digital.nedra.commons.starter.audit.service.AuditService Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of audit-starter Show documentation
Show all versions of audit-starter Show documentation
Spring Boot starter for logging data through Logback in common event format (CEF) in accordance with the
requirements of ArcSight.
/*
* Copyright 2022 Nedra Team
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package digital.nedra.commons.starter.audit.service;
import digital.nedra.commons.starter.audit.config.AuditProperties;
import digital.nedra.commons.starter.audit.dto.AuditEvent;
import digital.nedra.commons.starter.audit.dto.Extension;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.StringJoiner;
import lombok.RequiredArgsConstructor;
import org.apache.commons.text.StringSubstitutor;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;
import org.springframework.stereotype.Service;
@Service
@RequiredArgsConstructor
public class AuditService {
private final AuditPropertiesResolver auditPropertiesResolver;
private final AuditProperties auditProperties;
private final AuditLogger auditLogger;
public void logEvent(@NonNull AuditEvent event) {
this.logEvent(event, null);
}
public void logEvent(@NonNull AuditEvent event, @Nullable Extension extension) {
Map values = new HashMap<>();
fillFromProps(values);
fillFromEvent(event, values);
values.put("extension", Optional.ofNullable(extension)
.map(this::buildExtension)
.orElse(""));
StringSubstitutor sub = new StringSubstitutor(values);
String result = sub.replace(auditProperties.getCef().getTemplate());
auditLogger.logEvent(result);
}
private String buildExtension(Extension ext) {
StringJoiner stringJoiner = new StringJoiner(" ", "", "|");
addClearedValueIfPresent(stringJoiner, "src", ext.getSrc());
addClearedValueIfPresent(stringJoiner, "dst", ext.getDst());
addClearedValueIfPresent(stringJoiner, "shost", ext.getShost());
addClearedValueIfPresent(stringJoiner, "suid", ext.getSuid());
addClearedValueIfPresent(stringJoiner, "suser", ext.getSuser());
addClearedValueIfPresent(stringJoiner, "msg", ext.getMsg());
Optional.ofNullable(ext.getEnd())
.ifPresent(s -> stringJoiner.add("end=" + buildEndTime(s)));
return stringJoiner.toString();
}
private void addClearedValueIfPresent(StringJoiner stringJoiner, String key, String value) {
Optional.ofNullable(value)
.map(this::cleanUp)
.ifPresent(s -> stringJoiner.add(key + "=" + s));
}
private String buildEndTime(Long endTimeMillis) {
AuditProperties.EndTime endTimeProperties = auditProperties.getEndTime();
ZoneId zoneId = ZoneId.of(endTimeProperties.getTimeZone());
ZonedDateTime endDateTime =
ZonedDateTime.ofInstant(Instant.ofEpochMilli(endTimeMillis), zoneId);
return Optional.ofNullable(endTimeProperties.getFormat())
.map(DateTimeFormatter::ofPattern)
.map(endDateTime::format)
.orElseGet(() -> Long.toString(endDateTime.toInstant().toEpochMilli()));
}
private String cleanUp(String value) {
return Optional.ofNullable(value)
.map(i -> i.replace("=", ""))
.map(i -> i.replace("|", ""))
.map(i -> i.replaceAll("[\\t\\n\\r]+", " "))
.orElse(null);
}
private void fillFromEvent(AuditEvent event, Map values) {
values.put("event.id", cleanUp(event.getId()));
values.put("event.name", cleanUp(event.getName()));
values.put("event.severity", event.getSeverity().getValue());
}
private void fillFromProps(Map values) {
values.put("cef.version", auditProperties.getCef().getVersion());
values.put("company.name", cleanUp(auditProperties.getCompany().getName()));
values.put("product.name", cleanUp(auditPropertiesResolver.getProductName().orElse("")));
values.put("product.version", auditPropertiesResolver.getProductVersion().orElse(""));
}
}