .Module , "acquis_type" : event .Line .Labels ["type" ]}).Inc ()
51- if parsed .Whitelisted {
52- log .Debugf ("event whitelisted, discard" )
69+ parsed := parseEvent (event , parserCTX , nodes )
70+ if parsed == nil {
5371 continue
5472 }
55- output <- parsed
73+ output <- * parsed
5674 }
5775 }
5876}
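Review bot: In `parseEvent`, a non-nil `err` from `parser.Parse` is only logged; the code then still reads `parsed.Process` and `parsed.Whitelisted` and may return `&parsed`, which `runParse` sends to `output`. What `parsed` holds after a failed parse is not visible in this hunk, so an event in an undefined or partially processed state could be counted in `GlobalParserHitsOk` and passed downstream. The behaviour is carried over unchanged from the old loop body, but the extraction is a good place to make it explicit: either return early with `if err != nil { log.Errorf("failed parsing: %v", err); return nil }`, or keep the fall-through and add a comment such as `// parsed is still evaluated after an error; confirm what Parse returns in that case`. A separate failure counter would also make such lines visible in the metrics rather than only in the log.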