[backend] Implement log shipping to Graylog via GELF (#9629) #8410
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #8410 +/- ##
==========================================
- Coverage 65.24% 65.17% -0.08%
==========================================
Files 630 632 +2
Lines 60273 60406 +133
Branches 6763 6764 +1
==========================================
+ Hits 39325 39368 +43
- Misses 20948 21038 +90
☔ View full report in Codecov by Sentry.
1a7d222 to 281366b
@bnazare thanks for your contribution!
This PR has a counterpart in OpenCTI-Platform/client-python#786.
3c9b6fe to 55f1339
Sorry about the delay, they're signed now ;).
b414944 to c7f4cb7
Thanks! Some merge conflicts remain to be resolved, but we'll be able to merge your PRs as soon as those are solved.
@bnazare could you rebase your PR on latest master please?
55f1339 to 3fd8920
@labo-flg I've just rebased the PR. Unfortunately, while testing the results I found an issue with the package "winston-gelf". That package hasn't seen any movement in 6 years and I also couldn't find a more suitable alternative. So, to solve it, I copied its contents into the project and patched it. It's only 40-something lines so it's not a very large addition. Let me know if you'd prefer a different approach.
Proposed changes
Related issues
There are no related issues but this subject has been previously discussed with Linkare within the scope of the OpenCTI implementation for the Centre for Cybersecurity Belgium (https://ccb.belgium.be/).
EDIT: closes #9629 (issue created for tracking)
Checklist
Further comments
We added an extra step to the application shutdown so that it now waits for the loggers to flush. This was previously not very relevant but sending data via the network introduces some latency that makes this necessary. Failing to do so results in the loss of some of the last log messages. This is particularly critical in the cases where the application fails as those messages will probably include the details of the relevant error.
No new tests were added for this functionality as that would require setting up an integration testing environment containing at least a Graylog instance plus subordinate MongoDB and Elasticsearch instances. Furthermore, having the test communicate with Graylog, so as to assert that the logs were correctly stored, would not be a trivial implementation. All in all, we estimate the effort required to implement all of this would dwarf the effort put into such a small change.
On the other hand, the changes proposed are all opt-in so they shouldn't break any existing behaviour. The little code that is unavoidable will actually run on every startup and shutdown and thus all existing tests will at least validate that the new functionality has no negative effects when not explicitly enabled.