µSIEM增强器

Documentation crates.io

一个基本的日志增强组件。

使用方法

// Every enricher is stored behind the `LogEnrichment` trait object so the
// component can run heterogeneous enrichers over the same log.
let mut enrichers: Vec<Box<dyn LogEnrichment>> = Vec::with_capacity(128);
enrichers.push(Box::new(MacEnricher { name: "MacEnricher" }));
// The component borrows the slice of enrichers it will apply to each log.
let mut enricher = LogEnricherComponent::new(&enrichers[..]);

度量

默认启用度量功能。

# HELP enricher_processed_logs Processed logs
# TYPE enricher_processed_logs histogram 
enricher_processed_logs_bucket{name="Enricher1",le=0.000001} 99948
enricher_processed_logs_bucket{name="Enricher1",le=0.0001} 99948
enricher_processed_logs_bucket{name="Enricher1",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher1"} 0.208
enricher_processed_logs_count{name="Enricher1"} 100000
enricher_processed_logs_bucket{name="Enricher2",le=0.000001} 99959
enricher_processed_logs_bucket{name="Enricher2",le=0.0001} 99959
enricher_processed_logs_bucket{name="Enricher2",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher2"} 0.164
enricher_processed_logs_count{name="Enricher2"} 100000
enricher_processed_logs_bucket{name="Enricher3",le=0.000001} 99963
enricher_processed_logs_bucket{name="Enricher3",le=0.0001} 99963
enricher_processed_logs_bucket{name="Enricher3",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher3"} 0.148
enricher_processed_logs_count{name="Enricher3"} 100000
enricher_processed_logs_bucket{name="Enricher4",le=0.000001} 99953
enricher_processed_logs_bucket{name="Enricher4",le=0.0001} 99953
enricher_processed_logs_bucket{name="Enricher4",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher4"} 0.188
enricher_processed_logs_count{name="Enricher4"} 100000
enricher_processed_logs_bucket{name="Enricher5",le=0.000001} 99968
enricher_processed_logs_bucket{name="Enricher5",le=0.0001} 99968
enricher_processed_logs_bucket{name="Enricher5",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher5"} 0.128
enricher_processed_logs_count{name="Enricher5"} 100000
enricher_processed_logs_bucket{le=0.000001} 99725
enricher_processed_logs_bucket{le=0.0001} 99725
enricher_processed_logs_bucket{le=0.01} 100000
enricher_processed_logs_sum{} 1.1
enricher_processed_logs_count{} 100000

增强器示例

使用 LogEnrichment 特性（trait）创建日志增强器：

/// Enricher that attaches a MAC address to every IP field of a log.
#[derive(Clone)]
struct MacEnricher {
    /// Identifier returned by `LogEnrichment::name`.
    pub name: &'static str,
}

impl LogEnrichment for MacEnricher {
    /// Adds a `<field>.mac` text field next to every IP field whose address
    /// has an entry in the `SiemDatasetType::IpMac` dataset.
    ///
    /// The log is returned unchanged when that dataset is absent from
    /// `datasets` or cannot be converted into an `IpMapSynDataset`.
    fn enrich(&self, mut log: SiemLog, datasets: &DatasetHolder) -> SiemLog {
        let mac_dataset: &IpMapSynDataset =
            match datasets.get(&SiemDatasetType::IpMac).map(|dst| dst.try_into()) {
                Some(Ok(dataset)) => dataset,
                // No IpMac dataset loaded, or it is not the expected type: nothing to add.
                Some(Err(_)) | None => return log,
            };

        // Collect the additions first: `fields()` borrows the log immutably,
        // so inserting while iterating over it is not possible.
        let new_fields: Vec<(String, SiemField)> = log
            .fields()
            .into_iter()
            .filter_map(|(name, field)| match field {
                SiemField::IP(ip) => mac_dataset.get(ip).map(|mac| {
                    (format!("{}.mac", field_name(name)), SiemField::Text(mac.clone()))
                }),
                _ => None,
            })
            .collect();

        // NOTE(review): presumably `insert` replaces an already present
        // `<name>.mac` field rather than keeping the old value — confirm
        // against `SiemLog::insert`.
        for (name, mac_field) in new_fields {
            log.insert(LogString::Owned(name), mac_field);
        }
        log
    }

    /// The identifier this enricher was constructed with.
    fn name(&self) -> &'static str {
        self.name
    }

    /// Static one-line summary of what the enricher does.
    fn description(&self) -> &'static str {
        "Adds a Mac to each IP field"
    }
}
