From 920c3a1e17166e0f4996a33cff94531fcdd47cbd Mon Sep 17 00:00:00 2001 From: Sam Arnold Date: Mon, 18 Oct 2021 07:53:05 -0400 Subject: [PATCH 1/4] feat: more fields for papertrail event webhook Note that the count-based version is unchanged and should be used instead of event-based if the previous behaviour is desired. --- plugins/inputs/webhooks/papertrail/README.md | 22 +++++++++++--- .../webhooks/papertrail/papertrail_test.go | 30 +++++++++++++++++-- .../papertrail/papertrail_webhooks.go | 13 +++++++- 3 files changed, 57 insertions(+), 8 deletions(-) diff --git a/plugins/inputs/webhooks/papertrail/README.md b/plugins/inputs/webhooks/papertrail/README.md index a3463dcaa6f8b..5853d65fda969 100644 --- a/plugins/inputs/webhooks/papertrail/README.md +++ b/plugins/inputs/webhooks/papertrail/README.md @@ -14,6 +14,23 @@ Events from Papertrail come in two forms: * Each point has a field counter (`count`), which is set to `1` (signifying the event occurred) * Each event "hostname" object is converted to a `host` tag * The "saved_search" name in the payload is added as an `event` tag + * The "saved_search" id in the payload is addes a a `search_id` field + * The papertrail url to view the event is built and added as the `url` field + * The rest of the data in the event is converted directly to fields on the point: + * `id` + * `source_ip` + * `source_name` + * `source_id` + * `program` + * `severity` + * `facility` + * `message` + +When an event is received, a count-based point will look similar to: + +``` +papertrail,host=myserver.example.com,event=saved_search_name count=1i,source_name="abc",program="CROND",severity="Info",source_id=2i,message="message body",source_ip="208.75.57.121",id=7711561783320576i,facility="Cron",url="https://papertrailapp.com/searches/42?centered_on_id=7711561783320576",search_id=42i 1453248892000000000 +``` * The [count-based callback](http://help.papertrailapp.com/kb/how-it-works/web-hooks/#count-only-webhooks) 
@@ -22,10 +39,7 @@ Events from Papertrail come in two forms: * Each count "source_name" object is converted to a `host` tag * The "saved_search" name in the payload is added as an `event` tag -The current functionality is very basic, however this allows you to -track the number of events by host and saved search. - -When an event is received, any point will look similar to: +When an event is received, a count-based point will look similar to: ``` papertrail,host=myserver.example.com,event=saved_search_name count=3i 1453248892000000000 diff --git a/plugins/inputs/webhooks/papertrail/papertrail_test.go b/plugins/inputs/webhooks/papertrail/papertrail_test.go index 14b8aec895c98..18d6db98b3746 100644 --- a/plugins/inputs/webhooks/papertrail/papertrail_test.go +++ b/plugins/inputs/webhooks/papertrail/papertrail_test.go @@ -67,8 +67,32 @@ func TestEventPayload(t *testing.T) { resp := post(pt, contentType, form.Encode()) require.Equal(t, http.StatusOK, resp.Code) - fields := map[string]interface{}{ + fields1 := map[string]interface{}{ "count": uint64(1), + "id": int64(7711561783320576), + "source_ip": "208.75.57.121", + "source_name": "abc", + "source_id": int64(2), + "program": "CROND", + "severity": "Info", + "facility": "Cron", + "message": "message body", + "url": "https://papertrailapp.com/searches/42?centered_on_id=7711561783320576", + "search_id": int64(42), + } + + fields2 := map[string]interface{}{ + "count": uint64(1), + "id": int64(7711562567655424), + "source_ip": "208.75.57.120", + "source_name": "server1", + "source_id": int64(19), + "program": "CROND", + "severity": "Info", + "facility": "Cron", + "message": "A short event", + "url": "https://papertrailapp.com/searches/42?centered_on_id=7711562567655424", + "search_id": int64(42), } tags1 := map[string]string{ 
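Review bot: TestEventPayload only pins the well-formed payload, so nothing exercises how the new request-derived fields behave on hostile or incomplete input. The expected `url` values in `fields1` and `fields2` assume the saved-search URL is present, absolute and free of a query string. A second case that posts a payload with an empty or non-https search URL would pin down what the handler is meant to emit for it. The test function starts before this hunk and continues in the next one.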
@@ -80,8 +104,8 @@ func TestEventPayload(t *testing.T) { "host": "def", } - acc.AssertContainsTaggedFields(t, "papertrail", fields, tags1) - acc.AssertContainsTaggedFields(t, "papertrail", fields, tags2) + acc.AssertContainsTaggedFields(t, "papertrail", fields1, tags1) + acc.AssertContainsTaggedFields(t, "papertrail", fields2, tags2) } func TestCountPayload(t *testing.T) { diff --git a/plugins/inputs/webhooks/papertrail/papertrail_webhooks.go b/plugins/inputs/webhooks/papertrail/papertrail_webhooks.go index 7f11e31e79a11..5aa8ecaf83fc2 100644 --- a/plugins/inputs/webhooks/papertrail/papertrail_webhooks.go +++ b/plugins/inputs/webhooks/papertrail/papertrail_webhooks.go @@ -2,6 +2,7 @@ package papertrail import ( "encoding/json" + "fmt" "log" "net/http" "time" @@ -49,7 +50,17 @@ func (pt *PapertrailWebhook) eventHandler(w http.ResponseWriter, r *http.Request "event": payload.SavedSearch.Name, } fields := map[string]interface{}{ - "count": uint64(1), + "count": uint64(1), + "id": e.ID, + "source_ip": e.SourceIP, + "source_name": e.SourceName, + "source_id": int64(e.SourceID), + "program": e.Program, + "severity": e.Severity, + "facility": e.Facility, + "message": e.Message, + "url": fmt.Sprintf("%s?centered_on_id=%d", payload.SavedSearch.SearchURL, e.ID), + "search_id": payload.SavedSearch.ID, } pt.acc.AddFields("papertrail", fields, tags, e.ReceivedAt) } From 07ce93bf24c1b576a7468518daa1023f07ad05c0 Mon Sep 17 00:00:00 2001 From: Sam Arnold Date: Mon, 18 Oct 2021 08:18:50 -0400 Subject: [PATCH 2/4] chore: formatting fix --- .../webhooks/papertrail/papertrail_test.go | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/plugins/inputs/webhooks/papertrail/papertrail_test.go b/plugins/inputs/webhooks/papertrail/papertrail_test.go index 18d6db98b3746..6cba6730c9486 100644 --- a/plugins/inputs/webhooks/papertrail/papertrail_test.go +++ b/plugins/inputs/webhooks/papertrail/papertrail_test.go 
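Review bot: In eventHandler the new `url` field is built with `fmt.Sprintf("%s?centered_on_id=%d", payload.SavedSearch.SearchURL, e.ID)`, so a search URL taken from the request body is stored unchecked, and any dashboard or alert that later renders the field as a link inherits whatever scheme and host the sender supplied. Whether the webhook endpoint authenticates callers is not visible in this hunk, so the payload should be treated as untrusted here. I would parse the value with `net/url` (which needs adding to the import block), keep it only when it is an absolute `https` URL, and set `centered_on_id` through the query values, which also avoids a second `?` when the search URL already carries a query string. The `message`, `program` and `source_*` fields likewise copy request-supplied log content into the metrics store with no size limit, which deserves a README caveat about sensitive log data. The function starts and ends outside the hunk.

```go
// … unchanged: tags map built from e.Hostname and payload.SavedSearch.Name …
eventURL := "" // left empty when the supplied search URL is not an absolute https URL
if u, err := url.Parse(payload.SavedSearch.SearchURL); err == nil && u.Scheme == "https" && u.Host != "" {
	q := u.Query()
	q.Set("centered_on_id", fmt.Sprint(e.ID))
	u.RawQuery = q.Encode()
	eventURL = u.String()
}
fields := map[string]interface{}{
	// … unchanged: count, id, source_ip, source_name, source_id, program, severity, facility, message …
	"url":       eventURL,
	"search_id": payload.SavedSearch.ID,
}
```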
@@ -68,31 +68,31 @@ func TestEventPayload(t *testing.T) { require.Equal(t, http.StatusOK, resp.Code) fields1 := map[string]interface{}{ - "count": uint64(1), - "id": int64(7711561783320576), - "source_ip": "208.75.57.121", + "count": uint64(1), + "id": int64(7711561783320576), + "source_ip": "208.75.57.121", "source_name": "abc", - "source_id": int64(2), - "program": "CROND", - "severity": "Info", - "facility": "Cron", - "message": "message body", - "url": "https://papertrailapp.com/searches/42?centered_on_id=7711561783320576", - "search_id": int64(42), + "source_id": int64(2), + "program": "CROND", + "severity": "Info", + "facility": "Cron", + "message": "message body", + "url": "https://papertrailapp.com/searches/42?centered_on_id=7711561783320576", + "search_id": int64(42), } fields2 := map[string]interface{}{ - "count": uint64(1), - "id": int64(7711562567655424), - "source_ip": "208.75.57.120", + "count": uint64(1), + "id": int64(7711562567655424), + "source_ip": "208.75.57.120", "source_name": "server1", - "source_id": int64(19), - "program": "CROND", - "severity": "Info", - "facility": "Cron", - "message": "A short event", - "url": "https://papertrailapp.com/searches/42?centered_on_id=7711562567655424", - "search_id": int64(42), + "source_id": int64(19), + "program": "CROND", + "severity": "Info", + "facility": "Cron", + "message": "A short event", + "url": "https://papertrailapp.com/searches/42?centered_on_id=7711562567655424", + "search_id": int64(42), } tags1 := map[string]string{ From 7a33e9097e983c505e4fbde62351883911a9c79f Mon Sep 17 00:00:00 2001 From: Sam Arnold Date: Mon, 18 Oct 2021 08:44:55 -0400 Subject: [PATCH 3/4] chore: fix typo in README --- plugins/inputs/webhooks/papertrail/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/inputs/webhooks/papertrail/README.md b/plugins/inputs/webhooks/papertrail/README.md index 5853d65fda969..62ad55e6ac520 100644 --- a/plugins/inputs/webhooks/papertrail/README.md 
+++ b/plugins/inputs/webhooks/papertrail/README.md @@ -14,8 +14,8 @@ Events from Papertrail come in two forms: * Each point has a field counter (`count`), which is set to `1` (signifying the event occurred) * Each event "hostname" object is converted to a `host` tag * The "saved_search" name in the payload is added as an `event` tag - * The "saved_search" id in the payload is addes a a `search_id` field - * The papertrail url to view the event is built and added as the `url` field + * The "saved_search" id in the payload is added as a `search_id` field + * The papertrail url to view the event is built and added as a `url` field * The rest of the data in the event is converted directly to fields on the point: * `id` * `source_ip` From ba98b6731fd1ad644860991b2dd19cff1d3e2621 Mon Sep 17 00:00:00 2001 From: Sam Arnold Date: Mon, 18 Oct 2021 08:58:50 -0400 Subject: [PATCH 4/4] chore: reword the README --- plugins/inputs/webhooks/papertrail/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/inputs/webhooks/papertrail/README.md b/plugins/inputs/webhooks/papertrail/README.md index 62ad55e6ac520..3f9c33ec5320c 100644 --- a/plugins/inputs/webhooks/papertrail/README.md +++ b/plugins/inputs/webhooks/papertrail/README.md @@ -26,7 +26,7 @@ Events from Papertrail come in two forms: * `facility` * `message` -When an event is received, a count-based point will look similar to: +When a callback is received, an event-based point will look similar to: ``` papertrail,host=myserver.example.com,event=saved_search_name count=1i,source_name="abc",program="CROND",severity="Info",source_id=2i,message="message body",source_ip="208.75.57.121",id=7711561783320576i,facility="Cron",url="https://papertrailapp.com/searches/42?centered_on_id=7711561783320576",search_id=42i 1453248892000000000 
@@ -39,7 +39,7 @@ papertrail,host=myserver.example.com,event=saved_search_name count=1i,source_nam * Each count "source_name" object is converted to a `host` tag * The "saved_search" name in the payload is added as an `event` tag -When an event is received, a count-based point will look similar to: +When a callback is received, a count-based point will look similar to: ``` papertrail,host=myserver.example.com,event=saved_search_name count=3i 1453248892000000000