├── validation ├── graylog │ ├── __init__.py │ ├── server_timeout_error.py │ ├── server.py │ ├── gelf_input.py │ ├── driver.py │ └── rest_api.py ├── end_to_end │ ├── requirements.txt │ └── test_end_to_end.py ├── server │ ├── requirements.txt │ └── test.py ├── manual.md └── README.md ├── runtime ├── graylog │ └── config │ │ ├── node-id │ │ └── log4j2.xml └── docker-compose.yml ├── images ├── alert.png ├── edit_notification.png ├── select_notification.png └── edit_plugin_configuration.png ├── src ├── main │ ├── resources │ │ ├── META-INF │ │ │ └── services │ │ │ │ └── org.graylog2.plugin.Plugin │ │ └── com.airbus-cyber-security.graylog.graylog-plugin-logging-alert │ │ │ └── graylog-plugin.properties │ └── java │ │ └── com │ │ └── airbus_cyber_security │ │ └── graylog │ │ ├── LoggingAlertPlugin.java │ │ ├── events │ │ ├── config │ │ │ ├── SeverityType.java │ │ │ └── LoggingAlertConfig.java │ │ ├── notifications │ │ │ └── types │ │ │ │ ├── LoggingAlertFields.java │ │ │ │ ├── LoggingNotificationConfig.java │ │ │ │ ├── LoggingAlert.java │ │ │ │ ├── MessageBodyBuilder.java │ │ │ │ └── MessagesURLBuilder.java │ │ ├── LoggingAlertModule.java │ │ └── contentpack │ │ │ └── entities │ │ │ └── LoggingNotificationConfigEntity.java │ │ └── LoggingAlertMetaData.java ├── deb │ └── control │ │ └── control ├── web │ ├── components │ │ ├── event-notifications │ │ │ ├── CommonNotificationSummary.css │ │ │ ├── LoggingAlertSummary.css │ │ │ ├── LoggingAlertFormContainer.tsx │ │ │ ├── LoggingAlertNotificationDetails.jsx │ │ │ ├── LoggingAlertSummary.jsx │ │ │ ├── CommonNotificationSummary.jsx │ │ │ └── LoggingAlertForm.tsx │ │ ├── LoggingAlertConfig.test.tsx │ │ └── LoggingAlertConfig.jsx │ ├── webpack-entry.js │ └── index.jsx └── test │ └── java │ └── com │ └── airbus_cyber_security │ └── graylog │ └── events │ └── notifications │ └── types │ ├── LoggingNotificationConfigTest.java │ └── MessagesURLBuilderTest.java ├── .mvn ├── README.md ├── jvm.config └── wrapper │ └── maven-wrapper.properties ├── deployment ├── signingkey.asc.enc └── settings.xml ├── babel.config.js ├── .gitignore ├── webpack.config.js ├── package.json ├── jest.config.js ├── tsconfig.json ├── README.md ├── .github └── workflows │ └── ci.yml ├── CHANGELOG.md ├── mvnw ├── pom.xml └── LICENSE /validation/graylog/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /runtime/graylog/config/node-id: -------------------------------------------------------------------------------- 1 | dd18c58a-f4b5-46ba-85b0-1a7cebb33b79 -------------------------------------------------------------------------------- /validation/end_to_end/requirements.txt: -------------------------------------------------------------------------------- 1 | pytest-playwright~=0.4 2 | -------------------------------------------------------------------------------- /validation/server/requirements.txt: -------------------------------------------------------------------------------- 1 | requests >= 2.26.0, < 3.0.0 2 | -------------------------------------------------------------------------------- /validation/manual.md: -------------------------------------------------------------------------------- 1 | # Manual scenarios which should be made automatic 2 | -------------------------------------------------------------------------------- /validation/graylog/server_timeout_error.py: -------------------------------------------------------------------------------- 1 | 2 | class ServerTimeoutError(Exception): 3 | pass -------------------------------------------------------------------------------- /images/alert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/HEAD/images/alert.png -------------------------------------------------------------------------------- /src/main/resources/META-INF/services/org.graylog2.plugin.Plugin: -------------------------------------------------------------------------------- 1 | com.airbus_cyber_security.graylog.LoggingAlertPlugin 2 | -------------------------------------------------------------------------------- /images/edit_notification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/HEAD/images/edit_notification.png -------------------------------------------------------------------------------- /.mvn/README.md: -------------------------------------------------------------------------------- 1 | ## How to create/update the maven wrapper 2 | 3 | `mvn wrapper:wrapper -Dtype=only-script -Dmaven=` 4 | -------------------------------------------------------------------------------- /deployment/signingkey.asc.enc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/HEAD/deployment/signingkey.asc.enc -------------------------------------------------------------------------------- /images/select_notification.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/HEAD/images/select_notification.png -------------------------------------------------------------------------------- /images/edit_plugin_configuration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-logging-alert/HEAD/images/edit_plugin_configuration.png -------------------------------------------------------------------------------- /babel.config.js: -------------------------------------------------------------------------------- 1 | const coreBabelConfig = require('../graylog2-server/graylog2-web-interface/babel.config.js'); 2 | 3 | module.exports = { ...coreBabelConfig }; 4 | -------------------------------------------------------------------------------- /src/deb/control/control: -------------------------------------------------------------------------------- 1 | Package: [[name]] 2 | Version: [[version]] 3 | Architecture: all 4 | Maintainer: Airbus CyberSecurity 5 | Section: web 6 | Priority: optional 7 | Depends: graylog-server 8 | Description: [[description]] 9 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /target/ 2 | /node/ 3 | /node_modules/ 4 | 5 | # For the runtime docker-compose 6 | /runtime/graylog/plugin/ 7 | /runtime/.env 8 | 9 | # For backend tests in python 10 | /validation/graylog/__pycache__/ 11 | /validation/server/__pycache__/ 12 | /validation/server/venv/ 13 | /validation/end_to_end/__pycache__/ 14 | /validation/end_to_end/venv/ 15 | /validation/test-results/ 16 | 17 | # IDE 18 | .idea 19 | *.iml -------------------------------------------------------------------------------- /webpack.config.js: -------------------------------------------------------------------------------- 1 | const { PluginWebpackConfig } = require('graylog-web-plugin'); 2 | const { loadBuildConfig } = require('graylog-web-plugin'); 3 | const path = require('path'); 4 | 5 | // Remember to use the same name here and in `getUniqueId()` in the java MetaData class 6 | module.exports = new PluginWebpackConfig(__dirname, 'com.airbus_cyber_security.graylog.LoggingAlertPlugin', loadBuildConfig(path.resolve(__dirname, './build.config')), { 7 | // Here goes your additional webpack configuration. 8 | }); 9 | -------------------------------------------------------------------------------- /src/main/resources/com.airbus-cyber-security.graylog.graylog-plugin-logging-alert/graylog-plugin.properties: -------------------------------------------------------------------------------- 1 | # The plugin version 2 | version=${project.version} 3 | 4 | # The required Graylog server version 5 | graylog.version=${graylog.version} 6 | 7 | # When set to true (the default) the plugin gets a separate class loader 8 | # when loading the plugin. When set to false, the plugin shares a class loader 9 | # with other plugins that have isolated=false. 10 | # 11 | # Do not disable this unless this plugin depends on another plugin! 12 | isolated=false 13 | -------------------------------------------------------------------------------- /.mvn/jvm.config: -------------------------------------------------------------------------------- 1 | --add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED 2 | --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED 3 | --add-exports jdk.compiler/com.sun.tools.javac.main=ALL-UNNAMED 4 | --add-exports jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED 5 | --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED 6 | --add-exports jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED 7 | --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED 8 | --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED 9 | --add-opens jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED 10 | --add-opens jdk.compiler/com.sun.tools.javac.comp=ALL-UNNAMED 11 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "LoggingAlert", 3 | "version": "6.1.8", 4 | "description": "Graylog plugin LoggingAlert Web Interface", 5 | "repository": { 6 | "type": "git", 7 | "url": "https://github.com/airbus-cyber/graylog-plugin-logging-alert" 8 | }, 9 | "scripts": { 10 | "build": "webpack --bail", 11 | "test": "jest" 12 | }, 13 | "keywords": [ 14 | "graylog" 15 | ], 16 | "author": "Airbus CyberSecurity", 17 | "license": "SSPL-1.0", 18 | "dependencies": {}, 19 | "devDependencies": { 20 | "graylog-web-plugin": "file:../graylog2-server/graylog2-web-interface/packages/graylog-web-plugin", 21 | "urijs": "^1.19.11" 22 | }, 23 | "private": true 24 | } 25 | -------------------------------------------------------------------------------- /jest.config.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const buildConfig = require('./build.config'); 3 | 4 | const webSrcPrefix = buildConfig.web_src_path; 5 | 6 | const jestConfig = { 7 | preset: 'jest-preset-graylog', 8 | setupFiles: [], 9 | roots: [ 10 | 'src' 11 | ], 12 | transform: { 13 | '^.+\\.[tj]sx?$': 'babel-jest' 14 | }, 15 | moduleDirectories: [].concat([ 16 | 'src', 17 | 'src/test', 18 | 'node_modules' 19 | ], [`${webSrcPrefix}/src`, `${webSrcPrefix}/test`]), 20 | moduleNameMapper: { 21 | '^react$': `${webSrcPrefix}/node_modules/react/index.js`, 22 | '^react-dom$': `${webSrcPrefix}/node_modules/react-dom/index.js`, 23 | '^styled-components$': `${webSrcPrefix}/node_modules/styled-components`, 24 | }, 25 | }; 26 | module.exports = jestConfig; 27 | -------------------------------------------------------------------------------- /src/web/components/event-notifications/CommonNotificationSummary.css: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | :local(.fixedTable) { 18 | table-layout: fixed; 19 | overflow-wrap: break-word; 20 | } 21 | -------------------------------------------------------------------------------- /src/web/components/event-notifications/LoggingAlertSummary.css: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | :local(.bodyPreview) { 18 | font-family: monospace; 19 | font-size: 12px; 20 | overflow-wrap: break-word; 21 | white-space: pre-wrap; 22 | } -------------------------------------------------------------------------------- /validation/graylog/server.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | 4 | class Server: 5 | 6 | def __init__(self, docker_compose_path): 7 | self._docker_compose_path = docker_compose_path 8 | self._log_offset = 0 9 | 10 | def start(self): 11 | subprocess.run(['docker', 'compose', 'up', '--detach'], cwd=self._docker_compose_path) 12 | 13 | def extract_all_logs(self): 14 | return subprocess.check_output(['docker', 'compose', 'logs', '--no-color', 'graylog'], cwd=self._docker_compose_path, universal_newlines=True) 15 | 16 | def start_logs_capture(self): 17 | logs = self.extract_all_logs() 18 | self._log_offset = len(logs) 19 | 20 | def extract_logs(self): 21 | logs = self.extract_all_logs() 22 | return logs[self._log_offset:] 23 | 24 | def stop(self): 25 | subprocess.run(['docker', 'compose', 'down'], cwd=self._docker_compose_path) 26 | subprocess.run(['docker', 'volume', 'prune', '--force']) 27 | -------------------------------------------------------------------------------- /validation/graylog/gelf_input.py: -------------------------------------------------------------------------------- 1 | import json 2 | import socket 3 | 4 | _INPUT_ADDRESS = ('127.0.0.1', 12201) 5 | 6 | 7 | class GelfInput: 8 | 9 | def __init__(self, api, identifier): 10 | self._api = api 11 | self._identifier = identifier 12 | self._socket = None 13 | 14 | def is_running(self): 15 | return self._api.gelf_input_is_running(self._identifier) 16 | 17 | def connect(self): 18 | self._socket = socket.create_connection(_INPUT_ADDRESS) 19 | 20 | def close(self): 21 | self._socket.close() 22 | 23 | def __enter__(self): 24 | return self 25 | 26 | def __exit__(self, exc_type, exc_value, exc_traceback): 27 | self.close() 28 | 29 | def send(self, args): 30 | data = dict({'version': '1.1', 'host': 'host', 'short_message': 'short_message'}, **args) 31 | print('Sending {}'.format(data)) 32 | message = '{}\0'.format(json.dumps(data)) 33 | self._socket.send(message.encode()) 34 | -------------------------------------------------------------------------------- /tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es5", 4 | "lib": [ 5 | "dom", 6 | "dom.iterable", 7 | "esnext" 8 | ], 9 | "allowJs": false, 10 | "downlevelIteration": true, 11 | "skipLibCheck": true, 12 | "esModuleInterop": true, 13 | "allowSyntheticDefaultImports": true, 14 | "strict": false, 15 | "forceConsistentCasingInFileNames": true, 16 | "module": "esnext", 17 | "moduleResolution": "node", 18 | "resolveJsonModule": true, 19 | "isolatedModules": true, 20 | "noEmit": true, 21 | "jsx": "react", 22 | "baseUrl": ".", 23 | "paths": { 24 | "*": [ 25 | "*", 26 | "./src/web/*", 27 | "./test/web/*", 28 | "../graylog2-server/graylog2-web-interface/src/*", 29 | "../graylog2-server/graylog2-web-interface/test/*", 30 | ] 31 | } 32 | }, 33 | "include": [ 34 | "src", 35 | "../graylog2-server/graylog2-web-interface/src/@types/**/*", 36 | "../graylog2-server/graylog2-web-interface/src/**/*.d.ts" 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | # Licensed to the Apache Software Foundation (ASF) under one 2 | # or more contributor license agreements. See the NOTICE file 3 | # distributed with this work for additional information 4 | # regarding copyright ownership. The ASF licenses this file 5 | # to you under the Apache License, Version 2.0 (the 6 | # "License"); you may not use this file except in compliance 7 | # with the License. You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, 12 | # software distributed under the License is distributed on an 13 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 14 | # KIND, either express or implied. See the License for the 15 | # specific language governing permissions and limitations 16 | # under the License. 17 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip 18 | wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar 19 | -------------------------------------------------------------------------------- /deployment/settings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | central 5 | ${env.SONATYPE_USERNAME} 6 | ${env.SONATYPE_PASSWORD} 7 | 8 | 9 | gpg.passphrase 10 | ${env.PASSPHRASE} 11 | 12 | 13 | 14 | 15 | ossrh 16 | 17 | true 18 | 19 | 20 | gpg2 21 | ${env.PASSPHRASE} 22 | Airbus CyberSecurity 23 | 24 | 25 | 26 | jdeb-signing 27 | 28 | F8D87B13 29 | ${env.PASSPHRASE} 30 | 31 | 32 | 33 | 34 | jdeb-signing 35 | 36 | 37 | -------------------------------------------------------------------------------- /validation/README.md: -------------------------------------------------------------------------------- 1 | # Validation 2 | 3 | Organization: 4 | * `server` contains tests of the REST API 5 | * `end_to_end` contains end-to-end tests starting with the graphical user interface 6 | * `graylog` contains python library to control Graylog (start/stop docker-compose, send API requests, extract logs) 7 | 8 | # Server tests 9 | 10 | First: 11 | ``` 12 | cd server 13 | ``` 14 | 15 | ## Venv setup 16 | 17 | If it doesn't exist yet, create the venv and install dependencies: 18 | ``` 19 | python3 -m venv venv 20 | source ./venv/bin/activate 21 | pip install -r requirements.txt 22 | ``` 23 | 24 | ## Execution 25 | To run: 26 | ``` 27 | PYTHONPATH=.. python -m unittest --verbose 28 | ``` 29 | Running only one test: 30 | ``` 31 | PYTHONPATH=.. python -m unittest test.Test.test_notification_identifier_should_not_be_from_the_message_in_the_backlog_issue22 32 | ``` 33 | 34 | # End-to-end tests 35 | 36 | First: 37 | ``` 38 | cd end_to_end 39 | source venv/bin/activate 40 | ``` 41 | 42 | Running a test and watch it execute: 43 | ``` 44 | PYTHONPATH=.. pytest --headed -k test_plugin_logging_alert_configuration_save_button_should_close_popup_50 45 | ``` 46 | 47 | To generate a test: 48 | ``` 49 | playwright codegen http://127.0.0.1:9000/ 50 | ``` 51 | -------------------------------------------------------------------------------- /src/web/components/event-notifications/LoggingAlertFormContainer.tsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | // sources of inspiration for this code: components/event-definitions/event-definition-form/field-value-providers/LookupTableFieldValueProviderFormContainer.tsx 19 | import React from 'react'; 20 | 21 | import type { EventNotificationTypes } from 'components/event-notifications/types'; 22 | import LoggingAlertForm from './LoggingAlertForm'; 23 | type Props = React.ComponentProps; 24 | 25 | const LoggingAlertFormContainer = (props: Props) => { 26 | return ; 27 | } 28 | 29 | export default LoggingAlertFormContainer; -------------------------------------------------------------------------------- /src/web/webpack-entry.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | import URI from 'urijs'; 18 | 19 | import AppConfig from 'util/AppConfig'; 20 | 21 | // This is the identifier defined in the PluginMetaData (com.airbus_cyber_security.graylog.LoggingAlertMetaData) 22 | const pluginUniqueIdentifier = 'com.airbus-cyber-security.graylog.LoggingAlertPlugin'; 23 | 24 | // The webpack-dev-server serves the assets from "/" 25 | const assetPrefix = AppConfig.gl2DevMode() ? '/' : '/assets/plugin/' + pluginUniqueIdentifier + '/'; 26 | 27 | // If app prefix was not set, we need to tell webpack to load chunks from root instead of the relative URL path 28 | __webpack_public_path__ = URI.joinPaths(AppConfig.gl2AppPathPrefix(), assetPrefix).path() || assetPrefix; 29 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/LoggingAlertPlugin.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog; 18 | 19 | import com.airbus_cyber_security.graylog.events.LoggingAlertModule; 20 | import org.graylog2.plugin.Plugin; 21 | import org.graylog2.plugin.PluginMetaData; 22 | import org.graylog2.plugin.PluginModule; 23 | 24 | import java.util.Arrays; 25 | import java.util.Collection; 26 | 27 | /** 28 | * Implement the Plugin interface here. 29 | */ 30 | public class LoggingAlertPlugin implements Plugin { 31 | @Override 32 | public PluginMetaData metadata() { 33 | return new LoggingAlertMetaData(); 34 | } 35 | 36 | @Override 37 | public Collection modules () { 38 | return Arrays.asList(new LoggingAlertModule()); 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/config/SeverityType.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.config; 18 | 19 | public enum SeverityType { 20 | INFO("info"), 21 | LOW("low"), 22 | MEDIUM("medium"), 23 | HIGH("high"); 24 | 25 | private final String type; 26 | 27 | SeverityType(String type){ 28 | this.type = type; 29 | } 30 | 31 | public String getType(){ 32 | return type; 33 | } 34 | 35 | /** 36 | * Priority :
37 | * - 1 : Low
38 | * - 2 : Normal
39 | * - 3 : High 40 | * @param priority priority value of event definition 41 | */ 42 | public static SeverityType getSeverityTypeFromPriority(int priority){ 43 | return switch (priority) { 44 | case 2 -> MEDIUM; 45 | case 3 -> HIGH; 46 | default -> LOW; 47 | }; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /runtime/graylog/config/log4j2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /runtime/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # sources of inspiration for this file 2 | # * https://go2docs.graylog.org/5-1/downloading_and_installing_graylog/docker_installation.htm 3 | # * https://github.com/Graylog2/docker-compose 4 | 5 | services: 6 | 7 | # MongoDB: https://hub.docker.com/_/mongo/ 8 | mongo: 9 | image: "mongo:6.0" 10 | container_name: mongo 11 | 12 | # OpenSearch: 13 | # * https://hub.docker.com/r/opensearchproject/opensearch 14 | # * https://opensearch.org/docs/2.12/install-and-configure/install-opensearch/docker/#sample-docker-composeyml 15 | opensearch: 16 | image: "opensearchproject/opensearch:2.15.0" 17 | container_name: opensearch2.15 18 | environment: 19 | - plugins.security.disabled=true 20 | - discovery.type=single-node 21 | - action.auto_create_index=false 22 | - bootstrap.memory_lock=true 23 | - OPENSEARCH_INITIAL_ADMIN_PASSWORD=T3st-P@ssword! 24 | ulimits: 25 | memlock: 26 | soft: -1 27 | hard: -1 28 | 29 | # Graylog: https://hub.docker.com/r/graylog/graylog/ 30 | graylog: 31 | image: "graylog/graylog:${GRAYLOG_VERSION?Missing GRAYLOG_VERSION. Create a .env from pom: echo GRAYLOG_VERSION=$(cd ..&&mvn help:evaluate -Dexpression=project.parent.version -q -DforceStdout) > .env}" 32 | container_name: graylog 33 | links: 34 | - mongo:mongo 35 | - opensearch 36 | depends_on: 37 | - mongo 38 | - opensearch 39 | ports: 40 | # Graylog web interface and REST API 41 | - 9000:9000 42 | # Raw/Plaintext TCP 43 | - 5555:5555 44 | # Syslog TCP 45 | - 514:514 46 | # Syslog UDP 47 | - 514:514/udp 48 | # GELF TCP 49 | - 12201:12201 50 | # GELF UDP 51 | - 12201:12201/udp 52 | volumes: 53 | - ./graylog/config:/usr/share/graylog/data/config 54 | - ./graylog/plugin:/usr/share/graylog/plugin/ 55 | -------------------------------------------------------------------------------- /src/web/components/event-notifications/LoggingAlertNotificationDetails.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | // sources of inspiration for this code 19 | // * components/event-definitions/event-definition-form/EventDefinitionSummary.tsx 20 | // * components/event-definitions/event-definition-types/FilterAggregationSummary.jsx 21 | 22 | import * as React from 'react'; 23 | import PropTypes from 'prop-types'; 24 | 25 | import { ReadOnlyFormGroup } from 'components/common'; 26 | import { Well } from 'components/bootstrap'; 27 | 28 | import styles from './LoggingAlertSummary.css'; 29 | 30 | 31 | const LoggingAlertNotificationDetails = ({ notification }) => { 32 | return ( 33 | <> 34 | 37 | {notification.config.log_body} 38 | 39 | )} 40 | /> 41 | 42 | 43 | 44 | ); 45 | }; 46 | 47 | LoggingAlertNotificationDetails.propTypes = { 48 | notification: PropTypes.object.isRequired, 49 | }; 50 | 51 | export default LoggingAlertNotificationDetails; 52 | -------------------------------------------------------------------------------- /src/web/components/LoggingAlertConfig.test.tsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | // sources of inspiration for this code: 19 | // * pages/ShowMessagePage.test.tsx 20 | // * views/components/widgets/Widget.aggregations.test.tsx 21 | import React from 'react'; 22 | import { render } from 'wrappedTestingLibrary'; 23 | import MockStore from 'helpers/mocking/StoreMock'; 24 | import CurrentUserContext from 'contexts/CurrentUserContext'; 25 | import { adminUser } from 'fixtures/users'; 26 | 27 | import LoggingAlertConfig from './LoggingAlertConfig'; 28 | 29 | describe('', () => { 30 | it('should display the button with the correct color (issue 33)', async () => { 31 | // Note: CurrentUserContext.Provider is necessary for the IfPermitted tag 32 | const { findByText } = render( 33 | 34 | ); 35 | // TODO: I don't understand why getByText does not work here. 36 | // note: findByText is a getByText+waitFor (https://testing-library.com/docs/dom-testing-library/api-async#findby-queries) 37 | // so there must be a reason for waitFor to be necessary 38 | // maybe because of the wrap with CurrentUserContext.Provider 39 | const elem = await findByText('Edit configuration'); 40 | expect(elem.parentElement.parentElement).toHaveStyle('--button-bg: #03C2FF') 41 | }); 42 | }); 43 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/LoggingAlertFields.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.notifications.types; 18 | 19 | import org.joda.time.DateTime; 20 | 21 | public class LoggingAlertFields { 22 | 23 | private final String id; 24 | private final String title; 25 | private final String severity; 26 | private final DateTime detectTime; 27 | private final String messagesURL; 28 | 29 | public LoggingAlertFields(String id, String title, String severity, DateTime detectTime, String messagesURL) { 30 | this.id = id; 31 | this.title = title; 32 | this.severity = severity; 33 | this.detectTime = detectTime; 34 | this.messagesURL = messagesURL; 35 | } 36 | 37 | public String getId() { 38 | return id; 39 | } 40 | 41 | public String getTitle() { 42 | return title; 43 | } 44 | 45 | public String getSeverity() { 46 | return severity; 47 | } 48 | 49 | // Note: do not remove this field, if I am understanding well, it is required by jmte (see: https://github.com/DJCordhose/jmte/blob/5.0.0/src/com/floreysoft/jmte/DefaultModelAdaptor.java#L352) 50 | public DateTime getDetect_time() { 51 | return detectTime; 52 | } 53 | 54 | // Note: do not remove this field, if I am understanding well, it is required by jmte (see: https://github.com/DJCordhose/jmte/blob/5.0.0/src/com/floreysoft/jmte/DefaultModelAdaptor.java#L352) 55 | public String getMessages_url() { 56 | return messagesURL; 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/LoggingAlertModule.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events; 18 | 19 | import com.airbus_cyber_security.graylog.events.contentpack.entities.LoggingNotificationConfigEntity; 20 | import com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlert; 21 | import com.airbus_cyber_security.graylog.events.notifications.types.LoggingNotificationConfig; 22 | import org.graylog2.plugin.PluginConfigBean; 23 | import org.graylog2.plugin.PluginModule; 24 | 25 | import java.util.Collections; 26 | import java.util.Set; 27 | 28 | /** 29 | * Extend the PluginModule abstract class here to add you plugin to the system. 30 | */ 31 | public class LoggingAlertModule extends PluginModule { 32 | /** 33 | * Returns all configuration beans required by this plugin. 34 | * 35 | * Implementing this method is optional. The default method returns an empty {@link Set}. 36 | */ 37 | 38 | @Override 39 | public Set getConfigBeans() { 40 | return Collections.emptySet(); 41 | } 42 | 43 | @Override 44 | protected void configure() { 45 | addNotificationType(LoggingNotificationConfig.TYPE_NAME, 46 | LoggingNotificationConfig.class, 47 | LoggingAlert.class, 48 | LoggingAlert.Factory.class, 49 | LoggingNotificationConfigEntity.TYPE_NAME, 50 | LoggingNotificationConfigEntity.class); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/web/components/event-notifications/LoggingAlertSummary.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | import React from 'react'; 18 | import PropTypes from 'prop-types'; 19 | import { Well } from 'components/bootstrap'; 20 | 21 | import CommonNotificationSummary from "./CommonNotificationSummary"; 22 | import styles from './LoggingAlertSummary.css'; 23 | 24 | class LoggingAlertSummary extends React.Component { 25 | static propTypes = { 26 | type: PropTypes.string.isRequired, 27 | notification: PropTypes.object, 28 | definitionNotification: PropTypes.object.isRequired, 29 | }; 30 | 31 | static defaultProps = { 32 | notification: {}, 33 | }; 34 | 35 | render() { 36 | const { notification } = this.props; 37 | return ( 38 | 39 | 40 | 41 | Log Content: 42 | 43 | {notification.config.log_body || Empty body} 44 | 45 | 46 | 47 | Alert Tag: 48 | {notification.config.alert_tag} 49 | 50 | 51 | Single Notification: 52 | {notification.config.single_notification? 'true' : 'false'} 53 | 54 | 55 | 56 | ); 57 | } 58 | } 59 | 60 | export default LoggingAlertSummary; 61 | -------------------------------------------------------------------------------- /src/web/index.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | // sources of inspiration for this code: 18 | // * components/maps/configurations/index.ts 19 | // * graylog-plugin-integrations, src/web/index.jsx (see https://github.com/Graylog2/graylog-plugin-integrations/pull/964) 20 | // * https://github.com/Graylog2/graylog-plugin-threatintel, index.jsx, now threatintel/bindings.jsx 21 | // * https://github.com/Graylog2/graylog-plugin-aws, index.jsx 22 | // * https://github.com/Graylog2/graylog-plugin-collector, index.jsx 23 | import './webpack-entry'; 24 | import packageJson from '../../package.json'; 25 | import { PluginManifest, PluginStore } from 'graylog-web-plugin/plugin'; 26 | import LoggingAlertConfig from 'components/LoggingAlertConfig'; 27 | import LoggingAlertFormContainer from 'components/event-notifications/LoggingAlertFormContainer'; 28 | import LoggingAlertSummary from 'components/event-notifications/LoggingAlertSummary'; 29 | import LoggingAlertNotificationDetails from 'components/event-notifications/LoggingAlertNotificationDetails'; 30 | export { DEFAULT_BODY_TEMPLATE } from 'components/LoggingAlertConfig'; 31 | 32 | const metadata = { 33 | name: packageJson.name 34 | }; 35 | 36 | PluginStore.register(new PluginManifest(metadata, { 37 | systemConfigurations: [ 38 | { 39 | component: LoggingAlertConfig, 40 | displayName: 'Logging Alert', 41 | configType: 'com.airbus_cyber_security.graylog.events.config.LoggingAlertConfig' 42 | }, 43 | ], 44 | eventNotificationTypes: [ 45 | { 46 | type: 'logging-alert-notification', 47 | displayName: 'Logging Alert Notification', 48 | formComponent: LoggingAlertFormContainer, 49 | summaryComponent: LoggingAlertSummary, 50 | detailsComponent: LoggingAlertNotificationDetails 51 | } 52 | ], 53 | })); 54 | -------------------------------------------------------------------------------- /validation/graylog/driver.py: -------------------------------------------------------------------------------- 1 | import time 2 | from graylog.server import Server 3 | from graylog.rest_api import RestApi 4 | from graylog.server_timeout_error import ServerTimeoutError 5 | 6 | 7 | class Driver: 8 | 9 | def __init__(self, docker_compose_path): 10 | self._server = Server(docker_compose_path) 11 | self._api = RestApi() 12 | 13 | def _wait(self, condition, attempts, sleep_duration=1): 14 | count = 0 15 | while not condition(): 16 | time.sleep(sleep_duration) 17 | count += 1 18 | if count > attempts: 19 | print(self._server.extract_all_logs()) 20 | raise ServerTimeoutError() 21 | 22 | def _wait_until_graylog_has_started(self): 23 | """ 24 | We wait until the default deflector is up, as it seems to be the last operation done on startup 25 | This might have to change in the future, if graylog changes its ways... 26 | :return: 27 | """ 28 | print('Waiting for graylog to start...') 29 | self._wait(self._api.default_deflector_is_up, 180) 30 | 31 | def start(self): 32 | self._server.start() 33 | self._wait_until_graylog_has_started() 34 | 35 | def stop(self): 36 | self._server.stop() 37 | 38 | def start_logs_capture(self): 39 | self._server.start_logs_capture() 40 | 41 | def extract_logs(self): 42 | return self._server.extract_logs() 43 | 44 | def create_notification(self, **kwargs): 45 | return self._api.create_notification(**kwargs) 46 | 47 | def create_event_definition(self, notification_identifier, streams=None, backlog_size=None, conditions=None, 48 | series=None, period=5): 49 | self._api.create_event_definition(notification_identifier, streams, backlog_size, conditions, series, period) 50 | 51 | def create_gelf_input(self): 52 | gelf_input = self._api.create_gelf_input() 53 | self._wait(gelf_input.is_running, 10, sleep_duration=.1) 54 | gelf_input.connect() 55 | return gelf_input 56 | 57 | def create_stream_with_rule(self, title, field, value): 58 | return self._api.create_stream_with_rule(title, field, value) 59 | 60 | def update_plugin_configuration(self, aggregation_stream=None): 61 | return self._api.update_plugin_configuration(aggregation_stream) 62 | 63 | def configure_telemetry(self): 64 | self._api.configure_telemetry() 65 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/LoggingAlertMetaData.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog; 18 | 19 | import org.graylog2.plugin.PluginMetaData; 20 | import org.graylog2.plugin.ServerStatus; 21 | import org.graylog2.plugin.Version; 22 | 23 | import java.net.URI; 24 | import java.util.Collections; 25 | import java.util.Set; 26 | 27 | /** 28 | * Implement the PluginMetaData interface here. 29 | */ 30 | public class LoggingAlertMetaData implements PluginMetaData { 31 | private static final String PLUGIN_PROPERTIES = "com.airbus-cyber-security.graylog.graylog-plugin-logging-alert/graylog-plugin.properties"; 32 | 33 | @Override 34 | public String getUniqueId() { 35 | return "com.airbus-cyber-security.graylog.LoggingAlertPlugin"; 36 | } 37 | 38 | @Override 39 | public String getName() { 40 | return "Logging Alert Notification"; 41 | } 42 | 43 | @Override 44 | public String getAuthor() { 45 | return "Airbus CyberSecurity"; 46 | } 47 | 48 | @Override 49 | public URI getURL() { 50 | return URI.create("https://www.airbus-cyber-security.com"); 51 | } 52 | 53 | @Override 54 | public Version getVersion() { 55 | return Version.fromPluginProperties(getClass(), PLUGIN_PROPERTIES, "version", Version.from(0, 0, 1, "unknown")); 56 | } 57 | 58 | @Override 59 | public String getDescription() { 60 | return "This notification generates a log message when an alert is triggered."; 61 | } 62 | 63 | @Override 64 | public Version getRequiredVersion() { 65 | return Version.fromPluginProperties(getClass(), PLUGIN_PROPERTIES, "graylog.version", Version.from(5, 0, 0)); 66 | } 67 | 68 | @Override 69 | public Set getRequiredCapabilities() { 70 | return Collections.emptySet(); 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /src/test/java/com/airbus_cyber_security/graylog/events/notifications/types/LoggingNotificationConfigTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.notifications.types; 18 | 19 | import org.graylog.events.notifications.NotificationDto; 20 | import org.graylog2.plugin.rest.ValidationResult; 21 | import org.junit.Test; 22 | import org.junit.Rule; 23 | import org.junit.Assert; 24 | import org.mockito.junit.MockitoJUnit; 25 | import org.mockito.junit.MockitoRule; 26 | 27 | import java.util.HashSet; 28 | 29 | import static org.assertj.core.api.Assertions.assertThat; 30 | 31 | public class LoggingNotificationConfigTest { 32 | 33 | @Rule 34 | public final MockitoRule mockitoRule = MockitoJUnit.rule(); 35 | 36 | private NotificationDto getEmptyLoggingAlertNotification() { 37 | return NotificationDto.builder() 38 | .title("") 39 | .description("") 40 | .config(LoggingNotificationConfig.Builder.create() 41 | .logBody("") 42 | .alertTag("") 43 | .build()) 44 | .build(); 45 | } 46 | 47 | private NotificationDto getLoggingAlertNotification() { 48 | return NotificationDto.builder() 49 | .title("Logging Alert Title") 50 | .description("Logging alert") 51 | .config(LoggingNotificationConfig.Builder.create() 52 | .logBody("body test ") 53 | .alertTag("alert_tag_test") 54 | .build()) 55 | .build(); 56 | } 57 | 58 | @Test 59 | public void testValidateWithEmptyConfig() { 60 | final NotificationDto invalidNotification = getEmptyLoggingAlertNotification(); 61 | final ValidationResult validationResult = invalidNotification.validate(); 62 | Assert.assertTrue(validationResult.failed()); 63 | } 64 | 65 | @Test 66 | public void testValidateLoggingAlertNotification() { 67 | final NotificationDto validNotification = getLoggingAlertNotification(); 68 | 69 | final ValidationResult validationResult = validNotification.validate(); 70 | assertThat(validationResult.failed()).isFalse(); 71 | assertThat(validationResult.getErrors().size()).isEqualTo(0); 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /src/web/components/event-notifications/CommonNotificationSummary.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | import React from 'react'; 18 | import PropTypes from 'prop-types'; 19 | import { Table, Button } from 'components/bootstrap'; 20 | import { Icon } from 'components/common'; 21 | import styles from './CommonNotificationSummary.css'; 22 | 23 | class CommonNotificationSummary extends React.Component { 24 | static propTypes = { 25 | type: PropTypes.string.isRequired, 26 | notification: PropTypes.object.isRequired, 27 | definitionNotification: PropTypes.object.isRequired, 28 | children: PropTypes.element.isRequired, 29 | }; 30 | 31 | state = { 32 | displayDetails: false, 33 | }; 34 | 35 | toggleDisplayDetails = () => { 36 | const { displayDetails } = this.state; 37 | this.setState({ displayDetails: !displayDetails }); 38 | }; 39 | 40 | render() { 41 | const { type, notification, definitionNotification, children } = this.props; 42 | const { displayDetails } = this.state; 43 | return ( 44 | 45 |

{notification.title || definitionNotification.notification_id}

46 |
47 |
{type}
48 |
49 | 53 | {displayDetails && ( 54 | 55 | 56 | 57 | 58 | 59 | 60 | {children} 61 | 62 |
Description{notification.description || 'No description given'}
63 | )} 64 |
65 |
66 | 67 | ); 68 | } 69 | } 70 | 71 | export default CommonNotificationSummary; 72 | -------------------------------------------------------------------------------- /validation/end_to_end/test_end_to_end.py: -------------------------------------------------------------------------------- 1 | from pytest import fixture 2 | from graylog.driver import Driver 3 | 4 | from playwright.sync_api import Page, expect 5 | 6 | 7 | @fixture(scope="function", autouse=True) 8 | def before_each_after_each(page: Page): 9 | subject = Driver('../../runtime') 10 | subject.start() 11 | subject.configure_telemetry() 12 | 13 | page.goto('http://127.0.0.1:9000/') 14 | # note: could also be: getByRole('textbox', { name: 'Username' }) 15 | page.get_by_label('Username').fill('admin') 16 | page.get_by_label('Password').fill('admin') 17 | page.get_by_role('button', name='Sign in').click() 18 | 19 | yield 20 | subject.stop() 21 | 22 | def _go_to_plugin_configuration(page: Page): 23 | page.get_by_role('button', name='System').click() 24 | page.get_by_role('menuitem', name='Configurations').click() 25 | page.get_by_title('Plugins').click() 26 | page.get_by_title('Logging Alert').click() 27 | 28 | def test_plugin_logging_alert_should_be_registered_issue_50(page: Page): 29 | _go_to_plugin_configuration(page) 30 | expect(page.get_by_title('Logging Alert')).to_be_visible() 31 | 32 | def test_plugin_logging_alert_configuration_save_button_should_close_popup_issue_50(page: Page): 33 | _go_to_plugin_configuration(page) 34 | page.get_by_role('button', name='Edit configuration').click() 35 | page.get_by_text('Save').click() 36 | expect(page.get_by_text('Update Logging Alert Notification Configuration')).not_to_be_attached() 37 | 38 | def test_plugin_logging_alert_configuration_save_button_update_should_not_fail_issue_50(page: Page): 39 | _go_to_plugin_configuration(page) 40 | page.get_by_role('button', name='Edit configuration').click() 41 | # note: we could also have done something with page.on('response', lambda response: print('<<', response.status, response.url, response.request.method, response.ok)) 42 | with page.expect_response(lambda response: response.request.method == 'PUT' and '/api/system/cluster_config/' in response.url) as event: 43 | page.get_by_text('Save').click() 44 | assert event.value.ok 45 | 46 | def test_plugin_logging_alert_configuration_cancel_button_should_revert_changes_issue_50(page: Page): 47 | _go_to_plugin_configuration(page) 48 | page.get_by_role('button', name='Edit configuration').click() 49 | page.get_by_label('Line Break Substitution').fill('+') 50 | page.get_by_text('Cancel').click() 51 | page.get_by_role('button', name='Edit configuration').click() 52 | expect(page.get_by_label('Line Break Substitution')).to_have_value(' | ') 53 | 54 | def test_plugin_logging_alert_configuration_cancel_button_should_close_popup_issue_50(page: Page): 55 | _go_to_plugin_configuration(page) 56 | page.get_by_role('button', name='Edit configuration').click() 57 | page.get_by_text('Cancel').click() 58 | expect(page.get_by_text('Update Logging Alert Notification Configuration')).not_to_be_attached() 59 | 60 | def test_plugin_logging_alert_configuration_window_close_should_close_popup_issue_50(page: Page): 61 | _go_to_plugin_configuration(page) 62 | page.get_by_role('button', name='Edit configuration').click() 63 | page.get_by_text("×Close").click() 64 | expect(page.get_by_text('Update Logging Alert Notification Configuration')).not_to_be_attached() 65 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/contentpack/entities/LoggingNotificationConfigEntity.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.contentpack.entities; 18 | 19 | import com.airbus_cyber_security.graylog.events.notifications.types.LoggingNotificationConfig; 20 | import com.fasterxml.jackson.annotation.JsonCreator; 21 | import com.fasterxml.jackson.annotation.JsonProperty; 22 | import com.fasterxml.jackson.annotation.JsonTypeName; 23 | import com.fasterxml.jackson.databind.annotation.JsonDeserialize; 24 | import com.google.auto.value.AutoValue; 25 | import org.graylog.events.contentpack.entities.EventNotificationConfigEntity; 26 | import org.graylog.events.notifications.EventNotificationConfig; 27 | import org.graylog2.contentpacks.model.entities.EntityDescriptor; 28 | import org.graylog2.contentpacks.model.entities.references.ValueReference; 29 | 30 | import java.util.Map; 31 | 32 | @AutoValue 33 | @JsonTypeName(LoggingNotificationConfigEntity.TYPE_NAME) 34 | @JsonDeserialize(builder = LoggingNotificationConfigEntity.Builder.class) 35 | public abstract class LoggingNotificationConfigEntity implements EventNotificationConfigEntity { 36 | 37 | public static final String TYPE_NAME = "logging-alert-notification"; 38 | 39 | private static final String FIELD_LOG_BODY = "log_body"; 40 | private static final String FIELD_ALERT_TAG = "alert_tag"; 41 | private static final String FIELD_SINGLE_MESSAGE = "single_notification"; 42 | 43 | @JsonProperty(FIELD_LOG_BODY) 44 | public abstract ValueReference logBody(); 45 | 46 | @JsonProperty(FIELD_ALERT_TAG) 47 | public abstract ValueReference alertTag(); 48 | 49 | @JsonProperty(FIELD_SINGLE_MESSAGE) 50 | public abstract boolean singleMessage(); 51 | 52 | public static Builder builder() { 53 | return Builder.create(); 54 | } 55 | 56 | public abstract Builder toBuilder(); 57 | 58 | @AutoValue.Builder 59 | public static abstract class Builder implements EventNotificationConfigEntity.Builder { 60 | @JsonCreator 61 | public static Builder create() { 62 | return new AutoValue_LoggingNotificationConfigEntity.Builder() 63 | .type(TYPE_NAME); 64 | } 65 | 66 | @JsonProperty(FIELD_LOG_BODY) 67 | public abstract Builder logBody(ValueReference logBody); 68 | @JsonProperty(FIELD_ALERT_TAG) 69 | public abstract Builder alertTag(ValueReference alertTag); 70 | @JsonProperty(FIELD_SINGLE_MESSAGE) 71 | public abstract Builder singleMessage(boolean singleMessage); 72 | 73 | public abstract LoggingNotificationConfigEntity build(); 74 | } 75 | 76 | @Override 77 | public EventNotificationConfig toNativeEntity(Map parameters, 78 | Map nativeEntities) { 79 | return LoggingNotificationConfig.builder() 80 | .logBody(logBody().asString(parameters)) 81 | .alertTag(alertTag().asString(parameters)) 82 | .singleMessage(singleMessage()) 83 | .build(); 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/LoggingNotificationConfig.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.notifications.types; 18 | 19 | import com.airbus_cyber_security.graylog.events.config.LoggingAlertConfig; 20 | import com.airbus_cyber_security.graylog.events.contentpack.entities.LoggingNotificationConfigEntity; 21 | import com.fasterxml.jackson.annotation.JsonCreator; 22 | import com.fasterxml.jackson.annotation.JsonIgnore; 23 | import com.fasterxml.jackson.annotation.JsonProperty; 24 | import com.fasterxml.jackson.annotation.JsonTypeName; 25 | import com.fasterxml.jackson.databind.annotation.JsonDeserialize; 26 | import com.google.auto.value.AutoValue; 27 | import org.graylog.events.contentpack.entities.EventNotificationConfigEntity; 28 | import org.graylog.events.event.EventDto; 29 | import org.graylog.events.notifications.EventNotificationConfig; 30 | import org.graylog.events.notifications.EventNotificationExecutionJob; 31 | import org.graylog.scheduler.JobTriggerData; 32 | import org.graylog2.contentpacks.EntityDescriptorIds; 33 | import org.graylog2.contentpacks.model.entities.references.ValueReference; 34 | import org.graylog2.plugin.rest.ValidationResult; 35 | import org.slf4j.Logger; 36 | import org.slf4j.LoggerFactory; 37 | 38 | 39 | /** 40 | * This is the configuration of a notification 41 | */ 42 | @AutoValue 43 | @JsonTypeName(LoggingNotificationConfig.TYPE_NAME) 44 | @JsonDeserialize(builder = LoggingNotificationConfig.Builder.class) 45 | public abstract class LoggingNotificationConfig implements EventNotificationConfig { 46 | private static final Logger LOGGER = LoggerFactory.getLogger(LoggingNotificationConfig.class); 47 | 48 | public static final String TYPE_NAME = "logging-alert-notification"; 49 | 50 | private static final String FIELD_LOG_BODY = "log_body"; 51 | private static final String FIELD_ALERT_TAG = "alert_tag"; 52 | private static final String FIELD_SINGLE_MESSAGE = "single_notification"; 53 | 54 | @JsonProperty(FIELD_LOG_BODY) 55 | public abstract String logBody(); 56 | 57 | @JsonProperty(FIELD_ALERT_TAG) 58 | public abstract String alertTag(); 59 | 60 | @JsonProperty(FIELD_SINGLE_MESSAGE) 61 | public abstract boolean singleMessage(); 62 | 63 | @JsonIgnore 64 | @Override 65 | public JobTriggerData toJobTriggerData(EventDto dto) { 66 | return EventNotificationExecutionJob.Data.builder().eventDto(dto).build(); 67 | } 68 | 69 | @JsonIgnore 70 | @Override 71 | public ValidationResult validate() { 72 | final ValidationResult validation = new ValidationResult(); 73 | String errorMessage; 74 | if(logBody() == null || logBody().isEmpty()) { 75 | errorMessage = "Log Body cannot be empty"; 76 | LOGGER.error(errorMessage); 77 | validation.addError(FIELD_LOG_BODY, errorMessage); 78 | } 79 | return validation; 80 | } 81 | 82 | public static LoggingNotificationConfig.Builder builder() { 83 | return LoggingNotificationConfig.Builder.create(); 84 | } 85 | 86 | @AutoValue.Builder 87 | public static abstract class Builder implements EventNotificationConfig.Builder { 88 | 89 | @JsonCreator 90 | public static Builder create() { 91 | return new AutoValue_LoggingNotificationConfig.Builder() 92 | .type(TYPE_NAME) 93 | .logBody(LoggingAlertConfig.BODY_TEMPLATE) 94 | .alertTag("LoggingAlert") 95 | .singleMessage(false); 96 | } 97 | 98 | @JsonProperty(FIELD_LOG_BODY) 99 | public abstract Builder logBody(String logBody); 100 | @JsonProperty(FIELD_ALERT_TAG) 101 | public abstract Builder alertTag(String alertTag); 102 | @JsonProperty(FIELD_SINGLE_MESSAGE) 103 | public abstract Builder singleMessage(boolean singleMessage); 104 | 105 | public abstract LoggingNotificationConfig build(); 106 | } 107 | 108 | @Override 109 | public EventNotificationConfigEntity toContentPackEntity(EntityDescriptorIds entityDescriptorIds) { 110 | return LoggingNotificationConfigEntity.builder() 111 | .logBody(ValueReference.of(logBody())) 112 | .alertTag(ValueReference.of(alertTag())) 113 | .singleMessage(singleMessage()) 114 | .build(); 115 | } 116 | } 117 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/LoggingAlert.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.notifications.types; 18 | 19 | import com.airbus_cyber_security.graylog.events.config.LoggingAlertConfig; 20 | import com.google.common.collect.ImmutableList; 21 | import org.graylog.events.event.EventDto; 22 | import org.graylog.events.notifications.EventNotification; 23 | import org.graylog.events.notifications.EventNotificationContext; 24 | import org.graylog.events.notifications.EventNotificationService; 25 | import org.graylog2.plugin.MessageSummary; 26 | import org.graylog2.plugin.cluster.ClusterConfigService; 27 | import org.joda.time.DateTime; 28 | import org.slf4j.Logger; 29 | import org.slf4j.LoggerFactory; 30 | 31 | import jakarta.inject.Inject; 32 | 33 | import java.util.ArrayList; 34 | import java.util.Collection; 35 | 36 | /** 37 | * This is the plugin. Your class should implement one of the existing plugin 38 | * interfaces. (i.e. AlarmCallback, MessageInput, MessageOutput) 39 | * UPDATE Graylog 3.2 : the class should implement EventNotification 40 | */ 41 | public class LoggingAlert implements EventNotification { 42 | 43 | private static final Logger LOGGER = LoggerFactory.getLogger(LoggingAlert.class); 44 | 45 | private static final String SEPARATOR_TEMPLATE = "\n"; 46 | 47 | private final EventNotificationService notificationCallbackService; 48 | 49 | private final ClusterConfigService clusterConfigService; 50 | 51 | private final MessageBodyBuilder messageBodyBuilder; 52 | 53 | public interface Factory extends EventNotification.Factory { 54 | @Override 55 | LoggingAlert create(); 56 | } 57 | 58 | @Inject 59 | public LoggingAlert(ClusterConfigService clusterConfigService, EventNotificationService notificationCallbackService, 60 | MessageBodyBuilder messageBodyBuilder) { 61 | this.notificationCallbackService = notificationCallbackService; 62 | this.clusterConfigService = clusterConfigService; 63 | this.messageBodyBuilder = messageBodyBuilder; 64 | } 65 | 66 | @Override 67 | public void execute(EventNotificationContext context) { 68 | LOGGER.debug("Start of execute..."); 69 | LoggingAlertConfig generalConfig = this.clusterConfigService.getOrDefault(LoggingAlertConfig.class, LoggingAlertConfig.createDefault()); 70 | LoggingNotificationConfig config = (LoggingNotificationConfig) context.notificationConfig(); 71 | ImmutableList backlog = this.notificationCallbackService.getBacklogForEvent(context); 72 | String logTemplate = config.logBody().replace(SEPARATOR_TEMPLATE, generalConfig.accessSeparator()); 73 | 74 | EventDto event = context.event(); 75 | DateTime date = event.eventTimestamp(); 76 | 77 | for (MessageSummary messageSummary: backlog) { 78 | if (messageSummary.getTimestamp().isBefore(date)) { 79 | date = messageSummary.getTimestamp(); 80 | } 81 | } 82 | 83 | Collection listMessagesToLog = new ArrayList<>(); 84 | if (backlog.isEmpty() || config.singleMessage()) { 85 | LOGGER.debug("Add log to list message for empty backlog or single message..."); 86 | String messageToLog = this.messageBodyBuilder.buildMessageBodyForBacklog(logTemplate, context, date, backlog); 87 | listMessagesToLog.add(messageToLog); 88 | } else { 89 | LOGGER.debug("Add log to list message for backlog..."); 90 | for (MessageSummary message: backlog) { 91 | String messageToLog = this.messageBodyBuilder.buildMessageBodyForMessage(logTemplate, context, date, message); 92 | listMessagesToLog.add(messageToLog); 93 | } 94 | } 95 | 96 | Logger localLogger = LoggerFactory.getLogger(config.alertTag()); 97 | Logger loggerOverflow = LoggerFactory.getLogger(generalConfig.accessOverflowTag()); 98 | 99 | /* Log each messages */ 100 | int iter = 0; 101 | for (String message: listMessagesToLog) { 102 | if (generalConfig.accessLimitOverflow() <= 0 || iter < generalConfig.accessLimitOverflow()) { 103 | localLogger.info(message); 104 | } else { 105 | loggerOverflow.info(message); 106 | } 107 | iter++; 108 | } 109 | 110 | LOGGER.debug("End of execute..."); 111 | } 112 | } 113 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/config/LoggingAlertConfig.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.config; 18 | 19 | import com.fasterxml.jackson.annotation.JsonAutoDetect; 20 | import com.fasterxml.jackson.annotation.JsonCreator; 21 | import com.fasterxml.jackson.annotation.JsonInclude; 22 | import com.fasterxml.jackson.annotation.JsonProperty; 23 | import com.google.auto.value.AutoValue; 24 | 25 | import jakarta.annotation.Nullable; 26 | 27 | /** 28 | * This is the general configuration of the plugin (see System/Configurations) 29 | * It is probably linked to the IHM, just by the configuration in the web index.jsx. 30 | */ 31 | @JsonAutoDetect 32 | @AutoValue 33 | @JsonInclude(JsonInclude.Include.NON_NULL) 34 | public abstract class LoggingAlertConfig { 35 | 36 | private static final String FIELD_ALERT_ID = "id"; 37 | private static final String SEPARATOR_TEMPLATE = "\n"; 38 | public static final String BODY_TEMPLATE = 39 | "type: alert" + SEPARATOR_TEMPLATE + 40 | FIELD_ALERT_ID + ": ${logging_alert.id}" + SEPARATOR_TEMPLATE + 41 | "aggregation_id: ${event.fields.aggregation_id}" + SEPARATOR_TEMPLATE + 42 | "severity: ${logging_alert.severity}" + SEPARATOR_TEMPLATE + 43 | "app: graylog" + SEPARATOR_TEMPLATE + 44 | "subject: ${event_definition_title}" + SEPARATOR_TEMPLATE + 45 | "body: ${event_definition_description}" + SEPARATOR_TEMPLATE + 46 | "${if backlog && backlog[0]} src: ${backlog[0].fields.src_ip}" + SEPARATOR_TEMPLATE + 47 | "src_category: ${backlog[0].fields.src_category}" + SEPARATOR_TEMPLATE + 48 | "dest: ${backlog[0].fields.dest_ip}" + SEPARATOR_TEMPLATE + 49 | "dest_category: ${backlog[0].fields.dest_category}" + SEPARATOR_TEMPLATE + 50 | "${end}"; 51 | 52 | @JsonProperty("separator") 53 | public abstract String accessSeparator(); 54 | 55 | @JsonProperty("log_body") 56 | public abstract String accessLogBody(); 57 | 58 | // Note: do not remove this field : Backward compatibility 59 | @JsonProperty("aggregation_stream") 60 | @Nullable 61 | public abstract String accessAggregationStream(); 62 | 63 | // Note: do not remove this field : Backward compatibility 64 | @JsonProperty("aggregation_time") 65 | @Nullable 66 | public abstract Integer accessAggregationTime(); 67 | 68 | @JsonProperty("limit_overflow") 69 | public abstract int accessLimitOverflow(); 70 | 71 | // Note: do not remove this field : Backward compatibility 72 | @JsonProperty("field_alert_id") 73 | @Nullable 74 | public abstract String accessFieldAlertId(); 75 | 76 | @JsonProperty("alert_tag") 77 | public abstract String accessAlertTag(); 78 | 79 | @JsonProperty("overflow_tag") 80 | public abstract String accessOverflowTag(); 81 | 82 | @JsonCreator 83 | public static LoggingAlertConfig create( 84 | @JsonProperty("separator") String separator, 85 | @JsonProperty("log_body") String logBody, 86 | @JsonProperty("limit_overflow") int limitOverflow, 87 | @JsonProperty("alert_tag") String alertTag, 88 | @JsonProperty("overflow_tag") String overflowTag){ 89 | return builder() 90 | .accessSeparator(separator) 91 | .accessLogBody(logBody) 92 | .accessLimitOverflow(limitOverflow) 93 | .accessAlertTag(alertTag) 94 | .accessOverflowTag(overflowTag) 95 | .build(); 96 | } 97 | 98 | public static LoggingAlertConfig createDefault() { 99 | return builder() 100 | .accessSeparator(" | ") 101 | .accessLogBody(BODY_TEMPLATE) 102 | .accessLimitOverflow(0) 103 | .accessAlertTag("LoggingAlert") 104 | .accessOverflowTag("LoggingOverflow") 105 | .build(); 106 | } 107 | 108 | public static Builder builder() { 109 | return new AutoValue_LoggingAlertConfig.Builder(); 110 | } 111 | 112 | public abstract Builder toBuilder(); 113 | 114 | @AutoValue.Builder 115 | public abstract static class Builder { 116 | 117 | public abstract Builder accessSeparator(String accessSeparator); 118 | public abstract Builder accessLogBody(String accessLogBody); 119 | public abstract Builder accessAggregationStream(String accessAggregationStream); 120 | public abstract Builder accessAggregationTime(int accessAggregationTime); 121 | public abstract Builder accessLimitOverflow(int accessLimitOverflow); 122 | public abstract Builder accessFieldAlertId(String accessFieldAlertId); 123 | public abstract Builder accessAlertTag(String accessAlertTag); 124 | public abstract Builder accessOverflowTag(String accessOverflowTag); 125 | 126 | public abstract LoggingAlertConfig build(); 127 | } 128 | } 129 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Logging Alert Plugin for Graylog 2 | 3 | [![Continuous Integration](https://github.com/airbus-cyber/graylog-plugin-logging-alert/actions/workflows/ci.yml/badge.svg)](https://github.com/airbus-cyber/graylog-plugin-logging-alert/actions/workflows/ci.yml) 4 | [![License](https://img.shields.io/badge/license-SSPL-green)](https://www.mongodb.com/licensing/server-side-public-license) 5 | [![GitHub Release](https://img.shields.io/github/v/release/airbus-cyber/graylog-plugin-logging-alert)](https://github.com/airbus-cyber/graylog-plugin-logging-alert/releases) 6 | 7 | #### Alert notification plugin for Graylog to generate log messages from alerts 8 | 9 | The alert notification generate a log message when an alert is triggered. 10 | 11 | Perfect for example to record alerts as internal log messages in Graylog itself using the [Internal Logs Input Plugin for Graylog](https://github.com/graylog-labs/graylog-plugin-internal-logs). Thus you can create a stream to receive and manage alerts. 12 | 13 | Also perfect for example to forward alerts via log messages to a Security Incident Response Platform. 14 | 15 | Please also take note that if message field values are included in the log message template and these values vary based on the messages that triggered the alert, then multiple log messages may be generated per alert. 16 | 17 | Alert example recorded as an internal log message: 18 | 19 | ![](images/alert.png) 20 | 21 | ## Version Compatibility 22 | 23 | | Plugin Version | Graylog Version | 24 | |----------------|-----------------| 25 | | 6.1.3+ | 6.1.4+ | 26 | | 6.1.0 to 6.1.2 | 6.1.0+ | 27 | | 6.0.0 | 6.0.x | 28 | | 5.1.x | \>=5.1.9 | 29 | | 5.0.x | 5.0.x | 30 | | 4.3.x | 4.3.x | 31 | | 4.2.x | 4.3.x | 32 | | 4.1.x | 4.2.x | 33 | | 4.0.x | 4.1.x | 34 | | 2.2.x | 3.3.x | 35 | | 2.1.x | 3.2.x | 36 | | 2.0.x | 3.2.x | 37 | | 1.3.x | 3.0.x | 38 | | 1.2.x | 3.0.x | 39 | | 1.1.x | 2.5.x | 40 | | 1.0.x | 2.4.x | 41 | 42 | ## Installation 43 | 44 | [Download the plugin](https://github.com/airbus-cyber/graylog-plugin-logging-alert/releases) 45 | and place the `.jar` file in your Graylog plugin directory. The plugin directory 46 | is the `plugins/` folder relative from your `graylog-server` directory by default 47 | and can be configured in your `graylog.conf` file. 48 | 49 | Restart `graylog-server` and you are done. 50 | 51 | ## Usage 52 | 53 | ### Configure a notification 54 | 55 | First you have to select **Logging Alert Notification** as the notification type. 56 | 57 | ![](images/select_notification.png) 58 | 59 | Then, in the popup that occurs, you can configure the **Title** of the notification. 60 | 61 | You can configure the **Alert Severity**. You have the choice between 4 levels of severity. 62 | 63 | You can also configure the **Log Content** to log the information you want. 64 | Please see the [Graylog Documentation](https://go2docs.graylog.org/6-3/interacting_with_your_log_data/alerts.html#MetadataAvailabletoAlerts) 65 | 66 | Some plugin-specific fields values can be added to the log content. 67 | 68 | | Plugin-specific Fields | Description | 69 | |----------------------------|---------------------------------------------------------| 70 | | logging_alert.id | ID of the alert | 71 | | logging_alert.title | Title of the notification | 72 | | logging_alert.severity | Severity of the alert | 73 | | logging_alert.detect_time | Timestamp of the first message that triggered the alert | 74 | | logging_alert.messages_url | URI to the retrieve messages that triggered the alert | 75 | 76 | ![](images/edit_notification.png) 77 | 78 | The parameter **Single message** allow you to send only one notification by alert 79 | 80 | You can optionally add a **Comment** about the configuration of the notification. 81 | 82 | Make sure you also configured alert conditions for the stream so that the alerts are actually triggered. 83 | 84 | ### Configure the plugin parameters 85 | 86 | Click on **Configure** in the **System / Configurations** section to update the plugin configuration. 87 | 88 | In the popup that occurs, you can configure the **Default Log Content** of the parameters that are set when adding a new notification. 89 | 90 | You can define a **Line Break Substitution** of the log content in order to help parsing log fields and their values. Thus a separator can be inserted between the fields of the log content. 91 | 92 | You can optionally define an **Overflow Limit**. From this given number of log messages per triggered alert, all the following log messages generated by the notification are tagged as overflow. This limit prevents you from forwarding too many log messages per alert to a Security Incident Response Platform by filtering the log messages according to their tag. For this purpose you can choose the name of the tags: **Alert Tag** and **Overflow Tag**. 93 | 94 | ![](images/edit_plugin_configuration.png) 95 | 96 | ## Build 97 | 98 | This project requires Java 17 JDK. 99 | 100 | * Clone this repository. 101 | * Clone [graylog2-server](https://github.com/Graylog2/graylog2-server) repository next to this repository. 102 | * Build Graylog2-server with `./mvnw compile -DskipTests=true` (in graylog2-server folder) 103 | * Run `./mvnw package` to build a JAR file (in this project folder). 104 | * Optional: Run `./mvnw org.vafer:jdeb:jdeb` and `./mvnw rpm:rpm` to create a DEB and RPM package respectively. 105 | * Copy generated JAR file in target directory to your Graylog plugin directory. 106 | * Restart the Graylog. 107 | 108 | A docker to build can be generated from [Dockerfile](https://github.com/airbus-cyber/graylog-plugin-logging-alert/blob/master/build_docker/Dockerfile). 109 | 110 | ## License 111 | 112 | This plugin is released under version 1 of the [Server Side Public License (SSPL)](LICENSE). 113 | -------------------------------------------------------------------------------- /src/web/components/event-notifications/LoggingAlertForm.tsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | import React from 'react'; 18 | import PropTypes from 'prop-types'; 19 | 20 | import { ControlLabel, FormGroup, HelpBlock } from 'components/bootstrap'; 21 | import lodash from 'lodash'; 22 | // TODO this works, but should rather load the SourceCodeEditor from the index (it will then use lazy-loading) 23 | // => import { SourceCodeEditor } from 'components/common'; 24 | // however, it doesn't work, since the graylog server does not serve the js file corresponding to the SourceCodeEditor 25 | import SourceCodeEditor from 'components/common/SourceCodeEditor'; 26 | import { Input } from 'components/bootstrap'; 27 | import FormsUtils from 'util/FormsUtils'; 28 | import { ConfigurationsActions, ConfigurationsStore } from 'stores/configurations/ConfigurationsStore'; 29 | import { DEFAULT_BODY_TEMPLATE } from '../LoggingAlertConfig'; 30 | import connect from 'stores/connect'; 31 | import type { EventNotification } from 'stores/event-notifications/EventNotificationsStore'; 32 | const LOGGING_ALERT_CONFIG = 'com.airbus_cyber_security.graylog.events.config.LoggingAlertConfig'; 33 | 34 | type Props = { 35 | config: EventNotification['config']; 36 | validation: { errors: { [key: string]: Array } }; 37 | onChange: (newConfig: EventNotification['config']) => void; 38 | setIsSubmitEnabled: (enabled: boolean) => void; 39 | configurationsStore: typeof ConfigurationsStore; 40 | }; 41 | 42 | class LoggingAlertForm extends React.Component { 43 | 44 | constructor(props: Props) { 45 | super(props); 46 | this.state = {}; 47 | } 48 | 49 | componentDidMount() { 50 | ConfigurationsActions.list(LOGGING_ALERT_CONFIG); 51 | } 52 | 53 | propagateChange = (key, value) => { 54 | const { config, onChange } = this.props; 55 | const nextConfig = lodash.cloneDeep(config); 56 | nextConfig[key] = value; 57 | onChange(nextConfig); 58 | }; 59 | 60 | handleChange = (event) => { 61 | const { name } = event.target; 62 | this.propagateChange(name, FormsUtils.getValueFromInput(event.target)); 63 | }; 64 | 65 | handleBodyTemplateChange = (nextValue) => { 66 | this.propagateChange('log_body', nextValue); 67 | }; 68 | 69 | handleFieldsChange = (key) => { 70 | return nextValue => { 71 | this.propagateChange(key, nextValue === '' ? [] : nextValue.split(',')); 72 | }; 73 | }; 74 | 75 | getAlertConfig = (configuration) => { 76 | if (configuration && configuration[LOGGING_ALERT_CONFIG]) { 77 | if (this.props.config.log_body === undefined) { 78 | this.handleBodyTemplateChange(configuration[LOGGING_ALERT_CONFIG].log_body); 79 | } 80 | if (this.props.config.alert_tag === undefined) { 81 | this.propagateChange('alert_tag', configuration[LOGGING_ALERT_CONFIG].alert_tag); 82 | } 83 | return configuration[LOGGING_ALERT_CONFIG]; 84 | } else { 85 | return { 86 | log_body: DEFAULT_BODY_TEMPLATE, 87 | alert_tag: 'LoggingAlert', 88 | single_notification: false, 89 | } 90 | } 91 | }; 92 | 93 | render() { 94 | const { config, validation } = this.props; 95 | 96 | const alertConfig = this.getAlertConfig(this.props.configurationsStore.configuration); 97 | delete alertConfig['aggregation_time']; 98 | 99 | return ( 100 | 101 | 102 | Body Template 103 | 108 | 109 | {lodash.get(validation, 'errors.log_body[0]', 'The template to generate the log content form')} 110 | 111 | 112 | 113 | Alert Tag (Optional) 114 | 122 |
123 | 131 | 132 | 133 | Check this box to send only one message by alert 134 | 135 |
136 | 137 | ); 138 | } 139 | } 140 | 141 | export default connect(LoggingAlertForm, { 142 | configurationsStore: ConfigurationsStore 143 | }); -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/MessageBodyBuilder.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.notifications.types; 18 | 19 | import com.airbus_cyber_security.graylog.events.config.SeverityType; 20 | import com.fasterxml.jackson.databind.ObjectMapper; 21 | import com.floreysoft.jmte.Engine; 22 | import com.google.common.collect.ImmutableList; 23 | import org.graylog.events.notifications.DBNotificationService; 24 | import org.graylog.events.notifications.EventNotificationContext; 25 | import org.graylog.events.notifications.EventNotificationModelData; 26 | import org.graylog.events.notifications.NotificationDto; 27 | import org.graylog.events.notifications.NotificationTestData; 28 | import org.graylog.events.processor.EventDefinitionDto; 29 | import org.graylog.scheduler.JobTriggerDto; 30 | import org.graylog2.jackson.TypeReferences; 31 | import org.graylog2.plugin.MessageSummary; 32 | import org.joda.time.DateTime; 33 | 34 | import jakarta.inject.Inject; 35 | import java.util.Map; 36 | import java.util.Optional; 37 | 38 | 39 | public class MessageBodyBuilder { 40 | 41 | private static final String UNKNOWN = ""; 42 | 43 | private final Engine templateEngine; 44 | 45 | private final ObjectMapper objectMapper; 46 | 47 | private final MessagesURLBuilder messagesURLBuilder; 48 | 49 | private final DBNotificationService notificationService; 50 | 51 | @Inject 52 | public MessageBodyBuilder(ObjectMapper objectMapper, DBNotificationService notificationService) { 53 | this.templateEngine = new Engine(); 54 | this.objectMapper = objectMapper; 55 | this.notificationService = notificationService; 56 | this.messagesURLBuilder = new MessagesURLBuilder(); 57 | } 58 | 59 | // package-protected 60 | String getAlertIdentifier(EventNotificationContext context) { 61 | return context.event().id(); 62 | } 63 | 64 | private LoggingAlertFields buildLoggingAlertFields(EventNotificationContext context, DateTime date) { 65 | String messagesUrl = this.messagesURLBuilder.buildMessagesUrl(context, date); 66 | String loggingAlertID = getAlertIdentifier(context); 67 | String severity = getSeverityFromContext(context); 68 | String notifTitle = getNotificationTitleFromContext(context); 69 | 70 | return new LoggingAlertFields(loggingAlertID, notifTitle, severity, date, messagesUrl); 71 | } 72 | 73 | private Map getModel(EventNotificationContext context, ImmutableList backlog, LoggingAlertFields loggingAlertFields) { 74 | Optional definitionDto = context.eventDefinition(); 75 | Optional jobTriggerDto = context.jobTrigger(); 76 | EventNotificationModelData modelData = EventNotificationModelData.builder() 77 | .eventDefinitionId(definitionDto.map(EventDefinitionDto::id).orElse(UNKNOWN)) 78 | .eventDefinitionType(definitionDto.map(d -> d.config().type()).orElse(UNKNOWN)) 79 | .eventDefinitionTitle(definitionDto.map(EventDefinitionDto::title).orElse(UNKNOWN)) 80 | .eventDefinitionDescription(definitionDto.map(EventDefinitionDto::description).orElse(UNKNOWN)) 81 | .jobDefinitionId(jobTriggerDto.map(JobTriggerDto::jobDefinitionId).orElse(UNKNOWN)) 82 | .jobTriggerId(jobTriggerDto.map(JobTriggerDto::id).orElse(UNKNOWN)) 83 | .event(context.event()) 84 | .backlog(backlog) 85 | .build(); 86 | Map model = this.objectMapper.convertValue(modelData, TypeReferences.MAP_STRING_OBJECT); 87 | model.put("logging_alert", loggingAlertFields); 88 | return model; 89 | } 90 | 91 | private String buildMessageBody(String logTemplate, EventNotificationContext context, ImmutableList backlog, LoggingAlertFields loggingAlertFields) { 92 | Map model = this.getModel(context, backlog, loggingAlertFields); 93 | return this.templateEngine.transform(logTemplate, model); 94 | } 95 | 96 | public String buildMessageBodyForBacklog(String logTemplate, EventNotificationContext context, DateTime date, ImmutableList backlog) { 97 | String identifier = this.getAlertIdentifier(context); 98 | String severity = getSeverityFromContext(context); 99 | String notifTitle = getNotificationTitleFromContext(context); 100 | 101 | String messagesURL = this.messagesURLBuilder.buildMessagesUrl(context, date); 102 | LoggingAlertFields loggingAlertFields = new LoggingAlertFields(identifier, notifTitle, severity, date, messagesURL); 103 | return this.buildMessageBody(logTemplate, context, backlog, loggingAlertFields); 104 | } 105 | 106 | public String buildMessageBodyForMessage(String logTemplate, EventNotificationContext context, DateTime date, MessageSummary message) { 107 | LoggingAlertFields loggingAlertFields = this.buildLoggingAlertFields(context, date); 108 | ImmutableList backlogWithMessage = new ImmutableList.Builder().add(message).build(); 109 | 110 | return this.buildMessageBody(logTemplate, context, backlogWithMessage, loggingAlertFields); 111 | } 112 | 113 | private String getSeverityFromContext(EventNotificationContext context) { 114 | String severity = SeverityType.LOW.getType(); 115 | if(context.eventDefinition().isPresent()) { 116 | severity = SeverityType.getSeverityTypeFromPriority(context.eventDefinition().get().priority()).getType(); 117 | } 118 | 119 | return severity; 120 | } 121 | 122 | private String getNotificationTitleFromContext(EventNotificationContext context) { 123 | if (NotificationTestData.TEST_NOTIFICATION_ID.equals(context.notificationId())) { 124 | return "Notification Test Title"; 125 | } 126 | Optional notif = notificationService.get(context.notificationId()); 127 | return notif.map(NotificationDto::title).orElse("No Title Notification"); 128 | } 129 | } 130 | -------------------------------------------------------------------------------- /validation/graylog/rest_api.py: -------------------------------------------------------------------------------- 1 | from urllib import parse 2 | import requests 3 | from requests.exceptions import ConnectionError 4 | from graylog.gelf_input import GelfInput 5 | 6 | STREAM_ALL_MESSAGES = "000000000000000000000001" 7 | _AUTH = ('admin', 'admin') 8 | _HEADERS = {'X-Requested-By': 'test-program'} 9 | 10 | _DEFAULT_LOG_BODY = 'type: alert\nid: ${logging_alert.id}\naggregation_id: ${event.fields.aggregation_id}\nseverity: ${logging_alert.severity}\napp: graylog\nsubject: ${event_definition_title}\nbody: ${event_definition_description}\n${if backlog && backlog[0]} src: ${backlog[0].fields.src_ip}\nsrc_category: ${backlog[0].fields.src_category}\ndest: ${backlog[0].fields.dest_ip}\ndest_category: ${backlog[0].fields.dest_category}\n${end}' 11 | 12 | 13 | class RestApi: 14 | 15 | def _build_url(self, path): 16 | return parse.urljoin('http://127.0.0.1:9000/api/', path) 17 | 18 | def _get(self, path): 19 | url = self._build_url(path) 20 | response = requests.get(url, auth=_AUTH, headers=_HEADERS) 21 | print('GET {} => {}'.format(url, response.status_code)) 22 | return response 23 | 24 | def _put(self, path, payload): 25 | url = self._build_url(path) 26 | response = requests.put(url, json=payload, auth=_AUTH, headers=_HEADERS) 27 | print('PUT {} {} => {}'.format(url, payload, response.status_code)) 28 | return response 29 | 30 | def _post(self, path, payload=None): 31 | url = self._build_url(path) 32 | response = requests.post(url, json=payload, auth=_AUTH, headers=_HEADERS) 33 | print('POST {} {} => {}'.format(url, payload, response.status_code)) 34 | return response 35 | 36 | def default_deflector_is_up(self): 37 | try: 38 | response = self._get('system/deflector') 39 | body = response.json() 40 | if body['is_up']: 41 | return True 42 | return False 43 | except ConnectionError: 44 | return False 45 | 46 | def create_notification(self, single_message=False, log_body=_DEFAULT_LOG_BODY, description='', title='N'): 47 | notification_configuration = { 48 | 'config': { 49 | 'log_body': log_body, 50 | 'single_notification': single_message, 51 | 'type': 'logging-alert-notification' 52 | }, 53 | 'description': description, 54 | 'title': title 55 | } 56 | response = self._post('events/notifications', notification_configuration) 57 | notification = response.json() 58 | return notification['id'] 59 | 60 | def create_event_definition(self, notification_identifier, streams=None, backlog_size=None, conditions=None, 61 | series=None, period=5): 62 | if series is None: 63 | series = [] 64 | if conditions is None: 65 | conditions = {} 66 | if streams is None: 67 | streams = [] 68 | events_definition_configuration = { 69 | 'alert': True, 70 | 'config': { 71 | 'conditions': conditions, 72 | 'event_limit': 100, 73 | 'execute_every_ms': period*1000, 74 | 'filters': [], 75 | 'group_by': [], 76 | 'query': '', 77 | 'query_parameters': [], 78 | 'search_within_ms': period*1000, 79 | 'series': series, 80 | 'streams': streams, 81 | 'type': 'aggregation-v1' 82 | }, 83 | 'description': '', 84 | 'field_spec': {}, 85 | 'key_spec': [], 86 | 'notification_settings': { 87 | 'backlog_size': backlog_size, 88 | 'grace_period_ms': 0 89 | }, 90 | 'notifications': [{ 91 | 'notification_id': notification_identifier 92 | }], 93 | 'priority': 2, 94 | 'title': 'E' 95 | } 96 | self._post('events/definitions', events_definition_configuration) 97 | 98 | def gelf_input_is_running(self, identifier): 99 | response = self._get('system/inputstates/') 100 | body = response.json() 101 | for state in body['states']: 102 | if state['id'] != identifier: 103 | continue 104 | return state['state'] == 'RUNNING' 105 | return False 106 | 107 | def create_gelf_input(self): 108 | payload = { 109 | 'configuration': { 110 | 'bind_address': '0.0.0.0', 111 | 'decompress_size_limit': 8388608, 112 | 'max_message_size': 2097152, 113 | 'number_worker_threads': 8, 114 | 'override_source': None, 115 | 'port': 12201, 116 | 'recv_buffer_size': 1048576, 117 | 'tcp_keepalive': False, 118 | 'tls_cert_file': '', 119 | 'tls_client_auth': 'disabled', 120 | 'tls_client_auth_cert_file': '', 121 | 'tls_enable': False, 122 | 'tls_key_file': 'admin', 123 | 'tls_key_password': 'admin', 124 | 'use_null_delimiter': True 125 | }, 126 | 'global': True, 127 | 'title': 'Inputs', 128 | 'type': 'org.graylog2.inputs.gelf.tcp.GELFTCPInput' 129 | } 130 | response = self._post('system/inputs', payload) 131 | identifier = response.json()['id'] 132 | return GelfInput(self, identifier) 133 | 134 | def create_stream_with_rule(self, title, field, value): 135 | response = self._get('system/indices/index_sets') 136 | default_index_set_identifier = response.json()['index_sets'][0]['id'] 137 | stream = { 138 | 'description': title, 139 | 'index_set_id': default_index_set_identifier, 140 | 'remove_matches_from_default_stream': False, 141 | 'title': title 142 | } 143 | response = self._post('streams', stream) 144 | stream_identifier = response.json()['stream_id'] 145 | rule = { 146 | 'description': '', 147 | 'field': field, 148 | 'inverted': False, 149 | 'type': 1, 150 | 'value': value 151 | } 152 | self._post('streams/{}/rules'.format(stream_identifier), rule) 153 | self._post('streams/{}/resume'.format(stream_identifier)) 154 | return stream_identifier 155 | 156 | def update_plugin_configuration(self, aggregation_stream=None): 157 | plugin_configuration = { 158 | 'alert_tag': 'LoggingAlert', 159 | 'log_body': _DEFAULT_LOG_BODY, 160 | 'separator': ' | ', 161 | 'overflow_tag': 'LoggingOverflow' 162 | } 163 | if aggregation_stream: 164 | plugin_configuration['aggregation_stream'] = aggregation_stream 165 | response = self._put('system/cluster_config/com.airbus_cyber_security.graylog.events.config.LoggingAlertConfig', plugin_configuration) 166 | return response.status_code 167 | 168 | def configure_telemetry(self): 169 | configuration = { 170 | 'telemetry_enabled': False, 171 | 'telemetry_permission_asked': True 172 | } 173 | self._put('telemetry/user/settings', configuration) 174 | 175 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Continuous Integration 2 | 3 | on: push 4 | 5 | env: 6 | JAVA_VERSION: 17 7 | 8 | jobs: 9 | build: 10 | runs-on: ubuntu-22.04 11 | steps: 12 | - name: Check out repository code 13 | uses: actions/checkout@v3 14 | with: 15 | path: plugin 16 | - name: Setup Java JDK ${{ env.JAVA_VERSION }} 17 | uses: actions/setup-java@v3 18 | with: 19 | java-version: ${{ env.JAVA_VERSION }} 20 | distribution: temurin 21 | cache: maven 22 | - name: Retrieve variables from pom 23 | id: requestPom 24 | working-directory: plugin 25 | run: | 26 | echo "GRAYLOG_VERSION=$(mvn help:evaluate -Dexpression=project.parent.version -q -DforceStdout)" >> $GITHUB_OUTPUT 27 | 28 | NAME=$(mvn help:evaluate -Dexpression=project.name -q -DforceStdout) 29 | VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) 30 | echo "VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT 31 | echo "JAR_PATH=target/$NAME-$VERSION.jar" >> $GITHUB_OUTPUT 32 | echo "RPM_PATH=target/rpm/$NAME/RPMS/noarch/$NAME-$VERSION-1.noarch.rpm" >> $GITHUB_OUTPUT 33 | echo "DEB_PATH=target/$NAME-$VERSION.deb" >> $GITHUB_OUTPUT 34 | - name: Cache Graylog 35 | uses: actions/cache@v3 36 | id: cache 37 | with: 38 | path: graylog2-server 39 | key: ${{ steps.requestPom.outputs.GRAYLOG_VERSION }} 40 | - name: Check out Graylog ${{ steps.requestPom.outputs.GRAYLOG_VERSION }} 41 | if: steps.cache.outputs.cache-hit != 'true' 42 | uses: actions/checkout@v3 43 | with: 44 | repository: Graylog2/graylog2-server 45 | ref: ${{ steps.requestPom.outputs.GRAYLOG_VERSION }} 46 | path: graylog2-server 47 | - name: Build Graylog 48 | if: steps.cache.outputs.cache-hit != 'true' 49 | working-directory: graylog2-server 50 | run: | 51 | ./mvnw compile -DskipTests=true --batch-mode 52 | - name: Cache node_modules 53 | uses: actions/cache@v3 54 | with: 55 | path: plugin/node_modules 56 | key: ${{ hashFiles('plugin/yarn.lock') }} 57 | - name: Build plugin 58 | working-directory: plugin 59 | run: | 60 | ./mvnw package --batch-mode 61 | - name: Prepare backend tests runtime 62 | working-directory: plugin 63 | run: | 64 | mkdir runtime/graylog/plugin 65 | cp ${{ steps.requestPom.outputs.JAR_PATH }} runtime/graylog/plugin 66 | echo GRAYLOG_VERSION=${{ steps.requestPom.outputs.GRAYLOG_VERSION }} > runtime/.env 67 | - name: Cache backend tests python dependencies 68 | uses: actions/cache@v3 69 | with: 70 | path: plugin/validation/server/venv 71 | key: ${{ hashFiles('plugin/validation/server/requirements.txt') }} 72 | - name: Execute backend tests 73 | working-directory: plugin/validation/server 74 | run: | 75 | python -m venv venv 76 | source venv/bin/activate 77 | pip install -r requirements.txt 78 | docker compose --project-directory ../../runtime pull 79 | PYTHONUNBUFFERED=true PYTHONPATH=.. python -m unittest --verbose 80 | # TODO improve this, see https://playwright.dev/python/docs/ci-intro (in particular, use setup-python?) 81 | - name: Cache Playwright tests python dependencies 82 | uses: actions/cache@v3 83 | with: 84 | path: plugin/validation/server/venv 85 | key: ${{ hashFiles('plugin/validation/end_to_end/requirements.txt') }} 86 | - name: Run Playwright tests 87 | working-directory: plugin/validation/end_to_end 88 | run: | 89 | python -m venv venv 90 | source venv/bin/activate 91 | pip install -r requirements.txt 92 | playwright install chromium 93 | docker compose --project-directory ../../runtime pull 94 | PYTHONPATH=.. pytest --tracing=retain-on-failure 95 | - uses: actions/upload-artifact@v4 96 | if: always() 97 | with: 98 | name: playwright-report 99 | path: plugin/validation/end_to_end/test-results/ 100 | - name: Package signed .rpm 101 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 102 | working-directory: plugin 103 | env: 104 | GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} 105 | PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} 106 | run: | 107 | ./mvnw rpm:rpm 108 | echo -n "$GPG_PRIVATE_KEY" | gpg2 --batch --allow-secret-key-import --import 109 | rpm --define "_gpg_name Airbus CyberSecurity" --define "_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase $PASSPHRASE" --addsign "${{ steps.requestPom.outputs.RPM_PATH }}" 110 | - name: Package signed .deb 111 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 112 | working-directory: plugin 113 | env: 114 | GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} 115 | PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} 116 | run: | 117 | echo -n "$GPG_PRIVATE_KEY" | gpg2 --batch --allow-secret-key-import --import 118 | gpg2 --export-secret-keys --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" > $HOME/.gnupg/secring.gpg 119 | ./mvnw org.vafer:jdeb:jdeb --settings deployment/settings.xml 120 | - name: Check license headers 121 | working-directory: plugin 122 | run: | 123 | ./mvnw license:check 124 | - name: Archive .jar 125 | uses: actions/upload-artifact@v4 126 | with: 127 | name: jar 128 | path: plugin/${{ steps.requestPom.outputs.JAR_PATH }} 129 | if-no-files-found: error 130 | - name: Archive .rpm 131 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 132 | uses: actions/upload-artifact@v4 133 | with: 134 | name: rpm 135 | path: plugin/${{ steps.requestPom.outputs.RPM_PATH }} 136 | if-no-files-found: error 137 | - name: Archive .deb 138 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 139 | uses: actions/upload-artifact@v4 140 | with: 141 | name: deb 142 | path: plugin/${{ steps.requestPom.outputs.DEB_PATH }} 143 | if-no-files-found: error 144 | - name: Release 145 | if: startsWith(github.ref, 'refs/tags/') 146 | uses: softprops/action-gh-release@v1 147 | with: 148 | files: | 149 | plugin/${{ steps.requestPom.outputs.JAR_PATH }} 150 | plugin/${{ steps.requestPom.outputs.RPM_PATH }} 151 | plugin/${{ steps.requestPom.outputs.DEB_PATH }} 152 | fail_on_unmatched_files: true 153 | - name: Deploy to Maven Central 154 | if: startsWith(github.ref, 'refs/tags/') || endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') 155 | working-directory: plugin 156 | env: 157 | SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} 158 | SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} 159 | GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} 160 | PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} 161 | run: | 162 | echo -n "$GPG_PRIVATE_KEY" | gpg2 --batch --allow-secret-key-import --import 163 | ./mvnw clean deploy -DskipTests=true --settings deployment/settings.xml 164 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/notifications/types/MessagesURLBuilder.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package com.airbus_cyber_security.graylog.events.notifications.types; 18 | 19 | import org.graylog.events.event.EventDto; 20 | import org.graylog.events.notifications.EventNotificationContext; 21 | import org.graylog.events.processor.EventDefinitionDto; 22 | import org.graylog.events.processor.EventProcessorConfig; 23 | import org.graylog.events.processor.aggregation.AggregationEventProcessorConfig; 24 | import org.joda.time.DateTime; 25 | import org.joda.time.format.DateTimeFormat; 26 | import org.joda.time.format.DateTimeFormatter; 27 | 28 | import java.lang.reflect.Method; 29 | import java.util.ArrayList; 30 | import java.util.List; 31 | import java.util.Map; 32 | import java.util.Optional; 33 | import java.util.Set; 34 | 35 | public class MessagesURLBuilder { 36 | 37 | private static final String MSGS_URL_BEGIN = "/search?rangetype=absolute&from="; 38 | private static final String MSGS_URL_TO = "&to="; 39 | private static final String MSGS_URL_QUERY = "&q="; 40 | private static final String MSGS_URL_STREAM = "&streams="; 41 | private static final String COMMA_SEPARATOR = "%2C"; 42 | private static final String EMPTY_VALUE = "(Empty Value)"; 43 | private static final DateTimeFormatter TIME_FORMATTER = DateTimeFormat.forPattern("yyy-MM-dd'T'HH'%3A'mm'%3A'ss.SSS'Z'"); 44 | 45 | private String buildSourceStreams(EventDto event) { 46 | Set sourceStreams = event.sourceStreams(); 47 | if (sourceStreams.isEmpty()) { 48 | return ""; 49 | } 50 | StringBuilder result = new StringBuilder(); 51 | for (String stream: sourceStreams) { 52 | if (!result.isEmpty()) { 53 | result.append(COMMA_SEPARATOR); 54 | } 55 | result.append(stream); 56 | } 57 | return MSGS_URL_STREAM + result; 58 | } 59 | 60 | private String buildSearchQuery(Optional eventDefinitionOpt, Map groupByFields) { 61 | if (eventDefinitionOpt.isPresent()) { 62 | EventDefinitionDto eventDefinition = eventDefinitionOpt.get(); 63 | EventProcessorConfig config = eventDefinition.config(); 64 | String configType = getEventProcessorConfigType(config); 65 | 66 | List filters = new ArrayList<>(); 67 | 68 | if (configType.equals(AggregationEventProcessorConfig.TYPE_NAME)) { 69 | filters.addAll(getFiltersFromAggregation((AggregationEventProcessorConfig) config)); 70 | } else if (configType.equals("correlation-count")) { 71 | filters.addAll(getFiltersFromCorrelationCount(config)); 72 | } 73 | 74 | // Add groupByFields in filters (separate empty value) 75 | groupByFields.entrySet().stream().filter(MessagesURLBuilder::emptyValue) 76 | .map(entry -> "NOT _exists_:" + entry.getKey()).forEach(filters::add); 77 | groupByFields.entrySet().stream().filter(MessagesURLBuilder::notEmptyValue) 78 | .map( entry -> entry.getKey() + ":" + entry.getValue()).forEach(filters::add); 79 | 80 | // Build query 81 | Optional filterResult = filters.stream().reduce((x, y) -> "(" + x + ") AND (" + y + ")"); 82 | 83 | if (filterResult.isPresent()) { 84 | return MSGS_URL_QUERY + filterResult.get(); 85 | } 86 | } 87 | 88 | return ""; 89 | } 90 | 91 | /** 92 | * Get type and avoid Exception for FallbackConfig 93 | */ 94 | private String getEventProcessorConfigType(EventProcessorConfig config) { 95 | try { 96 | return config.type(); 97 | } catch (UnsupportedOperationException e) { 98 | return ""; 99 | } 100 | } 101 | 102 | private List getFiltersFromAggregation(AggregationEventProcessorConfig aggregationConfig) { 103 | List filters = new ArrayList<>(); 104 | 105 | String searchQuery = aggregationConfig.query(); 106 | if (isValidSearchQuery(searchQuery)) { 107 | filters.add(searchQuery); 108 | } 109 | 110 | return filters; 111 | } 112 | 113 | /** 114 | * Use Reflexion for CorrelationCountProcessorConfig to avoid dependency with graylog-plugin-correlation-count 115 | */ 116 | private List getFiltersFromCorrelationCount(EventProcessorConfig config) { 117 | try { 118 | List filters = new ArrayList<>(); 119 | Class correlationCountClass = config.getClass().getSuperclass(); 120 | Method methodSearchQuery = correlationCountClass.getMethod("searchQuery"); 121 | String searchQuery = (String) methodSearchQuery.invoke(config); 122 | if (isValidSearchQuery(searchQuery)) { 123 | filters.add(searchQuery); 124 | } 125 | 126 | Method additionalSearchQueryMethod = correlationCountClass.getMethod("additionalSearchQuery"); 127 | String additionalSearchQuery = (String) additionalSearchQueryMethod.invoke(config); 128 | if (isValidSearchQuery(additionalSearchQuery)) { 129 | filters.add(additionalSearchQuery); 130 | } 131 | 132 | return filters; 133 | } catch (Exception e) { 134 | // Keep Exception to be noticed if class signature changed 135 | throw new RuntimeException(e); 136 | } 137 | } 138 | 139 | private boolean isValidSearchQuery(String searchQuery) { 140 | return searchQuery != null && !searchQuery.isEmpty() && !searchQuery.equals("*"); 141 | } 142 | 143 | private static boolean emptyValue(Map.Entry entry) { 144 | return EMPTY_VALUE.equals(entry.getValue()); 145 | } 146 | 147 | private static boolean notEmptyValue(Map.Entry entry) { 148 | return !EMPTY_VALUE.equals(entry.getValue()); 149 | } 150 | 151 | private DateTime evaluateEndTime(EventDto event, DateTime beginTime) { 152 | if (event.timerangeEnd().isEmpty()) { 153 | return beginTime.plusMinutes(1); 154 | } 155 | return event.timerangeEnd().get(); 156 | } 157 | 158 | // TODO simplify code: remove beginTime, replace the full context by event 159 | public String buildMessagesUrl(EventNotificationContext context, DateTime beginTime) { 160 | EventDto event = context.event(); 161 | if (event.timerangeStart().isPresent()) { 162 | beginTime = event.timerangeStart().get(); 163 | } 164 | DateTime endTime = evaluateEndTime(event, beginTime); 165 | // TODO review how beginTime/endTime are computed: they do not seem to correspond to the aggregation time range shown when viewing the alert!! 166 | return MSGS_URL_BEGIN + beginTime.toString(TIME_FORMATTER) 167 | + MSGS_URL_TO + endTime.toString(TIME_FORMATTER) 168 | + this.buildSearchQuery(context.eventDefinition(), event.groupByFields()) 169 | + this.buildSourceStreams(event); 170 | } 171 | } 172 | -------------------------------------------------------------------------------- /src/web/components/LoggingAlertConfig.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | // sources of inspiration for this code: 19 | // * components/common/URLWhiteListFormModal.tsx 20 | // * components/maps/configurations/GeoIpResolverConfig.tsx 21 | // * views/components/messagelist/MessageTableEntry.tsx 22 | // * pages/ShowMessagePage.tsx 23 | // * components/pipelines/ProcessingTimelineComponent.tsx (with useEffect for StreamsStore 24 | // * threatintel/components/ThreatIntelPluginConfig.jsx 25 | import React, { useState } from 'react'; 26 | import { BootstrapModalForm, Button, Input } from 'components/bootstrap'; 27 | import IfPermitted from 'components/common/IfPermitted'; 28 | 29 | export const DEFAULT_BODY_TEMPLATE = "type: alert" + "\n" + 30 | "id: ${logging_alert.id}" + "\n" + 31 | "aggregation_id: ${event.fields.aggregation_id}" + "\n" + 32 | "severity: ${logging_alert.severity}" + "\n" + 33 | "app: graylog" + "\n" + 34 | "subject: ${event_definition_title}" + "\n" + 35 | "body: ${event_definition_description}" + "\n" + 36 | "${if backlog && backlog[0]} src: ${backlog[0].fields.src_ip}" + "\n" + 37 | "src_category: ${backlog[0].fields.src_category}" + "\n" + 38 | "dest: ${backlog[0].fields.dest_ip}" + "\n" + 39 | "dest_category: ${backlog[0].fields.dest_category}" + "\n" + 40 | "${end}"; 41 | 42 | const DEFAULT_CONFIG = { 43 | separator: ' | ', 44 | log_body: DEFAULT_BODY_TEMPLATE, 45 | alert_tag: 'LoggingAlert', 46 | overflow_tag: 'LoggingOverflow', 47 | }; 48 | 49 | const _displayOptionalConfigurationValue = (value) => { 50 | if (!value) { 51 | return '[not set]'; 52 | } 53 | return value; 54 | }; 55 | 56 | const LoggingAlertConfig = ({ config = DEFAULT_CONFIG, updateConfig }) => { 57 | const [nextConfiguration, setNextConfiguration] = useState(config); 58 | const [showModal, setShowModal] = useState(false); 59 | 60 | const _openModal = () => { 61 | setShowModal(true); 62 | }; 63 | 64 | const _closeModal = () => { 65 | setShowModal(false); 66 | }; 67 | 68 | const _saveConfiguration = () => { 69 | updateConfig(nextConfiguration).then(() => { 70 | _closeModal(); 71 | }); 72 | }; 73 | 74 | const _resetConfiguration = () => { 75 | // note: this is necessary to cancel current configuration changes 76 | // scenario: open the configuration popup, change a field value, cancel, reopen the configuration popup 77 | // the field value should be back to what it was before its change 78 | setNextConfiguration(config); 79 | _closeModal(); 80 | }; 81 | 82 | const _updateConfigurationField = (field, value) => { 83 | const newConfiguration = {...nextConfiguration}; 84 | newConfiguration[field] = value; 85 | setNextConfiguration(newConfiguration); 86 | }; 87 | 88 | const _onUpdate = (field) => { 89 | return e => { 90 | _updateConfigurationField(field, e.target.value); 91 | }; 92 | }; 93 | 94 | return ( 95 |
96 |

Logging Alert Notification Configuration

97 | 98 |

99 | Base configuration for all plugins the Logging Alert Notification module is providing. Note 100 | that some parameters will be stored in MongoDB without encryption. 101 | Graylog users with required permissions will be able to read them in 102 | the configuration dialog on this page. 103 |

104 |
105 |
Log Content:
106 |
107 | {_displayOptionalConfigurationValue(config.log_body)} 108 |
109 |
110 |
111 |
Line Break Substitution:
112 |
113 | {_displayOptionalConfigurationValue(config.separator)} 114 |
115 |
116 |
117 |
Overflow Limit:
118 |
119 | {_displayOptionalConfigurationValue(config.limit_overflow)} 120 |
121 |
122 |
123 |
Alert Tag:
124 |
125 | {_displayOptionalConfigurationValue(config.alert_tag)} 126 |
127 |
128 |
129 |
Overflow Tag:
130 |
131 | {_displayOptionalConfigurationValue(config.overflow_tag)} 132 |
133 |
134 | 135 | 136 | 139 | 140 | 141 | 147 |
148 | 158 | 167 | 176 | 185 | 194 | 195 |
196 | 197 |
198 | ); 199 | }; 200 | 201 | export default LoggingAlertConfig; 202 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Change Log 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | ## [6.1.8](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.7...6.1.8) 6 | ### Bug Fixes 7 | * Fix notification creation error ([issue #60](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/60)) 8 | 9 | 10 | ## [6.1.7](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.6...6.1.7) 11 | ### Changes 12 | * Fully Remove Aggregation Feature ([issue #53](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/53)) 13 | 14 | 15 | ## [6.1.6](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.5...6.1.6) 16 | ### Changes 17 | * Remove Aggregation Stream ([issue #53](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/53)) 18 | 19 | 20 | ## [6.1.5](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.4...6.1.5) 21 | ### Bug Fixes 22 | * Fix logging_alert.messages_url, remove spaces ([issue #57](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/57)) 23 | 24 | 25 | ## [6.1.4](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.3...6.1.4) 26 | ### Bug Fixes 27 | * Improve Fix logging_alert.messages_url ([issue #56](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/56)) 28 | 29 | 30 | ## [6.1.3](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.2...6.1.3) 31 | ### Changes 32 | * Change Graylog minimum version to 6.1.4 33 | ### Bug Fixes 34 | * Fix logging_alert.messages_url ([issue #56](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/56)) 35 | 36 | 37 | ## [6.1.2](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.1...6.1.2) 38 | ### Features 39 | * Add logging_alert.title ([issue #54](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/54)) 40 | 41 | 42 | ## [6.1.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.1.0...6.1.1) 43 | ### Bug Fixes 44 | * Fix alert aggregation ([issue #101](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/101)) 45 | 46 | 47 | ## [6.1.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/6.0.0...6.1.0) 48 | ### Features 49 | * Add compatibility with [Graylog 6.1.0](https://graylog.org/post/announcing-graylog-v6-1/) 50 | ### Changes 51 | * Removed split fields in favor of group-by field on the event ([issue #101](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/101)) 52 | 53 | 54 | ## [6.0.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/5.1.4...6.0.0) 55 | ### Features 56 | * Add compatibility with [Graylog 6.0.6](https://graylog.org/post/announcing-graylog-6-0-6/) 57 | 58 | ### Bug Fixes 59 | * Remove severity and use event definition priority ([issue #100](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/100)) 60 | 61 | ## [5.1.4](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/5.1.3...5.1.4) 62 | ### Bug Fixes 63 | * FIX Plugin compatibility with Graylog 5.1.9 64 | 65 | ## [5.1.3](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/5.1.2...5.1.3) 66 | ### Bug Fixes 67 | * Inserted commas between split fields when they are displayed in the notification details ([issue #51](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/51)) 68 | 69 | ## [5.1.2](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/5.1.1...5.1.2) 70 | ### Bug Fixes 71 | * Cancel button of configuration was not working 72 | * Revert the display name of the plugin, as requests do not work anymore see ([issue #50](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/50)) and Graylog issue Graylog2/graylog2-server#15939 73 | 74 | ## [5.1.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/5.1.0...5.1.1) 75 | ### Bug Fixes 76 | * Plugin configuration name is shortened so that it is nicely displayed ([issue #50](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/50)) 77 | * The `message_url` is correctly computed when there is no backlog (such as aggregation event definitions of the form `count() < 1`) ([issue #47](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/47)) 78 | * The Aggregation time range is used to compute the `message_url` query parameters `from` and `to` ([issue #47](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/47)) 79 | 80 | ## [5.1.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/5.0.0...5.1.0) 81 | ### Features 82 | * Add compatibility with [Graylog 5.1](https://www.graylog.org/post/announcing-graylog-v5-1-3/) 83 | 84 | ## [5.0.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.4.1...5.0.0) 85 | ### Features 86 | * Add compatibility with [Graylog 5.0](https://www.graylog.org/post/announcing-graylog-v5-0-8/) 87 | 88 | ## [4.4.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.4.0...4.4.1) 89 | ### Bug Fixes 90 | * Plugin configuration is correctly displayed after being modified ([issue #44](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/44)) 91 | 92 | ## [4.4.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.3.0...4.4.0) 93 | ### Changes 94 | * Removed the possibility to use variable `${logging_alert.description}` in the body template 95 | 96 | ## [4.3.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.2.0...4.3.0) 97 | ### Features 98 | * Variable `${logging_alert.description}` can now be used in the body template to insert the notification description 99 | 100 | ## [4.2.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.1.2...4.2.0) 101 | ### Features 102 | * Add compatibility with [Graylog 4.3](https://www.graylog.org/post/announcing-graylog-v4-3-graylog-operations-graylog-security) 103 | 104 | ## [4.1.2](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.1.1...4.1.2) 105 | ### Bug Fixes 106 | * Exception on numeric split fields ([issue #38](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/38)) 107 | * Missing generation of signed rpms 108 | 109 | ## [4.1.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.1.0...4.1.1) 110 | ### Bug Fixes 111 | * Escape special characters \ and " in graylog url ([issue #14](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/14)) 112 | * Fixed color of Configure button ([issue #33](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/33)) 113 | 114 | ## [4.1.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.0.4...4.1.0) 115 | ### Features 116 | * Add compatibility with Graylog 4.2 117 | 118 | ## [4.0.4](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.0.3...4.0.4) 119 | ### Bug Fixes 120 | * Missing license header 121 | 122 | ## [4.0.3](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.0.2...4.0.3) 123 | ### Features 124 | * New page for the notification detail ([issue #31](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/31)) 125 | ### Bug Fixes 126 | * Do not reuse the logging identifier when it is already present in messages of the backlog ([issue #22](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/22)) 127 | * Exception when looking for the logging identifier to perform aggregation ([issue #30](https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/30)) 128 | 129 | ## [4.0.2](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.0.1...4.0.2) 130 | ### Bug Fixes 131 | * License was incorrectly specified in pom.xml 132 | 133 | ## [4.0.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/4.0.0...4.0.1) 134 | ### Features 135 | * Changed plugin license to SSPL version 1 136 | 137 | ## [4.0.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.2.0...4.0.0) 138 | ### Features 139 | * Add compatibility with Graylog 4.1 140 | 141 | ## [2.2.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.1.5...2.2.0) 142 | ### Features 143 | * Add compatibility with Graylog 3.3 144 | 145 | ## [2.1.5](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.1.4...2.1.5) 146 | ### Bug Fixes 147 | * Fix the alert ID generation 148 | 149 | ## [2.1.4](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.1.3...2.1.4) 150 | ### Bug Fixes 151 | * Fix default configuration when creating notification event 152 | 153 | ## [2.1.3](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.1.2...2.1.3) 154 | ### Bug Fixes 155 | * Fix logging_alert messages_url when split field 156 | 157 | ## [2.1.2](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.1.1...2.1.2) 158 | * Clean code, remove logging_alert.alert_url 159 | 160 | ## [2.1.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.1.0...2.1.1) 161 | ### Bug Fixes 162 | * Fix error when configuration update 163 | 164 | ## [2.1.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.0.2...2.1.0) 165 | * Refactoring 166 | 167 | ## [2.0.2](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.0.1...2.0.2) 168 | ### Bug Fixes 169 | * Add default log body when no general configuration 170 | 171 | ## [2.0.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/2.0.0...2.0.1) 172 | ### Bug Fixes 173 | * Fix notification error with backlog 174 | * Fix for single notification 175 | * Fix default template 176 | 177 | ## [2.0.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/1.3.0...2.0.0) 178 | ### Features 179 | * Add compatibility with Graylog 3.2 180 | 181 | ## [1.3.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/1.2.0...1.3.0) 182 | ### Features 183 | * Add single message notification 184 | 185 | ## [1.2.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/1.1.0...1.2.0) 186 | ### Features 187 | * Add compatibility with Graylog 3.0 188 | 189 | ## [1.1.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/1.0.1...1.1.0) 190 | ### Features 191 | * Add compatibility with Graylog 2.5 192 | 193 | ## [1.0.1](https://github.com/airbus-cyber/graylog-plugin-logging-alert/compare/1.0.0...1.0.1) 194 | ### Bug Fixes 195 | * Fix a notification error when aggregating alerts 196 | 197 | ## [1.0.0](https://github.com/airbus-cyber/graylog-plugin-logging-alert/tree/1.0.0) 198 | * First release 199 | -------------------------------------------------------------------------------- /src/test/java/com/airbus_cyber_security/graylog/events/notifications/types/MessagesURLBuilderTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | // sources of inspiration: 19 | // * org.graylog.events.notifications.NotificationTestData.NotificationTestData 20 | package com.airbus_cyber_security.graylog.events.notifications.types; 21 | 22 | import org.graylog.events.event.EventDto; 23 | import org.graylog.events.notifications.EventNotificationConfig; 24 | import org.graylog.events.notifications.EventNotificationContext; 25 | import com.google.common.collect.ImmutableSet; 26 | import com.google.common.collect.ImmutableList; 27 | import com.google.common.collect.ImmutableMap; 28 | import org.graylog.events.notifications.EventNotificationSettings; 29 | import org.graylog.events.processor.EventDefinitionDto; 30 | import org.graylog.events.processor.EventProcessorConfig; 31 | import org.graylog.events.processor.aggregation.AggregationEventProcessorConfig; 32 | import org.graylog.scheduler.JobSchedule; 33 | import org.graylog.scheduler.JobTriggerDto; 34 | import org.graylog2.plugin.Tools; 35 | import org.joda.time.DateTime; 36 | import org.junit.Assert; 37 | import org.junit.Before; 38 | import org.junit.Test; 39 | import org.graylog2.plugin.streams.Stream; 40 | import org.graylog.events.event.EventOriginContext; 41 | 42 | import java.util.Collections; 43 | 44 | public class MessagesURLBuilderTest { 45 | 46 | private MessagesURLBuilder subject; 47 | 48 | private DateTime dummyTime; 49 | 50 | private static final String TEST_NOTIFICATION_ID = "NotificationTestId"; 51 | private static final String TEST_SEARCH_QUERY = "src: x"; 52 | 53 | @Before 54 | public void setup() { 55 | this.subject = new MessagesURLBuilder(); 56 | this.dummyTime = DateTime.parse("2023-06-21T14:43:25Z"); 57 | } 58 | 59 | private EventDto.Builder dummyEventBuilder() { 60 | return EventDto.builder() 61 | .alert(true) 62 | .eventDefinitionId("EventDefinitionTestId") 63 | .eventDefinitionType("notification-test-v1") 64 | .eventTimestamp(this.dummyTime) 65 | .processingTimestamp(Tools.nowUTC()) 66 | .id("TEST_NOTIFICATION_ID") 67 | .streams(ImmutableSet.of(Stream.DEFAULT_EVENTS_STREAM_ID)) 68 | .message("Notification test message triggered from user") 69 | .source(Stream.DEFAULT_STREAM_ID) 70 | .keyTuple(ImmutableList.of("testkey")) 71 | .key("testkey") 72 | .originContext(EventOriginContext.elasticsearchMessage("testIndex_42", "b5e53442-12bb-4374-90ed-0deadbeefbaz")) 73 | .priority(2) 74 | .fields(ImmutableMap.of("field1", "value1", "field2", "value2")); 75 | } 76 | 77 | EventDefinitionDto buildDummyEventDefinition(boolean isFallback) { 78 | return EventDefinitionDto.builder() 79 | .alert(true) 80 | .id(TEST_NOTIFICATION_ID) 81 | .title("Event Definition Test Title") 82 | .description("Event Definition Test Description") 83 | .config(dummyEventProcessorConfig(isFallback)) 84 | .fieldSpec(ImmutableMap.of()) 85 | .priority(2) 86 | .keySpec(ImmutableList.of()) 87 | .notificationSettings(new EventNotificationSettings() { 88 | @Override 89 | public long gracePeriodMs() { 90 | return 0; 91 | } 92 | @Override 93 | // disable to avoid errors in getBacklogForEvent() 94 | public long backlogSize() { 95 | return 0; 96 | } 97 | @Override 98 | public Builder toBuilder() { 99 | return null; 100 | } 101 | } 102 | 103 | ).build(); 104 | } 105 | 106 | private EventNotificationContext.Builder dummyContextBuilder(boolean isFallback) { 107 | EventNotificationConfig notificationConfig = new EventNotificationConfig.FallbackNotificationConfig(); 108 | EventDefinitionDto eventDefinitionDto = buildDummyEventDefinition(isFallback); 109 | EventDto event = dummyEventBuilder() 110 | .timerangeStart(this.dummyTime) 111 | .timerangeEnd(this.dummyTime.plusMinutes(1)) 112 | .build(); 113 | return EventNotificationContext.builder() 114 | .notificationId(TEST_NOTIFICATION_ID) 115 | .notificationConfig(notificationConfig) 116 | .eventDefinition(eventDefinitionDto) 117 | .event(event); 118 | } 119 | 120 | private EventProcessorConfig dummyEventProcessorConfig(boolean isFallback) { 121 | if (isFallback) { 122 | return new EventProcessorConfig.FallbackConfig(); 123 | } else { 124 | EventProcessorConfig eventProcessorConfig = AggregationEventProcessorConfig.builder() 125 | .query(TEST_SEARCH_QUERY) 126 | .streams(Collections.emptySet()) 127 | .groupBy(Collections.emptyList()) 128 | .series(Collections.emptyList()) 129 | .searchWithinMs(60000) 130 | .executeEveryMs(60000) 131 | .build(); 132 | 133 | return eventProcessorConfig; 134 | } 135 | } 136 | 137 | private JobTriggerDto buildJobTrigger(DateTime jobTriggerTime) { 138 | return JobTriggerDto.builder() 139 | .jobDefinitionId("jobDefinitionId") 140 | .jobDefinitionType("jobDefinitionType") 141 | .schedule(new JobSchedule.FallbackSchedule()) 142 | .triggeredAt(jobTriggerTime) 143 | .build(); 144 | } 145 | 146 | private EventNotificationContext buildDummyContext(DateTime jobTriggerTime) { 147 | JobTriggerDto jobTrigger = buildJobTrigger(jobTriggerTime); 148 | return dummyContextBuilder(true) 149 | .jobTrigger(jobTrigger) 150 | .build(); 151 | } 152 | 153 | @Test 154 | public void buildMessagesUrlShouldNotFailWhenSplitFieldIsNotPresent() { 155 | EventNotificationContext context = this.buildDummyContext(this.dummyTime); 156 | this.subject.buildMessagesUrl(context, this.dummyTime); 157 | } 158 | 159 | @Test 160 | public void getStreamSearchUrlShouldNotFailWhenThereIsNoJobTrigger() { 161 | EventNotificationContext context = dummyContextBuilder(true).build(); 162 | this.subject.buildMessagesUrl(context, this.dummyTime); 163 | } 164 | 165 | @Test 166 | public void getStreamSearchUrlShouldNotFailWhenThereIsNoTimerangeStart() { 167 | EventDto event = dummyEventBuilder().timerangeEnd(this.dummyTime.plusMinutes(1)).build(); 168 | EventNotificationContext context = dummyContextBuilder(true).event(event).build(); 169 | this.subject.buildMessagesUrl(context, this.dummyTime); 170 | } 171 | 172 | @Test 173 | public void getStreamSearchUrlShouldNotFailWhenThereIsNoTimerangeEnd() { 174 | EventDto event = dummyEventBuilder().timerangeStart(this.dummyTime).build(); 175 | EventNotificationContext context = dummyContextBuilder(true).event(event).build(); 176 | this.subject.buildMessagesUrl(context, this.dummyTime); 177 | } 178 | 179 | @Test 180 | public void getStreamSearchUrlShouldNotContainsSearchQuery() { 181 | EventDto event = dummyEventBuilder().timerangeStart(this.dummyTime).build(); 182 | EventNotificationContext context = dummyContextBuilder(true).event(event).build(); 183 | String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime); 184 | 185 | Assert.assertFalse(messageUrl.contains("&q=")); 186 | } 187 | 188 | @Test 189 | public void getStreamSearchUrlShouldContainsSearchQuery() { 190 | EventDto event = dummyEventBuilder().timerangeStart(this.dummyTime).build(); 191 | EventNotificationContext context = dummyContextBuilder(false).event(event).build(); 192 | String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime); 193 | Assert.assertTrue(messageUrl.contains(TEST_SEARCH_QUERY)); 194 | } 195 | 196 | @Test 197 | public void getStreamSearchUrlShouldContainsSearchQueryAndGroupByFields() { 198 | String expectedValue = "(" + TEST_SEARCH_QUERY + ") AND (user:x)"; 199 | 200 | EventDto event = dummyEventBuilder().groupByFields(ImmutableMap.of("user", "x")).timerangeStart(this.dummyTime).build(); 201 | EventNotificationContext context = dummyContextBuilder(false).event(event).build(); 202 | String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime); 203 | Assert.assertTrue(messageUrl.contains(expectedValue)); 204 | } 205 | 206 | @Test 207 | public void getStreamSearchUrlShouldContainsSearchQueryAndEmptyGroupByFields() { 208 | String expectedValue = "(" + TEST_SEARCH_QUERY + ") AND (NOT _exists_:user)"; 209 | 210 | EventDto event = dummyEventBuilder().groupByFields(ImmutableMap.of("user", "(Empty Value)")).timerangeStart(this.dummyTime).build(); 211 | EventNotificationContext context = dummyContextBuilder(false).event(event).build(); 212 | String messageUrl = this.subject.buildMessagesUrl(context, this.dummyTime); 213 | Assert.assertTrue(messageUrl.contains(expectedValue)); 214 | } 215 | } 216 | -------------------------------------------------------------------------------- /mvnw: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ---------------------------------------------------------------------------- 3 | # Licensed to the Apache Software Foundation (ASF) under one 4 | # or more contributor license agreements. See the NOTICE file 5 | # distributed with this work for additional information 6 | # regarding copyright ownership. The ASF licenses this file 7 | # to you under the Apache License, Version 2.0 (the 8 | # "License"); you may not use this file except in compliance 9 | # with the License. You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, 14 | # software distributed under the License is distributed on an 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | # KIND, either express or implied. See the License for the 17 | # specific language governing permissions and limitations 18 | # under the License. 19 | # ---------------------------------------------------------------------------- 20 | 21 | # ---------------------------------------------------------------------------- 22 | # Apache Maven Wrapper startup batch script, version 3.2.0 23 | # 24 | # Optional ENV vars 25 | # ----------------- 26 | # JAVA_HOME - location of a JDK home dir, required when download maven via java source 27 | # MVNW_REPOURL - repo url base for downloading maven distribution 28 | # MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven 29 | # MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output 30 | # ---------------------------------------------------------------------------- 31 | 32 | set -euf 33 | [ "${MVNW_VERBOSE-}" != debug ] || set -x 34 | 35 | # OS specific support. 36 | native_path() { printf %s\\n "$1"; } 37 | case "$(uname)" in 38 | (CYGWIN*|MINGW*) [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")" 39 | native_path() { cygpath --path --windows "$1"; } ;; 40 | esac 41 | 42 | # set JAVACMD and JAVACCMD 43 | set_java_home() { 44 | # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched 45 | if [ -n "${JAVA_HOME-}" ] ; then 46 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 47 | # IBM's JDK on AIX uses strange locations for the executables 48 | JAVACMD="$JAVA_HOME/jre/sh/java" 49 | JAVACCMD="$JAVA_HOME/jre/sh/javac" 50 | else 51 | JAVACMD="$JAVA_HOME/bin/java" 52 | JAVACCMD="$JAVA_HOME/bin/javac" 53 | 54 | if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ] ; then 55 | echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2 56 | echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2 57 | return 1 58 | fi 59 | fi 60 | else 61 | JAVACMD="$('set' +e; 'unset' -f command 2>/dev/null; 'command' -v java)" || : 62 | JAVACCMD="$('set' +e; 'unset' -f command 2>/dev/null; 'command' -v javac)" || : 63 | 64 | if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ] ; then 65 | echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2 66 | return 1 67 | fi 68 | fi 69 | } 70 | 71 | # hash string like Java String::hashCode 72 | hash_string() { 73 | str="${1:-}" h=0 74 | while [ -n "$str" ]; do 75 | h=$(( ( h * 31 + $(LC_CTYPE=C printf %d "'$str") ) % 4294967296 )) 76 | str="${str#?}" 77 | done 78 | printf %x\\n $h 79 | } 80 | 81 | verbose() { :; } 82 | [ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; } 83 | 84 | die() { 85 | printf %s\\n "$1" >&2 86 | exit 1 87 | } 88 | 89 | # parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties 90 | while IFS="=" read -r key value; do 91 | case "${key-}" in 92 | distributionUrl) distributionUrl="${value-}" ;; 93 | distributionSha256Sum) distributionSha256Sum="${value-}" ;; 94 | esac 95 | done < "${0%/*}/.mvn/wrapper/maven-wrapper.properties" 96 | [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in ${0%/*}/.mvn/wrapper/maven-wrapper.properties" 97 | 98 | 99 | case "${distributionUrl##*/}" in 100 | (maven-mvnd-*bin.*) 101 | MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ 102 | case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in 103 | (*AMD64:CYGWIN*|*AMD64:MINGW*) distributionPlatform=windows-amd64 ;; 104 | (:Darwin*x86_64) distributionPlatform=darwin-amd64 ;; 105 | (:Darwin*arm64) distributionPlatform=darwin-aarch64 ;; 106 | (:Linux*x86_64*) distributionPlatform=linux-amd64 ;; 107 | (*) echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2 108 | distributionPlatform=linux-amd64 109 | ;; 110 | esac 111 | distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip" 112 | ;; 113 | (maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;; 114 | (*) MVN_CMD="mvn${0##*/mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;; 115 | esac 116 | 117 | # apply MVNW_REPOURL and calculate MAVEN_HOME 118 | # maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ 119 | [ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}" 120 | distributionUrlName="${distributionUrl##*/}" 121 | distributionUrlNameMain="${distributionUrlName%.*}" 122 | distributionUrlNameMain="${distributionUrlNameMain%-bin}" 123 | MAVEN_HOME="$HOME/.m2/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" 124 | 125 | exec_maven() { 126 | unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || : 127 | exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD" 128 | } 129 | 130 | if [ -d "$MAVEN_HOME" ]; then 131 | verbose "found existing MAVEN_HOME at $MAVEN_HOME" 132 | exec_maven "$@" 133 | fi 134 | 135 | case "${distributionUrl-}" in 136 | (*?-bin.zip|*?maven-mvnd-?*-?*.zip) ;; 137 | (*) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;; 138 | esac 139 | 140 | # prepare tmp dir 141 | if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then 142 | clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; } 143 | trap clean HUP INT TERM EXIT 144 | else 145 | die "cannot create temp dir" 146 | fi 147 | 148 | mkdir -p -- "${MAVEN_HOME%/*}" 149 | 150 | # Download and Install Apache Maven 151 | verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." 152 | verbose "Downloading from: $distributionUrl" 153 | verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" 154 | 155 | # select .zip or .tar.gz 156 | if ! command -v unzip >/dev/null; then 157 | distributionUrl="${distributionUrl%.zip}.tar.gz" 158 | distributionUrlName="${distributionUrl##*/}" 159 | fi 160 | 161 | # verbose opt 162 | __MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR='' 163 | [ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v 164 | 165 | # normalize http auth 166 | case "${MVNW_PASSWORD:+has-password}" in 167 | '') MVNW_USERNAME='' MVNW_PASSWORD='' ;; 168 | has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;; 169 | esac 170 | 171 | if [ -z "${MVNW_USERNAME-}" ] && command -v wget > /dev/null; then 172 | verbose "Found wget ... using wget" 173 | wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" 174 | elif [ -z "${MVNW_USERNAME-}" ] && command -v curl > /dev/null; then 175 | verbose "Found curl ... using curl" 176 | curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" 177 | elif set_java_home; then 178 | verbose "Falling back to use Java to download" 179 | javaSource="$TMP_DOWNLOAD_DIR/Downloader.java" 180 | targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName" 181 | cat > "$javaSource" <<-END 182 | public class Downloader extends java.net.Authenticator 183 | { 184 | protected java.net.PasswordAuthentication getPasswordAuthentication() 185 | { 186 | return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() ); 187 | } 188 | public static void main( String[] args ) throws Exception 189 | { 190 | setDefault( new Downloader() ); 191 | java.nio.file.Files.copy( new java.net.URL( args[0] ).openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() ); 192 | } 193 | } 194 | END 195 | # For Cygwin/MinGW, switch paths to Windows format before running javac and java 196 | verbose " - Compiling Downloader.java ..." 197 | "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" 198 | verbose " - Running Downloader.java ..." 199 | "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")" 200 | fi 201 | 202 | # If specified, validate the SHA-256 sum of the Maven distribution zip file 203 | if [ -n "${distributionSha256Sum-}" ]; then 204 | distributionSha256Result=false 205 | if [ "$MVN_CMD" = mvnd.sh ]; then 206 | echo "Checksum validation is not supported for maven-mvnd." >&2 207 | echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 208 | exit 1 209 | elif command -v sha256sum > /dev/null; then 210 | if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c > /dev/null 2>&1; then 211 | distributionSha256Result=true 212 | fi 213 | elif command -v shasum > /dev/null; then 214 | if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c > /dev/null 2>&1; then 215 | distributionSha256Result=true 216 | fi 217 | else 218 | echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2 219 | echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 220 | exit 1 221 | fi 222 | if [ $distributionSha256Result = false ]; then 223 | echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2 224 | echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2 225 | exit 1 226 | fi 227 | fi 228 | 229 | # unzip and move 230 | if command -v unzip > /dev/null; then 231 | unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" 232 | else 233 | tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" 234 | fi 235 | printf %s\\n "$distributionUrl" > "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/mvnw.url" 236 | mv -- "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME" 237 | 238 | clean || : 239 | exec_maven "$@" 240 | -------------------------------------------------------------------------------- /validation/server/test.py: -------------------------------------------------------------------------------- 1 | # to create and populate the test venv: 2 | # * python3 -m venv venv 3 | # * source venv/bin/activate 4 | # * pip install -r requirements.txt 5 | # to execute these tests: 6 | # * activate venv 7 | # source ./venv/bin/activate 8 | # * execute tests 9 | # python -m unittest --verbose 10 | # * execute only one test 11 | # PYTHONPATH=.. python -m unittest test.Test.test_notification_identifier_should_not_be_from_the_message_in_the_backlog_issue22 12 | 13 | from unittest import TestCase, skip 14 | import time 15 | from graylog.driver import Driver 16 | 17 | _PERIOD = 5 18 | 19 | 20 | class Test(TestCase): 21 | 22 | def setUp(self) -> None: 23 | self._subject = Driver('../../runtime') 24 | self._subject.start() 25 | 26 | def tearDown(self) -> None: 27 | self._subject.stop() 28 | 29 | def _count_notification_log(self, logs): 30 | result = 0 31 | for log in logs.splitlines(): 32 | if 'INFO : LoggingAlert' not in log: 33 | continue 34 | result += 1 35 | return result 36 | 37 | def _parse_notification_log(self, logs): 38 | for log in logs.splitlines(): 39 | if 'INFO : LoggingAlert' not in log: 40 | continue 41 | return log 42 | return None 43 | 44 | # TODO try to simplify the default log body so that this parsing is easier 45 | def _parse_notification_identifier(self, log): 46 | log_sections = log.split(' | ') 47 | _, identifier = log_sections[2].split(': ') 48 | return identifier 49 | 50 | def _parse_notification_url(self, log): 51 | log_sections = log.split(' | ') 52 | _, url = log_sections[3].split(': ') 53 | return url 54 | 55 | def _wait_until_notification(self): 56 | duration = 60 57 | for i in range(duration): 58 | time.sleep(1) 59 | logs = self._subject.extract_logs() 60 | notification_identifier = self._parse_notification_log(logs) 61 | if notification_identifier is not None: 62 | return notification_identifier 63 | print('All logs') 64 | print(self._subject._server.extract_all_logs()) 65 | print('Latest logs') 66 | print(logs) 67 | self.fail(f'Notification not logged within {duration} seconds') 68 | 69 | def test_process_an_event_should_not_fail_for_a_notification_with_aggregation_issue30(self): 70 | notification_identifier = self._subject.create_notification() 71 | self._subject.create_event_definition(notification_identifier, period=_PERIOD) 72 | 73 | with self._subject.create_gelf_input() as gelf_inputs: 74 | self._subject.start_logs_capture() 75 | gelf_inputs.send({}) 76 | time.sleep(2*_PERIOD) 77 | 78 | gelf_inputs.send({}) 79 | time.sleep(_PERIOD) 80 | 81 | gelf_inputs.send({'short_message': 'pop'}) 82 | # wait long enough for potential exception to occur (even on slow machines) 83 | time.sleep(2*_PERIOD) 84 | logs = self._subject.extract_logs() 85 | self.assertNotIn('ElasticsearchException', logs) 86 | 87 | def test_notification_identifier_should_not_be_from_the_message_in_the_backlog_issue22(self): 88 | notification_definition_identifier = self._subject.create_notification() 89 | self._subject.create_event_definition(notification_definition_identifier, backlog_size=50, period=_PERIOD) 90 | 91 | with self._subject.create_gelf_input() as gelf_inputs: 92 | self._subject.start_logs_capture() 93 | gelf_inputs.send({'_id': 'message_identifier'}) 94 | time.sleep(_PERIOD) 95 | 96 | gelf_inputs.send({'short_message': 'pop'}) 97 | notification_identifier = self._parse_notification_identifier(self._wait_until_notification()) 98 | 99 | self.assertNotEqual(notification_identifier, 'message_identifier') 100 | 101 | def test_set_logging_alert_configuration_should_not_fail(self): 102 | status_code = self._subject.update_plugin_configuration() 103 | # TODO should be 200 instead of 202!! 104 | self.assertEqual(202, status_code) 105 | 106 | def test_aggregation_should_not_reuse_identifier_from_different_event_definition(self): 107 | stream_input1_identifier = self._subject.create_stream_with_rule('input1', 'stream', 'input1') 108 | stream_input2_identifier = self._subject.create_stream_with_rule('input2', 'stream', 'input2') 109 | stream_log_identifier = self._subject.create_stream_with_rule('log', 'stream', 'log') 110 | self._subject.create_stream_with_rule('pop', 'stream', 'pop') 111 | self._subject.update_plugin_configuration(stream_log_identifier) 112 | notification_definition_identifier = self._subject.create_notification() 113 | self._subject.create_event_definition(notification_definition_identifier, 114 | streams=[stream_input1_identifier], 115 | period=_PERIOD) 116 | self._subject.create_event_definition(notification_definition_identifier, 117 | streams=[stream_input2_identifier], 118 | period=_PERIOD) 119 | 120 | with self._subject.create_gelf_input() as gelf_inputs: 121 | self._subject.start_logs_capture() 122 | gelf_inputs.send({'_stream': 'input1'}) 123 | time.sleep(_PERIOD) 124 | 125 | gelf_inputs.send({'short_message': 'pop', '_stream': 'pop'}) 126 | notification_identifier1 = self._parse_notification_identifier(self._wait_until_notification()) 127 | 128 | self._subject.start_logs_capture() 129 | gelf_inputs.send({'_id': notification_identifier1, '_stream': 'log'}) 130 | gelf_inputs.send({'_stream': 'input2'}) 131 | time.sleep(_PERIOD) 132 | 133 | gelf_inputs.send({'short_message': 'pop', '_stream': 'pop'}) 134 | # Seems like this test sometimes fails here, should we wait a little bit longer? Or is this truly a bug, a misisng notification? 135 | notification_identifier2 = self._parse_notification_identifier(self._wait_until_notification()) 136 | 137 | self.assertNotEqual(notification_identifier2, notification_identifier1) 138 | 139 | def test_aggregation_should_send_several_messages_when_there_is_a_backlog(self): 140 | stream_input_identifier = self._subject.create_stream_with_rule('input', 'stream', 'input') 141 | stream_log_identifier = self._subject.create_stream_with_rule('log', 'stream', 'log') 142 | self._subject.create_stream_with_rule('pop', 'stream', 'pop') 143 | self._subject.update_plugin_configuration(stream_log_identifier) 144 | notification_definition_identifier = self._subject.create_notification() 145 | conditions = { 146 | 'expression': { 147 | 'expr': '>', 148 | 'left': { 149 | 'expr': 'number-ref', 150 | 'ref': 'count-' 151 | }, 152 | 'right': { 153 | 'expr': 'number', 154 | 'value': 1 155 | } 156 | } 157 | } 158 | serie = { 159 | 'type': 'count', 160 | 'id': 'count-' 161 | } 162 | self._subject.create_event_definition(notification_definition_identifier, 163 | streams=[stream_input_identifier], backlog_size=50, 164 | conditions=conditions, 165 | series=[serie], 166 | period=_PERIOD) 167 | 168 | with self._subject.create_gelf_input() as gelf_inputs: 169 | self._subject.start_logs_capture() 170 | gelf_inputs.send({'_stream': 'input'}) 171 | gelf_inputs.send({'_stream': 'input'}) 172 | time.sleep(_PERIOD) 173 | 174 | gelf_inputs.send({'short_message': 'pop', '_stream': 'pop'}) 175 | self._wait_until_notification() 176 | 177 | logs = self._subject.extract_logs() 178 | self.assertEqual(self._count_notification_log(logs), 2) 179 | 180 | def test_aggregation_should_send_one_messages_when_there_is_a_backlog_and_single_message(self): 181 | stream_input_identifier = self._subject.create_stream_with_rule('input', 'stream', 'input') 182 | stream_log_identifier = self._subject.create_stream_with_rule('log', 'stream', 'log') 183 | self._subject.create_stream_with_rule('pop', 'stream', 'pop') 184 | self._subject.update_plugin_configuration(stream_log_identifier) 185 | notification_definition_identifier = self._subject.create_notification(single_message=True) 186 | conditions = { 187 | 'expression': { 188 | 'expr': '>', 189 | 'left': { 190 | 'expr': 'number-ref', 191 | 'ref': 'count-' 192 | }, 193 | 'right': { 194 | 'expr': 'number', 195 | 'value': 1 196 | } 197 | } 198 | } 199 | serie = { 200 | 'type': 'count', 201 | 'id': 'count-' 202 | } 203 | self._subject.create_event_definition(notification_definition_identifier, 204 | streams=[stream_input_identifier], backlog_size=50, 205 | conditions=conditions, 206 | series=[serie], 207 | period=_PERIOD) 208 | 209 | with self._subject.create_gelf_input() as gelf_inputs: 210 | self._subject.start_logs_capture() 211 | gelf_inputs.send({'_stream': 'input'}) 212 | gelf_inputs.send({'_stream': 'input'}) 213 | time.sleep(_PERIOD) 214 | 215 | gelf_inputs.send({'short_message': 'pop', '_stream': 'pop'}) 216 | self._wait_until_notification() 217 | 218 | logs = self._subject.extract_logs() 219 | self.assertEqual(self._count_notification_log(logs), 1) 220 | 221 | def test_notification_logging_alert_title_issue54(self): 222 | notif_title = 'Notification Title Test' 223 | notif_log_body = 'type: alert\nid: ${logging_alert.id}\nseverity: ${logging_alert.severity}\napp: graylog\nsubject: ${logging_alert.title}' 224 | notification_definition_identifier = self._subject.create_notification(title=notif_title, log_body=notif_log_body) 225 | self._subject.create_event_definition(notification_definition_identifier, period=_PERIOD) 226 | 227 | with self._subject.create_gelf_input() as gelf_inputs: 228 | self._subject.start_logs_capture() 229 | gelf_inputs.send({}) 230 | time.sleep(2*_PERIOD) 231 | 232 | gelf_inputs.send({}) 233 | time.sleep(_PERIOD) 234 | 235 | gelf_inputs.send({'short_message': 'pop'}) 236 | # wait long enough for potential exception to occur (even on slow machines) 237 | time.sleep(2*_PERIOD) 238 | logs = self._subject.extract_logs() 239 | self.assertIn(notif_title, logs) 240 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | 4.0.0 22 | 23 | 24 | org.graylog.plugins 25 | graylog-plugin-web-parent 26 | 6.1.4 27 | 28 | 29 | com.airbus-cyber-security.graylog 30 | graylog-plugin-logging-alert 31 | 6.1.8 32 | jar 33 | ${project.artifactId} 34 | Graylog ${project.artifactId} plugin. 35 | https://github.com/airbus-cyber/graylog-plugin-logging-alert 36 | 37 | 38 | 39 | Server Side Public License (SSPL) version 1 40 | https://www.mongodb.com/licensing/server-side-public-license 41 | 42 | 43 | 44 | 45 | 46 | Airbus CyberSecurity 47 | Airbus CyberSecurity 48 | https://www.airbus-cyber-security.com 49 | 50 | 51 | 52 | 53 | scm:git:git@github.com:airbus-cyber/graylog-plugin-logging-alert.git 54 | scm:git:git@github.com:airbus-cyber/graylog-plugin-logging-alert.git 55 | https://github.com/airbus-cyber/graylog-plugin-logging-alert 56 | HEAD 57 | 58 | 59 | 60 | UTF-8 61 | ${project.parent.version} 62 | /usr/share/graylog-server/plugin 63 | 64 | 65 | 66 | 67 | 68 | 69 | io.dropwizard.metrics 70 | metrics-core 71 | ${metrics.version} 72 | runtime 73 | 74 | 75 | com.swrve 76 | rate-limited-logger 77 | 2.0.2 78 | runtime 79 | 80 | 81 | org.mongodb 82 | bson 83 | ${mongodb-driver.version} 84 | runtime 85 | 86 | 87 | 88 | jakarta.annotation 89 | jakarta.annotation-api 90 | ${jakarta.annotation-api.version} 91 | provided 92 | 93 | 94 | javax.annotation 95 | javax.annotation-api 96 | ${javax.annotation-api.version} 97 | provided 98 | 99 | 100 | org.bouncycastle 101 | bcprov-jdk18on 102 | ${bouncycastle.version} 103 | provided 104 | 105 | 106 | commons-io 107 | commons-io 108 | ${commons-io.version} 109 | provided 110 | 111 | 112 | com.floreysoft 113 | jmte 114 | ${jmte.version} 115 | provided 116 | 117 | 118 | org.apache.logging.log4j 119 | log4j-core 120 | ${log4j.version} 121 | provided 122 | 123 | 124 | org.slf4j 125 | slf4j-api 126 | ${slf4j.version} 127 | provided 128 | 129 | 130 | joda-time 131 | joda-time 132 | ${joda-time.version} 133 | provided 134 | 135 | 136 | com.google.inject 137 | guice 138 | ${guice.version} 139 | provided 140 | 141 | 142 | com.fasterxml.jackson.core 143 | jackson-annotations 144 | ${jackson.version} 145 | provided 146 | 147 | 148 | com.fasterxml.jackson.core 149 | jackson-databind 150 | ${jackson.version} 151 | provided 152 | 153 | 154 | org.mongodb 155 | mongodb-driver-sync 156 | ${mongodb-driver.version} 157 | provided 158 | 159 | 160 | 161 | junit 162 | junit 163 | ${junit.version} 164 | test 165 | 166 | 167 | org.assertj 168 | assertj-core 169 | ${assertj-core.version} 170 | test 171 | 172 | 173 | org.mockito 174 | mockito-core 175 | ${mockito.version} 176 | test 177 | 178 | 179 | 180 | 181 | 182 | 183 | ${web.build-dir} 184 | 185 | 186 | src/main/resources 187 | true 188 | 189 | 190 | 191 | 199 | 200 | com.mycila 201 | license-maven-plugin 202 | 203 | 204 | 205 |
com/mycila/maven/plugin/license/templates/SSPL-1.txt
206 | 207 | 2018 208 | Airbus CyberSecurity (SAS) 209 | 210 | 211 | **/src/main/java/** 212 | **/src/test/java/** 213 | **/pom.xml 214 | 215 | *.js 216 | src/web/**/*.js 217 | src/web/**/*.jsx 218 | src/web/**/*.ts 219 | src/web/**/*.tsx 220 | src/web/**/*.css 221 | 222 | 223 | *.config.js 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | check 232 | 233 | 234 | 235 | 236 | 237 | org.apache.maven.plugins 238 | maven-enforcer-plugin 239 | 240 | 241 | enforce-versions 242 | validate 243 | 244 | enforce 245 | 246 | 247 | true 248 | false 249 | 250 | 251 | 252 | [3.9.0,) 253 | 254 | 255 | [17.0,17.99] 256 | 257 | 258 | unix 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | maven-assembly-plugin 267 | 268 | true 269 | 270 | 271 | 272 | org.apache.maven.plugins 273 | maven-jar-plugin 274 | 275 | 276 | 277 | ${project.groupId}.${project.artifactId} 278 | 279 | 280 | target 281 | 282 | 283 | 284 | org.apache.maven.plugins 285 | maven-shade-plugin 286 | 287 | false 288 | 289 | 290 | 291 | 292 | 293 | com.airbus-cyber-security.graylog:* 294 | 295 | 296 | 297 | 298 | 299 | package 300 | 301 | shade 302 | 303 | 304 | 305 | 306 | 307 | org.vafer 308 | jdeb 309 | 310 | ${project.build.directory}/${project.artifactId}-${project.version}.deb 311 | 312 | 313 | ${project.build.directory}/${project.build.finalName}.jar 314 | file 315 | 316 | perm 317 | ${graylog.plugin-dir} 318 | 644 319 | root 320 | root 321 | 322 | 323 | 324 | true 325 | dpkg-sig 326 | builder 327 | 328 | 329 | 330 | org.codehaus.mojo 331 | rpm-maven-plugin 332 | 333 | Application/Internet 334 | 335 | /usr 336 | 337 | 338 | _unpackaged_files_terminate_build 0 339 | _binaries_in_noarch_packages_terminate_build 0 340 | 341 | 644 342 | 755 343 | root 344 | root 345 | 346 | 347 | ${graylog.plugin-dir} 348 | 349 | 350 | ${project.build.directory}/ 351 | 352 | ${project.build.finalName}.jar 353 | 354 | 355 | 356 | 357 | 358 | 359 | 360 | 361 | org.apache.maven.plugins 362 | maven-gpg-plugin 363 | 364 | 365 | sign-artifacts 366 | verify 367 | 368 | sign 369 | 370 | 371 | 372 | --pinentry-mode 373 | loopback 374 | 375 | 376 | 377 | 378 | 379 | 380 | org.apache.maven.plugins 381 | maven-source-plugin 382 | 383 | 384 | attach-sources 385 | 386 | jar-no-fork 387 | 388 | 389 | 390 | 391 | 392 | org.apache.maven.plugins 393 | maven-javadoc-plugin 394 | 395 | -missing 396 | 397 | 398 | 399 | attach-javadocs 400 | 401 | jar 402 | 403 | 404 | 405 | 406 | 407 | org.sonatype.central 408 | central-publishing-maven-plugin 409 | 0.7.0 410 | true 411 | 412 | central 413 | true 414 | published 415 | 10 416 | 3600 417 | 418 | 419 | 420 | 421 | 422 | 423 | 424 | 425 | web-interface-build 426 | 427 | 428 | !skip.web.build 429 | 430 | 431 | 432 | 433 | 434 | com.github.eirslett 435 | frontend-maven-plugin 436 | 437 | false 438 | 439 | 440 | 441 | yarn test 442 | 443 | yarn 444 | 445 | test 446 | 447 | test 448 | 449 | 450 | 451 | 452 | 453 | 454 | 455 | 456 | 457 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Server Side Public License 2 | VERSION 1, OCTOBER 16, 2018 3 | 4 | Copyright © 2018 MongoDB, Inc. 5 | 6 | Everyone is permitted to copy and distribute verbatim copies of this 7 | license document, but changing it is not allowed. 8 | 9 | TERMS AND CONDITIONS 10 | 11 | 0. Definitions. 12 | 13 | “This License” refers to Server Side Public License. 14 | 15 | “Copyright” also means copyright-like laws that apply to other kinds of 16 | works, such as semiconductor masks. 17 | 18 | “The Program” refers to any copyrightable work licensed under this 19 | License. Each licensee is addressed as “you”. “Licensees” and 20 | “recipients” may be individuals or organizations. 21 | 22 | To “modify” a work means to copy from or adapt all or part of the work in 23 | a fashion requiring copyright permission, other than the making of an 24 | exact copy. The resulting work is called a “modified version” of the 25 | earlier work or a work “based on” the earlier work. 26 | 27 | A “covered work” means either the unmodified Program or a work based on 28 | the Program. 29 | 30 | To “propagate” a work means to do anything with it that, without 31 | permission, would make you directly or secondarily liable for 32 | infringement under applicable copyright law, except executing it on a 33 | computer or modifying a private copy. Propagation includes copying, 34 | distribution (with or without modification), making available to the 35 | public, and in some countries other activities as well. 36 | 37 | To “convey” a work means any kind of propagation that enables other 38 | parties to make or receive copies. Mere interaction with a user through a 39 | computer network, with no transfer of a copy, is not conveying. 40 | 41 | An interactive user interface displays “Appropriate Legal Notices” to the 42 | extent that it includes a convenient and prominently visible feature that 43 | (1) displays an appropriate copyright notice, and (2) tells the user that 44 | there is no warranty for the work (except to the extent that warranties 45 | are provided), that licensees may convey the work under this License, and 46 | how to view a copy of this License. If the interface presents a list of 47 | user commands or options, such as a menu, a prominent item in the list 48 | meets this criterion. 49 | 50 | 1. Source Code. 51 | 52 | The “source code” for a work means the preferred form of the work for 53 | making modifications to it. “Object code” means any non-source form of a 54 | work. 55 | 56 | A “Standard Interface” means an interface that either is an official 57 | standard defined by a recognized standards body, or, in the case of 58 | interfaces specified for a particular programming language, one that is 59 | widely used among developers working in that language. The “System 60 | Libraries” of an executable work include anything, other than the work as 61 | a whole, that (a) is included in the normal form of packaging a Major 62 | Component, but which is not part of that Major Component, and (b) serves 63 | only to enable use of the work with that Major Component, or to implement 64 | a Standard Interface for which an implementation is available to the 65 | public in source code form. A “Major Component”, in this context, means a 66 | major essential component (kernel, window system, and so on) of the 67 | specific operating system (if any) on which the executable work runs, or 68 | a compiler used to produce the work, or an object code interpreter used 69 | to run it. 70 | 71 | The “Corresponding Source” for a work in object code form means all the 72 | source code needed to generate, install, and (for an executable work) run 73 | the object code and to modify the work, including scripts to control 74 | those activities. However, it does not include the work's System 75 | Libraries, or general-purpose tools or generally available free programs 76 | which are used unmodified in performing those activities but which are 77 | not part of the work. For example, Corresponding Source includes 78 | interface definition files associated with source files for the work, and 79 | the source code for shared libraries and dynamically linked subprograms 80 | that the work is specifically designed to require, such as by intimate 81 | data communication or control flow between those subprograms and other 82 | parts of the work. 83 | 84 | The Corresponding Source need not include anything that users can 85 | regenerate automatically from other parts of the Corresponding Source. 86 | 87 | The Corresponding Source for a work in source code form is that same work. 88 | 89 | 2. Basic Permissions. 90 | 91 | All rights granted under this License are granted for the term of 92 | copyright on the Program, and are irrevocable provided the stated 93 | conditions are met. This License explicitly affirms your unlimited 94 | permission to run the unmodified Program, subject to section 13. The 95 | output from running a covered work is covered by this License only if the 96 | output, given its content, constitutes a covered work. This License 97 | acknowledges your rights of fair use or other equivalent, as provided by 98 | copyright law. Subject to section 13, you may make, run and propagate 99 | covered works that you do not convey, without conditions so long as your 100 | license otherwise remains in force. You may convey covered works to 101 | others for the sole purpose of having them make modifications exclusively 102 | for you, or provide you with facilities for running those works, provided 103 | that you comply with the terms of this License in conveying all 104 | material for which you do not control copyright. Those thus making or 105 | running the covered works for you must do so exclusively on your 106 | behalf, under your direction and control, on terms that prohibit them 107 | from making any copies of your copyrighted material outside their 108 | relationship with you. 109 | 110 | Conveying under any other circumstances is permitted solely under the 111 | conditions stated below. Sublicensing is not allowed; section 10 makes it 112 | unnecessary. 113 | 114 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 115 | 116 | No covered work shall be deemed part of an effective technological 117 | measure under any applicable law fulfilling obligations under article 11 118 | of the WIPO copyright treaty adopted on 20 December 1996, or similar laws 119 | prohibiting or restricting circumvention of such measures. 120 | 121 | When you convey a covered work, you waive any legal power to forbid 122 | circumvention of technological measures to the extent such circumvention is 123 | effected by exercising rights under this License with respect to the 124 | covered work, and you disclaim any intention to limit operation or 125 | modification of the work as a means of enforcing, against the work's users, 126 | your or third parties' legal rights to forbid circumvention of 127 | technological measures. 128 | 129 | 4. Conveying Verbatim Copies. 130 | 131 | You may convey verbatim copies of the Program's source code as you 132 | receive it, in any medium, provided that you conspicuously and 133 | appropriately publish on each copy an appropriate copyright notice; keep 134 | intact all notices stating that this License and any non-permissive terms 135 | added in accord with section 7 apply to the code; keep intact all notices 136 | of the absence of any warranty; and give all recipients a copy of this 137 | License along with the Program. You may charge any price or no price for 138 | each copy that you convey, and you may offer support or warranty 139 | protection for a fee. 140 | 141 | 5. Conveying Modified Source Versions. 142 | 143 | You may convey a work based on the Program, or the modifications to 144 | produce it from the Program, in the form of source code under the terms 145 | of section 4, provided that you also meet all of these conditions: 146 | 147 | a) The work must carry prominent notices stating that you modified it, 148 | and giving a relevant date. 149 | 150 | b) The work must carry prominent notices stating that it is released 151 | under this License and any conditions added under section 7. This 152 | requirement modifies the requirement in section 4 to “keep intact all 153 | notices”. 154 | 155 | c) You must license the entire work, as a whole, under this License to 156 | anyone who comes into possession of a copy. This License will therefore 157 | apply, along with any applicable section 7 additional terms, to the 158 | whole of the work, and all its parts, regardless of how they are 159 | packaged. This License gives no permission to license the work in any 160 | other way, but it does not invalidate such permission if you have 161 | separately received it. 162 | 163 | d) If the work has interactive user interfaces, each must display 164 | Appropriate Legal Notices; however, if the Program has interactive 165 | interfaces that do not display Appropriate Legal Notices, your work 166 | need not make them do so. 167 | 168 | A compilation of a covered work with other separate and independent 169 | works, which are not by their nature extensions of the covered work, and 170 | which are not combined with it such as to form a larger program, in or on 171 | a volume of a storage or distribution medium, is called an “aggregate” if 172 | the compilation and its resulting copyright are not used to limit the 173 | access or legal rights of the compilation's users beyond what the 174 | individual works permit. Inclusion of a covered work in an aggregate does 175 | not cause this License to apply to the other parts of the aggregate. 176 | 177 | 6. Conveying Non-Source Forms. 178 | 179 | You may convey a covered work in object code form under the terms of 180 | sections 4 and 5, provided that you also convey the machine-readable 181 | Corresponding Source under the terms of this License, in one of these 182 | ways: 183 | 184 | a) Convey the object code in, or embodied in, a physical product 185 | (including a physical distribution medium), accompanied by the 186 | Corresponding Source fixed on a durable physical medium customarily 187 | used for software interchange. 188 | 189 | b) Convey the object code in, or embodied in, a physical product 190 | (including a physical distribution medium), accompanied by a written 191 | offer, valid for at least three years and valid for as long as you 192 | offer spare parts or customer support for that product model, to give 193 | anyone who possesses the object code either (1) a copy of the 194 | Corresponding Source for all the software in the product that is 195 | covered by this License, on a durable physical medium customarily used 196 | for software interchange, for a price no more than your reasonable cost 197 | of physically performing this conveying of source, or (2) access to 198 | copy the Corresponding Source from a network server at no charge. 199 | 200 | c) Convey individual copies of the object code with a copy of the 201 | written offer to provide the Corresponding Source. This alternative is 202 | allowed only occasionally and noncommercially, and only if you received 203 | the object code with such an offer, in accord with subsection 6b. 204 | 205 | d) Convey the object code by offering access from a designated place 206 | (gratis or for a charge), and offer equivalent access to the 207 | Corresponding Source in the same way through the same place at no 208 | further charge. You need not require recipients to copy the 209 | Corresponding Source along with the object code. If the place to copy 210 | the object code is a network server, the Corresponding Source may be on 211 | a different server (operated by you or a third party) that supports 212 | equivalent copying facilities, provided you maintain clear directions 213 | next to the object code saying where to find the Corresponding Source. 214 | Regardless of what server hosts the Corresponding Source, you remain 215 | obligated to ensure that it is available for as long as needed to 216 | satisfy these requirements. 217 | 218 | e) Convey the object code using peer-to-peer transmission, provided you 219 | inform other peers where the object code and Corresponding Source of 220 | the work are being offered to the general public at no charge under 221 | subsection 6d. 222 | 223 | A separable portion of the object code, whose source code is excluded 224 | from the Corresponding Source as a System Library, need not be included 225 | in conveying the object code work. 226 | 227 | A “User Product” is either (1) a “consumer product”, which means any 228 | tangible personal property which is normally used for personal, family, 229 | or household purposes, or (2) anything designed or sold for incorporation 230 | into a dwelling. In determining whether a product is a consumer product, 231 | doubtful cases shall be resolved in favor of coverage. For a particular 232 | product received by a particular user, “normally used” refers to a 233 | typical or common use of that class of product, regardless of the status 234 | of the particular user or of the way in which the particular user 235 | actually uses, or expects or is expected to use, the product. A product 236 | is a consumer product regardless of whether the product has substantial 237 | commercial, industrial or non-consumer uses, unless such uses represent 238 | the only significant mode of use of the product. 239 | 240 | “Installation Information” for a User Product means any methods, 241 | procedures, authorization keys, or other information required to install 242 | and execute modified versions of a covered work in that User Product from 243 | a modified version of its Corresponding Source. The information must 244 | suffice to ensure that the continued functioning of the modified object 245 | code is in no case prevented or interfered with solely because 246 | modification has been made. 247 | 248 | If you convey an object code work under this section in, or with, or 249 | specifically for use in, a User Product, and the conveying occurs as part 250 | of a transaction in which the right of possession and use of the User 251 | Product is transferred to the recipient in perpetuity or for a fixed term 252 | (regardless of how the transaction is characterized), the Corresponding 253 | Source conveyed under this section must be accompanied by the 254 | Installation Information. But this requirement does not apply if neither 255 | you nor any third party retains the ability to install modified object 256 | code on the User Product (for example, the work has been installed in 257 | ROM). 258 | 259 | The requirement to provide Installation Information does not include a 260 | requirement to continue to provide support service, warranty, or updates 261 | for a work that has been modified or installed by the recipient, or for 262 | the User Product in which it has been modified or installed. Access 263 | to a network may be denied when the modification itself materially 264 | and adversely affects the operation of the network or violates the 265 | rules and protocols for communication across the network. 266 | 267 | Corresponding Source conveyed, and Installation Information provided, in 268 | accord with this section must be in a format that is publicly documented 269 | (and with an implementation available to the public in source code form), 270 | and must require no special password or key for unpacking, reading or 271 | copying. 272 | 273 | 7. Additional Terms. 274 | 275 | “Additional permissions” are terms that supplement the terms of this 276 | License by making exceptions from one or more of its conditions. 277 | Additional permissions that are applicable to the entire Program shall be 278 | treated as though they were included in this License, to the extent that 279 | they are valid under applicable law. If additional permissions apply only 280 | to part of the Program, that part may be used separately under those 281 | permissions, but the entire Program remains governed by this License 282 | without regard to the additional permissions. When you convey a copy of 283 | a covered work, you may at your option remove any additional permissions 284 | from that copy, or from any part of it. (Additional permissions may be 285 | written to require their own removal in certain cases when you modify the 286 | work.) You may place additional permissions on material, added by you to 287 | a covered work, for which you have or can give appropriate copyright 288 | permission. 289 | 290 | Notwithstanding any other provision of this License, for material you add 291 | to a covered work, you may (if authorized by the copyright holders of 292 | that material) supplement the terms of this License with terms: 293 | 294 | a) Disclaiming warranty or limiting liability differently from the 295 | terms of sections 15 and 16 of this License; or 296 | 297 | b) Requiring preservation of specified reasonable legal notices or 298 | author attributions in that material or in the Appropriate Legal 299 | Notices displayed by works containing it; or 300 | 301 | c) Prohibiting misrepresentation of the origin of that material, or 302 | requiring that modified versions of such material be marked in 303 | reasonable ways as different from the original version; or 304 | 305 | d) Limiting the use for publicity purposes of names of licensors or 306 | authors of the material; or 307 | 308 | e) Declining to grant rights under trademark law for use of some trade 309 | names, trademarks, or service marks; or 310 | 311 | f) Requiring indemnification of licensors and authors of that material 312 | by anyone who conveys the material (or modified versions of it) with 313 | contractual assumptions of liability to the recipient, for any 314 | liability that these contractual assumptions directly impose on those 315 | licensors and authors. 316 | 317 | All other non-permissive additional terms are considered “further 318 | restrictions” within the meaning of section 10. If the Program as you 319 | received it, or any part of it, contains a notice stating that it is 320 | governed by this License along with a term that is a further restriction, 321 | you may remove that term. If a license document contains a further 322 | restriction but permits relicensing or conveying under this License, you 323 | may add to a covered work material governed by the terms of that license 324 | document, provided that the further restriction does not survive such 325 | relicensing or conveying. 326 | 327 | If you add terms to a covered work in accord with this section, you must 328 | place, in the relevant source files, a statement of the additional terms 329 | that apply to those files, or a notice indicating where to find the 330 | applicable terms. Additional terms, permissive or non-permissive, may be 331 | stated in the form of a separately written license, or stated as 332 | exceptions; the above requirements apply either way. 333 | 334 | 8. Termination. 335 | 336 | You may not propagate or modify a covered work except as expressly 337 | provided under this License. Any attempt otherwise to propagate or modify 338 | it is void, and will automatically terminate your rights under this 339 | License (including any patent licenses granted under the third paragraph 340 | of section 11). 341 | 342 | However, if you cease all violation of this License, then your license 343 | from a particular copyright holder is reinstated (a) provisionally, 344 | unless and until the copyright holder explicitly and finally terminates 345 | your license, and (b) permanently, if the copyright holder fails to 346 | notify you of the violation by some reasonable means prior to 60 days 347 | after the cessation. 348 | 349 | Moreover, your license from a particular copyright holder is reinstated 350 | permanently if the copyright holder notifies you of the violation by some 351 | reasonable means, this is the first time you have received notice of 352 | violation of this License (for any work) from that copyright holder, and 353 | you cure the violation prior to 30 days after your receipt of the notice. 354 | 355 | Termination of your rights under this section does not terminate the 356 | licenses of parties who have received copies or rights from you under 357 | this License. If your rights have been terminated and not permanently 358 | reinstated, you do not qualify to receive new licenses for the same 359 | material under section 10. 360 | 361 | 9. Acceptance Not Required for Having Copies. 362 | 363 | You are not required to accept this License in order to receive or run a 364 | copy of the Program. Ancillary propagation of a covered work occurring 365 | solely as a consequence of using peer-to-peer transmission to receive a 366 | copy likewise does not require acceptance. However, nothing other than 367 | this License grants you permission to propagate or modify any covered 368 | work. These actions infringe copyright if you do not accept this License. 369 | Therefore, by modifying or propagating a covered work, you indicate your 370 | acceptance of this License to do so. 371 | 372 | 10. Automatic Licensing of Downstream Recipients. 373 | 374 | Each time you convey a covered work, the recipient automatically receives 375 | a license from the original licensors, to run, modify and propagate that 376 | work, subject to this License. You are not responsible for enforcing 377 | compliance by third parties with this License. 378 | 379 | An “entity transaction” is a transaction transferring control of an 380 | organization, or substantially all assets of one, or subdividing an 381 | organization, or merging organizations. If propagation of a covered work 382 | results from an entity transaction, each party to that transaction who 383 | receives a copy of the work also receives whatever licenses to the work 384 | the party's predecessor in interest had or could give under the previous 385 | paragraph, plus a right to possession of the Corresponding Source of the 386 | work from the predecessor in interest, if the predecessor has it or can 387 | get it with reasonable efforts. 388 | 389 | You may not impose any further restrictions on the exercise of the rights 390 | granted or affirmed under this License. For example, you may not impose a 391 | license fee, royalty, or other charge for exercise of rights granted 392 | under this License, and you may not initiate litigation (including a 393 | cross-claim or counterclaim in a lawsuit) alleging that any patent claim 394 | is infringed by making, using, selling, offering for sale, or importing 395 | the Program or any portion of it. 396 | 397 | 11. Patents. 398 | 399 | A “contributor” is a copyright holder who authorizes use under this 400 | License of the Program or a work on which the Program is based. The work 401 | thus licensed is called the contributor's “contributor version”. 402 | 403 | A contributor's “essential patent claims” are all patent claims owned or 404 | controlled by the contributor, whether already acquired or hereafter 405 | acquired, that would be infringed by some manner, permitted by this 406 | License, of making, using, or selling its contributor version, but do not 407 | include claims that would be infringed only as a consequence of further 408 | modification of the contributor version. For purposes of this definition, 409 | “control” includes the right to grant patent sublicenses in a manner 410 | consistent with the requirements of this License. 411 | 412 | Each contributor grants you a non-exclusive, worldwide, royalty-free 413 | patent license under the contributor's essential patent claims, to make, 414 | use, sell, offer for sale, import and otherwise run, modify and propagate 415 | the contents of its contributor version. 416 | 417 | In the following three paragraphs, a “patent license” is any express 418 | agreement or commitment, however denominated, not to enforce a patent 419 | (such as an express permission to practice a patent or covenant not to 420 | sue for patent infringement). To “grant” such a patent license to a party 421 | means to make such an agreement or commitment not to enforce a patent 422 | against the party. 423 | 424 | If you convey a covered work, knowingly relying on a patent license, and 425 | the Corresponding Source of the work is not available for anyone to copy, 426 | free of charge and under the terms of this License, through a publicly 427 | available network server or other readily accessible means, then you must 428 | either (1) cause the Corresponding Source to be so available, or (2) 429 | arrange to deprive yourself of the benefit of the patent license for this 430 | particular work, or (3) arrange, in a manner consistent with the 431 | requirements of this License, to extend the patent license to downstream 432 | recipients. “Knowingly relying” means you have actual knowledge that, but 433 | for the patent license, your conveying the covered work in a country, or 434 | your recipient's use of the covered work in a country, would infringe 435 | one or more identifiable patents in that country that you have reason 436 | to believe are valid. 437 | 438 | If, pursuant to or in connection with a single transaction or 439 | arrangement, you convey, or propagate by procuring conveyance of, a 440 | covered work, and grant a patent license to some of the parties receiving 441 | the covered work authorizing them to use, propagate, modify or convey a 442 | specific copy of the covered work, then the patent license you grant is 443 | automatically extended to all recipients of the covered work and works 444 | based on it. 445 | 446 | A patent license is “discriminatory” if it does not include within the 447 | scope of its coverage, prohibits the exercise of, or is conditioned on 448 | the non-exercise of one or more of the rights that are specifically 449 | granted under this License. You may not convey a covered work if you are 450 | a party to an arrangement with a third party that is in the business of 451 | distributing software, under which you make payment to the third party 452 | based on the extent of your activity of conveying the work, and under 453 | which the third party grants, to any of the parties who would receive the 454 | covered work from you, a discriminatory patent license (a) in connection 455 | with copies of the covered work conveyed by you (or copies made from 456 | those copies), or (b) primarily for and in connection with specific 457 | products or compilations that contain the covered work, unless you 458 | entered into that arrangement, or that patent license was granted, prior 459 | to 28 March 2007. 460 | 461 | Nothing in this License shall be construed as excluding or limiting any 462 | implied license or other defenses to infringement that may otherwise be 463 | available to you under applicable patent law. 464 | 465 | 12. No Surrender of Others' Freedom. 466 | 467 | If conditions are imposed on you (whether by court order, agreement or 468 | otherwise) that contradict the conditions of this License, they do not 469 | excuse you from the conditions of this License. If you cannot use, 470 | propagate or convey a covered work so as to satisfy simultaneously your 471 | obligations under this License and any other pertinent obligations, then 472 | as a consequence you may not use, propagate or convey it at all. For 473 | example, if you agree to terms that obligate you to collect a royalty for 474 | further conveying from those to whom you convey the Program, the only way 475 | you could satisfy both those terms and this License would be to refrain 476 | entirely from conveying the Program. 477 | 478 | 13. Offering the Program as a Service. 479 | 480 | If you make the functionality of the Program or a modified version 481 | available to third parties as a service, you must make the Service Source 482 | Code available via network download to everyone at no charge, under the 483 | terms of this License. Making the functionality of the Program or 484 | modified version available to third parties as a service includes, 485 | without limitation, enabling third parties to interact with the 486 | functionality of the Program or modified version remotely through a 487 | computer network, offering a service the value of which entirely or 488 | primarily derives from the value of the Program or modified version, or 489 | offering a service that accomplishes for users the primary purpose of the 490 | Program or modified version. 491 | 492 | “Service Source Code” means the Corresponding Source for the Program or 493 | the modified version, and the Corresponding Source for all programs that 494 | you use to make the Program or modified version available as a service, 495 | including, without limitation, management software, user interfaces, 496 | application program interfaces, automation software, monitoring software, 497 | backup software, storage software and hosting software, all such that a 498 | user could run an instance of the service using the Service Source Code 499 | you make available. 500 | 501 | 14. Revised Versions of this License. 502 | 503 | MongoDB, Inc. may publish revised and/or new versions of the Server Side 504 | Public License from time to time. Such new versions will be similar in 505 | spirit to the present version, but may differ in detail to address new 506 | problems or concerns. 507 | 508 | Each version is given a distinguishing version number. If the Program 509 | specifies that a certain numbered version of the Server Side Public 510 | License “or any later version” applies to it, you have the option of 511 | following the terms and conditions either of that numbered version or of 512 | any later version published by MongoDB, Inc. If the Program does not 513 | specify a version number of the Server Side Public License, you may 514 | choose any version ever published by MongoDB, Inc. 515 | 516 | If the Program specifies that a proxy can decide which future versions of 517 | the Server Side Public License can be used, that proxy's public statement 518 | of acceptance of a version permanently authorizes you to choose that 519 | version for the Program. 520 | 521 | Later license versions may give you additional or different permissions. 522 | However, no additional obligations are imposed on any author or copyright 523 | holder as a result of your choosing to follow a later version. 524 | 525 | 15. Disclaimer of Warranty. 526 | 527 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 528 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 529 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY 530 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 531 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 532 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 533 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 534 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 535 | 536 | 16. Limitation of Liability. 537 | 538 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 539 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 540 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING 541 | ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF 542 | THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO 543 | LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU 544 | OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 545 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 546 | POSSIBILITY OF SUCH DAMAGES. 547 | 548 | 17. Interpretation of Sections 15 and 16. 549 | 550 | If the disclaimer of warranty and limitation of liability provided above 551 | cannot be given local legal effect according to their terms, reviewing 552 | courts shall apply local law that most closely approximates an absolute 553 | waiver of all civil liability in connection with the Program, unless a 554 | warranty or assumption of liability accompanies a copy of the Program in 555 | return for a fee. 556 | 557 | END OF TERMS AND CONDITIONS 558 | --------------------------------------------------------------------------------