add Zincsearch output
Signed-off-by: Thomas Labarussias <issif_github@gadz.org>
Issif authored and poiana committed Sep 1, 2022
1 parent 1d5ef75 commit ae6bbbc
Showing 8 changed files with 96 additions and 1 deletion.
15 changes: 15 additions & 0 deletions README.md
Expand Up @@ -53,6 +53,7 @@ It works as a single endpoint for as many as you want `Falco` instances :
- [**AWS CloudWatchLogs**](https://aws.amazon.com/cloudwatch/features/)
- [**Grafana**](https://grafana.com/) (annotations)
- **Syslog**
- [**Zincsearch**](https://docs.zincsearch.com/)

### Object Storage

Expand Down Expand Up @@ -500,6 +501,14 @@ mqtt:
# password: "" # Password if the authentication is enabled in the broker
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

zincsearch:
# hostport: "" # http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled
# index: "falco" # index (default: falco)
# username: "" # use this username to authenticate to ZincSearch (default: "")
# password: "" # use this password to authenticate to ZincSearch (default: "")
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```

Usage :
Expand Down Expand Up @@ -932,6 +941,12 @@ care of lower/uppercases**) : `yaml: a.b --> envvar: A_B` :
- **MQTT_PASSWORD**: password if the authentication is enabled in the broker
- **MQTT_CHECKCERT**: check if ssl certificate of the output is valid (default: `true`)
- **MQTT_PRUNEBYPRIORITY**: if true; the events with lowest severity are pruned first, in FIFO order (default: `false`)
- **ZINC_HOSTPORT**: http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled
- **ZINC_INDEX**: index (default: falco)
- **ZINC_USERNAME**: this username to authenticate to ZincSearch (default: "")
- **ZINC_PASSWORD**: use this password to authenticate to ZincSearch (default: "")
- **ZINC_CHECKCERT**: if ssl certificate of the output is valid (default: true)
- **ZINC_MINIMUMPRIORITY**: minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug

#### Slack/Rocketchat/Mattermost/Googlechat Message Formatting

7 changes: 7 additions & 0 deletions config.go
Expand Up @@ -349,6 +349,13 @@ func getConfig() *types.Configuration {
v.SetDefault("MQTT.CheckCert", true)
v.SetDefault("MQTT.MinimumPriority", "")

v.SetDefault("Zincsearch.HostPort", "")
v.SetDefault("Zincsearch.Index", "falco")
v.SetDefault("Zincsearch.Username", "")
v.SetDefault("Zincsearch.Password", "")
v.SetDefault("Zincsearch.CheckCert", true)
v.SetDefault("Zincsearch.MinimumPriority", "")

v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
v.AutomaticEnv()
if *configFile != "" {
10 changes: 9 additions & 1 deletion config_example.yaml
Expand Up @@ -334,4 +334,12 @@ mqtt:
# user: "" # User if the authentication is enabled in the broker
# password: "" # Password if the authentication is enabled in the broker
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

zincsearch:
# hostport: "" # http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled
# index: "falco" # index (default: falco)
# username: "" # use this username to authenticate to ZincSearch (default: "")
# password: "" # use this password to authenticate to ZincSearch (default: "")
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
4 changes: 4 additions & 0 deletions handlers.go
Expand Up @@ -336,4 +336,8 @@ func forwardEvent(falcopayload types.FalcoPayload) {
if config.MQTT.Broker != "" && (falcopayload.Priority >= types.Priority(config.MQTT.MinimumPriority) || falcopayload.Rule == testRule) {
go mqttClient.MQTTPublish(falcopayload)
}

if config.Zincsearch.HostPort != "" && (falcopayload.Priority >= types.Priority(config.Zincsearch.MinimumPriority) || falcopayload.Rule == testRule) {
go zincsearchClient.ZincsearchPost(falcopayload)
}
}
11 changes: 11 additions & 0 deletions main.go
Expand Up @@ -56,6 +56,7 @@ var (
yandexClient *outputs.Client
syslogClient *outputs.Client
mqttClient *outputs.Client
zincsearchClient *outputs.Client

statsdClient, dogstatsdClient *statsd.Client
config *types.Configuration
Expand Down Expand Up @@ -570,6 +571,16 @@ func init() {
}
}

if config.Zincsearch.HostPort != "" {
var err error
zincsearchClient, err = outputs.NewClient("Zincsearch", config.Zincsearch.HostPort+"/api/"+config.Zincsearch.Index+"/_doc", false, config.Zincsearch.CheckCert, config, stats, promStats, statsdClient, dogstatsdClient)
if err != nil {
config.Zincsearch.HostPort = ""
} else {
outputs.EnabledOutputs = append(outputs.EnabledOutputs, "Zincsearch")
}
}

log.Printf("[INFO] : Falco Sidekick version: %s\n", GetVersionInfo().GitVersion)
log.Printf("[INFO] : Enabled Outputs : %s\n", outputs.EnabledOutputs)

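Review bot: The endpoint URL in the second hunk is assembled by plain concatenation, `config.Zincsearch.HostPort+"/api/"+config.Zincsearch.Index+"/_doc"`, and `Index` is operator-supplied (config file or `ZINC_INDEX`), so a value containing `/`, `?` or `#` silently changes the request path, and a `hostport` ending in `/` produces `//api`. With `net/url` in scope the path segment should be escaped and the host trimmed, e.g. `endpoint := strings.TrimSuffix(config.Zincsearch.HostPort, "/") + "/api/" + url.PathEscape(config.Zincsearch.Index) + "/_doc"`. The `NewClient` error is also discarded by clearing `HostPort` with no log line; if that mirrors the sibling outputs above it is at least consistent, but a `log.Printf("[ERROR] : Zincsearch - %v", err)` would make a misconfigured output visible at startup. The enclosing `init()` starts and ends outside the hunk.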
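--- a/outputs/zincsearch.go
+++ b/outputs/zincsearch.go
@@ -0,0 +1,37 @@
+package outputs
+
+import (
+"fmt"
+"log"
+
+"github.com/falcosecurity/falcosidekick/types"
+)
+
+// ZincsearchPost posts event to Zincsearch
+func (c *Client) ZincsearchPost(falcopayload types.FalcoPayload) {
+c.Stats.Zincsearch.Add(Total, 1)
+
+if c.Config.Zincsearch.Username != "" && c.Config.Zincsearch.Password != "" {
+c.BasicAuth(c.Config.Zincsearch.Username, c.Config.Zincsearch.Password)
+}
+
+fmt.Println(c.EndpointURL)
+err := c.Post(falcopayload)
+if err != nil {
+c.setZincsearchErrorMetrics()
+log.Printf("[ERROR] : Zincsearch - %v\n", err)
+return
+}
+
+// Setting the success status
+go c.CountMetric(Outputs, 1, []string{"output:zincsearch", "status:ok"})
+c.Stats.Zincsearch.Add(OK, 1)
+c.PromStats.Outputs.With(map[string]string{"destination": "zincsearch", "status": OK}).Inc()
+}
+
+// setZincsearchErrorMetrics set the error stats
+func (c *Client) setZincsearchErrorMetrics() {
+go c.CountMetric(Outputs, 1, []string{"output:zincsearch", "status:error"})
+c.Stats.Zincsearch.Add(Error, 1)
+c.PromStats.Outputs.With(map[string]string{"destination": "zincsearch", "status": Error}).Inc()
+}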
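Review bot: `fmt.Println(c.EndpointURL)` just before `c.Post(falcopayload)` in `ZincsearchPost` looks like leftover debug output: it writes the destination URL to stdout for every forwarded event, outside the `[ERROR]`-style `log.Printf` convention the rest of the function uses, and `"fmt"` is imported only for that line. Drop the `fmt.Println` line and the `"fmt"` import together. Separately, `c.BasicAuth(...)` is re-applied on every call; if it only sets header state on the client it could be applied once where the client is built, but I cannot see `BasicAuth` here so that is a question rather than a defect. The trailing `\n` in `log.Printf("[ERROR] : Zincsearch - %v\n", err)` is redundant since `log` appends a newline, though other outputs may do the same.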
1 change: 1 addition & 0 deletions stats.go
Expand Up @@ -69,6 +69,7 @@ func getInitStats() *types.Statistics {
MQTT: getOutputNewMap("mqtt"),
PolicyReport: getOutputNewMap("policyreport"),
NodeRed: getOutputNewMap("nodered"),
Zincsearch: getOutputNewMap("zincsearch"),
}
stats.Falco.Add(outputs.Emergency, 0)
stats.Falco.Add(outputs.Alert, 0)
12 changes: 12 additions & 0 deletions types/types.go
Expand Up @@ -73,6 +73,7 @@ type Configuration struct {
Syslog SyslogConfig
NodeRed NodeRedOutputConfig
MQTT MQTTConfig
Zincsearch zincsearchOutputConfig
}

// SlackOutputConfig represents parameters for Slack
Expand Down Expand Up @@ -524,6 +525,16 @@ type fissionConfig struct {
MutualTLS bool
}

// zincsearchOutputConfig represents config parameters for Zincsearch
type zincsearchOutputConfig struct {
HostPort string
Index string
Username string
Password string
CheckCert bool
MinimumPriority string
}

// Statistics is a struct to store stastics
type Statistics struct {
Requests *expvar.Map
Expand Down Expand Up @@ -577,6 +588,7 @@ type Statistics struct {
PolicyReport *expvar.Map
NodeRed *expvar.Map
MQTT *expvar.Map
Zincsearch *expvar.Map
}

// PromStatistics is a struct to store prometheus metrics