Support new Suricata JSON format which includes arrays and strings (#9338)
parent
da7f2c7a93
commit
1d4b8d62f5
|
|
@ -148,6 +148,15 @@ func flexFlatten(outmap map[string]interface{}, field string, v interface{}, del
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
case []interface{}:
|
||||||
|
for _, v := range t {
|
||||||
|
err := flexFlatten(outmap, field, v, delimiter)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case string:
|
||||||
|
outmap[field] = v
|
||||||
case float64:
|
case float64:
|
||||||
outmap[field] = v.(float64)
|
outmap[field] = v.(float64)
|
||||||
default:
|
default:
|
||||||
|
|
|
||||||
|
|
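Review bot: In the new `case []interface{}:` branch every element is flattened under the same `field`, so an array with more than one element silently loses data. For string and number elements this is visible in the hunk (`outmap[field] = v` is simply overwritten by the next element). For object elements it presumably holds too, but the map branch of `flexFlatten` lies outside the hunk. With several `engines` entries, only the last entry's `rules_failed` would survive, which hides a failed rule load from whoever monitors these stats. Consider putting the index in the key, e.g. `for i, elem := range t {` with `flexFlatten(outmap, field+delimiter+strconv.Itoa(i), elem, delimiter)`, or at least add a comment stating that last-wins is intended. Renaming the loop variable would also stop it shadowing the parameter `v`.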
@ -296,3 +296,41 @@ func TestSuricataStartStop(t *testing.T) {
|
||||||
require.NoError(t, s.Start(&acc))
|
require.NoError(t, s.Start(&acc))
|
||||||
s.Stop()
|
s.Stop()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestSuricataParse(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
filename string
|
||||||
|
expected []telegraf.Metric
|
||||||
|
}{{
|
||||||
|
filename: "test2.json",
|
||||||
|
expected: []telegraf.Metric{
|
||||||
|
testutil.MustMetric(
|
||||||
|
"suricata",
|
||||||
|
map[string]string{
|
||||||
|
"thread": "W#01-ens2f1",
|
||||||
|
},
|
||||||
|
map[string]interface{}{
|
||||||
|
"detect_alert": float64(0),
|
||||||
|
"detect_engines_id": float64(0),
|
||||||
|
"detect_engines_last_reload": "2021-06-08T06:33:05.084872+0000",
|
||||||
|
"detect_engines_rules_failed": float64(0),
|
||||||
|
"detect_engines_rules_loaded": float64(22712),
|
||||||
|
},
|
||||||
|
time.Unix(0, 0),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range tests {
|
||||||
|
data, err := ioutil.ReadFile("testdata/" + tc.filename)
|
||||||
|
require.NoError(t, err)
|
||||||
|
s := Suricata{
|
||||||
|
Delimiter: "_",
|
||||||
|
}
|
||||||
|
acc := testutil.Accumulator{}
|
||||||
|
s.parse(&acc, data)
|
||||||
|
|
||||||
|
testutil.RequireMetricsEqual(t, tc.expected, acc.GetTelegrafMetrics(), testutil.IgnoreTime())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
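Review bot: The table in `TestSuricataParse` has a single case whose `engines` array holds exactly one object, so it does not pin what `parse` emits for an array with two or more elements or for an array of plain strings or numbers. Those are the inputs where flattened keys can collide. A second fixture with two `engines` entries and its expected fields would document the intended behaviour. Wrapping each case in `t.Run(tc.filename, func(t *testing.T) { ... })` would also make a failure name the fixture that caused it.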
@ -0,0 +1,21 @@
|
||||||
|
{
|
||||||
|
"timestamp": "2021-06-08T06:34:49.237367+0000",
|
||||||
|
"event_type": "stats",
|
||||||
|
"stats": {
|
||||||
|
"threads": {
|
||||||
|
"W#01-ens2f1": {
|
||||||
|
"detect": {
|
||||||
|
"engines": [
|
||||||
|
{
|
||||||
|
"id": 0,
|
||||||
|
"last_reload": "2021-06-08T06:33:05.084872+0000",
|
||||||
|
"rules_loaded": 22712,
|
||||||
|
"rules_failed": 0
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"alert": 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||