code_public/logcorrelator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7a9d92a469c3159fbb0410bcac328799f5d495bc
logcorrelator/README.md
Jacquin Antoine 85f7af357c refactor: remove obsolete config and update documentation 
- Remove config.example.conf (replaced by config.example.yml)
- Update Dockerfile to use YAML config
- Update README.md with YAML configuration examples
- Remove old directive-based config documentation
- Update package paths (DEB and RPM) in README

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-02-27 16:14:53 +01:00

272 lines
6.2 KiB
Markdown
Raw Blame History

# logcorrelator
Service de corrélation de logs HTTP et réseau écrit en Go.
## Description
**logcorrelator** reçoit deux flux de logs JSON via des sockets Unix :
- **Source A** : logs HTTP applicatifs (Apache, reverse proxy)
- **Source B** : logs réseau (métadonnées IP/TCP, JA3/JA4, etc.)
Il corrèle les événements sur la base de `src_ip + src_port` avec une fenêtre temporelle configurable, et produit des logs corrélés vers :
- Un fichier local (JSON lines)
- ClickHouse (pour analyse et archivage)
## Architecture
```
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ Apache Source │────▶│ │────▶│ File Sink │
│ (Unix Socket) │ │ Correlation │ │ (JSON lines) │
└─────────────────┘ │ Service │ └─────────────────┘
│ │
┌─────────────────┐ │ - Buffers │ ┌─────────────────┐
│ Network Source │────▶│ - Time Window │────▶│ ClickHouse │
│ (Unix Socket) │ │ - Orphan Policy │ │ Sink │
└─────────────────┘ └──────────────────┘ └─────────────────┘
```
## Build (100% Docker)
Tout le build et les tests s'exécutent dans des containers Docker :
```bash
# Build complet (binaire + tests + RPM)
./build.sh
# Uniquement les tests
./test.sh
# Build manuel avec Docker
docker build --target builder -t logcorrelator-builder .
docker build --target runtime -t logcorrelator:latest .
```
### Prérequis
- Docker 20.10+
- Bash
## Installation
### Depuis Docker
```bash
# Build de l'image
./build.sh
# Exécuter
docker run -d \
--name logcorrelator \
-v /var/run/logcorrelator:/var/run/logcorrelator \
-v /var/log/logcorrelator:/var/log/logcorrelator \
-v ./config.example.yml:/etc/logcorrelator/logcorrelator.yml \
logcorrelator:latest
```
### Depuis les packages (DEB/RPM)
```bash
# Générer les packages
./build.sh
# Installer le package DEB (Debian/Ubuntu)
sudo dpkg -i dist/deb/logcorrelator_1.0.0_amd64.deb
# Installer le package RPM (Rocky Linux 8+)
sudo rpm -ivh dist/rpm/logcorrelator-1.0.0-1.x86_64.rpm
# Activer et démarrer le service
sudo systemctl enable logcorrelator
sudo systemctl start logcorrelator
# Vérifier le statut
sudo systemctl status logcorrelator
```
### Build manuel (sans Docker)
```bash
# Prérequis: Go 1.21+
go build -o logcorrelator ./cmd/logcorrelator
# Exécuter
./logcorrelator -config config.example.yml
```
## Configuration
La configuration utilise un fichier YAML :
```yaml
# Service configuration
service:
name: logcorrelator
language: go
# Input sources (at least 2 required)
inputs:
unix_sockets:
- name: apache_source
path: /var/run/logcorrelator/apache.sock
format: json
- name: network_source
path: /var/run/logcorrelator/network.sock
format: json
# File output
outputs:
file:
enabled: true
path: /var/log/logcorrelator/correlated.log
# ClickHouse output
outputs:
clickhouse:
enabled: false
dsn: clickhouse://user:pass@localhost:9000/db
table: correlated_logs_http_network
# Correlation configuration
correlation:
key:
- src_ip
- src_port
time_window:
value: 1
unit: s
orphan_policy:
apache_always_emit: true
network_emit: false
```
Exemple complet dans `config.example.yml`.
## Format des logs
### Source A (HTTP)
```json
{
"src_ip": "192.168.1.1",
"src_port": 8080,
"dst_ip": "10.0.0.1",
"dst_port": 80,
"timestamp": 1704110400000000000,
"method": "GET",
"path": "/api/test",
"header_host": "example.com"
}
```
### Source B (Réseau)
```json
{
"src_ip": "192.168.1.1",
"src_port": 8080,
"dst_ip": "10.0.0.1",
"dst_port": 443,
"ja3": "abc123def456",
"ja4": "xyz789"
}
```
### Log corrélé (sortie)
```json
{
"timestamp": "2024-01-01T12:00:00Z",
"src_ip": "192.168.1.1",
"src_port": 8080,
"dst_ip": "10.0.0.1",
"dst_port": 80,
"correlated": true,
"apache": {"method": "GET", "path": "/api/test"},
"network": {"ja3": "abc123def456"}
}
```
## Schema ClickHouse
```sql
CREATE TABLE correlated_logs_http_network (
timestamp DateTime64(9),
src_ip String,
src_port UInt32,
dst_ip String,
dst_port UInt32,
correlated UInt8,
orphan_side String,
apache JSON,
network JSON
) ENGINE = MergeTree()
ORDER BY (timestamp, src_ip, src_port);
```
## Tests
```bash
# Via Docker
./test.sh
# Local
go test ./...
go test -cover ./...
go test -coverprofile=coverage.out ./...
go tool cover -html=coverage.out
```
## Signaux
| Signal | Comportement |
|--------|--------------|
| `SIGINT` | Arrêt gracieux |
| `SIGTERM` | Arrêt gracieux |
Lors de l'arrêt gracieux :
1. Fermeture des sockets Unix
2. Flush des buffers
3. Émission des événements en attente
4. Fermeture des connexions ClickHouse
## Logs internes
Les logs internes sont envoyés vers stderr :
```bash
# Docker
docker logs -f logcorrelator
# Systemd
journalctl -u logcorrelator -f
```
## Structure du projet
```
.
├── cmd/logcorrelator/ # Point d'entrée
├── internal/
│ ├── adapters/
│ │ ├── inbound/unixsocket/
│ │ └── outbound/
│ │ ├── clickhouse/
│ │ ├── file/
│ │ └── multi/
│ ├── app/ # Orchestration
│ ├── config/ # Configuration
│ ├── domain/ # Domaine (corrélation)
│ ├── observability/ # Logging
│ └── ports/ # Interfaces
├── config.example.conf # Exemple de config
├── Dockerfile # Build multi-stage
├── build.sh # Script de build
├── test.sh # Script de tests
└── logcorrelator.service # Unité systemd
```
## License
MIT
Reference in New Issue View Git Blame Copy Permalink