feat(correlation): add include_dest_ports filter + README/arch update (v1.1.12)

- feat: new config directive include_dest_ports ([]int) in correlation section - feat: if non-empty, only events with a matching dst_port are correlated - feat: filtered events are silently ignored (not correlated, not emitted as orphan) - feat: new metric failed_dest_port_filtered tracked in ProcessEvent - feat: DEBUG log 'event excluded by dest port filter: source=A dst_port=22' - test: TestCorrelationService_IncludeDestPorts_AllowedPort - test: TestCorrelationService_IncludeDestPorts_FilteredPort - test: TestCorrelationService_IncludeDestPorts_EmptyAllowsAll - docs(readme): full rewrite to match current code (v1.1.12) - docs(readme): add include_dest_ports section, fix version refs, clean outdated sections - docs(arch): add dest_port_filtering section, failed_dest_port_filtered metric, debug log example - fix(config.example): remove obsolete stdout.level field - chore: bump version to 1.1.12 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-05 13:51:20 +01:00
parent ba9e0ab477
commit a8e024105d
9 changed files with 454 additions and 544 deletions
--- a/2
+++ b/2
@ -20,7 +20,7 @@ BINARY_NAME=logcorrelator
 DIST_DIR=dist
 # Package version
-PKG_VERSION ?= 1.1.11
+PKG_VERSION ?= 1.1.12
 # Enable BuildKit for better performance
 export DOCKER_BUILDKIT=1
--- a/README.md
+++ b/README.md
--- a/architecture.yml
+++ b/architecture.yml
@ -412,6 +412,21 @@ correlation:
    description: >
      Stratégie 1‑à‑N : un log réseau peut être utilisé pour plusieurs logs HTTP
      successifs tant qu'il n'a pas expiré ni été évincé.
  ip_filtering:
    directive: exclude_source_ips
    description: >
      Liste d'IPs source (exactes ou plages CIDR) à ignorer silencieusement.
      Événements non corrélés, non émis en orphelin. Métrique : failed_ip_excluded.
  dest_port_filtering:
    directive: include_dest_ports
    description: >
      Liste blanche de ports de destination. Si non vide, seuls les événements
      dont le dst_port est dans la liste participent à la corrélation. Les autres
      sont silencieusement ignorés (non corrélés, non émis en orphelin).
      Liste vide = tous les ports autorisés (comportement par défaut).
      Métrique : failed_dest_port_filtered.
    example:
      include_dest_ports: [80, 443, 8080, 8443]
 schema:
  description: >
@ -708,6 +723,8 @@ architecture:
      responsibilities:
        - Modèles NormalizedEvent et CorrelatedLog.
        - CorrelationService (fenêtre, TTL, buffers bornés, one-to-many/Keep-Alive, orphelins).
        - Filtrage par IP source (exclude_source_ips, CIDR).
        - Filtrage par port destination (include_dest_ports, liste blanche).
        - Custom JSON marshaling pour CorrelatedLog (structure plate).
    - name: internal/ports
      type: ports
@ -849,6 +866,7 @@ observability:
      - "A event has no matching B key in buffer: key=..."
      - "A event has same key as B but outside time window: key=... time_diff=5s window=10s"
      - "event excluded by IP filter: source=A src_ip=10.0.0.1 src_port=8080"
      - "event excluded by dest port filter: source=A dst_port=22"
      - "TTL reset for B event (Keep-Alive): key=... new_ttl=120s"
      - "[clickhouse] DEBUG batch sent: rows=42 table=correlated_logs_http_network"
    info_logs:
@ -877,6 +895,7 @@ observability:
            "failed_buffer_eviction": 5,
            "failed_ttl_expired": 12,
            "failed_ip_excluded": 7,
            "failed_dest_port_filtered": 3,
            "buffer_a_size": 23,
            "buffer_b_size": 18,
            "orphans_emitted_a": 92,
@ -900,6 +919,7 @@ observability:
      - failed_buffer_eviction: Buffer plein, événement évincé
      - failed_ttl_expired: TTL du événement B expiré
      - failed_ip_excluded: Événement exclu par filtre IP (exclude_source_ips)
      - failed_dest_port_filtered: Événement exclu par filtre port destination (include_dest_ports)
    buffers:
      - buffer_a_size: Taille actuelle du buffer HTTP
      - buffer_b_size: Taille actuelle du buffer réseau
@ -929,6 +949,9 @@ observability:
      - symptom: failed_ip_excluded élevé
        cause: Traffic depuis des IPs configurées dans exclude_source_ips
        solution: Vérifier la configuration, c'est normal si attendu
      - symptom: failed_dest_port_filtered élevé
        cause: Traffic sur des ports non listés dans include_dest_ports
        solution: Vérifier la configuration include_dest_ports, ou vider la liste pour tout accepter
      - symptom: orphans_emitted_a élevé
        cause: Beaucoup de logs A sans correspondance B
        solution: Vérifier que la source B envoie bien les événements attendus
--- a/cmd/logcorrelator/main.go
+++ b/cmd/logcorrelator/main.go
@ -115,6 +115,7 @@ func main() {
 		NetworkTTLS:         cfg.Correlation.GetNetworkTTLS(),
 		MatchingMode:        cfg.Correlation.GetMatchingMode(),
 		ExcludeSourceIPs:    cfg.Correlation.GetExcludeSourceIPs(),
 		IncludeDestPorts:    cfg.Correlation.GetIncludeDestPorts(),
 	}, &domain.RealTimeProvider{})
 	// Set logger for correlation service
--- a/config.example.yml
+++ b/config.example.yml
@ -36,7 +36,6 @@ outputs:
  stdout:
    enabled: false
    level: INFO  # DEBUG: all logs including orphans, INFO: only correlated, WARN: correlated only, ERROR: none
 correlation:
  # Time window for correlation (A and B must be within this window)
@ -74,6 +73,16 @@ correlation:
    - 172.16.0.0/12        # CIDR range (private network)
    - 10.10.10.0/24        # Another CIDR range
  # Restrict correlation to specific destination ports (optional)
  # If non-empty, only events whose dst_port matches one of these values will be correlated
  # Events on other ports are silently ignored (not correlated, not emitted as orphans)
  # Useful to focus on HTTP/HTTPS traffic only and ignore unrelated connections
  # include_dest_ports:
  #   - 80    # HTTP
  #   - 443   # HTTPS
  #   - 8080  # HTTP alt
  #   - 8443  # HTTPS alt
 # Metrics server configuration (optional, for debugging/monitoring)
 metrics:
  enabled: false
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -98,7 +98,8 @@ type CorrelationConfig struct {
 	Matching         MatchingConfig     `yaml:"matching"`
 	Buffers          BuffersConfig      `yaml:"buffers"`
 	TTL              TTLConfig          `yaml:"ttl"`
-	ExcludeSourceIPs []string           `yaml:"exclude_source_ips"` // List of source IPs or CIDR ranges to exclude
+	ExcludeSourceIPs []string `yaml:"exclude_source_ips"` // List of source IPs or CIDR ranges to exclude
 	IncludeDestPorts []int    `yaml:"include_dest_ports"` // If non-empty, only correlate events matching these destination ports
 	// Deprecated: Use TimeWindow.Value instead
 	TimeWindowS int  `yaml:"time_window_s"`
 	// Deprecated: Use OrphanPolicy.ApacheAlwaysEmit instead
@ -351,6 +352,12 @@ func (c *UnixSocketConfig) GetSocketPermissions() os.FileMode {
 	return os.FileMode(perms)
 }
 // GetIncludeDestPorts returns the list of destination ports allowed for correlation.
 // An empty list means all ports are allowed.
 func (c *CorrelationConfig) GetIncludeDestPorts() []int {
 	return c.IncludeDestPorts
 }
 // GetExcludeSourceIPs returns the list of excluded source IPs or CIDR ranges.
 func (c *CorrelationConfig) GetExcludeSourceIPs() []string {
 	return c.ExcludeSourceIPs
--- a/internal/domain/correlation_service.go
+++ b/internal/domain/correlation_service.go
@ -42,8 +42,9 @@ type CorrelationConfig struct {
 	MaxHTTPBufferSize int    // Maximum events to buffer for source A (HTTP)
 	MaxNetworkBufferSize int // Maximum events to buffer for source B (Network)
 	NetworkTTLS       int    // TTL in seconds for network events (source B)
-	MatchingMode      string // "one_to_one" or "one_to_many" (Keep-Alive)
+	MatchingMode      string   // "one_to_one" or "one_to_many" (Keep-Alive)
 	ExcludeSourceIPs  []string // List of source IPs or CIDR ranges to exclude
 	IncludeDestPorts  []int    // If non-empty, only correlate events matching these destination ports
 }
 // pendingOrphan represents an A event waiting to be emitted as orphan.
@ -181,6 +182,20 @@ func (s *CorrelationService) isIPExcluded(ip string) bool {
 	return false
 }
 // isDestPortFiltered returns true if the event's destination port is NOT in the
 // include list. When IncludeDestPorts is empty, all ports are allowed.
 func (s *CorrelationService) isDestPortFiltered(port int) bool {
 	if len(s.config.IncludeDestPorts) == 0 {
 		return false // no filter configured: allow all
 	}
 	for _, p := range s.config.IncludeDestPorts {
 		if p == port {
 			return false // port is in the allow-list
 		}
 	}
 	return true // port not in allow-list: filter out
 }
 // ProcessEvent processes an incoming event and returns correlated logs if matches are found.
 func (s *CorrelationService) ProcessEvent(event *NormalizedEvent) []CorrelatedLog {
 	s.mu.Lock()
@ -194,6 +209,14 @@ func (s *CorrelationService) ProcessEvent(event *NormalizedEvent) []CorrelatedLo
 		return nil
 	}
 	// Check if destination port is in the allow-list
 	if s.isDestPortFiltered(event.DstPort) {
 		s.logger.Debugf("event excluded by dest port filter: source=%s dst_port=%d",
 			event.Source, event.DstPort)
 		s.metrics.RecordCorrelationFailed("dest_port_filtered")
 		return nil
 	}
 	// Record event received
 	s.metrics.RecordEventReceived(string(event.Source))
--- a/internal/domain/correlation_service_test.go
+++ b/internal/domain/correlation_service_test.go
@ -1317,3 +1317,100 @@ func TestCorrelationService_ApacheEmitDelay_Flush(t *testing.T) {
 	}
 }
 func TestCorrelationService_IncludeDestPorts_AllowedPort(t *testing.T) {
 now := time.Now()
 mt := &mockTimeProvider{now: now}
 svc := NewCorrelationService(CorrelationConfig{
 TimeWindow:       10 * time.Second,
 ApacheAlwaysEmit: true,
 MatchingMode:     MatchingModeOneToMany,
 IncludeDestPorts: []int{80, 443},
 }, mt)
 // B event on allowed port 443
 bEvent := &NormalizedEvent{
 Source: SourceB, Timestamp: now,
 SrcIP: "1.2.3.4", SrcPort: 1234, DstPort: 443,
 }
 results := svc.ProcessEvent(bEvent)
 if len(results) != 0 {
 t.Fatalf("expected B buffered (no match yet), got %d results", len(results))
 }
 // A event on same key, allowed port
 aEvent := &NormalizedEvent{
 Source: SourceA, Timestamp: now,
 SrcIP: "1.2.3.4", SrcPort: 1234, DstPort: 443,
 }
 results = svc.ProcessEvent(aEvent)
 if len(results) != 1 {
 t.Fatalf("expected 1 correlation, got %d", len(results))
 }
 if !results[0].Correlated {
 t.Error("expected correlated=true")
 }
 }
 func TestCorrelationService_IncludeDestPorts_FilteredPort(t *testing.T) {
 now := time.Now()
 mt := &mockTimeProvider{now: now}
 svc := NewCorrelationService(CorrelationConfig{
 TimeWindow:       10 * time.Second,
 ApacheAlwaysEmit: true,
 MatchingMode:     MatchingModeOneToMany,
 IncludeDestPorts: []int{80, 443},
 }, mt)
 // A event on port 22 (not in allow-list)
 aEvent := &NormalizedEvent{
 Source: SourceA, Timestamp: now,
 SrcIP: "1.2.3.4", SrcPort: 1234, DstPort: 22,
 }
 results := svc.ProcessEvent(aEvent)
 if len(results) != 0 {
 t.Fatalf("expected 0 results (filtered), got %d", len(results))
 }
 // B event on port 22 (not in allow-list)
 bEvent := &NormalizedEvent{
 Source: SourceB, Timestamp: now,
 SrcIP: "1.2.3.4", SrcPort: 1234, DstPort: 22,
 }
 results = svc.ProcessEvent(bEvent)
 if len(results) != 0 {
 t.Fatalf("expected 0 results (filtered), got %d", len(results))
 }
 // Flush should also return nothing
 flushed := svc.Flush()
 if len(flushed) != 0 {
 t.Errorf("expected 0 flushed events, got %d", len(flushed))
 }
 }
 func TestCorrelationService_IncludeDestPorts_EmptyAllowsAll(t *testing.T) {
 now := time.Now()
 mt := &mockTimeProvider{now: now}
 // No IncludeDestPorts = all ports allowed
 svc := NewCorrelationService(CorrelationConfig{
 TimeWindow:       10 * time.Second,
 ApacheAlwaysEmit: true,
 MatchingMode:     MatchingModeOneToMany,
 }, mt)
 bEvent := &NormalizedEvent{
 Source: SourceB, Timestamp: now,
 SrcIP: "1.2.3.4", SrcPort: 1234, DstPort: 9999,
 }
 svc.ProcessEvent(bEvent)
 aEvent := &NormalizedEvent{
 Source: SourceA, Timestamp: now,
 SrcIP: "1.2.3.4", SrcPort: 1234, DstPort: 9999,
 }
 results := svc.ProcessEvent(aEvent)
 if len(results) != 1 || !results[0].Correlated {
 t.Errorf("expected 1 correlation on any port when list is empty, got %d", len(results))
 }
 }
--- a/packaging/rpm/logcorrelator.spec
+++ b/packaging/rpm/logcorrelator.spec
@ -141,6 +141,16 @@ exit 0
 %config(noreplace) /etc/logrotate.d/logcorrelator
 %changelog
 * Thu Mar 05 2026 logcorrelator <dev@example.com> - 1.1.12-1
 - Feat: New config directive include_dest_ports - restrict correlation to specific destination ports
 - Feat: If include_dest_ports is non-empty, events on unlisted ports are silently ignored (not correlated, not emitted as orphan)
 - Feat: New metric failed_dest_port_filtered for monitoring filtered traffic
 - Feat: Debug log for filtered events: "event excluded by dest port filter: source=A dst_port=22"
 - Test: New unit tests for include_dest_ports (allowed port, filtered port, empty=all)
 - Docs: README.md updated with include_dest_ports section and current version references
 - Docs: architecture.yml updated with include_dest_ports
 - Fix: config.example.yml - removed obsolete stdout.level field
 * Thu Mar 05 2026 logcorrelator <dev@example.com> - 1.1.11-1
 - Fix: StdoutSink no longer writes correlated/orphan JSON to stdout
 - Fix: stdout sink is now a no-op for data; operational logs go to stderr via logger