Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / heka / 519f08d0e41094a7a3c75520affa8242545b03a8^! / .
commit519f08d0e41094a7a3c75520affa8242545b03a8[log] [tgz]
authorSimon Pasquier <spasquier@mirantis.com>Wed Feb 22 10:43:29 2017 +0100
committerSimon Pasquier <spasquier@mirantis.com>Thu Feb 23 10:15:09 2017 +0100
treea56dec3ea99f3eef09e0980ca87b64e0616b0c91
parenteab45382cb91df447307b4b1c77107db101a164b [diff]
Add a filter counting the failed SSH logins

Change-Id: I1a20a356920edf189bbc7430c57f9084b5d6a6b7

diff --git a/heka/files/lua/filters/failed_logins.lua b/heka/files/lua/filters/failed_logins.lua
new file mode 100644
index 0000000..ecf259f
--- /dev/null
+++ b/heka/files/lua/filters/failed_logins.lua

@@ -0,0 +1,72 @@
+-- Copyright 2017 Mirantis, Inc.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+require 'os'
+local utils = require 'lma_utils'
+
+local hostname = read_config('hostname') or error('hostname must be specified')
+-- The filter can receive messages that should be discarded because they are
+-- way too old (Heka cannot guarantee that messages are processed in real-time).
+-- The 'grace_interval' parameter allows to define which messages should be
+-- kept and which should be discarded. For instance, a value of '10' means that
+-- the filter will take into account messages that are at most 10 seconds
+-- older than the current time.
+local grace_interval = (read_config('grace_interval') or 0) + 0
+local metric_source = read_config('source')
+
+local msg = {
+    Type = "metric", -- will be prefixed by "heka.sandbox."
+    Severity = 6,
+    Fields = {
+        source = metric_source,
+        hostname = hostname,
+        tag_fields = { 'hostname' }
+    }
+}
+local global_counter = 0
+local ticker_counter = 0
+local last_timer_event = os.time() * 1e9
+
+function process_message ()
+    if utils.convert_to_sec(read_message('Timestamp')) + grace_interval < utils.convert_to_sec(last_timer_event) then
+        -- skip the the message if it doesn't fall into the current interval
+        return 0
+    end
+
+    if string.match(read_message('Payload'), '^Invalid user') then
+        global_counter = global_counter + 1
+        ticker_counter = ticker_counter + 1
+    end
+
+    return 0
+end
+
+function timer_event(ns)
+    msg.Timestamp = ns
+    msg.Fields.name = 'failed_logins_total'
+    msg.Fields.value = global_counter
+    msg.Fields.type = utils.metric_type['GAUGE']
+    utils.inject_tags(msg)
+    utils.safe_inject_message(msg)
+
+    msg.Fields.name = 'failed_logins_rate'
+    msg.Fields.type = utils.metric_type['DERIVE']
+    msg.Fields.value = ticker_counter / ((ns - last_timer_event) / 1e9)
+    utils.safe_inject_message(msg)
+
+    ticker_counter = 0
+    last_timer_event = ns
+
+    return 0
+end