288 lines
5.3 KiB
Go
288 lines
5.3 KiB
Go
package events
|
|
|
|
import (
|
|
"fmt"
|
|
"github.com/olivere/elastic/v7"
|
|
log "github.com/sirupsen/logrus"
|
|
"iwarma.ru/console/correlator/es"
|
|
"iwarma.ru/console/correlator/util"
|
|
"reflect"
|
|
"testing"
|
|
)
|
|
|
|
func TestParseNormalizedEvents(t *testing.T) {
|
|
util.SetupTest(t)
|
|
defer util.TearDownTest(t)
|
|
|
|
index := "my_test_index"
|
|
|
|
client, err := es.NewElastic()
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
err = ClearIndex(client, index)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
// Add documents
|
|
goodCount := 10
|
|
err = FillNormalizedEvents(index, goodCount, client)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
query := elastic.NewMatchAllQuery()
|
|
|
|
raw, errs1 := client.Query(index, query)
|
|
events, errs2 := ParseEvents(raw, errs1, 1)
|
|
|
|
// Now let's count
|
|
eventCount := 0
|
|
for range events {
|
|
eventCount++
|
|
}
|
|
|
|
errCount := 0
|
|
for err = range errs2 {
|
|
if err != nil {
|
|
log.Errorf("Got error: %v", err)
|
|
errCount++
|
|
}
|
|
}
|
|
|
|
if eventCount != goodCount {
|
|
t.Errorf("Bad event count. Expect %v, got %v", goodCount, eventCount)
|
|
}
|
|
|
|
if errCount > 0 {
|
|
t.Error("Got some errors")
|
|
}
|
|
|
|
}
|
|
|
|
func TestParseAggregatedEvents(t *testing.T) {
|
|
util.SetupTest(t)
|
|
defer util.TearDownTest(t)
|
|
|
|
index := "my_test_index"
|
|
|
|
client, err := es.NewElastic()
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
err = ClearIndex(client, index)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
// Add documents
|
|
goodCount := 10
|
|
err = FillAggregatedEvents(index, goodCount, client)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
query := elastic.NewMatchAllQuery()
|
|
|
|
raw, errs1 := client.Query(index, query)
|
|
events, errs2 := ParseEvents(raw, errs1, 1)
|
|
|
|
// Now let's count
|
|
eventCount := 0
|
|
for range events {
|
|
eventCount++
|
|
}
|
|
|
|
errCount := 0
|
|
for err = range errs2 {
|
|
if err != nil {
|
|
log.Errorf("Got error: %v", err)
|
|
errCount++
|
|
}
|
|
}
|
|
|
|
if eventCount != goodCount {
|
|
t.Errorf("Bad event count. Expect %v, got %v", goodCount, eventCount)
|
|
}
|
|
|
|
if errCount > 0 {
|
|
t.Error("Got some errors")
|
|
}
|
|
|
|
}
|
|
|
|
func TestParseNormalizedEventsMassive(t *testing.T) {
|
|
util.SetupTest(t)
|
|
defer util.TearDownTest(t)
|
|
|
|
index := "my_test_index"
|
|
|
|
client, err := es.NewElastic()
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
err = ClearIndex(client, index)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
// Add documents
|
|
goodCount := 50000
|
|
err = FillNormalizedEvents(index, goodCount, client)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
query := elastic.NewMatchAllQuery()
|
|
|
|
raw, errs1 := client.Query(index, query)
|
|
events, errs2 := ParseEvents(raw, errs1, 20)
|
|
|
|
// Now let's count
|
|
eventCount := 0
|
|
for range events {
|
|
eventCount++
|
|
}
|
|
|
|
errCount := 0
|
|
for err = range errs2 {
|
|
if err != nil {
|
|
log.Errorf("Got error: %v", err)
|
|
errCount++
|
|
}
|
|
}
|
|
|
|
if eventCount != goodCount {
|
|
t.Errorf("Bad event count. Expect %v, got %v", goodCount, eventCount)
|
|
}
|
|
|
|
if errCount > 0 {
|
|
t.Error("Got some errors")
|
|
}
|
|
|
|
}
|
|
|
|
func TestAddTag(t *testing.T) {
|
|
events, err := PrepareEvents(2)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
}
|
|
for event := range events {
|
|
// In new events tags is nil -> add tags will increment tags to nill
|
|
tags := event.AddTag("1")
|
|
exampleTags := []string{"1"}
|
|
if !reflect.DeepEqual(tags, exampleTags) {
|
|
t.Errorf("Bad event tags! Expect %v , have %v", exampleTags, tags)
|
|
}
|
|
tags = event.AddTag("2")
|
|
exampleDoubleTags := []string{"1", "2"}
|
|
if !reflect.DeepEqual(tags, exampleDoubleTags) {
|
|
t.Errorf("Bad event tags! Expect %v , have %v", exampleDoubleTags, tags)
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
func TestGetValue(t *testing.T) {
|
|
events, err := PrepareEvents(1)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
}
|
|
for event := range events {
|
|
typeValue, ok := event.GetValue("type").(string)
|
|
if !ok {
|
|
t.Errorf("Can`t get event value")
|
|
}
|
|
severityValue, ok := event.GetValue("event_severity").(float64)
|
|
if !ok {
|
|
t.Errorf("Can`t get event value")
|
|
}
|
|
if typeValue != "test" {
|
|
t.Errorf("Bad event value! Expect %v , have %v", "test", typeValue)
|
|
}
|
|
if severityValue != 0 {
|
|
t.Errorf("Bad event value! Expect %v , have %v", 0, severityValue)
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
func TestGetString(t *testing.T) {
|
|
events, err := PrepareEvents(1)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
}
|
|
for event := range events {
|
|
hostValue := event.GetString("source_host")
|
|
if hostValue != "localhost" {
|
|
t.Errorf("Bad event value! Expect %v , have %v", "localhost", hostValue)
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
func TestGetInt(t *testing.T) {
|
|
events, err := PrepareEvents(1)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
}
|
|
for event := range events {
|
|
portValue := event.GetInt("destination_port")
|
|
if portValue != 0 {
|
|
t.Errorf("Bad event value! Expect %v , have %v", 0, portValue)
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
func PrepareEvents(eventsNeed int) (chan *Event, error) {
|
|
util.PrepareElastic()
|
|
index := "test-aggregated"
|
|
client, err := es.NewElastic()
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
}
|
|
err = ClearIndex(client, GetAggregatedIndexName())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = FillAggregatedEvents(GetAggregatedIndexName(), 1, client)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
query := elastic.NewMatchAllQuery()
|
|
|
|
raw, errs1 := client.Query(index, query)
|
|
events, error2 := ParseEvents(raw, errs1, eventsNeed)
|
|
|
|
errorsCount := 0
|
|
for err = range error2 {
|
|
if err != nil {
|
|
fmt.Printf("Got error: %v", err)
|
|
errorsCount += 1
|
|
}
|
|
}
|
|
if errorsCount != 0 {
|
|
return nil, fmt.Errorf("Can`t get events from elastic -> %v ", error2)
|
|
} else {
|
|
return events, nil
|
|
}
|
|
|
|
}
|