From 33a4d936cd81a2a871f979cf656eaad1cfeada56 Mon Sep 17 00:00:00 2001 From: Ward Poelmans Date: Thu, 6 Jun 2024 21:12:56 +0200 Subject: [PATCH 1/3] fix pixiu pattern: a dtree can be -- --- files/pixiu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/pixiu b/files/pixiu index 7acdd04..b89dd23 100644 --- a/files/pixiu +++ b/files/pixiu @@ -14,7 +14,7 @@ PIXIU_BYTES [0-9]+(?:K|M|G|T|P)?B PIXIU_QUOTA_SIZE_TYPE (?:(?%{NUMBER:int})|(?%{PIXIU_BYTES})) -PIXIU_ALARM_COMMON The used (?%{WORD}) \(%{PIXIU_QUOTA_SIZE_TYPE}\) of (?:the )?quota \(type (?%{WORD}) quota(?:, %{PIXIU_ALARM_USER_TYPE})?\) of dtree \(name (?%{WORD}), ID (?%{NUMBER:int})\) at %{UNIXPATH:path} in namespace \(name (?%{WORD}), ID (?%{NUMBER:int})\) +PIXIU_ALARM_COMMON The used (?%{WORD}) \(%{PIXIU_QUOTA_SIZE_TYPE}\) of (?:the )?quota \(type (?%{WORD}) quota(?:, %{PIXIU_ALARM_USER_TYPE})?\) of dtree \(name (?%{NOTSPACE}), ID (?%{NUMBER:int})\) at %{UNIXPATH:path} in namespace \(name (?%{WORD}), ID (?%{NUMBER:int})\) PIXIU_USER_INODE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or approaches )?to the (:?(?%{WORD}) (?:file|space) quantity quota of|(?:file|space) quantity (?%{WORD}) quota of) \((?%{NUMBER:int})\)\..* From 4542cf0e7d651d1e48c488307192e0caa8f8a442 Mon Sep 17 00:00:00 2001 From: Ward Poelmans Date: Thu, 6 Jun 2024 21:13:27 +0200 Subject: [PATCH 2/3] add tests + log in/out adjustement --- files/pixiu | 4 +++- tests/data/pixiu | 28 ++++++++++++++++++++++++++++ tests/logstash_7.6.2.conf | 2 +- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/files/pixiu b/files/pixiu index b89dd23..89d253a 100644 --- a/files/pixiu +++ b/files/pixiu @@ -21,7 +21,9 @@ PIXIU_USER_INODE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or PIXIU_USER_SPACE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or approaches )?to the (:?(?%{WORD}) space(?: quantity)? quota of|space(?: quantity)? (?%{WORD}) quota of) \((?%{PIXIU_BYTES})\)\..* PIXIU_LOGIN_STATUS failed|succeeded +PIXIU_LOGIN_ACTION in|out -PIXIU_LOGIN_ALARM %{PIXIU_ALARM_PREFIX} User \(user name %{USERNAME:username}\) %{PIXIU_LOGIN_STATUS:state} (?:to log in|in logging in) from source \(%{IPORHOST:source_ip}\)\..* + +PIXIU_LOGIN_ALARM %{PIXIU_ALARM_PREFIX} User \(user name %{USERNAME:username}\) %{PIXIU_LOGIN_STATUS:state} (?:to log %{PIXIU_LOGIN_ACTION:action}|in logging %{PIXIU_LOGIN_ACTION:action})(?: upon timeout)? from source \(%{IPORHOST:source_ip}\)\..* PIXIU_ALARM %{PIXIU_USER_INODE_ALARM}|%{PIXIU_USER_SPACE_ALARM}|%{PIXIU_LOGIN_ALARM} diff --git a/tests/data/pixiu b/tests/data/pixiu index 854ad7e..1e59cb8 100644 --- a/tests/data/pixiu +++ b/tests/data/pixiu @@ -208,6 +208,7 @@ data = [ "username": "bsdfsdf", "source_ip": "172.18.124.113", "state": "failed", + "action": "in", }, }, { @@ -218,4 +219,31 @@ data = [ "path": "/108", }, }, + { + "raw": "<187>Jun 5 10:19:28 HKSTO03-Node1 alarm[2003199]: <186>2024-06-05 10:19:26 DST 172.19.96.130 OceanStor-Distributed-Storage 908704 0xFEA6A000E Major(1): The used space (18MB) of quota (type directory quota) of dtree (name --, ID 0) at / in namespace (name zzzzbucket, ID 242) reaches to the space soft quota of (15MB).", + "expected": { + "program": "alarm", + "quota_used_type": "directory", + "namespace": "zzzzbucket", + "namespace_id": 242, + "dtree": "--", + "dtree_id": 0, + "used_space": 18000000, + "quota_used_type": "space", + "quota_type": "directory", + "quota_limit_type": "soft", + "quota_space_limit": 15000000, + "path": "/", + }, + }, + { + "raw": "<190>Jun 5 11:19:57 C4STO01-Node1 alarm[4162768]: <189>2024-06-05 11:19:57 DST 172.19.104.10 OceanStor-Distributed-Storage 1140981 0x100F00C90022 Informational(9): User (user name adm_CV000080) succeeded in logging out upon timeout from source (172.18.252.67).", + "expected": { + "program": "alarm", + "username": "adm_CV000080", + "source_ip": "172.18.252.67", + "state": "succeeded", + "action": "out", + }, + }, ] diff --git a/tests/logstash_7.6.2.conf b/tests/logstash_7.6.2.conf index 6fa37fc..2fabedf 100644 --- a/tests/logstash_7.6.2.conf +++ b/tests/logstash_7.6.2.conf @@ -25,7 +25,7 @@ filter { } date { - match => [ "syslog_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd HH:mm:ss.SSSSSS", "MMM dd HH:mm:ss" ] + match => [ "syslog_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd HH:mm:ss.SSSSSS", "MMM d HH:mm:ss", "MMM d HH:mm:ss" ] } if ("exclude_tags" not in [tags]) { From 5c43e8e49d7fc9f7d06aba1917ccfe1df45f3b82 Mon Sep 17 00:00:00 2001 From: Ward Poelmans Date: Fri, 7 Jun 2024 08:25:28 +0200 Subject: [PATCH 3/3] make namespace also more general --- files/pixiu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/pixiu b/files/pixiu index 89d253a..f5b5617 100644 --- a/files/pixiu +++ b/files/pixiu @@ -14,7 +14,7 @@ PIXIU_BYTES [0-9]+(?:K|M|G|T|P)?B PIXIU_QUOTA_SIZE_TYPE (?:(?%{NUMBER:int})|(?%{PIXIU_BYTES})) -PIXIU_ALARM_COMMON The used (?%{WORD}) \(%{PIXIU_QUOTA_SIZE_TYPE}\) of (?:the )?quota \(type (?%{WORD}) quota(?:, %{PIXIU_ALARM_USER_TYPE})?\) of dtree \(name (?%{NOTSPACE}), ID (?%{NUMBER:int})\) at %{UNIXPATH:path} in namespace \(name (?%{WORD}), ID (?%{NUMBER:int})\) +PIXIU_ALARM_COMMON The used (?%{WORD}) \(%{PIXIU_QUOTA_SIZE_TYPE}\) of (?:the )?quota \(type (?%{WORD}) quota(?:, %{PIXIU_ALARM_USER_TYPE})?\) of dtree \(name (?%{NOTSPACE}), ID (?%{NUMBER:int})\) at %{UNIXPATH:path} in namespace \(name (?%{NOTSPACE}), ID (?%{NUMBER:int})\) PIXIU_USER_INODE_ALARM %{PIXIU_ALARM_PREFIX} %{PIXIU_ALARM_COMMON} reaches (?:or approaches )?to the (:?(?%{WORD}) (?:file|space) quantity quota of|(?:file|space) quantity (?%{WORD}) quota of) \((?%{NUMBER:int})\)\..*