Merge branch 'main' into dev-refreshable-http-getters

# Conflicts:
#	CHANGELOG.md

Author: ppcad

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Features
 
+* implement first prototype of ng logprep runner
 * make http getters periodically refresh if configured in file path defined by environment variable `LOGPREP_GETTER_CONFIG`.
 * cache http getter results by utilising the etag header.
 * add per-target (i.e. `localhost:1234/foo`) callbacks to http getters that are called when getters are refreshed with new data.

doc/source/user_manual/execution.rst

@@ -15,6 +15,34 @@ To get help on the different parameters use:
 
     logprep --help
 
+Running logprep-ng
+==================
+
+Logprep-ng is the next generation of logprep and is still in an experimental state.
+To execute logprep-ng, use the following command:
+
+.. code-block:: bash
+
+    logprep-ng run $CONFIG
+
+Where :code:`$CONFIG` is the path or a url to a configuration file (see :ref:`configuration`).
+This command starts the logprep-ng processing pipeline with the specified configuration and options.
+
+Common usage examples:
+
+.. code-block:: bash
+
+    # Run with default configuration
+    logprep-ng run
+
+    # Run with custom configuration file
+    logprep-ng run /path/to/config.yml
+
+Available options can be viewed using:
+
+.. code-block:: bash
+
+    logprep-ng run --help
 
 Event Generation
 ----------------

examples/exampledata/config/ng_http_pipeline.yml

@@ -0,0 +1,84 @@
+version: 2
+process_count: 4
+config_refresh_interval: 5
+profile_pipelines: false
+restart_count: 3
+logger:
+  level: INFO
+  loggers:
+    uvicorn:
+      level: INFO
+    uvicorn.access:
+      level: INFO
+    uvicorn.error:
+      level: INFO
+    KafkaOutput:
+      level: ERROR
+
+metrics:
+  enabled: true
+  port: 8003
+  uvicorn_config:
+    host: 0.0.0.0
+    access_log: true
+    server_header: false
+    date_header: false
+    workers: 1
+    ws: none
+    interface: asgi3
+    backlog: 16384
+    timeout_keep_alive: 65
+input:
+  httpinput:
+    type: ng_http_input
+    message_backlog_size: 1500000
+    collect_meta: true
+    metafield_name: "@metadata"
+    uvicorn_config:
+      host: 0.0.0.0
+      port: 9000
+      workers: 1
+      access_log: true
+      server_header: false
+      date_header: false
+      ws: none
+      interface: asgi3
+      backlog: 16384
+      timeout_keep_alive: 65
+    endpoints:
+      /auth-json: json
+      /json: json
+      /lab/123/(ABC|DEF)/pl.*: plaintext
+      /lab/123/ABC/auditlog: jsonl
+
+output:
+  kafka:
+    type: ng_confluentkafka_output
+    topic: consumer
+    flush_timeout: 300
+    send_timeout: 0
+    kafka_config:
+      bootstrap.servers: 127.0.0.1:9092
+      compression.type: none
+      statistics.interval.ms: "60000"
+      queue.buffering.max.messages: "100000000"
+      queue.buffering.max.kbytes: "1048576"
+      queue.buffering.max.ms: "10000"
+      batch.size: "1000000"
+      request.required.acks: "-1"
+
+error_output:
+  kafka:
+    type: ng_confluentkafka_output
+    topic: errors
+    flush_timeout: 300
+    send_timeout: 0
+    kafka_config:
+      bootstrap.servers: 127.0.0.1:9092
+      compression.type: none
+      statistics.interval.ms: "60000"
+      queue.buffering.max.messages: "100000000"
+      queue.buffering.max.kbytes: "1048576"
+      queue.buffering.max.ms: "10000"
+      batch.size: "1000000"
+      request.required.acks: "-1"

examples/exampledata/config/ng_pipeline.yml

@@ -0,0 +1,143 @@
+version: 2
+process_count: 500
+timeout: 5.0
+restart_count: 2
+config_refresh_interval: 300
+error_backlog_size: 1500000
+logger:
+  level: INFO
+  format: "%(asctime)-15s %(hostname)-5s %(name)-10s %(levelname)-8s: %(message)s"
+  datefmt: "%Y-%m-%d %H:%M:%S"
+  loggers:
+    "py.warnings": { "level": "ERROR" }
+    "Runner": { "level": "INFO" }
+    "Processor": { "level": "ERROR" }
+    "Exporter": { "level": "ERROR" }
+    "uvicorn": { "level": "ERROR" }
+    "uvicorn.access": { "level": "ERROR" }
+    "OpenSearchOutput": { "level": "DEBUG" }
+    "KafkaOutput": { "level": "ERROR" }
+metrics:
+  enabled: true
+  port: 8001
+
+pipeline:
+  - labelername:
+      type: ng_labeler
+      schema: examples/exampledata/rules/labeler/schema.json
+      include_parent_labels: true
+      rules:
+        - examples/exampledata/rules/labeler/rules
+
+  - dissector:
+      type: ng_dissector
+      rules:
+        - examples/exampledata/rules/dissector/rules
+
+  - dropper:
+      type: ng_dropper
+      rules:
+        - examples/exampledata/rules/dropper/rules
+        - filter: "test_dropper"
+          dropper:
+            drop:
+              - drop_me
+          description: "..."
+
+  - pre_detector:
+      type: ng_pre_detector
+      rules:
+        - examples/exampledata/rules/pre_detector/rules
+      outputs:
+        - opensearch: sre
+      tree_config: examples/exampledata/rules/pre_detector/tree_config.json
+      alert_ip_list_path: examples/exampledata/rules/pre_detector/alert_ips.yml
+
+  - amides:
+      type: ng_amides
+      rules:
+        - examples/exampledata/rules/amides/rules
+      models_path: examples/exampledata/models/model.zip
+      num_rule_attributions: 10
+      max_cache_entries: 1000000
+      decision_threshold: 0.32
+
+  - pseudonymizer:
+      type: ng_pseudonymizer
+      pubkey_analyst: examples/exampledata/rules/pseudonymizer/example_analyst_pub.pem
+      pubkey_depseudo: examples/exampledata/rules/pseudonymizer/example_depseudo_pub.pem
+      regex_mapping: examples/exampledata/rules/pseudonymizer/regex_mapping.yml
+      hash_salt: a_secret_tasty_ingredient
+      outputs:
+        - opensearch: pseudonyms
+      rules:
+        - examples/exampledata/rules/pseudonymizer/rules/
+      max_cached_pseudonyms: 1000000
+
+  - calculator:
+      type: ng_calculator
+      rules:
+        - filter: "test_label: execute"
+          calculator:
+            target_field: "calculation"
+            calc: "1 + 1"
+
+input:
+  kafka:
+    type: ng_confluentkafka_input
+    topic: consumer
+    kafka_config:
+      bootstrap.servers: 127.0.0.1:9092
+      group.id: cgroup3
+      enable.auto.commit: "true"
+      auto.commit.interval.ms: "10000"
+      enable.auto.offset.store: "false"
+      queued.min.messages: "100000"
+      queued.max.messages.kbytes: "65536"
+      statistics.interval.ms: "60000"
+    preprocessing:
+      version_info_target_field: Logprep_version_info
+      log_arrival_time_target_field: event.ingested
+      hmac:
+        target: <RAW_MSG>
+        key: "thisisasecureandrandomkey"
+        output_field: Full_event
+
+output:
+  opensearch:
+    type: ng_opensearch_output
+    hosts:
+      - 127.0.0.1:9200
+    default_index: processed
+    default_op_type: create
+    message_backlog_size: 7000
+    timeout: 10000
+    flush_timeout: 60
+    user: admin
+    secret: admin
+    desired_cluster_status: ["green", "yellow"]
+    chunk_size: 25
+  kafka:
+    type: ng_confluentkafka_output
+    default: false
+    topic: producer
+    flush_timeout: 300
+    kafka_config:
+      bootstrap.servers: 127.0.0.1:9092
+      statistics.interval.ms: "60000"
+
+error_output:
+  kafka_error_output:
+    type: ng_confluentkafka_output
+    topic: errors
+    flush_timeout: 300
+    send_timeout: 0
+    kafka_config:
+      bootstrap.servers: 127.0.0.1:9092
+      compression.type: none
+      statistics.interval.ms: "60000"
+      queue.buffering.max.messages: "10"
+      queue.buffering.max.kbytes: "1024"
+      queue.buffering.max.ms: "1000"
+      batch.size: "100"
+      request.required.acks: "-1"

examples/exampledata/config/pipeline.yml

@@ -5,7 +5,7 @@ restart_count: 2
 config_refresh_interval: 5
 error_backlog_size: 1500000
 logger:
-  level: INFO
+  level: DEBUG
   format: "%(asctime)-15s %(hostname)-5s %(name)-10s %(levelname)-8s: %(message)s"
   datefmt: "%Y-%m-%d %H:%M:%S"
   loggers:

logprep/framework/pipeline.py

@@ -9,7 +9,6 @@
 
 import itertools
 import logging
-import logging.handlers
 import multiprocessing
 
 # pylint: disable=logging-fstring-interpolation

logprep/framework/pipeline_manager.py

@@ -2,9 +2,7 @@
 
 # pylint: disable=logging-fstring-interpolation
 import logging
-import logging.handlers
 import multiprocessing
-import multiprocessing.managers
 import multiprocessing.queues
 import random
 import sys
@@ -288,7 +286,7 @@ def restart_failed_pipeline(self):
 
         if not failed_pipelines:
             self.restart_count = 0
-            self.restart_timeout_ms: int = random.randint(100, 1000)
+            self.restart_timeout_ms = random.randint(100, 1000)
             return
 
         for index, failed_pipeline in failed_pipelines:

logprep/ng/abc/input.py

@@ -5,6 +5,7 @@
 import base64
 import hashlib
 import json
+import logging
 import os
 import zlib
 from abc import abstractmethod
@@ -29,6 +30,8 @@
 from logprep.util.time import UTC, TimeParser, TimeParserException
 from logprep.util.validators import dict_structure_validator
 
+logger = logging.getLogger("Input")
+
 
 class InputError(LogprepException):
     """Base class for Input related exceptions."""
@@ -154,8 +157,13 @@ def __next__(self) -> LogEvent | None:
         LogEvent | None
             The next event retrieved from the underlying data source.
         """
-
-        return self.input_connector.get_next(timeout=self.timeout)
+        event = self.input_connector.get_next(timeout=self.timeout)
+        logger.debug(
+            "InputIterator fetching next event with timeout %s, is None: %s",
+            self.timeout,
+            event is None,
+        )
+        return event
 
 
 class Input(Connector):
@@ -423,9 +431,7 @@ def get_next(self, timeout: float) -> LogEvent | None:
         input : LogEvent, None
             Input log data.
         """
-
         self.acknowledge()
-
         event: dict | None = None
         raw_event: bytearray | None = None
         metadata: dict | None = None

logprep/ng/connector/dummy/input.py

@@ -52,7 +52,6 @@ def _get_event(self, timeout: float) -> tuple:
             if not self._config.repeat_documents:
                 raise SourceDisconnectedWarning(self, "no documents left")
             del self.__dict__["_documents"]
-
         document = self._documents.pop(0)
 
         if (document.__class__ == type) and issubclass(document, Exception):

logprep/ng/connector/dummy/output.py

@@ -17,6 +17,7 @@
         type: dummy_output
 """
 
+import logging
 from typing import TYPE_CHECKING, List
 
 from attr import define, field
@@ -29,6 +30,8 @@
 if TYPE_CHECKING:
     from logprep.abc.connector import Connector  # pragma: no cover
 
+logger = logging.getLogger("DummyOutput")
+
 
 class DummyOutput(Output):
     """
@@ -54,6 +57,8 @@ class Config(Output.Config):
         for testing purposes. If an exception is raised, the exception is handled
         by the output decorator.
         """
+        reset_on_flush: bool = field(default=False)
+        """If set to True, the stored events will be cleared when flush() is called."""
 
     events: list[LogEvent]
     failed_events: list[LogEvent]
@@ -106,3 +111,6 @@ def shut_down(self):
 
     def flush(self):
         """Flush not implemented because it has not backlog."""
+        if self._config.reset_on_flush:
+            self.events.clear()
+        logger.debug("DummyOutput flushed %s events", len(self.events))