Submit changes for GRD-90283.

Handling _grokparsefailure and MYSQL Error code. Signed-off-by: Piyush Desai <[email protected]>
IBM · Nov 27, 2024 · aac025b · aac025b
1 parent d4bfa35
commit aac025b
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 5 deletions.
diff --git a/filter-plugin/logstash-filter-aurora-mysql-guardium/Aurora-Mysql-offlinePlugin.zip b/filter-plugin/logstash-filter-aurora-mysql-guardium/Aurora-Mysql-offlinePlugin.zip
diff --git a/...-guardium/src/main/java/com/ibm/guardium/auroramysql/AuroraMysqlGuardiumPluginFilter.java b/...-guardium/src/main/java/com/ibm/guardium/auroramysql/AuroraMysqlGuardiumPluginFilter.java
@@ -52,9 +52,14 @@ public Collection<Event> filter(Collection<Event> events, FilterMatchListener ma
 			if(logger.isDebugEnabled()){
 				logger.debug("Event now {}:",e.getData());
 			}
-			if (e.getField("message") instanceof String && e.getField("message") != null) {
-				JsonObject data = new JsonObject();
-				data = inputData(e);
+
+			if(isGrokParseFailure(e) || checkSQLErrorCode(e)) {
+				addFailureLogging(e);
+				continue;
+			}
+
+			if (e.getField(Constants.MESSAGE) != null && e.getField(Constants.MESSAGE) instanceof String) {
+				JsonObject data = inputData(e);
 				try {
 					Record record = Parser.parseRecord(data);
 					final GsonBuilder builder = new GsonBuilder();
@@ -69,14 +74,37 @@ public Collection<Event> filter(Collection<Event> events, FilterMatchListener ma
 				}
 
 			} else {
-				logger.error("AWS_AURORA_MYSQL filter: Event has been skipped: " + e.getField("message"));
-				e.tag("_guardium_skip_not_AWS_AURORA_MYSQ");
+				addFailureLogging(e);
 			}
 		}
 
 		return events;
 	}
 
+	private static void addFailureLogging(Event e) {
+		logger.error("AWS_AURORA_MYSQL filter: Event has been skipped: " + e.getField("message"));
+		e.tag("_guardium_skip_not_AWS_AURORA_MYSQ");
+	}
+
+	private static boolean checkSQLErrorCode(Event e) {
+		if (null != e.getField(Constants.MESSAGE) && e.getField(Constants.MESSAGE) instanceof String
+				&&  !((String) e.getField(Constants.MESSAGE)).isEmpty()
+				&& ((String) e.getField(Constants.MESSAGE)).contains(Constants.SQL_ERROR_CODE_MY_010914)){
+			logger.debug("checkSQLErrorCode check for SQL error code[MY-010914] in message : {} ", e.getField(Constants.MESSAGE));
+			return true;
+		}
+		return false;
+	}
+
+	private static boolean isGrokParseFailure(Event e) {
+		if(null != e && e.includes(Constants.TAGS)){
+			ArrayList<String> tags = (ArrayList<String>) e.getField(Constants.TAGS);
+			logger.debug("tags check for _grokparsefailure : {} ", tags);
+			return tags.contains(Constants.GROK_PARSE_FAILURE);
+		}
+		return false;
+	}
+
 	private JsonObject inputData(Event e) {
 
 		JsonObject data = new JsonObject();

diff --git a/...sh-filter-aurora-mysql-guardium/src/main/java/com/ibm/guardium/auroramysql/Constants.java b/...sh-filter-aurora-mysql-guardium/src/main/java/com/ibm/guardium/auroramysql/Constants.java
@@ -23,4 +23,8 @@ public interface Constants {
 	public static final String SERVERHOSTNAME = "Server_Hostname";
 	public static final String LOGIN_FAILED = "LOGIN_FAILED";
 	public static final String SQL_ERROR = "SQL_ERROR";
+	public static final String TAGS = "tags";
+	public static final String GROK_PARSE_FAILURE = "_grokparsefailure";
+	public static final String MESSAGE = "message";
+	public static final String SQL_ERROR_CODE_MY_010914 = "MY-010914";
 }
diff --git a/...rdium/src/test/java/com/ibm/guardium/auroramysql/AuroraMysqlGuardiumPluginFilterTest.java b/...rdium/src/test/java/com/ibm/guardium/auroramysql/AuroraMysqlGuardiumPluginFilterTest.java
@@ -13,6 +13,8 @@
 import org.junit.Assert;
 import org.junit.Test;
 import org.logstash.plugins.ContextImpl;
+
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.concurrent.atomic.AtomicInteger;
@@ -60,6 +62,43 @@ public void testFieldGuardRecord_aurora_mysql() {
 		Assert.assertNotNull(e.getField(GuardConstants.GUARDIUM_RECORD_FIELD_NAME));
 		Assert.assertEquals(1, matchListener.getMatchCount());
 	}
+
+	/**
+	 * To check Message contains SQL Error code or if there is any "_grokparsefailure" present in tags
+	 **/
+	@Test
+	public void testSQLError_aurora_mysql() {
+
+		final String message = "2024-11-15T15:36:05.640887Z 3486 [Note] [MY-010914] [Server] Got packets out of order";
+
+		Context context = new ContextImpl(null, null);
+		AuroraMysqlGuardiumPluginFilter filter = new AuroraMysqlGuardiumPluginFilter("test-id", null, context);
+
+		Event e = new org.logstash.Event();
+		TestMatchListener matchListener = new TestMatchListener();
+
+		ArrayList<String> tags = new ArrayList<String>();
+		tags.add(Constants.GROK_PARSE_FAILURE);
+
+		e.setField(Constants.MESSAGE, message);
+		e.setField(Constants.TAGS, tags);
+		e.setField(Constants.TIMESTAMP, "1636962255474405");
+		e.setField(Constants.CLIENT_IP, "192.168.56.1");
+		e.setField(Constants.SESSION_ID, "1234");
+		e.setField(Constants.ACTION_STATUS, "0");
+		e.setField(Constants.EXEC_STATEMENT, "'SELECT CONVERT(DATE_FORMAT(joining_date,\\\"%Y-%m-%d-%H:%i:00\\\"),DATETIME) FROM Employee LIMIT 0, 1000'");
+		e.setField(Constants.DB_NAME, "music");
+		e.setField(Constants.SERVER_INSTANCE, "testauroracluster-instance-1");
+		e.setField(Constants.DB_USER, "admin");
+		e.setField(Constants.AUDIT_ACTION, "FAILED_CONNECT");
+		e.setField(Constants.SERVERHOSTNAME, "serverHostName");
+
+		Collection<Event> results = filter.filter(Collections.singletonList(e), matchListener);
+
+		Assert.assertEquals(1, results.size());
+		Assert.assertNull(e.getField(GuardConstants.GUARDIUM_RECORD_FIELD_NAME));
+
+	}
 }
 
 class TestMatchListener implements FilterMatchListener {