Merge pull request slackhq#19 from ramosbugs/user_messages

Make event range configurable
CSdread · Feb 17, 2017 · e011a29 · e011a29
2 parents 752b335 + 4f23c60
commit e011a29
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 12 deletions.
diff --git a/audit.go b/audit.go
@@ -30,6 +30,8 @@ func loadConfig(configFile string) (*viper.Viper, error) {
 	config := viper.New()
 	config.SetConfigFile(configFile)
 
+        config.SetDefault("events.min", 1300)
+        config.SetDefault("events.max", 1399)
 	config.SetDefault("message_tracking.enabled", true)
 	config.SetDefault("message_tracking.log_out_of_order", false)
 	config.SetDefault("message_tracking.max_out_of_order", 500)
@@ -334,13 +336,15 @@ func main() {
 	nlClient := NewNetlinkClient(config.GetInt("socket_buffer.receive"))
 	marshaller := NewAuditMarshaller(
 		writer,
+                uint16(config.GetInt("events.min")),
+                uint16(config.GetInt("events.max")),
 		config.GetBool("message_tracking.enabled"),
 		config.GetBool("message_tracking.log_out_of_order"),
 		config.GetInt("message_tracking.max_out_of_order"),
 		createFilters(config),
 	)
 
-	l.Println("Started processing events")
+	l.Printf("Started processing events in the range [%d, %d]\n", config.GetInt("events.min"), config.GetInt("events.max"))
 
 	//Main loop. Get data from netlink and send it to the json lib for processing
 	for {

diff --git a/audit_test.go b/audit_test.go
@@ -22,6 +22,8 @@ func Test_loadConfig(t *testing.T) {
 
 	// defaults
 	config, err := loadConfig(file)
+	assert.Equal(t, 1300, config.GetInt("events.min"), "events.min should default to 1300")
+	assert.Equal(t, 1399, config.GetInt("events.max"), "events.max should default to 1399")
 	assert.Equal(t, true, config.GetBool("message_tracking.enabled"), "message_tracking.enabled should default to true")
 	assert.Equal(t, false, config.GetBool("message_tracking.log_out_of_order"), "message_tracking.log_out_of_order should default to false")
 	assert.Equal(t, 500, config.GetInt("message_tracking.max_out_of_order"), "message_tracking.max_out_of_order should default to 500")
@@ -326,7 +328,7 @@ func Test_createOutput(t *testing.T) {
 }
 
 func Benchmark_MultiPacketMessage(b *testing.B) {
-	marshaller := NewAuditMarshaller(NewAuditWriter(&noopWriter{}, 1), false, false, 1, []AuditFilter{})
+	marshaller := NewAuditMarshaller(NewAuditWriter(&noopWriter{}, 1), uint16(1300), uint16(1399), false, false, 1, []AuditFilter{})
 
 	data := make([][]byte, 6)
 

diff --git a/go-audit.yaml.example b/go-audit.yaml.example
@@ -12,6 +12,12 @@ socket_buffer:
   # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
   receive: 16384
 
+events:
+  # Minimum event type to capture, default 1300
+  min: 1300
+  # Maximum event type to capture, default 1399
+  max: 1399
+
 # Configure message sequence tracking
 message_tracking:
   # Track messages and identify if we missed any, default true

diff --git a/marshaller.go b/marshaller.go
@@ -8,8 +8,6 @@ import (
 )
 
 const (
-	EVENT_START = 1300 // Start of the audit type ids that we care about
-	EVENT_END   = 1399 // End of the audit type ids that we care about
 	EVENT_EOE   = 1320 // End of multi packet event
 )
 
@@ -19,6 +17,8 @@ type AuditMarshaller struct {
 	lastSeq       int
 	missed        map[int]bool
 	worstLag      int
+        eventMin      uint16
+        eventMax      uint16
 	trackMessages bool
 	logOutOfOrder bool
 	maxOutOfOrder int
@@ -33,11 +33,13 @@ type AuditFilter struct {
 }
 
 // Create a new marshaller
-func NewAuditMarshaller(w *AuditWriter, trackMessages, logOOO bool, maxOOO int, filters []AuditFilter) *AuditMarshaller {
+func NewAuditMarshaller(w *AuditWriter, eventMin uint16, eventMax uint16, trackMessages, logOOO bool, maxOOO int, filters []AuditFilter) *AuditMarshaller {
 	am := AuditMarshaller{
 		writer:        w,
 		msgs:          make(map[int]*AuditMessageGroup, 5), // It is not typical to have more than 2 message groups at any given time
 		missed:        make(map[int]bool, 10),
+                eventMin:      eventMin,
+                eventMax:      eventMax,
 		trackMessages: trackMessages,
 		logOutOfOrder: logOOO,
 		maxOutOfOrder: maxOOO,
@@ -73,7 +75,7 @@ func (a *AuditMarshaller) Consume(nlMsg *syscall.NetlinkMessage) {
 		a.detectMissing(aMsg.Seq)
 	}
 
-	if nlMsg.Header.Type < EVENT_START || nlMsg.Header.Type > EVENT_END {
+	if nlMsg.Header.Type < a.eventMin || nlMsg.Header.Type > a.eventMax {
 		// Drop all audit messages that aren't things we care about or end a multi packet event
 		a.flushOld()
 		return

diff --git a/marshaller_test.go b/marshaller_test.go
@@ -10,14 +10,12 @@ import (
 )
 
 func TestMarshallerConstants(t *testing.T) {
-	assert.Equal(t, 1300, EVENT_START)
-	assert.Equal(t, 1399, EVENT_END)
 	assert.Equal(t, 1320, EVENT_EOE)
 }
 
 func TestAuditMarshaller_Consume(t *testing.T) {
 	w := &bytes.Buffer{}
-	m := NewAuditMarshaller(NewAuditWriter(w, 1), false, false, 0, []AuditFilter{})
+	m := NewAuditMarshaller(NewAuditWriter(w, 1), uint16(1100), uint16(1399), false, false, 0, []AuditFilter{})
 
 	// Flush group on 1320
 	m.Consume(&syscall.NetlinkMessage{
@@ -51,12 +49,12 @@ func TestAuditMarshaller_Consume(t *testing.T) {
 	)
 	assert.Equal(t, 0, len(m.msgs))
 
-	// Ignore below 1300
+	// Ignore below 1100
 	w.Reset()
 	m.Consume(&syscall.NetlinkMessage{
 		Header: syscall.NlMsghdr{
 			Len:   uint32(44),
-			Type:  uint16(1299),
+			Type:  uint16(1099),
 			Flags: uint16(0),
 			Seq:   uint32(0),
 			Pid:   uint32(0),
@@ -125,7 +123,7 @@ func TestAuditMarshaller_completeMessage(t *testing.T) {
 	t.Skip()
 	return
 	lb, elb := hookLogger()
-	m := NewAuditMarshaller(NewAuditWriter(&FailWriter{}, 1), false, false, 0, []AuditFilter{})
+	m := NewAuditMarshaller(NewAuditWriter(&FailWriter{}, 1), uint16(1300), uint16(1399), false, false, 0, []AuditFilter{})
 
 	m.Consume(&syscall.NetlinkMessage{
 		Header: syscall.NlMsghdr{