package com.airbus_cyber_security.graylog.alert.bundles;
import com.airbus_cyber_security.graylog.alert.AlertRule;
import com.airbus_cyber_security.graylog.alert.AlertRuleService;
import com.airbus_cyber_security.graylog.alert.AlertRuleStreamImpl;
import com.airbus_cyber_security.graylog.alert.FieldRuleImpl;
import com.airbus_cyber_security.graylog.alert.utilities.AlertRuleUtils;
import com.airbus_cyber_security.graylog.events.notifications.types.LoggingNotificationConfig;
import com.google.common.collect.Lists;
import org.graylog.events.processor.EventProcessorConfig;
import org.graylog.events.rest.EventDefinitionsResource;
import org.graylog.events.rest.EventNotificationsResource;
import org.graylog2.plugin.streams.Stream;
import org.graylog2.streams.StreamService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.*;
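/**
 * Builds the exportable representation of alert rules created by the alert wizard.
 *
 * <p>For every rule title the exporter resolves the stored rule, the stream(s) it is
 * attached to, the event definition that carries the condition and the notification,
 * and flattens all of that into an {@link ExportAlertRule}.
 */
public class AlertRuleExporter {
    private static final Logger LOG = LoggerFactory.getLogger(AlertRuleExporter.class);

    private final AlertRuleService alertRuleService;
    private final StreamService streamService;
    private final AlertRuleUtils alertRuleUtils;
    // NOTE(review): event definitions and notifications are read through the REST
    // resource classes rather than a service layer, so whatever authorization those
    // resources enforce is evaluated against the subject running the export —
    // confirm this is the intended access path for bundle export.
    private final EventDefinitionsResource eventDefinitionsResource;
    private final EventNotificationsResource eventNotificationsResource;

    public AlertRuleExporter(AlertRuleService alertRuleService,
                             StreamService streamService,
                             AlertRuleUtils alertRuleUtils,
                             EventDefinitionsResource eventDefinitionsResource,
                             EventNotificationsResource eventNotificationsResource) {
        this.alertRuleService = alertRuleService;
        this.streamService = streamService;
        this.alertRuleUtils = alertRuleUtils;
        this.eventDefinitionsResource = eventDefinitionsResource;
        this.eventNotificationsResource = eventNotificationsResource;
    }

    /**
     * Exports the alert rules with the given titles.
     *
     * <p>A rule whose stream, event definition or notification cannot be loaded, or whose
     * notification is not a {@link LoggingNotificationConfig}, is skipped and reported at
     * WARN level (with the cause, so the failure can be diagnosed). The result may
     * therefore hold fewer entries than {@code titles}; callers that need an
     * all-or-nothing export must compare the sizes themselves.
     *
     * @param titles titles of the alert rules to export; {@code null} is treated as empty
     * @return the exportable rules, in the order of {@code titles}
     */
    public List<ExportAlertRule> export(List<String> titles) {
        if (titles == null) {
            return new ArrayList<>();
        }
        List<ExportAlertRule> exported = Lists.newArrayListWithCapacity(titles.size());
        for (String title : titles) {
            try {
                final AlertRule alert = alertRuleService.load(title);

                final String streamId = alert.getStreamID();
                final AlertRuleStreamImpl firstStream =
                        toAlertRuleStream(streamId, streamService.load(streamId), alert.getPipelineFieldRules());

                final String secondStreamId = alert.getSecondStreamID();
                final AlertRuleStreamImpl secondStream;
                if (secondStreamId != null && !secondStreamId.isEmpty()) {
                    secondStream = toAlertRuleStream(secondStreamId, streamService.load(secondStreamId),
                            alert.getSecondPipelineFieldRules());
                } else {
                    // No second stream: emit an empty placeholder so the export shape stays stable.
                    secondStream = AlertRuleStreamImpl.create("", "", Collections.emptyList());
                }

                // The condition parameters live on the event definition's processor config.
                final EventProcessorConfig eventConfig = eventDefinitionsResource.get(alert.getEventID()).config();
                final Map<String, Object> conditionParameters = alertRuleUtils.getConditionParameters(eventConfig);

                // Only the wizard's logging notification is understood here; check the type
                // explicitly rather than letting a ClassCastException be swallowed below.
                final Object rawNotificationConfig = eventNotificationsResource.get(alert.getNotificationID()).config();
                if (!(rawNotificationConfig instanceof LoggingNotificationConfig)) {
                    LOG.warn("Can't export alert rule {}: notification {} is not a logging notification",
                            title, alert.getNotificationID());
                    continue;
                }
                final Map<String, Object> notificationParameters =
                        alertRuleUtils.getNotificationParameters((LoggingNotificationConfig) rawNotificationConfig);

                exported.add(ExportAlertRule.create(
                        title,
                        notificationParameters,
                        alert.getDescription(),
                        alert.getConditionType(),
                        conditionParameters,
                        firstStream,
                        secondStream));
            } catch (Exception e) {
                // Stream, event definition or notification could not be loaded: skip this rule
                // but keep the exception so the root cause is not lost.
                LOG.warn("Can't export alert rule {}: {}", title, e.getMessage(), e);
            }
        }
        return exported;
    }

    /**
     * Combines the rule's pipeline field rules with the field rules derived from the
     * stream's own rules into one exportable stream description.
     *
     * @param streamId           identifier of the stream as stored on the alert rule
     * @param stream             the loaded stream
     * @param pipelineFieldRules pipeline field rules stored on the alert rule; may be {@code null}
     * @return the exportable stream (pipeline rules first, then stream-derived rules)
     */
    private AlertRuleStreamImpl toAlertRuleStream(String streamId, Stream stream, List<FieldRuleImpl> pipelineFieldRules) {
        List<FieldRuleImpl> fieldRules = new ArrayList<>();
        Optional.ofNullable(pipelineFieldRules).ifPresent(fieldRules::addAll);
        Optional.ofNullable(alertRuleUtils.getListFieldRule(stream.getStreamRules())).ifPresent(fieldRules::addAll);
        return AlertRuleStreamImpl.create(streamId, stream.getMatchingType().toString(), fieldRules);
    }
}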