e0c622f635
New feature: Apache events can now wait for B events before being emitted as orphans.
Changes:
- Add ApacheEmitDelayMs config (default: 500ms)
- Add pendingOrphans structure for delayed emission
- processSourceA(): add A to pending orphans instead of immediate emission
- processSourceB(): check pending orphans before buffer A
- emitPendingOrphans(): emit orphans after delay expires
- Flush(): emit all pending orphans immediately (shutdown)
Configuration:
correlation:
orphan_policy:
apache_always_emit: true
apache_emit_delay_ms: 500 # Wait 500ms before emitting as orphan
Backward compatibility:
- apache_emit_delay_ms: 0 → immediate emission (legacy mode)
- apache_emit_delay_ms < 0 → default 500ms
Tests added (5 new tests):
- TestCorrelationService_ApacheEmitDelay_BArrivesDuringDelay
- TestCorrelationService_ApacheEmitDelay_NoBArrives
- TestCorrelationService_ApacheEmitDelay_ZeroDelay
- TestCorrelationService_ApacheEmitDelay_MultipleA_SameKey
- TestCorrelationService_ApacheEmitDelay_Flush
All 30 tests pass. Coverage: 75.1%
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
68 lines
1.7 KiB
YAML
68 lines
1.7 KiB
YAML
# logcorrelator configuration file
|
|
# Format: YAML
|
|
|
|
# Logging configuration
|
|
log:
|
|
level: INFO # DEBUG, INFO, WARN, ERROR
|
|
|
|
inputs:
|
|
unix_sockets:
|
|
- name: http
|
|
source_type: A
|
|
path: /var/run/logcorrelator/http.socket
|
|
format: json
|
|
socket_permissions: "0666" # world read/write
|
|
- name: network
|
|
source_type: B
|
|
path: /var/run/logcorrelator/network.socket
|
|
format: json
|
|
socket_permissions: "0666"
|
|
|
|
outputs:
|
|
file:
|
|
enabled: true
|
|
path: /var/log/logcorrelator/correlated.log
|
|
|
|
clickhouse:
|
|
enabled: false
|
|
dsn: clickhouse://user:pass@localhost:9000/db
|
|
table: correlated_logs_http_network
|
|
batch_size: 500
|
|
flush_interval_ms: 200
|
|
max_buffer_size: 5000
|
|
drop_on_overflow: true
|
|
async_insert: true
|
|
timeout_ms: 1000
|
|
|
|
stdout:
|
|
enabled: false
|
|
level: INFO # DEBUG: all logs including orphans, INFO: only correlated, WARN: correlated only, ERROR: none
|
|
|
|
correlation:
|
|
# Time window for correlation (A and B must be within this window)
|
|
# Increased to 10s to support HTTP Keep-Alive scenarios
|
|
time_window:
|
|
value: 10
|
|
unit: s
|
|
|
|
# Orphan policy: what to do when no match is found
|
|
orphan_policy:
|
|
apache_always_emit: true # Always emit A events, even without B match
|
|
apache_emit_delay_ms: 500 # Wait 500ms before emitting as orphan (allows B to arrive)
|
|
network_emit: false # Never emit B events alone
|
|
|
|
# Matching mode: one_to_one or one_to_many (Keep-Alive)
|
|
matching:
|
|
mode: one_to_many
|
|
|
|
# Buffer limits (max events in memory)
|
|
buffers:
|
|
max_http_items: 10000
|
|
max_network_items: 20000
|
|
|
|
# TTL for network events (source B)
|
|
# Increased to 120s to support long-lived HTTP Keep-Alive sessions
|
|
ttl:
|
|
network_ttl_s: 120
|
|
|