From e1fac851f9f54680870f3ebe1c36aedc1d3f1f60 Mon Sep 17 00:00:00 2001 From: Neil Lathwood Date: Sat, 15 Oct 2016 00:29:55 +0100 Subject: [PATCH] refactor: Update alert rules to generate sql query and store in db (#4748) --- alerts.php | 7 +++++-- daily.php | 14 ++++++++++++++ daily.sh | 1 + html/ajax_form.php | 1 + html/includes/forms/create-alert-item.inc.php | 6 +++--- html/includes/output/query.inc.php | 6 +++++- html/includes/print-alert-rules.php | 2 ++ includes/alerts.inc.php | 5 ++++- sql-schema/145.sql | 1 + 9 files changed, 36 insertions(+), 7 deletions(-) create mode 100644 sql-schema/145.sql
diff --git a/alerts.php b/alerts.php
index 6e131ac172..a72fac5407 100755
--- a/alerts.php
+++ b/alerts.php
@@ -172,7 +172,7 @@ function RunFollowUp()
 $alert['rule_id'],
 $alert['device_id'],
 );
- $alert = dbFetchRow('SELECT alert_log.id,alert_log.rule_id,alert_log.device_id,alert_log.state,alert_log.details,alert_log.time_logged,alert_rules.rule,alert_rules.severity,alert_rules.extra,alert_rules.name FROM alert_log,alert_rules WHERE alert_log.rule_id = alert_rules.id && alert_log.device_id = ? && alert_log.rule_id = ? && alert_rules.disabled = 0 ORDER BY alert_log.id DESC LIMIT 1', array($alert['device_id'], $alert['rule_id']));
+ $alert = dbFetchRow('SELECT alert_log.id,alert_log.rule_id,alert_log.device_id,alert_log.state,alert_log.details,alert_log.time_logged,alert_rules.rule, alert_rules.query,alert_rules.severity,alert_rules.extra,alert_rules.name FROM alert_log,alert_rules WHERE alert_log.rule_id = alert_rules.id && alert_log.device_id = ? && alert_log.rule_id = ? && alert_rules.disabled = 0 ORDER BY alert_log.id DESC LIMIT 1', array($alert['device_id'], $alert['rule_id']));
 if (empty($alert['rule']) || !IsRuleValid($tmp[1], $tmp[0])) {
 // Alert-Rule does not exist anymore, let's remove the alert-state.
 echo 'Stale-Rule: #'.$tmp[0].'/'.$tmp[1]."\r\n";
@@ -186,7 +186,10 @@ function RunFollowUp()
 continue;
 }
- $chk = dbFetchRows(GenSQL($alert['rule']), array($alert['device_id']));
+ if (empty($alert['query'])) {
+ $alert['query'] = GenSQL($alert['rule']);
+ }
+ $chk = dbFetchRows($alert['query'], array($alert['device_id']));
 $o = sizeof($alert['details']['rule']);
 $n = sizeof($chk);
 $ret = 'Alert #'.$alert['id'];
diff --git a/daily.php b/daily.php
index df29e7be12..02742b8d20 100644
--- a/daily.php
+++ b/daily.php
@@ -12,6 +12,7 @@ require 'includes/defaults.inc.php';
 require 'config.php';
 require_once 'includes/definitions.inc.php';
 require 'includes/functions.php';
+require_once 'includes/alerts.inc.php';
 $options = getopt('f:d');
@@ -152,3 +153,16 @@ if ($options['f'] === 'purgeusers') {
 }
 }
 }
+
+if ($options['f'] === 'refresh_alert_rules') {
+ echo 'Refreshing alert rules queries' . PHP_EOL;
+ $rules = dbFetchRows('SELECT `id`, `rule` FROM `alert_rules`');
+ foreach ($rules as $rule) {
+ $data['query'] = GenSQL($rule['rule']);
+ if (!empty($data['query'])) {
+ $debug=1;
+ dbUpdate($data, 'alert_rules', 'id=?', array($rule['id']));
+ unset($data);
+ }
+ }
+}
diff --git a/daily.sh b/daily.sh
index edb400a344..d23015348a 100755
--- a/daily.sh
+++ b/daily.sh
@@ -82,6 +82,7 @@ else
 ;;
 cleanup)
 # Cleanups
+ php daily.php -f refresh_alert_rules
 php daily.php -f syslog
 php daily.php -f eventlog
 php daily.php -f authlog
diff --git a/html/ajax_form.php b/html/ajax_form.php
index 6e60ff45c6..0ce833f442 100644
--- a/html/ajax_form.php
+++ b/html/ajax_form.php
@@ -21,6 +21,7 @@ require_once 'includes/functions.inc.php';
 require_once '../includes/functions.php';
 require_once 'includes/authenticate.inc.php';
 require_once 'includes/vars.inc.php';
+require_once '../includes/alerts.inc.php';
 set_debug($_REQUEST['debug']);
diff --git a/html/includes/forms/create-alert-item.inc.php b/html/includes/forms/create-alert-item.inc.php
index 01ae19e728..40ded90fa6 100644
--- a/html/includes/forms/create-alert-item.inc.php
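Review bot: `$chk = dbFetchRows($alert['query'], ...)` now executes whatever the `alert_rules.query` column holds, with `empty()` as the only fallback to GenSQL, so that column is effectively stored code and the SQL that runs can differ from what `rule` describes whenever the two are written separately; the identical fallback is copied into query.inc.php and into RunRules in alerts.inc.php below. A rule whose `rule` text is changed by any path that does not also rewrite `query` (a direct DB edit, or a GenSQL fix after an upgrade) keeps running the old statement until the daily refresh rewrites it, with nothing logged. Suggest one helper in alerts.inc.php used by all three sites, e.g. `function GetRuleQuery($rule) { return empty($rule['query']) ? GenSQL($rule['rule']) : $rule['query']; }`, with a `d_echo()` when it falls back so stale rows are visible in debug output, and a comment at each write site saying that `query` must be regenerated whenever `rule` changes. RunFollowUp's body continues outside the hunk.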
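Review bot: `$debug=1;` inside the foreach of the new `refresh_alert_rules` branch looks like a leftover; it is assigned on every matching iteration and never reset, and if `$debug` is the global that d_echo()/dbUpdate consult (not visible here) the remainder of the run prints debug output for every update. Drop the line. The branch is also silent when GenSQL returns nothing for a rule, leaving whatever `query` is already stored in place; an `else { echo 'Rule ' . $rule['id'] . ': no query generated' . PHP_EOL; }` would make such rows findable from the cron output. Comparing the generated text with the stored one before calling dbUpdate would avoid rewriting every row each day, but that needs `query` added to the SELECT.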
+++ b/html/includes/forms/create-alert-item.inc.php
@@ -18,6 +18,7 @@ if (is_admin() === false) {
 $rule = implode(' ', $_POST['rules']);
 $rule = rtrim($rule, '&|');
+$query = GenSQL($rule);
 $alert_id = $_POST['alert_id'];
 $count = mres($_POST['count']);
 $delay = mres($_POST['delay']);
@@ -62,7 +63,7 @@ if (empty($rule)) {
 );
 $extra_json = json_encode($extra);
 if (is_numeric($alert_id) && $alert_id > 0) {
- if (dbUpdate(array('rule' => $rule, 'severity' => mres($_POST['severity']), 'extra' => $extra_json, 'name' => $name, 'proc' => $proc), 'alert_rules', 'id=?', array($alert_id)) >= 0) {
+ if (dbUpdate(array('rule' => $rule, 'severity' => mres($_POST['severity']), 'extra' => $extra_json, 'name' => $name, 'proc' => $proc, 'query' => $query), 'alert_rules', 'id=?', array($alert_id)) >= 0) {
 $update_message = "Edited Rule: $name: $rule";
 } else {
 $update_message = 'ERROR: Failed to edit Rule: '.$rule.'';
@@ -71,8 +72,7 @@ if (empty($rule)) {
 if (is_array($_POST['maps'])) {
 $device_id = ':'.$device_id;
 }
-
- if (dbInsert(array('device_id' => $device_id, 'rule' => $rule, 'severity' => mres($_POST['severity']), 'extra' => $extra_json, 'disabled' => 0, 'name' => $name, 'proc' => $proc), 'alert_rules')) {
+ if (dbInsert(array('device_id' => $device_id, 'rule' => $rule, 'severity' => mres($_POST['severity']), 'extra' => $extra_json, 'disabled' => 0, 'name' => $name, 'proc' => $proc, 'query' => $query), 'alert_rules')) {
 $update_message = "Added Rule: $name: $rule";
 if (is_array($_POST['maps'])) {
 foreach ($_POST['maps'] as $target) {
diff --git a/html/includes/output/query.inc.php b/html/includes/output/query.inc.php
index 4a29ffe138..c5fd969a22 100644
--- a/html/includes/output/query.inc.php
+++ b/html/includes/output/query.inc.php
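Review bot: `$query = GenSQL($rule)` is written by both the dbUpdate and the dbInsert call without checking that GenSQL produced anything, and `$rule` at that point is just `implode(' ', $_POST['rules'])` with `&|` trimmed, so an unparseable rule stores an empty value (or `false`, depending on GenSQL's failure return, which is not visible here) into a NOT NULL column and the problem only surfaces when RunRules executes it. Reject it at the same point the existing `if (empty($rule))` check rejects an empty rule, e.g. `if (empty($query)) { $update_message = 'ERROR: Could not generate a query for rule: ' . $rule; }` before either write is reached. As a point of style, the two one-line `array(...)` field lists differ only by `device_id` and `disabled`; building one `$fields` array and adding those two keys for the insert would keep `query` from being forgotten in one branch the next time a column is added.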
@@ -39,7 +39,10 @@ switch ($type) {
 $rules = GetRules($device_id);
 $output = '';
 foreach ($rules as $rule) {
- $sql = GenSQL($rule['rule']);
+ if (empty($rule['query'])) {
+ $rule['query'] = GenSQL($rule['rule']);
+ }
+ $sql = $rule['query'];
 $qry = dbFetchRow($sql, array($device_id));
 if (is_array($qry)) {
 $response = 'matches';
@@ -48,6 +51,7 @@ switch ($type) {
 }
 $output .= 'Rule name: ' . $rule['name'] . PHP_EOL;
 $output .= 'Alert rule: ' . $rule['rule'] . PHP_EOL;
+ $output .= 'Alert query: ' . $rule['query'] . PHP_EOL;
 $output .= 'Rule match: ' . $response . PHP_EOL . PHP_EOL;
 }
 if ($config['alert']['transports']['mail'] === true) {
diff --git a/html/includes/print-alert-rules.php b/html/includes/print-alert-rules.php
index accf363ffb..c553954a61 100644
--- a/html/includes/print-alert-rules.php
+++ b/html/includes/print-alert-rules.php
@@ -83,7 +83,9 @@ if (isset($_POST['create-default'])) {
 'disabled' => 0,
 'name' => 'Service up/down',
 );
+ require_once '../includes/alerts.inc.php';
 foreach ($default_rules as $add_rule) {
+ $add_rule['query'] = GenSQL($add_rule['rule']);
 dbInsert($add_rule, 'alert_rules');
 }
 }//end if
diff --git a/includes/alerts.inc.php b/includes/alerts.inc.php
index a876a26eca..962156581b 100644
--- a/includes/alerts.inc.php
+++ b/includes/alerts.inc.php
@@ -169,7 +169,10 @@ function RunRules($device)
 }
 d_echo(PHP_EOL);
 $chk = dbFetchRow("SELECT state FROM alerts WHERE rule_id = ? && device_id = ? ORDER BY id DESC LIMIT 1", array($rule['id'], $device));
- $sql = GenSQL($rule['rule']);
+ if (empty($rule['query'])) {
+ $rule['query'] = GenSQL($rule['rule']);
+ }
+ $sql = $rule['query'];
 $qry = dbFetchRows($sql, array($device));
 if (isset($qry[0]['ip'])) {
 $qry[0]['ip'] = inet6_ntop($qry[0]['ip']);
diff --git a/sql-schema/145.sql b/sql-schema/145.sql
new file mode 100644
index 0000000000..7291b699b0
--- /dev/null
+++ b/sql-schema/145.sql
@@ -0,0 +1 @@
+ALTER TABLE `alert_rules` ADD `query` TEXT NOT NULL AFTER `name`;
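Review bot: `require_once '../includes/alerts.inc.php';` is dropped into the middle of the `create-default` branch, between the `$default_rules` array and the loop that calls GenSQL, so the dependency is conditional on a POST field and invisible to anyone reading the top of the file; the file's other includes are not in the hunk, but that is where a require belongs. If it must stay local, a one-line comment such as `// GenSQL() is defined in alerts.inc.php; only needed when seeding the default rules` would explain the placement. The enclosing `if (isset($_POST['create-default']))` starts outside the hunk.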
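Review bot: The new column is `TEXT NOT NULL` with no default (TEXT cannot carry one in MySQL), so existing rows come out of the migration holding '' and the code depends on the `empty()` fallback plus the daily `refresh_alert_rules` run to fill them. That works for the write paths in this commit, but any other code that inserts into `alert_rules` without supplying `query` (an API or import path, if one exists; not visible here) will start failing under STRICT_TRANS_TABLES with a missing-default error. Either state that contract in a comment in the migration, `-- query is regenerated from rule; every INSERT into alert_rules must supply it`, or have the upgrade step populate the column instead of waiting for the next daily cleanup.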