Merge changes from topic 'add-failed-logins-metric'

* changes:
  Add a filter counting the failed SSH logins
  Rename authentications.lua to audit_authentications.lua
diff --git a/heka/files/lua/filters/authentications.lua b/heka/files/lua/filters/audit_authentications.lua
similarity index 100%
rename from heka/files/lua/filters/authentications.lua
rename to heka/files/lua/filters/audit_authentications.lua
diff --git a/heka/files/lua/filters/failed_logins.lua b/heka/files/lua/filters/failed_logins.lua
new file mode 100644
index 0000000..ecf259f
--- /dev/null
+++ b/heka/files/lua/filters/failed_logins.lua
@@ -0,0 +1,72 @@
+-- Copyright 2017 Mirantis, Inc.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+require 'os'
+local utils = require 'lma_utils'
+
+local hostname = read_config('hostname') or error('hostname must be specified')
+-- The filter can receive messages that should be discarded because they are
+-- way too old (Heka cannot guarantee that messages are processed in real-time).
+-- The 'grace_interval' parameter allows to define which messages should be
+-- kept and which should be discarded. For instance, a value of '10' means that
+-- the filter will take into account messages that are at most 10 seconds
+-- older than the current time.
+local grace_interval = (read_config('grace_interval') or 0) + 0
+local metric_source = read_config('source')
+
+local msg = {
+    Type = "metric", -- will be prefixed by "heka.sandbox."
+    Severity = 6,
+    Fields = {
+        source = metric_source,
+        hostname = hostname,
+        tag_fields = { 'hostname' }
+    }
+}
+local global_counter = 0
+local ticker_counter = 0
+local last_timer_event = os.time() * 1e9
+
+function process_message ()
+    if utils.convert_to_sec(read_message('Timestamp')) + grace_interval < utils.convert_to_sec(last_timer_event) then
+        -- skip the the message if it doesn't fall into the current interval
+        return 0
+    end
+
+    if string.match(read_message('Payload'), '^Invalid user') then
+        global_counter = global_counter + 1
+        ticker_counter = ticker_counter + 1
+    end
+
+    return 0
+end
+
+function timer_event(ns)
+    msg.Timestamp = ns
+    msg.Fields.name = 'failed_logins_total'
+    msg.Fields.value = global_counter
+    msg.Fields.type = utils.metric_type['GAUGE']
+    utils.inject_tags(msg)
+    utils.safe_inject_message(msg)
+
+    msg.Fields.name = 'failed_logins_rate'
+    msg.Fields.type = utils.metric_type['DERIVE']
+    msg.Fields.value = ticker_counter / ((ns - last_timer_event) / 1e9)
+    utils.safe_inject_message(msg)
+
+    ticker_counter = 0
+    last_timer_event = ns
+
+    return 0
+end
diff --git a/heka/meta/heka.yml b/heka/meta/heka.yml
index 637a870..9e00f60 100644
--- a/heka/meta/heka.yml
+++ b/heka/meta/heka.yml
@@ -225,9 +225,9 @@
       module_dir: /usr/share/lma_collector/common;/usr/share/heka/lua_modules
       preserve_data: false
       message_matcher: "Type == 'notification' && Fields[event_type] =~ /create.end$/"
-    authentication:
+    audit_authentications:
       engine: sandbox
-      module_file: /usr/share/lma_collector/filters/authentications.lua
+      module_file: /usr/share/lma_collector/filters/audit_authentications.lua
       module_dir: /usr/share/lma_collector/common;/usr/share/heka/lua_modules
       message_matcher: "Type == 'audit' &&  Fields[action] == 'authenticate'"
       ticker_interval: 60