-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add correlation rule layer for events-correlation-engine #7132
Conversation
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First round review. Let's get a solid foundation here and iterate quickly in followup PRs.
...relation-engine/src/main/java/org/opensearch/plugin/correlation/EventsCorrelationPlugin.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/opensearch/plugin/correlation/rules/action/IndexCorrelationRuleAction.java
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Outdated
Show resolved
Hide resolved
...tion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationRule.java
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Outdated
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Outdated
Show resolved
Hide resolved
...nts-correlation-engine/src/main/java/org/opensearch/plugin/correlation/utils/IndexUtils.java
Outdated
Show resolved
Hide resolved
...nts-correlation-engine/src/main/java/org/opensearch/plugin/correlation/utils/IndexUtils.java
Show resolved
Hide resolved
ca63ad7
to
9f43a02
Compare
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Next round cleanup comments. It's coming together. We need to add the explicit javadoc checker and I left some cleanup comments. I think we can simplify the CorrelationConstants approach and possibly just remove that class altogether? If the public facing API needs it we might figure a cleaner way of doing it.
import java.util.stream.Collectors; | ||
import java.util.stream.Stream; | ||
|
||
public class EventsCorrelationPluginTransportIT extends OpenSearchIntegTestCase { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need javadocs here. all public classes will need javadocs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added javadocs
@Override | ||
public List<Route> routes() { | ||
return List.of( | ||
new Route(RestRequest.Method.POST, EventsCorrelationPlugin.CORRELATION_RULES_BASE_URI), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the RFC it looks like users can only create rules through the global _correlation
endpoint.
POST /_correlation/rules
Request Body:
{
"correlate": [
{
"index": "vpc_flow",
"query": "dstaddr:4.5.6.7 or dstaddr:4.5.6.6"
},
{
"index": "windows",
"query": "winlog.event_data.SubjectDomainName:NTAUTHORI*"
},
{
"index": "ad_logs",
"query": "ResultType:50126"
},
{
"index": "app_logs",
"query": "endpoint:/customer_records.txt"
}
]
}
Would it also make sense to enable users to do this on a per index basis?
POST /my_ndex/_correlation/rule/{$rule_id}
where {$rule_id} is the (optional) existing rule
If so, we can do this in a follow up PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will address this in follow-up pr.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe open an issue for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
created the issue: #7184
|
||
void start() { | ||
try { | ||
if (!correlationRuleIndices.correlationRuleIndexExists()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit, avoid negative conditionals.
Change to be explicit:
if (!correlationRuleIndices.correlationRuleIndexExists()) { | |
if (correlationRuleIndices.correlationRuleIndexExists() == false) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed this.
...a/org/opensearch/plugin/correlation/rules/transport/TransportIndexCorrelationRuleAction.java
Show resolved
Hide resolved
/** | ||
* Settings for events-correlation-engine. | ||
* | ||
* @opensearch.api |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do you also want to mark as @opensearch.experimental
for now? It's largely superficial but a nice flag if you think these Settings might change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
marked as @opensearch.experimental
* @param correlationQueries list of correlation queries part of rule | ||
*/ | ||
public CorrelationRule(String id, Long version, String name, List<CorrelationQuery> correlationQueries) { | ||
this.id = id != null ? id : NO_ID; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we just have another ctor that doesn't take an ID as a parameter?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added a new ctor.
*/ | ||
public CorrelationRule(String id, Long version, String name, List<CorrelationQuery> correlationQueries) { | ||
this.id = id != null ? id : NO_ID; | ||
this.version = version != null ? version : NO_VERSION; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same, just have a ctor that doesn't take a version?
I think we can remove the CorrelationConstants#NO_ID
and CorrelationConstants#NO_VERSION
altogether.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added a new ctor.
removed CorrelationConstants
class.
Also make sure you rebase from main to pick up some of the BWC version check fixes. |
hi @nknize , addressed all the review comments. also rebased from main. please have a look. |
Gradle Check (Jenkins) Run Completed with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few minor nits. Otherwise LGTM!
} | ||
}, | ||
"timestampField": { | ||
"type": "text", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be a long or date type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the timestamp field name which is a string.
...ion-engine/src/main/java/org/opensearch/plugin/correlation/utils/CorrelationRuleIndices.java
Outdated
Show resolved
Hide resolved
...a/org/opensearch/plugin/correlation/rules/transport/TransportIndexCorrelationRuleAction.java
Outdated
Show resolved
Hide resolved
@Override | ||
public List<Route> routes() { | ||
return List.of( | ||
new Route(RestRequest.Method.POST, EventsCorrelationPlugin.CORRELATION_RULES_BASE_URI), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe open an issue for this?
...tion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationRule.java
Show resolved
Hide resolved
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
Gradle Check (Jenkins) Run Completed with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | |||
- Support for HTTP/2 (server-side) ([#3847](https://github.com/opensearch-project/OpenSearch/pull/3847)) | |||
- Add getter for path field in NestedQueryBuilder ([#4636](https://github.com/opensearch-project/OpenSearch/pull/4636)) | |||
- Allow mmap to use new JDK-19 preview APIs in Apache Lucene 9.4+ ([#5151](https://github.com/opensearch-project/OpenSearch/pull/5151)) | |||
- Add events correlation engine plugin ([#6854](https://github.com/opensearch-project/OpenSearch/issues/6854)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll need to move this to the 2.x section assuming this is to be backported
.collect(Collectors.toList()); | ||
Assert.assertTrue( | ||
pluginInfos.stream() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nitpick...no need to collect to a list here when you just use it as a stream again
@@ -204,5 +204,6 @@ public static class CommonFields { | |||
public static final ParseField FORMAT = new ParseField("format"); | |||
public static final ParseField MISSING = new ParseField("missing"); | |||
public static final ParseField TIME_ZONE = new ParseField("time_zone"); | |||
public static final ParseField _META = new ParseField("_meta"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not really a "common field throughout the project" if it is only used in one place. If you're sure this will be used any multiple places this is fine, otherwise it might be simpler to keep it defined where it is used.
Also, the leading underscore (in the Java constant name, not the text) technically violates the standard convention for constant names.
Maybe add a comment too unless you think the meaning of a "meta" field is self-evident.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, this could me moved to scope local once we start using it.
private String correlationRuleId; | ||
|
||
private CorrelationRule correlationRule; | ||
|
||
private RestRequest.Method method; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can these be final?
private String id; | ||
|
||
private Long version; | ||
|
||
private RestStatus status; | ||
|
||
private CorrelationRule correlationRule; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can these be final?
*/ | ||
public IndexCorrelationRuleRequest(CorrelationRule correlationRule, RestRequest.Method method) { | ||
super(); | ||
this.correlationRuleId = ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really okay for one of these instances to exist without a rule id? The meaning of a magic empty string is usually not clear. If this is really an optional field, it is better to store it as null and codify the behavior in the getter type by returning an Optional so that the caller has to explicitly deal with the set/not set cases.
@nknize shouldn't the plugin go to |
What’s the plan for getting this into 2.x? |
…project#7132) Adds new correlation engine feature by way of a new `:plugins:events-correlation-engine` plugin. The endpoint is /_correlation and users can create new rules using the following example DSL: { "name": "s3 to app logs", "correlate": [ { "index": "s3_access_logs", "query": "aws.cloudtrail.eventName:ReplicateObject", "timestampField": "@timestamp", "tags": [ "s3" ] } ] } Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
Description
add correlation rule layer for events-correlation-engine
Issues Resolved
#6854
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.