defenxor / dsiem

Security event correlation engine for ELK stack
GNU General Public License v3.0
435 stars 100 forks

[Feature Request] Accept json array in POST /events route #410

Open aphilas opened 2 years ago

aphilas commented 2 years ago

Problem to be solved

/events only accepts a single event. Code in event.go and handler.go.

I am setting up an EFK stack, and then using dsiem for correlation.

The Fluentd out_http plugin, IIUC, only emits either ndjson or JSON with an array of events. Docs.

Alternatives I have tried

POSTing application/x-ndjson, which fails. POSTing application/json with an array of normalized events, which fails. Different Fluentd configs for out_http.

Suggested solution

Parse an event or an array of events.

I don't know if that's trivial (or even necessary), or it adds extra complexity.

ETA:

  1. Fixed typo
  2. In the meantime I have set up a tiny proxy to split the array.

mmta commented 1 year ago

We're not considering accepting arrays for now, and your workaround seems good.

Doing it with the least amount of change in Dsiem would be by modifying this line to parse an array: https://github.com/defenxor/dsiem/blob/edcd608668aad890056c20dd5ade5061da672cc2/internal/pkg/dsiem/server/handler.go#L188, and just creating a loop over it to the end of the file.
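One way to implement what mmta sketches, as an added example that is not dsiem's code and does not reproduce its handler.go: a Go handler whose body parser accepts a single JSON object, a JSON array of objects, or ndjson (the two shapes aphilas reports Fluentd's out_http emitting) and then loops over the result. The `event` struct, the `sink` callback and the 4 MiB body cap are assumptions made for this example; dsiem's real event type and processing pipeline are not shown here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// event is a stand-in for dsiem's normalized event; only a few fields are
// modelled (an assumption for this example, not the project's real struct).
type event struct {
	Title  string `json:"title"`
	SrcIP  string `json:"src_ip"`
	Sensor string `json:"sensor"`
}

// parseEvents accepts the body shapes an HTTP log forwarder may send: a single
// JSON object, a JSON array of objects, or newline-delimited JSON (ndjson).
// Events come back in wire order; the first malformed element fails the call.
func parseEvents(body []byte) ([]event, error) {
	b := bytes.TrimSpace(body)
	if len(b) == 0 {
		return nil, errors.New("empty body")
	}
	switch b[0] {
	case '[':
		var evs []event
		if err := json.Unmarshal(b, &evs); err != nil {
			return nil, fmt.Errorf("invalid JSON array: %w", err)
		}
		return evs, nil
	case '{':
		return parseStream(b) // a lone object is an ndjson stream of length one
	}
	return nil, errors.New("body is neither a JSON object nor a JSON array")
}

// parseStream decodes concatenated or newline-delimited JSON objects and
// rejects trailing garbage, which decoding only the first object would ignore.
func parseStream(b []byte) ([]event, error) {
	dec := json.NewDecoder(bytes.NewReader(b))
	var evs []event
	for {
		var ev event
		err := dec.Decode(&ev)
		if err == io.EOF {
			return evs, nil
		}
		if err != nil {
			return nil, fmt.Errorf("record %d: %w", len(evs)+1, err)
		}
		evs = append(evs, ev)
	}
}

// eventsHandler is the shape a /events route takes once it loops over parsed
// events; sink stands in for the per-event work the single-event route does.
func eventsHandler(sink func(event) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Cap the body so one oversized array cannot exhaust memory (4 MiB is
		// an assumed limit for the example).
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 4<<20))
		if err != nil {
			http.Error(w, "body unreadable or over size limit", http.StatusRequestEntityTooLarge)
			return
		}
		evs, err := parseEvents(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		for i, ev := range evs {
			if err := sink(ev); err != nil {
				http.Error(w, fmt.Sprintf("event %d: %v", i, err), http.StatusInternalServerError)
				return
			}
		}
		fmt.Fprintf(w, "%d event(s) accepted\n", len(evs))
	}
}

func main() {
	// Constructed sample bodies, not captured from a real Fluentd instance.
	bodies := []string{
		`{"title":"SSH login failure","src_ip":"10.0.0.5","sensor":"fw1"}`,
		`[{"title":"Port scan","src_ip":"10.0.0.5","sensor":"ids1"},{"title":"Port scan","src_ip":"10.0.0.6","sensor":"ids1"}]`,
		"{\"title\":\"A\",\"sensor\":\"s\"}\n{\"title\":\"B\",\"sensor\":\"s\"}\n",
		`not json`,
	}
	h := eventsHandler(func(ev event) error {
		fmt.Printf("  processed %q from %s\n", ev.Title, ev.Sensor)
		return nil
	})
	for _, body := range bodies {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/events", strings.NewReader(body)))
		fmt.Printf("status %d: %s", rec.Code, rec.Body.String())
	}
}
```

The shape is sniffed from the first non-space byte rather than from Content-Type, so a forwarder that labels an ndjson body as application/json still gets parsed. Two caveats a practitioner would want: a bad element anywhere in the batch rejects the whole request with 400 before any event is processed, and a sink failure returns 500 after the preceding events in that batch have already been handed on, so a client that retries the batch will resubmit those.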