fix(correlation): keepalives field not populated in ClickHouse (v1.1.17)
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
This commit is contained in:
toto
2
Makefile
2
Makefile
@ -20,7 +20,7 @@ BINARY_NAME=logcorrelator
|
|||||||
DIST_DIR=dist
|
DIST_DIR=dist
|
||||||
|
|
||||||
# Package version
|
# Package version
|
||||||
PKG_VERSION ?= 1.1.16
|
PKG_VERSION ?= 1.1.17
|
||||||
|
|
||||||
# Enable BuildKit for better performance
|
# Enable BuildKit for better performance
|
||||||
export DOCKER_BUILDKIT=1
|
export DOCKER_BUILDKIT=1
|
||||||
|
|||||||
@ -61,6 +61,10 @@ func (c CorrelatedLog) MarshalJSON() ([]byte, error) {
|
|||||||
|
|
||||||
// NewCorrelatedLogFromEvent creates a correlated log from a single event (orphan).
|
// NewCorrelatedLogFromEvent creates a correlated log from a single event (orphan).
|
||||||
func NewCorrelatedLogFromEvent(event *NormalizedEvent, orphanSide string) CorrelatedLog {
|
func NewCorrelatedLogFromEvent(event *NormalizedEvent, orphanSide string) CorrelatedLog {
|
||||||
|
fields := extractFields(event)
|
||||||
|
if event.KeepAliveSeq > 0 {
|
||||||
|
fields["keepalives"] = event.KeepAliveSeq
|
||||||
|
}
|
||||||
return CorrelatedLog{
|
return CorrelatedLog{
|
||||||
Timestamp: event.Timestamp,
|
Timestamp: event.Timestamp,
|
||||||
SrcIP: event.SrcIP,
|
SrcIP: event.SrcIP,
|
||||||
@ -69,7 +73,7 @@ func NewCorrelatedLogFromEvent(event *NormalizedEvent, orphanSide string) Correl
|
|||||||
DstPort: event.DstPort,
|
DstPort: event.DstPort,
|
||||||
Correlated: false,
|
Correlated: false,
|
||||||
OrphanSide: orphanSide,
|
OrphanSide: orphanSide,
|
||||||
Fields: extractFields(event),
|
Fields: fields,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -80,6 +84,11 @@ func NewCorrelatedLog(apacheEvent, networkEvent *NormalizedEvent) CorrelatedLog
|
|||||||
ts = networkEvent.Timestamp
|
ts = networkEvent.Timestamp
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fields := mergeFields(apacheEvent, networkEvent)
|
||||||
|
if apacheEvent.KeepAliveSeq > 0 {
|
||||||
|
fields["keepalives"] = apacheEvent.KeepAliveSeq
|
||||||
|
}
|
||||||
|
|
||||||
return CorrelatedLog{
|
return CorrelatedLog{
|
||||||
Timestamp: ts,
|
Timestamp: ts,
|
||||||
SrcIP: apacheEvent.SrcIP,
|
SrcIP: apacheEvent.SrcIP,
|
||||||
@ -88,7 +97,7 @@ func NewCorrelatedLog(apacheEvent, networkEvent *NormalizedEvent) CorrelatedLog
|
|||||||
DstPort: coalesceInt(apacheEvent.DstPort, networkEvent.DstPort),
|
DstPort: coalesceInt(apacheEvent.DstPort, networkEvent.DstPort),
|
||||||
Correlated: true,
|
Correlated: true,
|
||||||
OrphanSide: "",
|
OrphanSide: "",
|
||||||
Fields: mergeFields(apacheEvent, networkEvent),
|
Fields: fields,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -145,6 +145,13 @@ exit 0
|
|||||||
%config(noreplace) /etc/logrotate.d/logcorrelator
|
%config(noreplace) /etc/logrotate.d/logcorrelator
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 06 2026 logcorrelator <dev@example.com> - 1.1.17-1
|
||||||
|
- Fix(correlation): champ keepalives non peuple dans ClickHouse
|
||||||
|
Le champ KeepAliveSeq de NormalizedEvent n'etait pas transfere dans les Fields
|
||||||
|
de CorrelatedLog. La vue materialisee ClickHouse extrayait keepalives du JSON
|
||||||
|
mais trouvait toujours 0. Desormais, NewCorrelatedLog et NewCorrelatedLogFromEvent
|
||||||
|
ajoutent explicitement keepalives = KeepAliveSeq dans les Fields.
|
||||||
|
|
||||||
* Fri Mar 06 2026 logcorrelator <dev@example.com> - 1.1.16-1
|
* Fri Mar 06 2026 logcorrelator <dev@example.com> - 1.1.16-1
|
||||||
- Feat(correlation): emettre les evenements A filtrés par include_dest_ports vers ClickHouse
|
- Feat(correlation): emettre les evenements A filtrés par include_dest_ports vers ClickHouse
|
||||||
Quand un evenement A (HTTP) etait exclu par le filtre include_dest_ports, il etait
|
Quand un evenement A (HTTP) etait exclu par le filtre include_dest_ports, il etait
|
||||||
|
|||||||
Reference in New Issue
Block a user