{
  "cells": [
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "# Dissector\n",
        "\n",
        "This presentations goal it to introduce the features of the `Dissector` and how to configure it."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "# Dissector\n",
        "\n",
        "This presentations goal it to introduce the features of the `Dissector` and how to configure it."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "### The challenge\n",
        "\n",
        "I want to dissect a field to different target fields."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "from this:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 21,
      "metadata": {},
      "outputs": [],
      "source": [
        "document = { \"message\": \"Oct 17 11:54:21 dev-machine hv_kvp_daemon[3416730]: sh: 1: /usr/libexec/hypervkvpd/hv_get_dns_info: not found\" }"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "to this:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 22,
      "metadata": {},
      "outputs": [],
      "source": [
        "expected = {\n",
        "    \"message\": \"Oct 17 11:54:21 dev-machine hv_kvp_daemon[3416730]: sh: 1: /usr/libexec/hypervkvpd/hv_get_dns_info: not found\",\n",
        "    \"@timestamp\": \"Oct 17 11:54:21\",\n",
        "    \"hostname\": \"dev-machine\",\n",
        "    \"process\": {\n",
        "        \"name\": \"hv_kvp_daemon\",\n",
        "        \"pid\": 3416730\n",
        "    },\n",
        "    \"sh\": \"/usr/libexec/hypervkvpd/hv_get_dns_info: not found\"\n",
        "}"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "### Create rule and processor"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "create the rule:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 23,
      "metadata": {},
      "outputs": [
        {
          "data": {
            "text/plain": [
              "215"
            ]
          },
          "execution_count": 23,
          "metadata": {},
          "output_type": "execute_result"
        }
      ],
      "source": [
        "import sys\n",
        "sys.path.append(\"../../../../../\")\n",
        "import tempfile\n",
        "from pathlib import Path\n",
        "\n",
        "rule_yaml = \"\"\"---\n",
        "filter: \"message\"\n",
        "dissector:\n",
        "  mapping:\n",
        "    message: \"%{@timestamp} %{+@timestamp} %{+@timestamp} %{hostname} %{process.name}[%{process.pid}]: %{?shell}: %{}: %{&shell}\"\n",
        "  convert_datatype:\n",
        "    process.pid: int\n",
        "\"\"\"\n",
        "\n",
        "rule_path = Path(tempfile.gettempdir()) / \"concatenator\"\n",
        "rule_path.mkdir(exist_ok=True)\n",
        "rule_file = rule_path / \"data-stream.yml\"\n",
        "rule_file.write_text(rule_yaml)"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "create the processor config:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 24,
      "metadata": {},
      "outputs": [],
      "source": [
        "processor_config = {\n",
        "    \"thealmightydissector\":{   \n",
        "        \"type\": \"dissector\",\n",
        "        \"rules\": [str(rule_path), \"/dev\"],\n",
        "        }\n",
        "    }"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "create the processor with the factory:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 25,
      "metadata": {},
      "outputs": [
        {
          "data": {
            "text/plain": [
              "dissector"
            ]
          },
          "execution_count": 25,
          "metadata": {},
          "output_type": "execute_result"
        }
      ],
      "source": [
        "from unittest import mock\n",
        "from logprep.factory import Factory\n",
        "\n",
        "mock_logger = mock.MagicMock()\n",
        "dissector = Factory.create(processor_config)\n",
        "dissector"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "### Process event"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 26,
      "metadata": {},
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "before: {'message': 'Oct 17 11:54:21 dev-machine hv_kvp_daemon[3416730]: sh: 1: /usr/libexec/hypervkvpd/hv_get_dns_info: not found'}\n",
            "after: {'message': 'Oct 17 11:54:21 dev-machine hv_kvp_daemon[3416730]: sh: 1: /usr/libexec/hypervkvpd/hv_get_dns_info: not found', '@timestamp': 'Oct 17 11:54:21', 'hostname': 'dev-machine', 'process': {'name': 'hv_kvp_daemon', 'pid': 3416730}, 'sh': '/usr/libexec/hypervkvpd/hv_get_dns_info: not found'}\n",
            "True\n"
          ]
        }
      ],
      "source": [
        "from copy import deepcopy\n",
        "mydocument = deepcopy(document)\n",
        "\n",
        "\n",
        "print(f\"before: {mydocument}\")\n",
        "dissector.process(mydocument)\n",
        "print(f\"after: {mydocument}\")\n",
        "print(mydocument == expected)"
      ]
    }
  ],
  "metadata": {
    "kernelspec": {
      "display_name": "Python 3.11.0 ('.venv': venv)",
      "language": "python",
      "name": "python3"
    },
    "language_info": {
      "codemirror_mode": {
        "name": "ipython",
        "version": 3
      },
      "file_extension": ".py",
      "mimetype": "text/x-python",
      "name": "python",
      "nbconvert_exporter": "python",
      "pygments_lexer": "ipython3",
      "version": "3.9.16"
    },
    "orig_nbformat": 4,
    "vscode": {
      "interpreter": {
        "hash": "586280540a85d3e21edc698fe7b86af2848b9b02644e6c22463da25c40a3f1be"
      }
    }
  },
  "nbformat": 4,
  "nbformat_minor": 2
}