add correlation rule layer for events-correlation-engine #7132
Conversation
sbcd90
requested review from
reta,
anasalkouz,
andrross,
Bukhtawar,
CEHENKLE,
dblock,
gbbafna,
setiah,
kartg,
kotwanikunal,
mch2,
nknize,
owaiskazi19,
Rishikesh1159,
ryanbogan,
saratvemulapalli,
shwetathareja,
dreamer-89,
tlfeng,
VachaShah and
xuezhou25
as code owners
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
...relation-engine/src/main/java/org/opensearch/plugin/correlation/EventsCorrelationPlugin.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/opensearch/plugin/correlation/rules/action/IndexCorrelationRuleAction.java
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Outdated
Show resolved
Hide resolved
...tion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationRule.java
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Outdated
Show resolved
Hide resolved
...ion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationQuery.java
Outdated
Show resolved
Hide resolved
...nts-correlation-engine/src/main/java/org/opensearch/plugin/correlation/utils/IndexUtils.java
Outdated
Show resolved
Hide resolved
...nts-correlation-engine/src/main/java/org/opensearch/plugin/correlation/utils/IndexUtils.java
Show resolved
Hide resolved
sbcd90
force-pushed
the
corr2
branch
2 times, most recently
from
ca63ad7
to
9f43a02
Compare
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
There was a problem hiding this comment.
Next round cleanup comments. It's coming together. We need to add the explicit javadoc checker and I left some cleanup comments. I think we can simplify the CorrelationConstants approach and possibly just remove that class altogether? If the public facing API needs it we might figure a cleaner way of doing it.
| import java.util.stream.Collectors; | ||
| import java.util.stream.Stream; | ||
|
|
||
| public class EventsCorrelationPluginTransportIT extends OpenSearchIntegTestCase { |
There was a problem hiding this comment.
Need javadocs here. all public classes will need javadocs.
| @Override | ||
| public List<Route> routes() { | ||
| return List.of( | ||
| new Route(RestRequest.Method.POST, EventsCorrelationPlugin.CORRELATION_RULES_BASE_URI), |
There was a problem hiding this comment.
From the RFC it looks like users can only create rules through the global _correlation endpoint.
POST /_correlation/rules
Request Body:
{
"correlate": [
{
"index": "vpc_flow",
"query": "dstaddr:4.5.6.7 or dstaddr:4.5.6.6"
},
{
"index": "windows",
"query": "winlog.event_data.SubjectDomainName:NTAUTHORI*"
},
{
"index": "ad_logs",
"query": "ResultType:50126"
},
{
"index": "app_logs",
"query": "endpoint:/customer_records.txt"
}
]
}
Would it also make sense to enable users to do this on a per index basis?
POST /my_ndex/_correlation/rule/{$rule_id}
where {$rule_id} is the (optional) existing rule
If so, we can do this in a follow up PR.
There was a problem hiding this comment.
will address this in follow-up pr.
There was a problem hiding this comment.
Maybe open an issue for this?
There was a problem hiding this comment.
created the issue: #7184
|
|
||
| void start() { | ||
| try { | ||
| if (!correlationRuleIndices.correlationRuleIndexExists()) { |
There was a problem hiding this comment.
nit, avoid negative conditionals.
Change to be explicit:
| if (!correlationRuleIndices.correlationRuleIndexExists()) { | |
| if (correlationRuleIndices.correlationRuleIndexExists() == false) { |
...a/org/opensearch/plugin/correlation/rules/transport/TransportIndexCorrelationRuleAction.java
Show resolved
Hide resolved
| /** | ||
| * Settings for events-correlation-engine. | ||
| * | ||
| * @opensearch.api |
There was a problem hiding this comment.
do you also want to mark as @opensearch.experimental for now? It's largely superficial but a nice flag if you think these Settings might change.
There was a problem hiding this comment.
marked as @opensearch.experimental
| * @param correlationQueries list of correlation queries part of rule | ||
| */ | ||
| public CorrelationRule(String id, Long version, String name, List<CorrelationQuery> correlationQueries) { | ||
| this.id = id != null ? id : NO_ID; |
There was a problem hiding this comment.
can we just have another ctor that doesn't take an ID as a parameter?
| */ | ||
| public CorrelationRule(String id, Long version, String name, List<CorrelationQuery> correlationQueries) { | ||
| this.id = id != null ? id : NO_ID; | ||
| this.version = version != null ? version : NO_VERSION; |
There was a problem hiding this comment.
Same, just have a ctor that doesn't take a version?
I think we can remove the CorrelationConstants#NO_ID and CorrelationConstants#NO_VERSION altogether.
There was a problem hiding this comment.
added a new ctor.
removed CorrelationConstants class.
|
Also make sure you rebase from main to pick up some of the BWC version check fixes. |
|
hi @nknize , addressed all the review comments. also rebased from main. please have a look. |
Gradle Check (Jenkins) Run Completed with:
|
| } | ||
| }, | ||
| "timestampField": { | ||
| "type": "text", |
There was a problem hiding this comment.
Shouldn't this be a long or date type?
There was a problem hiding this comment.
this is the timestamp field name which is a string.
...ion-engine/src/main/java/org/opensearch/plugin/correlation/utils/CorrelationRuleIndices.java
Outdated
Show resolved
Hide resolved
...a/org/opensearch/plugin/correlation/rules/transport/TransportIndexCorrelationRuleAction.java
Outdated
Show resolved
Hide resolved
| @Override | ||
| public List<Route> routes() { | ||
| return List.of( | ||
| new Route(RestRequest.Method.POST, EventsCorrelationPlugin.CORRELATION_RULES_BASE_URI), |
There was a problem hiding this comment.
Maybe open an issue for this?
...tion-engine/src/main/java/org/opensearch/plugin/correlation/rules/model/CorrelationRule.java
Show resolved
Hide resolved
Signed-off-by: Subhobrata Dey <[email protected]>
Signed-off-by: Subhobrata Dey <[email protected]>
Gradle Check (Jenkins) Run Completed with:
|
| @@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | |||
| - Support for HTTP/2 (server-side) ([#3847](https://github.com/opensearch-project/OpenSearch/pull/3847)) | |||
| - Add getter for path field in NestedQueryBuilder ([#4636](https://github.com/opensearch-project/OpenSearch/pull/4636)) | |||
| - Allow mmap to use new JDK-19 preview APIs in Apache Lucene 9.4+ ([#5151](https://github.com/opensearch-project/OpenSearch/pull/5151)) | |||
| - Add events correlation engine plugin ([#6854](https://github.com/opensearch-project/OpenSearch/issues/6854)) | |||
There was a problem hiding this comment.
We'll need to move this to the 2.x section assuming this is to be backported
| .collect(Collectors.toList()); | ||
| Assert.assertTrue( | ||
| pluginInfos.stream() |
There was a problem hiding this comment.
nitpick...no need to collect to a list here when you just use it as a stream again
| @@ -204,5 +204,6 @@ public static class CommonFields { | |||
| public static final ParseField FORMAT = new ParseField("format"); | |||
| public static final ParseField MISSING = new ParseField("missing"); | |||
| public static final ParseField TIME_ZONE = new ParseField("time_zone"); | |||
| public static final ParseField _META = new ParseField("_meta"); | |||
There was a problem hiding this comment.
It's not really a "common field throughout the project" if it is only used in one place. If you're sure this will be used any multiple places this is fine, otherwise it might be simpler to keep it defined where it is used.
Also, the leading underscore (in the Java constant name, not the text) technically violates the standard convention for constant names.
Maybe add a comment too unless you think the meaning of a "meta" field is self-evident.
There was a problem hiding this comment.
Agree, this could me moved to scope local once we start using it.
| private String correlationRuleId; | ||
|
|
||
| private CorrelationRule correlationRule; | ||
|
|
||
| private RestRequest.Method method; |
| private String id; | ||
|
|
||
| private Long version; | ||
|
|
||
| private RestStatus status; | ||
|
|
||
| private CorrelationRule correlationRule; |
| */ | ||
| public IndexCorrelationRuleRequest(CorrelationRule correlationRule, RestRequest.Method method) { | ||
| super(); | ||
| this.correlationRuleId = ""; |
There was a problem hiding this comment.
Is it really okay for one of these instances to exist without a rule id? The meaning of a magic empty string is usually not clear. If this is really an optional field, it is better to store it as null and codify the behavior in the getter type by returning an Optional so that the caller has to explicitly deal with the set/not set cases.
|
@nknize shouldn't the plugin go to |
|
What’s the plan for getting this into 2.x? |
…project#7132) Adds new correlation engine feature by way of a new `:plugins:events-correlation-engine` plugin. The endpoint is /_correlation and users can create new rules using the following example DSL: { "name": "s3 to app logs", "correlate": [ { "index": "s3_access_logs", "query": "aws.cloudtrail.eventName:ReplicateObject", "timestampField": "@timestamp", "tags": [ "s3" ] } ] } Signed-off-by: Subhobrata Dey <[email protected]>
Description
add correlation rule layer for events-correlation-engine
Issues Resolved
#6854
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.