{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# FieldManager\n", "\n", "This presentation's goal is to introduce the features of the `FieldManager` and how to configure it." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### The challenges\n", "\n", "- I want to move or rename a field.\n", "- I want to copy a field.\n", "- I want to merge field values to a list.\n", "- I want to merge lists from different fields to one list in a new or existing field.\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "given a preprocessed log entry:" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [], "source": [ "document = {\n", " \"client\": {\"ip\": [\"127.0.0.1\", \"fe89::\", \"192.168.5.1\"], \"nat\": {\"ip\": \"223.2.3.2\"}},\n", " \"destination\": {\"ip\": \"8.8.8.8\"},\n", " \"host\": {\"_hostname\": \"customer2\", \"ip\": [\"192.168.5.1\", \"180.22.66.3\"]},\n", " \"observer\": {\"ip\": \"10.10.2.33\"},\n", " \"server\": {\"ip\": \"10.10.2.33\", \"nat\": {\"ip\": \"180.22.66.1\"}},\n", " \"source\": {\"ip\": \"10.10.2.33\"},\n", " \"preexisting\": \"I exists already\",\n", " \"parent\": {\"child1\": {\"child2\": {\"child3\": \"I am a child\"}}, \"child1a\": \"the other child\"},\n", "}\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Create rules and processor" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the rules:" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the processor config:" ] }, { "cell_type": "code", "execution_count": 32, "metadata": {}, "outputs": [], "source": [ "processor_config = {\n", " \"the_field_manager\": {\n", " \"type\": \"field_manager\",\n", " \"rules\": [\n", " {\n", " \"filter\": \"host._hostname\",\n", " \"field_manager\": {\n", " \"source_fields\": [\"client.nat.ip\", \"source.ip\"],\n", " \"target_field\": \"related.ip\",\n", " \"overwrite_target\": True,\n", " \"delete_source_fields\": True,\n", " 
\"merge_with_target\": True,\n", " },\n", " },\n", " {\n", " \"filter\": \"parent\",\n", " \"field_manager\": {\n", " \"mapping\": {\n", " \"parent.child1\": \"newparent.child1\",\n", " }\n", " },\n", " },\n", " ],\n", " }\n", "}" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the processor with the factory (logging is configured at `DEBUG` level here so that the processor's log lines are shown; at this level the full event being processed is written to the log, as seen in the output below):" ] }, { "cell_type": "code", "execution_count": 33, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "DEBUG:Processor:FieldManager (the_field_manager) loaded 2 rules\n" ] }, { "data": { "text/plain": [ "field_manager" ] }, "execution_count": 33, "metadata": {}, "output_type": "execute_result" } ], "source": [ "import logging\n", "import sys\n", "\n", "from logprep.factory import Factory\n", "\n", "# Configure logging\n", "logging.basicConfig(\n", " level=logging.DEBUG, \n", " stream=sys.stdout\n", ")\n", "\n", "processor = Factory.create(processor_config)\n", "processor\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Process event" ] }, { "cell_type": "code", "execution_count": 34, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "DEBUG:Processor:FieldManager (the_field_manager) processing event {'client': {'ip': ['127.0.0.1', 'fe89::', '192.168.5.1'], 'nat': {'ip': '223.2.3.2'}}, 'destination': {'ip': '8.8.8.8'}, 'host': {'_hostname': 'customer2', 'ip': ['192.168.5.1', '180.22.66.3']}, 'observer': {'ip': '10.10.2.33'}, 'server': {'ip': '10.10.2.33', 'nat': {'ip': '180.22.66.1'}}, 'source': {'ip': '10.10.2.33'}, 'preexisting': 'I exists already', 'parent': {'child1': {'child2': {'child3': 'I am a child'}}, 'child1a': 'the other child'}}\n" ] }, { "data": { "text/plain": [ "ProcessorResult(data=[], errors=[], warnings=[], event={'client': {'ip': ['127.0.0.1', 'fe89::', '192.168.5.1']}, 'destination': {'ip': '8.8.8.8'}, 'host': {'_hostname': 'customer2', 'ip': ['192.168.5.1', '180.22.66.3']}, 'observer': {'ip': '10.10.2.33'}, 'server': {'ip': 
'10.10.2.33', 'nat': {'ip': '180.22.66.1'}}, 'preexisting': 'I exists already', 'parent': {'child1': {'child2': {'child3': 'I am a child'}}, 'child1a': 'the other child'}, 'related': {'ip': ['223.2.3.2', '10.10.2.33']}, 'newparent': {'child1': {'child2': {'child3': 'I am a child'}}}}, processor_name='the_field_manager')" ] }, "execution_count": 34, "metadata": {}, "output_type": "execute_result" } ], "source": [ "from copy import deepcopy\n", "\n", "mydocument = deepcopy(document)\n", "processor.process(mydocument)\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Check Results" ] }, { "cell_type": "code", "execution_count": 35, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'client': {'ip': ['127.0.0.1', 'fe89::', '192.168.5.1'],\n", " 'nat': {'ip': '223.2.3.2'}},\n", " 'destination': {'ip': '8.8.8.8'},\n", " 'host': {'_hostname': 'customer2', 'ip': ['192.168.5.1', '180.22.66.3']},\n", " 'observer': {'ip': '10.10.2.33'},\n", " 'server': {'ip': '10.10.2.33', 'nat': {'ip': '180.22.66.1'}},\n", " 'source': {'ip': '10.10.2.33'},\n", " 'preexisting': 'I exists already',\n", " 'parent': {'child1': {'child2': {'child3': 'I am a child'}},\n", " 'child1a': 'the other child'}}" ] }, "execution_count": 35, "metadata": {}, "output_type": "execute_result" } ], "source": [ "document" ] }, { "cell_type": "code", "execution_count": 36, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'client': {'ip': ['127.0.0.1', 'fe89::', '192.168.5.1']},\n", " 'destination': {'ip': '8.8.8.8'},\n", " 'host': {'_hostname': 'customer2', 'ip': ['192.168.5.1', '180.22.66.3']},\n", " 'observer': {'ip': '10.10.2.33'},\n", " 'server': {'ip': '10.10.2.33', 'nat': {'ip': '180.22.66.1'}},\n", " 'preexisting': 'I exists already',\n", " 'parent': {'child1': {'child2': {'child3': 'I am a child'}},\n", " 'child1a': 'the other child'},\n", " 'related': {'ip': ['223.2.3.2', '10.10.2.33']},\n", " 'newparent': {'child1': {'child2': {'child3': 'I am a child'}}}}" ] }, 
"execution_count": 36, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mydocument" ] } ], "metadata": { "kernelspec": { "display_name": ".venv", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.12.3" }, "orig_nbformat": 4 }, "nbformat": 4, "nbformat_minor": 2 }