[Backport 2.4] fixed GetFindings not searching all indices; fixed proper deletion of… #136

Merged
merged 1 commit into from
Nov 9, 2022
Expand Up @@ -82,7 +82,7 @@ public void onResponse(GetDetectorResponse getDetectorResponse) {
AlertsService.this.getAlertsByMonitorIds(
monitorToDetectorMapping,
monitorIds,
DetectorMonitorConfig.getAlertsIndex(detector.getDetectorType()),
DetectorMonitorConfig.getAllAlertsIndicesPattern(detector.getDetectorType()),
table,
severityLevel,
alertState,
Expand Down Expand Up @@ -193,7 +193,7 @@ public void getAlerts(
AlertsService.this.getAlertsByMonitorIds(
monitorToDetectorMapping,
allMonitorIds,
DetectorMonitorConfig.getAlertsIndex(detectorType.getDetectorType()),
DetectorMonitorConfig.getAllAlertsIndicesPattern(detectorType.getDetectorType()),
table,
severityLevel,
alertState,
Expand Up @@ -4,8 +4,8 @@
*/
package org.opensearch.securityanalytics.config.monitors;

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.opensearch.securityanalytics.model.Detector;

import java.util.Arrays;
Expand All @@ -18,9 +18,11 @@ public class DetectorMonitorConfig {

public static final String OPENSEARCH_DEFAULT_RULE_INDEX = ".opensearch-sap-detectors-queries-default";
public static final String OPENSEARCH_DEFAULT_ALERT_INDEX = ".opensearch-sap-alerts-default";
public static final String OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN = ".opensearch-sap-alerts-default*";
public static final String OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX = ".opensearch-sap-alerts-history-default";
public static final String OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX_PATTERN = "<.opensearch-sap-alerts-history-default-{now/d}-1>";
public static final String OPENSEARCH_DEFAULT_FINDINGS_INDEX = ".opensearch-sap-findings-default";
public static final String OPENSEARCH_DEFAULT_ALL_FINDINGS_INDICES_PATTERN = ".opensearch-sap-findings-default*";
public static final String OPENSEARCH_DEFAULT_FINDINGS_INDEX_PATTERN = "<.opensearch-sap-findings-default-{now/d}-1>";

private static Map<String, MonitorConfig> detectorTypeToIndicesMapping;
Expand All @@ -41,10 +43,16 @@ public class DetectorMonitorConfig {
Locale.getDefault(), ".opensearch-sap-%s-alerts*", detectorType.getDetectorType());
String findingsIndex = String.format(
Locale.getDefault(), ".opensearch-sap-%s-findings", detectorType.getDetectorType());
String allFindingsIndicesPattern = String.format(
Locale.getDefault(), ".opensearch-sap-%s-findings*", detectorType.getDetectorType());
String findingsIndexPattern = String.format(
Locale.getDefault(), "<.opensearch-sap-%s-findings-{now/d}-1>", detectorType.getDetectorType());

MonitorConfig monitor = new MonitorConfig(alertsIndex, alertsHistoryIndex, alertsHistoryIndexPattern, allAlertsIndicesPattern, findingsIndex, findingsIndexPattern, ruleIndex);
MonitorConfig monitor = new MonitorConfig(
alertsIndex, alertsHistoryIndex, alertsHistoryIndexPattern, allAlertsIndicesPattern,
findingsIndex, findingsIndexPattern, allFindingsIndicesPattern,
ruleIndex
);
detectorTypeToIndicesMapping.put(detectorType.getDetectorType(), monitor);
});
}
Expand Down Expand Up @@ -76,7 +84,14 @@ public static String getAlertsHistoryIndexPattern(String detectorType) {
public static String getAllAlertsIndicesPattern(String detectorType) {
return detectorTypeToIndicesMapping.containsKey(detectorType) ?
detectorTypeToIndicesMapping.get(detectorType).getAllAlertsIndicesPattern() :
"*";
OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN;
}

public static List<String> getAllAlertsIndicesPatternForAllTypes() {
return detectorTypeToIndicesMapping.entrySet()
.stream()
.map(e -> e.getValue().getAllAlertsIndicesPattern())
.collect(Collectors.toList());
}

public static String getFindingsIndex(String detectorType) {
Expand All @@ -85,6 +100,19 @@ public static String getFindingsIndex(String detectorType) {
OPENSEARCH_DEFAULT_FINDINGS_INDEX;
}

public static String getAllFindingsIndicesPattern(String detectorType) {
return detectorTypeToIndicesMapping.containsKey(detectorType) ?
detectorTypeToIndicesMapping.get(detectorType).getAllFindingsIndicesPattern() :
OPENSEARCH_DEFAULT_ALL_FINDINGS_INDICES_PATTERN;
}

public static List<String> getAllFindingsIndicesPatternForAllTypes() {
return detectorTypeToIndicesMapping.entrySet()
.stream()
.map(e -> e.getValue().getAllFindingsIndicesPattern())
.collect(Collectors.toList());
}

public static String getFindingsIndexPattern(String detectorType) {
return detectorTypeToIndicesMapping.containsKey(detectorType) ?
detectorTypeToIndicesMapping.get(detectorType).getFindingsIndexPattern() :
Expand All @@ -106,6 +134,7 @@ public static class MonitorConfig {
private final String allAlertsIndicesPattern;
private final String findingIndex;
private final String findingsIndexPattern;
private final String allFindingsIndicesPattern;
private final String ruleIndex;

private MonitorConfig(
Expand All @@ -115,6 +144,7 @@ private MonitorConfig(
String allAlertsIndicesPattern,
String findingsIndex,
String findingsIndexPattern,
String allFindingsIndicesPattern,
String ruleIndex
) {
this.alertsIndex = alertsIndex;
Expand All @@ -123,6 +153,7 @@ private MonitorConfig(
this.allAlertsIndicesPattern = allAlertsIndicesPattern;
this.findingIndex = findingsIndex;
this.findingsIndexPattern = findingsIndexPattern;
this.allFindingsIndicesPattern = allFindingsIndicesPattern;
this.ruleIndex = ruleIndex;
}

Expand Down Expand Up @@ -150,6 +181,10 @@ public String getFindingsIndexPattern() {
return findingsIndexPattern;
}

public String getAllFindingsIndicesPattern() {
return allFindingsIndicesPattern;
}

public String getRuleIndex() {
return ruleIndex;
}
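Review bot: `getAllAlertsIndicesPatternForAllTypes()` (hunk at -76,7 +84,14) returns only the per-type `.opensearch-sap-%s-alerts*` patterns and never the default-type constants, and the new fallback `OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN` (`.opensearch-sap-alerts-default*`) is not a prefix of the names produced by `OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX_PATTERN` (`.opensearch-sap-alerts-history-default-…`), so default alert history indices are covered by neither, whereas the `.opensearch-sap-alerts-history-*` literal this PR removes from DetectorIndexManagementService did match them. If default-type indices are actually created (not visible here), both retention cleanup and the fallback path of `getAllAlertsIndicesPattern` now silently skip history alerts, which deserves a targeted test; the findings side is consistent because `.opensearch-sap-findings-default*` does prefix `<.opensearch-sap-findings-default-{now/d}-1>`. A minimal fix in the alerts method is to collect into a mutable list, `.collect(Collectors.toCollection(ArrayList::new));`, then `patterns.add(OPENSEARCH_DEFAULT_ALL_ALERT_INDICES_PATTERN); patterns.add(OPENSEARCH_DEFAULT_ALERT_HISTORY_INDEX + "*");` before returning, with the same treatment for the findings method. The two `...ForAllTypes()` methods also lack Javadoc stating that the result is a set of index-name wildcards later used for deletion, which is worth spelling out given the blast radius of that caller.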
Expand Up @@ -91,7 +91,7 @@ public void onFailure(Exception e) {
FindingsService.this.getFindingsByMonitorIds(
monitorToDetectorMapping,
monitorIds,
DetectorMonitorConfig.getFindingsIndex(detector.getDetectorType()),
DetectorMonitorConfig.getAllFindingsIndicesPattern(detector.getDetectorType()),
table,
getFindingsResponseListener
);
Expand Down Expand Up @@ -183,7 +183,7 @@ public void getFindings(
FindingsService.this.getFindingsByMonitorIds(
monitorToDetectorMapping,
allMonitorIds,
DetectorMonitorConfig.getFindingsIndex(detectorType.getDetectorType()),
DetectorMonitorConfig.getAllFindingsIndicesPattern(detectorType.getDetectorType()),
table,
new ActionListener<>() {
@Override
Expand Up @@ -55,9 +55,6 @@ public class DetectorIndexManagementService extends AbstractLifecycleComponent i

private Logger logger = LogManager.getLogger(DetectorIndexManagementService.class);

private static final String ALERT_HISTORY_ALL = ".opensearch-sap-alerts-history-*";
private static final String FINDING_HISTORY_ALL = ".opensearch-sap-findings-*";

private final Client client;
private final ThreadPool threadPool;
private final ClusterService clusterService;
Expand Down Expand Up @@ -235,7 +232,7 @@ private String executorName() {
return ThreadPool.Names.MANAGEMENT;
}

private void deleteOldIndices(String tag, String indices) {
private void deleteOldIndices(String tag, String... indices) {
logger.error("info deleteOldIndices");
ClusterStateRequest clusterStateRequest = new ClusterStateRequest()
.clear()
Expand All @@ -250,7 +247,7 @@ private void deleteOldIndices(String tag, String indices) {
public void onResponse(ClusterStateResponse clusterStateResponse) {
if (!clusterStateResponse.getState().metadata().getIndices().isEmpty()) {
List<String> indicesToDelete = getIndicesToDelete(clusterStateResponse);
logger.info("Deleting old " + tag + " indices viz $indicesToDelete");
logger.info("Checking if we should delete " + tag + " indices: [" + indicesToDelete + "]");
deleteAllOldHistoryIndices(indicesToDelete);
} else {
logger.info("No Old " + tag + " Indices to delete");
Expand All @@ -269,12 +266,14 @@ private List<String> getIndicesToDelete(ClusterStateResponse clusterStateRespons
List<String> indicesToDelete = new ArrayList<>();
for (ObjectCursor<IndexMetadata> in : clusterStateResponse.getState().metadata().indices().values()) {
IndexMetadata indexMetaData = in.value;
indicesToDelete.add(
getHistoryIndexToDelete(indexMetaData, alertHistoryRetentionPeriod.millis(), alertHistoryIndices, alertHistoryEnabled)
);
indicesToDelete.add(
getHistoryIndexToDelete(indexMetaData, findingHistoryRetentionPeriod.millis(), findingHistoryIndices, findingHistoryEnabled)
);
String indexToDelete = getHistoryIndexToDelete(indexMetaData, alertHistoryRetentionPeriod.millis(), alertHistoryIndices, alertHistoryEnabled);
if (indexToDelete != null) {
indicesToDelete.add(indexToDelete);
}
indexToDelete = getHistoryIndexToDelete(indexMetaData, findingHistoryRetentionPeriod.millis(), findingHistoryIndices, findingHistoryEnabled);
if (indexToDelete != null) {
indicesToDelete.add(indexToDelete);
}
}
return indicesToDelete;
}
Expand Down Expand Up @@ -319,15 +318,17 @@ private void deleteAllOldHistoryIndices(List<String> indicesToDelete) {
public void onResponse(AcknowledgedResponse deleteIndicesResponse) {
if (!deleteIndicesResponse.isAcknowledged()) {
logger.error(
"Could not delete one or more Alerting/Finding history indices: $indicesToDelete. Retrying one by one."
"Could not delete one or more Alerting/Finding history indices: [" + indicesToDelete + "]. Retrying one by one."
);
deleteOldHistoryIndex(indicesToDelete);
} else {
logger.info("Succsessfuly deleted indices: [" + indicesToDelete + "]");
}
}

@Override
public void onFailure(Exception e) {
logger.error("Delete for Alerting/Finding History Indices $indicesToDelete Failed. Retrying one By one.");
logger.error("Delete for Alerting/Finding History Indices failed: [" + indicesToDelete + "]. Retrying one By one.");
deleteOldHistoryIndex(indicesToDelete);
}
}
Expand All @@ -351,7 +352,7 @@ public void onResponse(AcknowledgedResponse acknowledgedResponse) {

@Override
public void onFailure(Exception e) {
logger.debug("Exception ${e.message} while deleting the index " + index);
logger.debug("Exception: [" + e.getMessage() + "] while deleting the index " + index);
}
}
);
Expand All @@ -360,12 +361,12 @@ public void onFailure(Exception e) {

private void rolloverAndDeleteAlertHistoryIndices() {
if (alertHistoryEnabled) rolloverAlertHistoryIndices();
deleteOldIndices("History", ALERT_HISTORY_ALL);
deleteOldIndices("Alert", DetectorMonitorConfig.getAllAlertsIndicesPatternForAllTypes().toArray(new String[0]));
}

private void rolloverAndDeleteFindingHistoryIndices() {
if (findingHistoryEnabled) rolloverFindingHistoryIndices();
deleteOldIndices("Finding", FINDING_HISTORY_ALL);
deleteOldIndices("Finding", DetectorMonitorConfig.getAllFindingsIndicesPatternForAllTypes().toArray(new String[0]));
}

private void rolloverIndex(
Expand Down Expand Up @@ -393,13 +394,13 @@ private void rolloverIndex(
@Override
public void onResponse(RolloverResponse rolloverResponse) {
if (!rolloverResponse.isRolledOver()) {
logger.info(index + "not rolled over. Conditions were: ${response.conditionStatus}");
logger.info(index + "not rolled over. Conditions were: " + rolloverResponse.getConditionStatus());
}
}

@Override
public void onFailure(Exception e) {
logger.error(index + " not roll over failed.");
logger.error("rollover failed for index [" + index + "].");
}
}
);
Expand All @@ -417,9 +418,9 @@ private void rolloverAlertHistoryIndices() {
private void rolloverFindingHistoryIndices() {
for (HistoryIndexInfo h : findingHistoryIndices) {
rolloverIndex(
h.isInitialized, h.indexAlias,
h.indexPattern, h.indexMappings,
h.maxDocs, h.maxAge
h.isInitialized, h.indexAlias,
h.indexPattern, h.indexMappings,
h.maxDocs, h.maxAge
);
}
}
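Review bot: `deleteOldIndices(String tag, String... indices)` (hunk at -235,7 +232,7) is now fed `...ForAllTypes().toArray(new String[0])` from the two rollover methods, and nothing guards against that array being empty when `detectorTypeToIndicesMapping` has no entries; if the patterns are applied to the `ClusterStateRequest` via `.indices(...)` (that call sits outside the hunk), an empty selector typically resolves to all indices in the cluster, so the retention pass would evaluate every index instead of none. Whether anything would then be deleted depends on `getHistoryIndexToDelete`, which is not visible, but the safe shape is an early return at the top of the method: `if (indices == null || indices.length == 0) { logger.info("No " + tag + " index patterns configured, skipping cleanup"); return; }`. Separately, the new log strings in later hunks carry small defects: `"Succsessfuly deleted indices: …"` is misspelled, `index + "not rolled over. …"` lacks a space after the index name, and the unchanged context line `logger.error("info deleteOldIndices")` emits a trace message at error level, which will pollute alerting on the log stream.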
Expand Up @@ -1120,7 +1120,7 @@ public List<String> getAlertIndices(String detectorType) throws IOException {
}

public List<String> getFindingIndices(String detectorType) throws IOException {
Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getFindingsIndex(detectorType) + "?format=json"));
Response response = client().performRequest(new Request("GET", "/_cat/indices/" + DetectorMonitorConfig.getAllFindingsIndicesPattern(detectorType) + "?format=json"));
XContentParser xcp = createParser(XContentType.JSON.xContent(), response.getEntity().getContent());
List<Object> responseList = xcp.list();
List<String> indices = new ArrayList<>();