

fixed GetFindings not searching all indices; fixed proper deletion of… (
#122)

* fixed GetFindings not searching all indices; fixed proper deletion of old history indices


Signed-off-by: Petar Dzepina <petar.dzepina@gmail.com>
petardz authored Nov 9, 2022
1 parent 1b36aa1 commit 8dd1c9f
Showing 7 changed files with 327 additions and 34 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ public void onResponse(GetDetectorResponse getDetectorResponse) {
AlertsService.this.getAlertsByMonitorIds(
monitorToDetectorMapping,
monitorIds,
DetectorMonitorConfig.getAlertsIndex(detector.getDetectorType()),
DetectorMonitorConfig.getAllAlertsIndicesPattern(detector.getDetectorType()),
table,
severityLevel,
alertState,
Expand Down Expand Up @@ -193,7 +193,7 @@ public void getAlerts(
AlertsService.this.getAlertsByMonitorIds(
monitorToDetectorMapping,
allMonitorIds,
DetectorMonitorConfig.getAlertsIndex(detectorType.getDetectorType()),
DetectorMonitorConfig.getAllAlertsIndicesPattern(detectorType.getDetectorType()),
table,
severityLevel,
alertState,
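Review bot: An unrecognised detector type now silently queries the default alert indices at both changed lines: `getAllAlertsIndicesPattern` (see the DetectorMonitorConfig hunk in this commit) returns `OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN` when the type is missing from `detectorTypeToIndicesMapping`, and neither call site checks for that case before handing the pattern to `getAlertsByMonitorIds`. The same applies to the two `getAllFindingsIndicesPattern` call sites in FindingsService later in this commit. If the fallback is intended, a one-line comment at each call, `// unknown detector types fall back to the default alerts index pattern`, makes the effective search scope visible to readers; if not, the unmapped type should be rejected before the search is issued. The enclosing onResponse and getAlerts methods start and end outside the hunk.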
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@
*/
package org.opensearch.securityanalytics.config.monitors;

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.opensearch.securityanalytics.model.Detector;

import java.util.Arrays;
Expand All @@ -18,9 +18,11 @@ public class DetectorMonitorConfig {

public static final String OPENSEARCH_DEFAULT_RULE_INDEX = ".opensearch-sap-detectors-queries-default";
public static final String OPENSEARCH_DEFAULT_ALERT_INDEX = ".opensearch-sap-alerts-default";
public static final String OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN = ".opensearch-sap-alerts-default*";
public static final String OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX = ".opensearch-sap-alerts-history-default";
public static final String OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX_PATTERN = "<.opensearch-sap-alerts-history-default-{now/d}-1>";
public static final String OPENSEARCH_DEFAULT_FINDINGS_INDEX = ".opensearch-sap-findings-default";
public static final String OPENSEARCH_DEFAULT_ALL_FINDINGS_INDICES_PATTERN = ".opensearch-sap-findings-default*";
public static final String OPENSEARCH_DEFAULT_FINDINGS_INDEX_PATTERN = "<.opensearch-sap-findings-default-{now/d}-1>";

private static Map<String, MonitorConfig> detectorTypeToIndicesMapping;
Expand All @@ -41,10 +43,16 @@ public class DetectorMonitorConfig {
Locale.getDefault(), ".opensearch-sap-%s-alerts*", detectorType.getDetectorType());
String findingsIndex = String.format(
Locale.getDefault(), ".opensearch-sap-%s-findings", detectorType.getDetectorType());
String allFindingsIndicesPattern = String.format(
Locale.getDefault(), ".opensearch-sap-%s-findings*", detectorType.getDetectorType());
String findingsIndexPattern = String.format(
Locale.getDefault(), "<.opensearch-sap-%s-findings-{now/d}-1>", detectorType.getDetectorType());

MonitorConfig monitor = new MonitorConfig(alertsIndex, alertsHistoryIndex, alertsHistoryIndexPattern, allAlertsIndicesPattern, findingsIndex, findingsIndexPattern, ruleIndex);
MonitorConfig monitor = new MonitorConfig(
alertsIndex, alertsHistoryIndex, alertsHistoryIndexPattern, allAlertsIndicesPattern,
findingsIndex, findingsIndexPattern, allFindingsIndicesPattern,
ruleIndex
);
detectorTypeToIndicesMapping.put(detectorType.getDetectorType(), monitor);
});
}
Expand Down Expand Up @@ -76,7 +84,14 @@ public static String getAlertsHistoryIndexPattern(String detectorType) {
public static String getAllAlertsIndicesPattern(String detectorType) {
return detectorTypeToIndicesMapping.containsKey(detectorType) ?
detectorTypeToIndicesMapping.get(detectorType).getAllAlertsIndicesPattern() :
"*";
OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN;
}

public static List<String> getAllAlertsIndicesPatternForAllTypes() {
return detectorTypeToIndicesMapping.entrySet()
.stream()
.map(e -> e.getValue().getAllAlertsIndicesPattern())
.collect(Collectors.toList());
}

public static String getFindingsIndex(String detectorType) {
Expand All @@ -85,6 +100,19 @@ public static String getFindingsIndex(String detectorType) {
OPENSEARCH_DEFAULT_FINDINGS_INDEX;
}

public static String getAllFindingsIndicesPattern(String detectorType) {
return detectorTypeToIndicesMapping.containsKey(detectorType) ?
detectorTypeToIndicesMapping.get(detectorType).getAllFindingsIndicesPattern() :
OPENSEARCH_DEFAULT_ALL_FINDINGS_INDICES_PATTERN;
}

public static List<String> getAllFindingsIndicesPatternForAllTypes() {
return detectorTypeToIndicesMapping.entrySet()
.stream()
.map(e -> e.getValue().getAllFindingsIndicesPattern())
.collect(Collectors.toList());
}

public static String getFindingsIndexPattern(String detectorType) {
return detectorTypeToIndicesMapping.containsKey(detectorType) ?
detectorTypeToIndicesMapping.get(detectorType).getFindingsIndexPattern() :
Expand All @@ -106,6 +134,7 @@ public static class MonitorConfig {
private final String allAlertsIndicesPattern;
private final String findingIndex;
private final String findingsIndexPattern;
private final String allFindingsIndicesPattern;
private final String ruleIndex;

private MonitorConfig(
Expand All @@ -115,6 +144,7 @@ private MonitorConfig(
String allAlertsIndicesPattern,
String findingsIndex,
String findingsIndexPattern,
String allFindingsIndicesPattern,
String ruleIndex
) {
this.alertsIndex = alertsIndex;
Expand All @@ -123,6 +153,7 @@ private MonitorConfig(
this.allAlertsIndicesPattern = allAlertsIndicesPattern;
this.findingIndex = findingsIndex;
this.findingsIndexPattern = findingsIndexPattern;
this.allFindingsIndicesPattern = allFindingsIndicesPattern;
this.ruleIndex = ruleIndex;
}

Expand Down Expand Up @@ -150,6 +181,10 @@ public String getFindingsIndexPattern() {
return findingsIndexPattern;
}

public String getAllFindingsIndicesPattern() {
return allFindingsIndicesPattern;
}

public String getRuleIndex() {
return ruleIndex;
}
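Review bot: `getAllAlertsIndicesPatternForAllTypes` and `getAllFindingsIndicesPatternForAllTypes` collect only the per-type patterns held in `detectorTypeToIndicesMapping` and leave out `OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN` / `OPENSEARCH_DEFAULT_ALL_FINDINGS_INDICES_PATTERN`, so the default indices that the single-type getters fall back to are absent from the "all types" lists; since DetectorIndexManagementService is switched to these lists in this commit, old default history indices would presumably no longer be considered for retention deletion unless they are appended here. Both methods can also drop the entry-set detour, e.g. `return detectorTypeToIndicesMapping.values().stream().map(MonitorConfig::getAllFindingsIndicesPattern).collect(Collectors.toList());`. A Javadoc on each method stating whether the default pattern is included pins that contract for the deletion code that depends on it.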
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ public void onFailure(Exception e) {
FindingsService.this.getFindingsByMonitorIds(
monitorToDetectorMapping,
monitorIds,
DetectorMonitorConfig.getFindingsIndex(detector.getDetectorType()),
DetectorMonitorConfig.getAllFindingsIndicesPattern(detector.getDetectorType()),
table,
getFindingsResponseListener
);
Expand Down Expand Up @@ -183,7 +183,7 @@ public void getFindings(
FindingsService.this.getFindingsByMonitorIds(
monitorToDetectorMapping,
allMonitorIds,
DetectorMonitorConfig.getFindingsIndex(detectorType.getDetectorType()),
DetectorMonitorConfig.getAllFindingsIndicesPattern(detectorType.getDetectorType()),
table,
new ActionListener<>() {
@Override
Original file line number Diff line number Diff line change
Expand Up @@ -55,9 +55,6 @@ public class DetectorIndexManagementService extends AbstractLifecycleComponent i

private Logger logger = LogManager.getLogger(DetectorIndexManagementService.class);

private static final String ALERT_HISTORY_ALL = ".opensearch-sap-alerts-history-*";
private static final String FINDING_HISTORY_ALL = ".opensearch-sap-findings-*";

private final Client client;
private final ThreadPool threadPool;
private final ClusterService clusterService;
Expand Down Expand Up @@ -235,7 +232,7 @@ private String executorName() {
return ThreadPool.Names.MANAGEMENT;
}

private void deleteOldIndices(String tag, String indices) {
private void deleteOldIndices(String tag, String... indices) {
logger.error("info deleteOldIndices");
ClusterStateRequest clusterStateRequest = new ClusterStateRequest()
.clear()
Expand All @@ -250,7 +247,7 @@ private void deleteOldIndices(String tag, String indices) {
public void onResponse(ClusterStateResponse clusterStateResponse) {
if (!clusterStateResponse.getState().metadata().getIndices().isEmpty()) {
List<String> indicesToDelete = getIndicesToDelete(clusterStateResponse);
logger.info("Deleting old " + tag + " indices viz $indicesToDelete");
logger.info("Checking if we should delete " + tag + " indices: [" + indicesToDelete + "]");
deleteAllOldHistoryIndices(indicesToDelete);
} else {
logger.info("No Old " + tag + " Indices to delete");
Expand All @@ -269,12 +266,14 @@ private List<String> getIndicesToDelete(ClusterStateResponse clusterStateRespons
List<String> indicesToDelete = new ArrayList<>();
for (ObjectCursor<IndexMetadata> in : clusterStateResponse.getState().metadata().indices().values()) {
IndexMetadata indexMetaData = in.value;
indicesToDelete.add(
getHistoryIndexToDelete(indexMetaData, alertHistoryRetentionPeriod.millis(), alertHistoryIndices, alertHistoryEnabled)
);
indicesToDelete.add(
getHistoryIndexToDelete(indexMetaData, findingHistoryRetentionPeriod.millis(), findingHistoryIndices, findingHistoryEnabled)
);
String indexToDelete = getHistoryIndexToDelete(indexMetaData, alertHistoryRetentionPeriod.millis(), alertHistoryIndices, alertHistoryEnabled);
if (indexToDelete != null) {
indicesToDelete.add(indexToDelete);
}
indexToDelete = getHistoryIndexToDelete(indexMetaData, findingHistoryRetentionPeriod.millis(), findingHistoryIndices, findingHistoryEnabled);
if (indexToDelete != null) {
indicesToDelete.add(indexToDelete);
}
}
return indicesToDelete;
}
Expand Down Expand Up @@ -319,15 +318,17 @@ private void deleteAllOldHistoryIndices(List<String> indicesToDelete) {
public void onResponse(AcknowledgedResponse deleteIndicesResponse) {
if (!deleteIndicesResponse.isAcknowledged()) {
logger.error(
"Could not delete one or more Alerting/Finding history indices: $indicesToDelete. Retrying one by one."
"Could not delete one or more Alerting/Finding history indices: [" + indicesToDelete + "]. Retrying one by one."
);
deleteOldHistoryIndex(indicesToDelete);
} else {
logger.info("Succsessfuly deleted indices: [" + indicesToDelete + "]");
}
}

@Override
public void onFailure(Exception e) {
logger.error("Delete for Alerting/Finding History Indices $indicesToDelete Failed. Retrying one By one.");
logger.error("Delete for Alerting/Finding History Indices failed: [" + indicesToDelete + "]. Retrying one By one.");
deleteOldHistoryIndex(indicesToDelete);
}
}
Expand All @@ -351,7 +352,7 @@ public void onResponse(AcknowledgedResponse acknowledgedResponse) {

@Override
public void onFailure(Exception e) {
logger.debug("Exception ${e.message} while deleting the index " + index);
logger.debug("Exception: [" + e.getMessage() + "] while deleting the index " + index);
}
}
);
Expand All @@ -360,12 +361,12 @@ public void onFailure(Exception e) {

private void rolloverAndDeleteAlertHistoryIndices() {
if (alertHistoryEnabled) rolloverAlertHistoryIndices();
deleteOldIndices("History", ALERT_HISTORY_ALL);
deleteOldIndices("Alert", DetectorMonitorConfig.getAllAlertsIndicesPatternForAllTypes().toArray(new String[0]));
}

private void rolloverAndDeleteFindingHistoryIndices() {
if (findingHistoryEnabled) rolloverFindingHistoryIndices();
deleteOldIndices("Finding", FINDING_HISTORY_ALL);
deleteOldIndices("Finding", DetectorMonitorConfig.getAllFindingsIndicesPatternForAllTypes().toArray(new String[0]));
}

private void rolloverIndex(
Expand Down Expand Up @@ -393,13 +394,13 @@ private void rolloverIndex(
@Override
public void onResponse(RolloverResponse rolloverResponse) {
if (!rolloverResponse.isRolledOver()) {
logger.info(index + "not rolled over. Conditions were: ${response.conditionStatus}");
logger.info(index + "not rolled over. Conditions were: " + rolloverResponse.getConditionStatus());
}
}

@Override
public void onFailure(Exception e) {
logger.error(index + " not roll over failed.");
logger.error("rollover failed for index [" + index + "].");
}
}
);
Expand All @@ -417,9 +418,9 @@ private void rolloverAlertHistoryIndices() {
private void rolloverFindingHistoryIndices() {
for (HistoryIndexInfo h : findingHistoryIndices) {
rolloverIndex(
h.isInitialized, h.indexAlias,
h.indexPattern, h.indexMappings,
h.maxDocs, h.maxAge
h.isInitialized, h.indexAlias,
h.indexPattern, h.indexMappings,
h.maxDocs, h.maxAge
);
}
}
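Review bot: With the null filtering added in getIndicesToDelete, `indicesToDelete` can now be empty, yet onResponse in deleteOldIndices still calls `deleteAllOldHistoryIndices(indicesToDelete)` unconditionally; unless that method (its body starts outside the hunk) guards the empty case, an empty delete request would be issued and land in the "Retrying one by one" failure path. A guard before the call, `if (indicesToDelete.isEmpty()) { logger.info("No old " + tag + " indices to delete"); return; }`, keeps the empty case out of the delete path. Relatedly, the `String... indices` array built from the ForAllTypes lists can also be empty, and an empty index list on a ClusterStateRequest is commonly treated as "all indices", so it is worth confirming that the lines following `.clear()` (outside the hunk) and getHistoryIndexToDelete restrict the candidates to history indices only. Two new log strings have wording slips: `"Succsessfuly deleted indices"` should read `"Successfully deleted indices"`, and `index + "not rolled over. Conditions were: "` is missing the space before `not`. The per-index delete failure is logged at debug with only `e.getMessage()`; passing the exception, `logger.debug("Exception while deleting the index " + index, e)`, preserves the stack trace.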
Original file line number Diff line number Diff line change
Expand Up @@ -1120,7 +1120,7 @@ public List<String> getAlertIndices(String detectorType) throws IOException {
}

public List<String> getFindingIndices(String detectorType) throws IOException {
Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getFindingsIndex(detectorType) + "?format=json"));
Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getAllFindingsIndicesPattern(detectorType) + "?format=json"));
XContentParser xcp = createParser(XContentType.JSON.xContent(), response.getEntity().getContent());
List<Object> responseList = xcp.list();
List<String> indices = new ArrayList<>();
