feat: more fields for papertrail event webhook (#9940)

2021-10-18 10:04:53 -04:00 · 2021-10-18 10:04:53 -04:00 · c4c32025c8
parent 34c2b6232d
commit c4c32025c8
3 changed files with 58 additions and 9 deletions
--- a/plugins/inputs/webhooks/papertrail/README.md
+++ b/plugins/inputs/webhooks/papertrail/README.md
@ -14,6 +14,23 @@ Events from Papertrail come in two forms:
  * Each point has a field counter (`count`), which is set to `1` (signifying the event occurred)
  * Each event "hostname" object is converted to a `host` tag
  * The "saved_search" name in the payload is added as an `event` tag
+  * The "saved_search" id in the payload is added as a `search_id` field
+  * The papertrail url to view the event is built and added as a `url` field
+  * The rest of the data in the event is converted directly to fields on the point:
+    * `id`
+    * `source_ip`
+    * `source_name`
+    * `source_id`
+    * `program`
+    * `severity`
+    * `facility`
+    * `message`
+
+When a callback is received, an event-based point will look similar to:
+
+```
+papertrail,host=myserver.example.com,event=saved_search_name count=1i,source_name="abc",program="CROND",severity="Info",source_id=2i,message="message body",source_ip="208.75.57.121",id=7711561783320576i,facility="Cron",url="https://papertrailapp.com/searches/42?centered_on_id=7711561783320576",search_id=42i 1453248892000000000
+```

 * The [count-based callback](http://help.papertrailapp.com/kb/how-it-works/web-hooks/#count-only-webhooks)

@ -22,10 +39,7 @@ Events from Papertrail come in two forms:
  * Each count "source_name" object is converted to a `host` tag
  * The "saved_search" name in the payload is added as an `event` tag

-The current functionality is very basic, however this allows you to
-track the number of events by host and saved search.
-
-When an event is received, any point will look similar to:
+When a callback is received, a count-based point will look similar to:

 ```
 papertrail,host=myserver.example.com,event=saved_search_name count=3i 1453248892000000000
--- a/plugins/inputs/webhooks/papertrail/papertrail_test.go
+++ b/plugins/inputs/webhooks/papertrail/papertrail_test.go
@ -67,8 +67,32 @@ func TestEventPayload(t *testing.T) {
 	resp := post(pt, contentType, form.Encode())
 	require.Equal(t, http.StatusOK, resp.Code)

-	fields := map[string]interface{}{
-		"count": uint64(1),
+	fields1 := map[string]interface{}{
+		"count":       uint64(1),
+		"id":          int64(7711561783320576),
+		"source_ip":   "208.75.57.121",
+		"source_name": "abc",
+		"source_id":   int64(2),
+		"program":     "CROND",
+		"severity":    "Info",
+		"facility":    "Cron",
+		"message":     "message body",
+		"url":         "https://papertrailapp.com/searches/42?centered_on_id=7711561783320576",
+		"search_id":   int64(42),
+	}
+
+	fields2 := map[string]interface{}{
+		"count":       uint64(1),
+		"id":          int64(7711562567655424),
+		"source_ip":   "208.75.57.120",
+		"source_name": "server1",
+		"source_id":   int64(19),
+		"program":     "CROND",
+		"severity":    "Info",
+		"facility":    "Cron",
+		"message":     "A short event",
+		"url":         "https://papertrailapp.com/searches/42?centered_on_id=7711562567655424",
+		"search_id":   int64(42),
 	}

 	tags1 := map[string]string{
@ -80,8 +104,8 @@ func TestEventPayload(t *testing.T) {
 		"host":  "def",
 	}

-	acc.AssertContainsTaggedFields(t, "papertrail", fields, tags1)
-	acc.AssertContainsTaggedFields(t, "papertrail", fields, tags2)
+	acc.AssertContainsTaggedFields(t, "papertrail", fields1, tags1)
+	acc.AssertContainsTaggedFields(t, "papertrail", fields2, tags2)
 }

 func TestCountPayload(t *testing.T) {
--- a/plugins/inputs/webhooks/papertrail/papertrail_webhooks.go
+++ b/plugins/inputs/webhooks/papertrail/papertrail_webhooks.go
@ -2,6 +2,7 @@ package papertrail

 import (
 	"encoding/json"
+	"fmt"
 	"log"
 	"net/http"
 	"time"
@ -49,7 +50,17 @@ func (pt *PapertrailWebhook) eventHandler(w http.ResponseWriter, r *http.Request
 				"event": payload.SavedSearch.Name,
 			}
 			fields := map[string]interface{}{
-				"count": uint64(1),
+				"count":       uint64(1),
+				"id":          e.ID,
+				"source_ip":   e.SourceIP,
+				"source_name": e.SourceName,
+				"source_id":   int64(e.SourceID),
+				"program":     e.Program,
+				"severity":    e.Severity,
+				"facility":    e.Facility,
+				"message":     e.Message,
+				"url":         fmt.Sprintf("%s?centered_on_id=%d", payload.SavedSearch.SearchURL, e.ID),
+				"search_id":   payload.SavedSearch.ID,
 			}
 			pt.acc.AddFields("papertrail", fields, tags, e.ReceivedAt)
 		}