Skip to content

GitLab

Switch branch/tag
Find file Normal viewHistoryPermalink
log_consumer.go 8.64 KB
Newer Older
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
1 2 3 4 
package service

import (
	"context"
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
5 
	"encoding/json"
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
6 
	"errors"
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
7 8 
	"fmt"
	"time"
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
9 10 11 

	"github.com/rs/zerolog/log"
	"github.com/segmentio/kafka-go"
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
12 
	"github.com/segmentio/kafka-go/sasl/scram"
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
13 
	"gitlab.com/tensorsecurity-rd/waf-console/internal/config"
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
14 15 16 17 18 
	"gitlab.com/tensorsecurity-rd/waf-console/internal/model"
	"gitlab.com/tensorsecurity-rd/waf-console/internal/utils/id"

	es "github.com/olivere/elastic/v7"
	esStore "gitlab.com/tensorsecurity-rd/waf-console/internal/store"
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
19 20 21 
	"gorm.io/gorm"
)
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
22 23 24 25 26 27 
const (
	KafkaTopicIvanWafDetections       = "ivan_waf_detections"
	KafkaGroupIvanWafDetectionsPalace = "ivan_waf_detections_palace"

	EsIndexWafDetections      = "waf-detections*"
	EsIndexWafDetectionsAlias = "waf-detections"
qiuqunfeng's avatar
Refactor WAF detection handling in LogConsumerService to improve event generation and error logging  
qiuqunfeng committed
28 
	ESIndexEvents             = "events"
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
29 30 
)
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 
var scramAlgo = map[string]scram.Algorithm{
	"SHA512": scram.SHA512,
	"SHA256": scram.SHA256,
}

var ErrMissingBrokers = errors.New("no KAFKA_BROKERS env variable set")
var ErrMissingAuthInfo = errors.New("no username or passwrod set when auth is enabled")
var ErrUnsupportedAuthMethod = errors.New("unsupported auth method")

const (
	EnvKafkaAuthMethod   = "KAFKA_AUTH_METHOD"
	EnvKafkaAuthUsername = "KAFKA_AUTH_USERNAME"
	EnvKafkaAuthPassword = "KAFKA_AUTH_PASSWORD"
	EnvKafkaScramAlgo    = "KAFKA_SCRAM_ALGO"
	EnvKafkaBrokers      = "KAFKA_BROKERS"
	KafkaAuthPlain       = "plain"
	KafkaAuthScram       = "scram"
)
qiuqunfeng's avatar
Implement dynamic log level configuration and refactor Elasticsearch client creation  
qiuqunfeng committed
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 
// func getSASLMechanismByEnv() (sasl.Mechanism, bool, error) {
// 	authMethod := os.Getenv(EnvKafkaAuthMethod)
// 	username := os.Getenv(EnvKafkaAuthUsername)
// 	password := os.Getenv(EnvKafkaAuthPassword)
// 	var mechanism sasl.Mechanism
// 	switch authMethod {
// 	case KafkaAuthPlain:
// 		if username == "" || password == "" {
// 			return nil, true, ErrMissingAuthInfo
// 		}
// 		mechanism = &plain.Mechanism{
// 			Username: username,
// 			Password: password,
// 		}
// 	case KafkaAuthScram:
// 		if username == "" || password == "" {
// 			return nil, true, ErrMissingAuthInfo
// 		}
// 		algoKey := os.Getenv(EnvKafkaScramAlgo)
// 		algo := scram.SHA512
// 		algoTmp, exist := scramAlgo[algoKey]
// 		if exist {
// 			algo = algoTmp
// 		}
// 		var err error
// 		mechanism, err = scram.Mechanism(algo, username, password)
// 		if err != nil {
// 			return nil, true, err
// 		}
// 	}
// 	return mechanism, mechanism != nil, nil
// }
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
82
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
83 84 85 
type LogConsumerService struct {
	consumer *kafka.Reader
	db       *gorm.DB
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
86 
	esStore  *esStore.ESStore
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
87 88 
}
qiuqunfeng's avatar
Implement dynamic log level configuration and refactor Elasticsearch client creation  
qiuqunfeng committed
89 90 91 92 93 94 95 96 97 
func NewLogConsumerService(db *gorm.DB, esStore *esStore.ESStore, config *config.KafkaConfig) *LogConsumerService {
	// mechanism, _, err := getSASLMechanismByEnv()
	// if err != nil {
	// 	log.Fatal().Err(err).Msg("failed to get SASL mechanism")
	// }
	// brokers := strings.Split(os.Getenv(EnvKafkaBrokers), ",")
	// if len(brokers) == 0 {
	// 	log.Fatal().Msg("no KAFKA_BROKERS env variable set")
	// }
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
98
qiuqunfeng's avatar
Implement dynamic log level configuration and refactor Elasticsearch client creation  
qiuqunfeng committed
99 100 101 102 103 104 105 106 107 108 109 
	// consumer := kafka.NewReader(kafka.ReaderConfig{
	// 	Brokers: brokers,
	// 	GroupID: KafkaGroupIvanWafDetectionsPalace,
	// 	Topic:   KafkaTopicIvanWafDetections,
	// 	Dialer: &kafka.Dialer{
	// 		SASLMechanism: mechanism,
	// 		Timeout:       10 * time.Second,
	// 		DualStack:     true,
	// 	},
	// })
	consumer := NewKafkaReader(config)
qiuqunfeng's avatar
Add Kafka log consumer with dynamic authentication and configuration  
qiuqunfeng committed
110
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
111 112 113 
	return &LogConsumerService{
		consumer: consumer,
		db:       db,
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
114 
		esStore:  esStore,
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
115 116 117 118 
	}
}

func (s *LogConsumerService) Consume() {
qiuqunfeng's avatar
Add logging for Kafka message consumption  
qiuqunfeng committed
119 
	log.Info().Msg("start consume kafka message")
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
120 121 122 123 124 125 126 127 128 129 130 131 132 
	for {
		m, err := s.consumer.ReadMessage(context.Background())
		if err != nil {
			log.Error().Err(err).Msg("failed to read message")
			continue
		}
		log.Info().Msgf("message: %s", string(m.Value))
		go s.processMessage(m)
	}
}

func (s *LogConsumerService) processMessage(m kafka.Message) {
	log.Info().Msgf("processing message: %s", string(m.Value))
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
133 134 135 
	s.Handle(context.Background(), m.Value)
}
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
136 137 138 139 
func (s *LogConsumerService) genWafDetection(wafDetectionMessage model.WafDetectionMessage, attackedLog model.WafDetectionAttackedLog) (model.WafDetection, error) {
	if attackedLog.AttackIP == "" {
		return model.WafDetection{}, errors.New("attack_ip is empty")
	}
qiuqunfeng's avatar
Refactor WAF service listener deletion logic to include namespace and region...  
qiuqunfeng committed
140
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
141 142 143 144 145 146 147 148 149 
	wafDetection := model.WafDetection{
		WafDetectionMessageBasic: wafDetectionMessage.WafDetectionMessageBasic,
		WafDetectionAttackedLog:  attackedLog,
		CreatedAt:                wafDetectionMessage.CreatedAt,
	}
	wafDetection.WafDetectionAttackedLog.ID = id.Str()
	return wafDetection, nil
}
qiuqunfeng's avatar
Enhance WAF detection event generation in LogConsumerService by adding...  
qiuqunfeng committed
150 
func (s *LogConsumerService) genWafDetectionEvent(wafDetectionMessage model.WafDetectionMessage, attackedLog model.WafDetectionAttackedLog) (model.Event, error) {
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 
	event := model.Event{
		ID:          id.Str(),
		Type:        "waf_detection",
		Description: "waf detection",
		RuleKeys:    []model.RuleKey{},
		Scopes: map[string][]model.Scope{
			"cluster": {
				{
					Kind: "cluster",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
					Name: wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
				},
			},
			"namespace": {
				{
					Kind: "namespace",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.Namespace,
					Name: wafDetectionMessage.WafDetectionMessageBasic.Namespace,
				},
			},
			"resource": {
				{
					Kind: "resource",
					ID:   "",
					Name: fmt.Sprintf("%s(%s)", wafDetectionMessage.WafDetectionMessageBasic.ResName, wafDetectionMessage.WafDetectionMessageBasic.ResKind),
				},
			},
		},
		Resources: []map[string]model.Scope{
			{
				"cluster": {
					Kind: "cluster",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
					Name: wafDetectionMessage.WafDetectionMessageBasic.ClusterKey,
				},
				"namespace": {
					Kind: "namespace",
					ID:   wafDetectionMessage.WafDetectionMessageBasic.Namespace,
					Name: wafDetectionMessage.WafDetectionMessageBasic.Namespace,
				},
				"resource": {
					Kind: "resource",
					ID:   "",
					Name: fmt.Sprintf("%s(%s)", wafDetectionMessage.WafDetectionMessageBasic.ResName, wafDetectionMessage.WafDetectionMessageBasic.ResKind),
				},
			},
		},
		Relation: model.Relation{
			Type: "timeline",
		},
		CreatedAt: wafDetectionMessage.CreatedAt,
		UpdatedAt: wafDetectionMessage.CreatedAt,
		Timestamp: time.Now(),
		Context: map[string]interface{}{
qiuqunfeng's avatar
Enhance WAF detection event generation in LogConsumerService by adding...  
qiuqunfeng committed
205 206 
			"attack_ip":   attackedLog.AttackIP,
			"attack_time": attackedLog.AttackTime,
qiuqunfeng's avatar
Enhance WAF detection event handling in LogConsumerService by adding attack...  
qiuqunfeng committed
207 
			"attack_url":  attackedLog.AttackedURL,
qiuqunfeng's avatar
Enhance WAF detection event generation in LogConsumerService by adding...  
qiuqunfeng committed
208 209 210 
			"attack_app":  attackedLog.AttackedApp,
			"attack_load": attackedLog.AttackLoad,
			"rule_name":   attackedLog.RuleName,
qiuqunfeng's avatar
Enhance WAF detection event handling in LogConsumerService by adding attack...  
qiuqunfeng committed
211 
			"action":      attackedLog.Action,
qiuqunfeng's avatar
Enhance WAF detection event generation in LogConsumerService by adding...  
qiuqunfeng committed
212 213 214 215 216 
			"waf_body": map[string]interface{}{
				"type":     "code",
				"request":  attackedLog.ReqPkg,
				"response": attackedLog.RspPkg,
			},
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
217 218 219 220 221 
		},
	}
	return event, nil
}
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
222 223 224 225 226 227 228 229 230 
func (s *LogConsumerService) Handle(ctx context.Context, message []byte) error {
	WafDetectionMessage := model.WafDetectionMessage{}
	err := json.Unmarshal(message, &WafDetectionMessage)
	if err != nil {
		log.Err(err).Str("message.Value", string(message)).Msg("unmarshal kafka message fails")
		return err
	}

	bulkableRequests := make([]es.BulkableRequest, 0)
qiuqunfeng's avatar
Comment out WAF detection and event generation logic in LogConsumerService to...  
qiuqunfeng committed
231 
	// WafDetections := make([]model.WafDetection, len(WafDetectionMessage.AttackedLog))
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
232 233 234 235 236 237 238 239 240 241 

	unPassCount := 0
	for i := range WafDetectionMessage.AttackedLog {
		if WafDetectionMessage.AttackedLog[i].AttackIP == "" {
			log.Err(err).Str("message.Value", string(message)).Msg("WafDetectionMessage.AttackedLog[i].AttackIP empty")
			continue
		}
		if WafDetectionMessage.AttackedLog[i].Action != "pass" {
			unPassCount++
		}
qiuqunfeng's avatar
Refactor WAF detection handling in LogConsumerService to improve event generation and error logging  
qiuqunfeng committed
242 243 244 245 246 247 248 249 250 
		// WafDetections[i].WafDetectionMessageBasic = WafDetectionMessage.WafDetectionMessageBasic
		// WafDetections[i].WafDetectionAttackedLog = WafDetectionMessage.AttackedLog[i]
		// WafDetections[i].WafDetectionAttackedLog.ID = id.Str()
		// WafDetections[i].CreatedAt = WafDetectionMessage.CreatedAt
		wafDetection, err := s.genWafDetection(WafDetectionMessage, WafDetectionMessage.AttackedLog[i])
		if err != nil {
			log.Err(err).Str("message.Value", string(message)).Msg("gen waf detection fails")
			continue
		}
qiuqunfeng's avatar
Comment out WAF detection and event generation logic in LogConsumerService to...  
qiuqunfeng committed
251
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
252 
		bulkIndexSignal := es.NewBulkIndexRequest().Index(EsIndexWafDetectionsAlias)
qiuqunfeng's avatar
Refactor WAF detection handling in LogConsumerService to improve event generation and error logging  
qiuqunfeng committed
253 
		bulkableRequests = append(bulkableRequests, bulkIndexSignal.Id(wafDetection.WafDetectionAttackedLog.ID).Doc(wafDetection))
qiuqunfeng's avatar
Enhance WAF detection event handling in LogConsumerService by adding attack...  
qiuqunfeng committed
254 255 256 257 258 259 260 261 

		event, err := s.genWafDetectionEvent(WafDetectionMessage, WafDetectionMessage.AttackedLog[i])
		if err != nil {
			log.Err(err).Str("message.Value", string(message)).Msg("gen waf detection event fails")
			continue
		}
		bulkIndexEvent := es.NewBulkIndexRequest().Index(ESIndexEvents)
		bulkableRequests = append(bulkableRequests, bulkIndexEvent.Id(event.ID).Doc(event))
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
262 263 264 265 
	}

	s.esStore.Save(ctx, bulkableRequests)
qiuqunfeng's avatar
Refactor API router and WAF handling to support additional parameters and...  
qiuqunfeng committed
266 267 268 269 270 
	// err = s.db.WithContext(ctx).Model(&model.WafService{}).Where("id = ?", WafDetectionMessage.ServiceID).Update("attack_num", gorm.Expr("attack_num + ?", 1)).Error
	// if err != nil {
	// 	log.Err(err).Int64("WafDetectionMessage.ServiceID", WafDetectionMessage.ServiceID).Msg("update waf_service attack_number fails")
	// 	return err
	// }
qiuqunfeng's avatar
Implement Kafka log consumer with Elasticsearch and database integration  
qiuqunfeng committed
271 272 

	return nil
qiuqunfeng's avatar
Add support for bulk listener WAF configuration  
qiuqunfeng committed
273 
}