
Unify Sync #578

Merged
merged 7 commits into from
Jul 8, 2024

Conversation

coreyogburn (Contributor):

Refactor sync to eliminate duplicate code and processes shared between the engines. The timing of when syncs happen is all managed the same way and has been simplified with the new SyncScheduler. This also introduces syncIds to the log statements so every individual sync can have its logs correlated. Logging between the engines has also been made more consistent.

Rough pass on the SyncScheduler, it handles all the timing of when a sync happens. Only ElastAlert is using it at this time.

Updated existing tests with consistent variable naming, added forgotten calls to ctrl.Finish, and to reflect changes to ElastAlertEngine's struct.

Added missing copyright comments to a few files.
SyncScheduler now builds the logger for the sync process ensuring that every sync has an Id and the engine name. The scheduler now also times the duration of syncs (including the trailing integrity check).

Refactored Strelka to use the SyncScheduler.

Added logging to elastalert that mirrors strelka and vice versa. Now both engines log every rule they process and report added/updated/unchanged/deleted.
Removed IOManager from SyncSchedulerParams and put it back on each engine directly. Updated references.

Unified Suricata.

All tests currently pass.

Todo: Test Sync
@coreyogburn coreyogburn force-pushed the cogburn/unify-sync branch 4 times, most recently from 659e3d0 to a1742c8 on July 1, 2024 22:03
Test coverage went from 56.5% to 76.2% for the elastalert package.
@coreyogburn coreyogburn force-pushed the cogburn/unify-sync branch from a1742c8 to 731f97d on July 1, 2024 22:08
Test coverage went from 59.0% to 78.8%
@coreyogburn coreyogburn force-pushed the cogburn/unify-sync branch from d7fb725 to 96bc476 on July 2, 2024 16:36
Test coverage went from 73.7% to 78.1%

Updated an elastalert test to better test sigmaToElastAlert with overrides.

Updated a strelka test to use forcesync.
IntegrityCheck now supports adaptive logging. If a logger is passed in the logger gets a new field (intCheckId) and is used. If a nil logger is passed in a new one is built with default fields. This allows IntegrityChecks after a Sync to have the syncId AND an intCheckId.

The IntegrityCheck report log has been condensed. The two lists of IDs enabledButNotDeployed and deployedButNotEnabled are now reported on the same log line as the pass/fail text. Failures are logged as warnings now.
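The scheduler-built logger and the adaptive IntegrityCheck described above, as an added example in Go (not code from the project or from this PR): the scheduler attaches the engine name and a syncId once, IntegrityCheck adds an intCheckId to whatever logger it is handed (or builds a default one when passed nil), and reports both ID lists on the same line as the pass/fail text, at warn level on failure. The type and function names, the id counter and the sample rule ids are assumptions made for this example.

```go
package main

import ("fmt"; "log/slog"; "sort")

type IntegrityResult struct { // what the condensed report line carries (names assumed)
	EnabledButNotDeployed, DeployedButNotEnabled []string
	Passed                                       bool
}

var seq int // stand-in for however the real scheduler mints unique ids
func newID(prefix string) string { seq++; return fmt.Sprintf("%s-%d", prefix, seq) }

// syncLogger is built once per sync, so every line logged during it carries engine and syncId.
func syncLogger(engine string) *slog.Logger {
	return slog.Default().With("engine", engine, "syncId", newID("sync"))
}

// missing returns the sorted ids present in a but absent from b.
func missing(a, b map[string]bool) []string {
	var out []string
	for id := range a {
		if !b[id] {
			out = append(out, id)
		}
	}
	sort.Strings(out) // map order is random; sort for stable log output
	return out
}

// IntegrityCheck diffs enabled vs deployed rule ids and logs one report line (warn on failure).
// A nil logger gets a default; a passed one is reused with an extra intCheckId so the line also correlates with the sync.
func IntegrityCheck(logger *slog.Logger, enabled, deployed map[string]bool) IntegrityResult {
	if logger == nil {
		logger = slog.Default()
	}
	logger = logger.With("intCheckId", newID("intcheck"))
	res := IntegrityResult{EnabledButNotDeployed: missing(enabled, deployed), DeployedButNotEnabled: missing(deployed, enabled)}
	res.Passed = len(res.EnabledButNotDeployed)+len(res.DeployedButNotEnabled) == 0
	attrs := []any{"enabledButNotDeployed", res.EnabledButNotDeployed, "deployedButNotEnabled", res.DeployedButNotEnabled}
	if res.Passed {
		logger.Info("integrity check passed", attrs...)
	} else {
		logger.Warn("integrity check failed", attrs...)
	}
	return res
}

func main() { // constructed sample: rule-a is enabled but not deployed, rule-c the reverse
	IntegrityCheck(syncLogger("elastalert"), map[string]bool{"rule-a": true, "rule-b": true}, map[string]bool{"rule-b": true, "rule-c": true})
}
```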
@coreyogburn coreyogburn changed the title from "WIP: Unify Sync" to "Unify Sync" on Jul 2, 2024
@coreyogburn coreyogburn merged commit 03a53cf into 2.4/dev Jul 8, 2024
3 checks passed
@coreyogburn coreyogburn deleted the cogburn/unify-sync branch July 8, 2024 14:58
@github-actions github-actions bot locked and limited conversation to collaborators Jul 8, 2024