From c271b3c3dacece647f77523bbb953428301c7fa7 Mon Sep 17 00:00:00 2001 From: Dominik Rosiek <58699848+sumo-drosiek@users.noreply.github.com> Date: Wed, 11 May 2022 18:34:33 +0200 Subject: [PATCH] feat: add JSON support to windows sources (#193) * changelog 1.6.2 * docs for windows json support * add windows json support * add windows json support * fix typo * chore(vagrant): fix ip Signed-off-by: Dominik Rosiek * feat: add json related fields to windows event sources Signed-off-by: Dominik Rosiek * refactor: create types for windows related properties Signed-off-by: Dominik Rosiek * refactor: inherit windows remote source from windows local source Signed-off-by: Dominik Rosiek * docs(README): update Signed-off-by: Dominik Rosiek * fix: fix imports Signed-off-by: Dominik Rosiek * fix: lint Signed-off-by: Dominik Rosiek * feat: add enable_json_events property to windows sources Signed-off-by: Dominik Rosiek * feat: add enable_json_events configuration to README Signed-off-by: Dominik Rosiek * refactor: makes lint happy Signed-off-by: Dominik Rosiek * fix: add missing change Signed-off-by: Dominik Rosiek * tests: add tests for windows json events Signed-off-by: Dominik Rosiek * chore(changelog): update * Apply suggestions from code review * docs: update due to review Signed-off-by: Dominik Rosiek * docs: update due to review Signed-off-by: Dominik Rosiek * feat: remove enable_json_events Signed-off-by: Dominik Rosiek * Update CHANGELOG.md * Apply suggestions from code review * Delete remote_win_event_json_log_create_spec.rb * Delete local_win_event_json_log_create_spec.rb * tests: fix Signed-off-by: Dominik Rosiek * fix: defaults 
Signed-off-by: Dominik Rosiek * feat!: change default event_message to :message Co-authored-by: Rick Jury Co-authored-by: Andrzej Stencel --- CHANGELOG.md | 6 +++ README.md | 40 ++++++++++++++++++- Vagrantfile | 2 +- .../provider_local_win_event_log_source.rb | 5 +++ .../provider_remote_win_event_log_source.rb | 5 +-- .../resource_local_win_event_log_source.rb | 5 +++ .../resource_remote_win_event_log_source.rb | 5 +-- libraries/types.rb | 14 +++++++ .../recipes/local_win_event_log_create.rb | 5 +++ .../recipes/remote_win_event_log_create.rb | 5 +++ .../local_win_event_log_create_spec.rb | 5 +++ .../remote_win_event_log_create_spec.rb | 5 +++ 12 files changed, 94 insertions(+), 8 deletions(-) create mode 100644 libraries/types.rb diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b7928e5..13ecefd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ This project adheres to [Semantic Versioning](http://semver.org/). This CHANGELOG (now) follows the format listed at [Keep A Changelog](http://keepachangelog.com/) +## Unreleased +### Added +- feat: add JSON support to windows sources [#193] + +[#193]: https://github.com/SumoLogic/sumologic-collector-chef-cookbook/pull/193 + ## [1.6.2] - 2022-01-05 ### Added - added `fields` support to sources (@majormoses) [#189] diff --git a/README.md b/README.md index 01b33586..359ff6aa 100644 --- a/README.md +++ b/README.md 
@@ -381,6 +381,13 @@ The following attribute parameters are in addition to the generic parameters listed above. - `log_names` - **required** +- `event_format` - `:legacy` for legacy format or `:json` for JSON format. `:legacy` is default. +- `event_message` - Use with JSON format. `:complete`, `:message` (recommended), or `:metadata` for metadata only. + `:message` is default. +- `allowlist` - Available in Collector version 19.351-4 and later. A comma-separated list of event IDs. + This is an empty string as default. +- `denylist` - Available in Collector version 19.351-4 and later. A comma-separated list of event IDs. + This is an empty string as default. ### Examples @@ -391,6 +398,19 @@ sumo_source_local_windows_event_log 'local_win_event_log' do end ``` +Use JSON log format instead of legacy format: + +```ruby +sumo_source_local_windows_event_log 'local_win_event_log' do + source_json_directory node['sumologic']['sumo_json_path'] + log_names ['security', 'application'] + event_format :json + event_message :message + allowlist "" + denylist "" +end +``` + sumo_source_remote_file --------- @@ -445,7 +465,7 @@ sumo_source_remote_windows_event_log See the [Sumo Logic documentation](https://help.sumologic.com/Send_Data/Sources/Use_JSON_to_Configure_Sources) for more information about these attributes. -The following attribute parameters are in addition to the generic parameters +The following attribute parameters are in addition to the generic and [sumo_source_local_windows_event_log](#sumosourcelocalwindowseventlog) parameters listed above. - `domain` - **required** 
@@ -467,6 +487,24 @@ sumo_source_remote_windows_event_log 'remote_win_event_log' do end ``` +Use JSON log format instead of legacy format: + +```ruby +sumo_source_remote_windows_event_log 'remote_win_event_log' do + source_json_directory node['sumologic']['sumo_json_path'] + domain 'mydomain' + username 'user' + password 'password' + hosts ['myremotehost1'] + log_names ['security', 'application'] + event_format :json + event_message :message + allowlist "" + denylist "" + +end +``` + sumo_source_script --------- diff --git a/Vagrantfile b/Vagrantfile index c7ea95d7..4b8fdd78 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -12,7 +12,7 @@ Vagrant.configure('2') do |config| config.disksize.size = '50GB' config.vm.box_check_update = false config.vm.host_name = 'sumologic-collector-chef-cookbook' - config.vm.network :private_network, ip: "192.168.78.46" + config.vm.network :private_network, ip: "192.168.56.46" config.vm.provider 'virtualbox' do |vb| vb.gui = false diff --git a/libraries/provider_local_win_event_log_source.rb b/libraries/provider_local_win_event_log_source.rb index 5b21c224..0516319a 100644 --- a/libraries/provider_local_win_event_log_source.rb +++ b/libraries/provider_local_win_event_log_source.rb @@ -2,6 +2,7 @@ require 'chef/provider/lwrp_base' require_relative 'provider_source' +require_relative 'types' class Chef class Provider @@ -11,6 +12,10 @@ class SumoSourceLocalWindowsEventLog < Chef::Provider::SumoSource def config_hash hash = super hash['source']['logNames'] = new_resource.log_names + hash['source']['eventFormat'] = EVENT_FORMAT[new_resource.event_format] + hash['source']['eventMessage'] = EVENT_MESSAGE[new_resource.event_message] + hash['source']['allowlist'] = new_resource.allowlist + hash['source']['denylist'] = new_resource.denylist hash end end diff --git a/libraries/provider_remote_win_event_log_source.rb b/libraries/provider_remote_win_event_log_source.rb index f6456b81..756642bc 100644 
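Review bot: `hash['source']['allowlist'] = new_resource.allowlist` and the `denylist` line under it write `nil` (serialized as `null`) into the source JSON whenever a recipe does not set the attribute, because the resource declares both as `kind_of: String` with no `default:`, while the README hunk in this same patch promises an empty string by default. Coercing at the point of emission keeps the generated config consistent with the docs regardless of how the resource is declared: `hash['source']['allowlist'] = new_resource.allowlist.to_s` and `hash['source']['denylist'] = new_resource.denylist.to_s`. The `EVENT_FORMAT[...]` / `EVENT_MESSAGE[...]` lookups return `nil` for any symbol outside the map instead of failing; the resource's `equal_to` guards that today, but `EVENT_FORMAT.fetch(new_resource.event_format)` would fail fast if the two lists ever drift apart. I cannot tell from the diff how the collector treats a `null` list, so the coercion is a docs/code consistency fix rather than a confirmed breakage.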
--- a/libraries/provider_remote_win_event_log_source.rb +++ b/libraries/provider_remote_win_event_log_source.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true require 'chef/provider/lwrp_base' -require_relative 'provider_source' +require_relative 'provider_local_win_event_log_source' class Chef class Provider - class SumoSourceRemoteWindowsEventLog < Chef::Provider::SumoSource + class SumoSourceRemoteWindowsEventLog < Chef::Provider::SumoSourceLocalWindowsEventLog provides :sumo_source_remote_windows_event_log if respond_to?(:provides) def config_hash @@ -14,7 +14,6 @@ def config_hash hash['source']['username'] = new_resource.username hash['source']['password'] = new_resource.password hash['source']['hosts'] = new_resource.hosts - hash['source']['logNames'] = new_resource.log_names hash end end diff --git a/libraries/resource_local_win_event_log_source.rb b/libraries/resource_local_win_event_log_source.rb index f5076c47..0487c812 100644 --- a/libraries/resource_local_win_event_log_source.rb +++ b/libraries/resource_local_win_event_log_source.rb @@ -2,6 +2,7 @@ require 'chef/resource/lwrp_base' require_relative 'resource_source' +require_relative 'types' class Chef class Resource @@ -10,6 +11,10 @@ class SumoSourceLocalWindowsEventLog < Chef::Resource::SumoSource attribute :source_type, kind_of: Symbol, default: :local_windows_event_log, equal_to: [:local_windows_event_log] attribute :log_names, kind_of: Array, required: true + attribute :event_format, kind_of: Symbol, default: :legacy, equal_to: EVENT_FORMAT.keys + attribute :event_message, kind_of: Symbol, default: :message, equal_to: EVENT_MESSAGE.keys + attribute :allowlist, kind_of: String + attribute :denylist, kind_of: String end end end diff --git a/libraries/resource_remote_win_event_log_source.rb b/libraries/resource_remote_win_event_log_source.rb index 04271aa1..1362ee9f 100644 --- a/libraries/resource_remote_win_event_log_source.rb +++ b/libraries/resource_remote_win_event_log_source.rb 
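Review bot: `attribute :allowlist, kind_of: String` and the matching `denylist` line carry no `default:`, so the documented default of an empty string (README hunk above) is not what the resource provides — an unset attribute reads back as `nil`. `attribute :allowlist, kind_of: String, default: ''` and `attribute :denylist, kind_of: String, default: ''` make the code match the docs. `equal_to: EVENT_FORMAT.keys` and `EVENT_MESSAGE.keys` also admit `nil` because `types.rb` maps `nil => nil`; that value is effectively unreachable through the setter, but spelling the lists out as `%i[legacy json]` and `%i[complete message metadata]` states the contract explicitly. The README describes both lists as comma-separated event IDs, so a `regex:` such as `/\A(\d+(,\d+)*)?\z/` would reject malformed input at compile time, although the fixtures' `"el1,el2"` values would then need to become real IDs and I cannot confirm from this diff that the collector accepts only numeric entries.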
@@ -1,11 +1,11 @@ # frozen_string_literal: true require 'chef/resource/lwrp_base' -require_relative 'resource_source' +require_relative 'resource_local_win_event_log_source' class Chef class Resource - class SumoSourceRemoteWindowsEventLog < Chef::Resource::SumoSource + class SumoSourceRemoteWindowsEventLog < Chef::Resource::SumoSourceLocalWindowsEventLog provides :sumo_source_remote_windows_event_log if respond_to?(:provides) attribute :source_type, kind_of: Symbol, default: :remote_windows_event_log, equal_to: [:remote_windows_event_log] @@ -13,7 +13,6 @@ class SumoSourceRemoteWindowsEventLog < Chef::Resource::SumoSource attribute :username, kind_of: String, required: true attribute :password, kind_of: String, required: true attribute :hosts, kind_of: Array, required: true - attribute :log_names, kind_of: Array, required: true end end end diff --git a/libraries/types.rb b/libraries/types.rb new file mode 100644 index 00000000..87b1264f --- /dev/null +++ b/libraries/types.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +EVENT_FORMAT = { + nil => nil, + :legacy => 0, + :json => 1 +}.freeze + +EVENT_MESSAGE = { + nil => nil, + :complete => 0, + :message => 1, + :metadata => 2 +}.freeze diff --git a/test/fixtures/cookbooks/source-resource/recipes/local_win_event_log_create.rb b/test/fixtures/cookbooks/source-resource/recipes/local_win_event_log_create.rb index 4927c829..4aca19d3 100644 --- a/test/fixtures/cookbooks/source-resource/recipes/local_win_event_log_create.rb +++ b/test/fixtures/cookbooks/source-resource/recipes/local_win_event_log_create.rb @@ -3,4 +3,9 @@ sumo_source_local_windows_event_log 'local_win_event_log' do source_json_directory node['sumologic']['sumo_json_path'] log_names %w[security application] + + event_format :legacy + event_message :message + allowlist "el1,el2" + denylist "el3,el4" end 
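Review bot: `EVENT_FORMAT` and `EVENT_MESSAGE` are defined at the top level of a Chef library file, so they become global constants visible to every cookbook loaded into the run and will collide with any other cookbook that picks the same names. Nesting them in a module owned by this cookbook (for example `module SumoSourceWindowsEventLog`) and referencing `SumoSourceWindowsEventLog::EVENT_FORMAT` from the resource and provider avoids that. The `nil => nil` entries add nothing — `Hash#[]` already returns `nil` for a missing key — and they leak `nil` into the `equal_to` lists the resources build from `.keys`; dropping them leaves `{ legacy: 0, json: 1 }` and `{ complete: 0, message: 1, metadata: 2 }`. A one-line comment above each hash, e.g. `# Integer codes the collector's source JSON uses for eventFormat`, would spare the next reader a trip to the collector docs to learn what 0/1/2 mean.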
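Review bot: The fixture sets `event_format :legacy`, so the JSON event path this patch adds (eventFormat 1) is never generated by the integration run; the only new behaviour exercised is that four keys are emitted. Setting `event_format :json` here, or adding a second resource that does, would cover the feature the PR is named for. The `allowlist "el1,el2"` and `denylist "el3,el4"` values are not event IDs as the README describes these fields, so they would break the moment the resource starts validating the format; numeric values such as `allowlist "4624,4625"` and `denylist "4634,4647"` keep the fixture representative.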
diff --git a/test/fixtures/cookbooks/source-resource/recipes/remote_win_event_log_create.rb b/test/fixtures/cookbooks/source-resource/recipes/remote_win_event_log_create.rb index 63776dc0..2bcd4d38 100644 --- a/test/fixtures/cookbooks/source-resource/recipes/remote_win_event_log_create.rb +++ b/test/fixtures/cookbooks/source-resource/recipes/remote_win_event_log_create.rb @@ -7,4 +7,9 @@ password 'password' hosts ['myremotehost1'] log_names %w[security application] + + event_format :legacy + event_message :message + allowlist "el1,el2" + denylist "el3,el4" end diff --git a/test/integration/source-resource/serverspec/local_win_event_log_create_spec.rb b/test/integration/source-resource/serverspec/local_win_event_log_create_spec.rb index 46e7a2b1..67823c1f 100644 --- a/test/integration/source-resource/serverspec/local_win_event_log_create_spec.rb +++ b/test/integration/source-resource/serverspec/local_win_event_log_create_spec.rb @@ -4,4 +4,9 @@ describe file('/etc/sumo.json/local_win_event_log.json') do it { is_expected.to exist } + + its(:content) { is_expected.to match(/"eventFormat":/) } + its(:content) { is_expected.to match(/"eventMessage":/) } + its(:content) { is_expected.to match(/"allowlist":/) } + its(:content) { is_expected.to match(/"denylist":/) } end diff --git a/test/integration/source-resource/serverspec/remote_win_event_log_create_spec.rb b/test/integration/source-resource/serverspec/remote_win_event_log_create_spec.rb index 44f3b28f..2708ea1a 100644 --- a/test/integration/source-resource/serverspec/remote_win_event_log_create_spec.rb +++ b/test/integration/source-resource/serverspec/remote_win_event_log_create_spec.rb 
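Review bot: As with the local fixture, `event_format :legacy` means the remote source's JSON event path (eventFormat 1) is never produced by the integration run, so the inherited `config_hash` additions are only checked for the legacy value. Switching this fixture to `event_format :json` would give the two fixtures complementary coverage of both formats. `allowlist "el1,el2"` / `denylist "el3,el4"` are not event IDs per the README wording; `allowlist "4624,4625"` style values would survive any later format validation on the resource.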
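Review bot: `match(/"allowlist":/)` and the three sibling matchers only prove that the key is present, so a `null` or a wrong value passes — and with the resource attributes declared without defaults, an unset list serializes exactly as `null`. Since the fixture pins concrete values, the spec can pin them too: `its(:content) { is_expected.to match(/"eventFormat":\s*0/) }` and `its(:content) { is_expected.to match(/"allowlist":\s*"el1,el2"/) }`, with the same treatment for `eventMessage` (1) and `denylist`. The `\s*` tolerates either compact or pretty-printed JSON, which the diff does not reveal.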
@@ -4,4 +4,9 @@ describe file('/etc/sumo.json/remote_win_event_log.json') do it { is_expected.to exist } + + its(:content) { is_expected.to match(/"eventFormat":/) } + its(:content) { is_expected.to match(/"eventMessage":/) } + its(:content) { is_expected.to match(/"allowlist":/) } + its(:content) { is_expected.to match(/"denylist":/) } end
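Review bot: The four `match(/"…":/)` assertions check only that each key exists in the remote source JSON, so `"allowlist": null` — what an unset attribute serializes to given the resource has no defaults — passes as readily as the fixture's `"el1,el2"`. Pinning the values the fixture sets turns this into a real regression test: `its(:content) { is_expected.to match(/"eventFormat":\s*0/) }`, `its(:content) { is_expected.to match(/"eventMessage":\s*1/) }`, and `its(:content) { is_expected.to match(/"denylist":\s*"el3,el4"/) }`. I am assuming the integers from `types.rb` are written verbatim; the `\s*` covers compact and pretty-printed output since the writer is not in this diff.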