mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13898 Commits
28 Branches
Tree: 36e960ed74
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '36e960ed74'
${ noResults }
rspamd/src/plugins/lua/elastic.lua

elastic.lua 14KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488 
  1. --[[

  2. Copyright (c) 2017, Veselin Iordanov

  3. Copyright (c) 2018, Vsevolod Stakhov <vsevolod@highsecure.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local rspamd_logger = require 'rspamd_logger'

  19. local rspamd_http = require "rspamd_http"

  20. local lua_util = require "lua_util"

  21. local util = require "rspamd_util"

  22. local ucl = require "ucl"

  23. local rspamd_redis = require "lua_redis"

  24. local upstream_list = require "rspamd_upstream_list"

  25. 

  26. if confighelp then

  27.   return

  28. end

  29. 

  30. local rows = {}

  31. local nrows = 0

  32. local failed_sends = 0

  33. local elastic_template

  34. local redis_params

  35. local N = "elastic"

  36. local E = {}

  37. local connect_prefix = 'http://'

  38. local enabled = true

  39. local settings = {

  40.   limit = 500,

  41.   index_pattern = 'rspamd-%Y.%m.%d',

  42.   template_file = rspamd_paths['SHAREDIR'] .. '/elastic/rspamd_template.json',

  43.   kibana_file = rspamd_paths['SHAREDIR'] ..'/elastic/kibana.json',

  44.   key_prefix = 'elastic-',

  45.   expire = 3600,

  46.   timeout = 5.0,

  47.   failover = false,

  48.   import_kibana = false,

  49.   use_https = false,

  50.   use_gzip = true,

  51.   allow_local = false,

  52.   user = nil,

  53.   password = nil,

  54.   no_ssl_verify = false,

  55.   max_fail = 3,

  56. }

  57. 

  58. local function read_file(path)

  59.     local file = io.open(path, "rb")

  60.     if not file then return nil end

  61.     local content = file:read "*a"

  62.     file:close()

  63.     return content

  64. end

  65. 

  66. local function elastic_send_data(task)

  67.   local es_index = os.date(settings['index_pattern'])

  68.   local tbl = {}

  69.   for _,value in pairs(rows) do

  70.     table.insert(tbl, '{ "index" : { "_index" : "'..es_index..

  71.         '", "_type" : "logs" ,"pipeline": "rspamd-geoip"} }')

  72.     table.insert(tbl, ucl.to_format(value, 'json-compact'))

  73.   end

  74. 

  75.   table.insert(tbl, '') -- For last \n

  76. 

  77.   local upstream = settings.upstream:get_upstream_round_robin()

  78.   local ip_addr = upstream:get_addr():to_string(true)

  79. 

  80.   local push_url = connect_prefix .. ip_addr .. '/'..es_index..'/_bulk'

  81.   local bulk_json = table.concat(tbl, "\n")

  82.   local err, response = rspamd_http.request({

  83.     url = push_url,

  84.     headers = {

  85.       ['Content-Type'] = 'application/x-ndjson',

  86.     },

  87.     body = bulk_json,

  88.     task = task,

  89.     method = 'post',

  90.     gzip = settings.use_gzip,

  91.     no_ssl_verify = settings.no_ssl_verify,

  92.     user = settings.user,

  93.     password = settings.password,

  94.     timeout = settings.timeout,

  95.   })

  96. 

  97.   if err then

  98.     rspamd_logger.infox(task, "cannot push data to elastic backend (%s): %s; failed attempts: %s/%s",

  99.         push_url, err, failed_sends, settings.max_fail)

  100.   else

  101.     if response.code ~= 200 then

  102.       rspamd_logger.infox(task,

  103.           "cannot push data to elastic backend (%s): wrong http code %s (%s); failed attempts: %s/%s",

  104.           push_url, err, response.code, failed_sends, settings.max_fail)

  105.     else

  106.       lua_util.debugm(N, task, "successfully sent %s (%s bytes) rows to ES",

  107.           nrows, #bulk_json)

  108. 

  109.       return true

  110.     end

  111.   end

  112. 

  113.   return false

  114. end

  115. 

  116. local function get_general_metadata(task)

  117.   local r = {}

  118.   local ip_addr = task:get_ip()

  119. 

  120.   r.webmail = false

  121. 

  122.   if ip_addr  and ip_addr:is_valid() then

  123.     r.is_local = ip_addr:is_local()

  124.     local origin = task:get_header('X-Originating-IP')

  125.     if origin then

  126.       origin = string.sub(origin, 2, -2)

  127.       local rspamd_ip = require "rspamd_ip"

  128.       local test = rspamd_ip.from_string(origin)

  129. 

  130.       if test and test:is_valid() then

  131.         r.webmail = true

  132.         r.ip = origin

  133.       else

  134.         r.ip = tostring(ip_addr)

  135.       end

  136.     else

  137.       r.ip = tostring(ip_addr)

  138.     end

  139.   else

  140.     r.ip = '127.0.0.1'

  141.   end

  142. 

  143.   r.direction = "Inbound"

  144.   r.user = task:get_user() or 'unknown'

  145.   r.qid = task:get_queue_id() or 'unknown'

  146.   r.action = task:get_metric_action('default')

  147.   if r.user ~= 'unknown' then

  148.       r.direction = "Outbound"

  149.   end

  150.   local s = task:get_metric_score('default')[1]

  151.   r.score =  s

  152. 

  153.   local rcpt = task:get_recipients('smtp')

  154.   if rcpt then

  155.     local l = {}

  156.     for _, a in ipairs(rcpt) do

  157.       table.insert(l, a['addr'])

  158.     end

  159.       r.rcpt = l

  160.   else

  161.     r.rcpt = 'unknown'

  162.   end

  163.   local from = task:get_from('smtp')

  164.   if ((from or E)[1] or E).addr then

  165.     r.from = from[1].addr

  166.   else

  167.     r.from = 'unknown'

  168.   end

  169. 

  170.   local syminf = task:get_symbols_all()

  171.   r.symbols = syminf

  172.   r.asn = {}

  173.   local pool = task:get_mempool()

  174.   r.asn.country = pool:get_variable("country") or 'unknown'

  175.   r.asn.asn   = pool:get_variable("asn") or 0

  176.   r.asn.ipnet = pool:get_variable("ipnet") or 'unknown'

  177. 

  178.   local function process_header(name)

  179.     local hdr = task:get_header_full(name)

  180.     if hdr then

  181.       local l = {}

  182.       for _, h in ipairs(hdr) do

  183.         table.insert(l, h.decoded)

  184.       end

  185.       return l

  186.     else

  187.       return 'unknown'

  188.     end

  189.   end

  190. 

  191.   r.header_from = process_header('from')

  192.   r.header_to = process_header('to')

  193.   r.header_subject = process_header('subject')

  194.   r.header_date = process_header('date')

  195.   r.message_id = task:get_message_id()

  196.   local hname = task:get_hostname() or 'unknown'

  197.   r.hostname = hname

  198. 

  199.   return r

  200. end

  201. 

  202. local function elastic_collect(task)

  203.   if not enabled then return end

  204.   if task:has_flag('skip') then return end

  205.   if not settings.allow_local and lua_util.is_rspamc_or_controller(task) then return end

  206. 

  207.   local row = {['rspamd_meta'] = get_general_metadata(task),

  208.     ['@timestamp'] = tostring(util.get_time() * 1000)}

  209.   table.insert(rows, row)

  210.   nrows = nrows + 1

  211.   if nrows > settings['limit'] then

  212.     lua_util.debugm(N, task, 'send elastic search rows: %s', nrows)

  213.     if elastic_send_data(task) then

  214.       nrows = 0

  215.       rows = {}

  216.       failed_sends = 0;

  217.     else

  218.       failed_sends = failed_sends + 1

  219. 

  220.       if failed_sends > settings.max_fail then

  221.         rspamd_logger.errx(task, 'cannot send %s rows to ES %s times, stop trying',

  222.             nrows, failed_sends)

  223.         nrows = 0

  224.         rows = {}

  225.         failed_sends = 0;

  226.       end

  227.     end

  228.   end

  229. end

  230. 

  231. 

  232. local opts = rspamd_config:get_all_opt('elastic')

  233. 

  234. local function check_elastic_server(cfg, ev_base, _)

  235.   local upstream = settings.upstream:get_upstream_round_robin()

  236.   local ip_addr = upstream:get_addr():to_string(true)

  237. 

  238.   local plugins_url = connect_prefix .. ip_addr .. '/_nodes/plugins'

  239.   local function http_callback(err, code, body, _)

  240.     if code == 200 then

  241.       local parser = ucl.parser()

  242.       local res,ucl_err = parser:parse_string(body)

  243.       if not res then

  244.         rspamd_logger.infox(rspamd_config, 'failed to parse reply from %s: %s',

  245.             plugins_url, ucl_err)

  246.         enabled = false;

  247.         return

  248.       end

  249.       local obj = parser:get_object()

  250.       for node,value in pairs(obj['nodes']) do

  251.         local plugin_found = false

  252.         for _,plugin in pairs(value['plugins']) do

  253.           if plugin['name'] == 'ingest-geoip' then

  254.             plugin_found = true

  255.             lua_util.debugm(N, "ingest-geoip plugin has been found")

  256.           end

  257.         end

  258.         if not plugin_found then

  259.           rspamd_logger.infox(rspamd_config,

  260.               'Unable to find ingest-geoip on %1 node, disabling module', node)

  261.           enabled = false

  262.           return

  263.         end

  264.       end

  265.     else

  266.       rspamd_logger.errx('cannot get plugins from %s: %s(%s) (%s)', plugins_url,

  267.           err, code, body)

  268.       enabled = false

  269.     end

  270.   end

  271.   rspamd_http.request({

  272.     url = plugins_url,

  273.     ev_base = ev_base,

  274.     config = cfg,

  275.     method = 'get',

  276.     callback = http_callback,

  277.     no_ssl_verify = settings.no_ssl_verify,

  278.     user = settings.user,

  279.     password = settings.password,

  280.     timeout = settings.timeout,

  281.   })

  282. end

  283. 

  284. -- import ingest pipeline and kibana dashboard/visualization

  285. local function initial_setup(cfg, ev_base, worker)

  286.   if not worker:is_primary_controller() then return end

  287. 

  288.   local upstream = settings.upstream:get_upstream_round_robin()

  289.   local ip_addr = upstream:get_addr():to_string(true)

  290. 

  291.   local function push_kibana_template()

  292.     -- add kibana dashboard and visualizations

  293.     if settings['import_kibana'] then

  294.       local kibana_mappings = read_file(settings['kibana_file'])

  295.       if kibana_mappings then

  296.         local parser = ucl.parser()

  297.         local res,parser_err = parser:parse_string(kibana_mappings)

  298.         if not res then

  299.           rspamd_logger.infox(rspamd_config, 'kibana template cannot be parsed: %s',

  300.               parser_err)

  301.           enabled = false

  302. 

  303.           return

  304.         end

  305.         local obj = parser:get_object()

  306.         local tbl = {}

  307.         for _,item in ipairs(obj) do

  308.           table.insert(tbl, '{ "index" : { "_index" : ".kibana", "_type" : "doc" ,"_id": "'..

  309.               item['_type'] .. ':' .. item["_id"]..'"} }')

  310.           table.insert(tbl, ucl.to_format(item['_source'], 'json-compact'))

  311.         end

  312.         table.insert(tbl, '') -- For last \n

  313. 

  314.         local kibana_url = connect_prefix .. ip_addr ..'/.kibana/_bulk'

  315.         local function kibana_template_callback(err, code, body, _)

  316.           if code ~= 200 then

  317.             rspamd_logger.errx('cannot put template to %s: %s(%s) (%s)', kibana_url,

  318.                 err, code, body)

  319.             enabled = false

  320.           else

  321.             lua_util.debugm(N, 'pushed kibana template: %s', body)

  322.           end

  323.         end

  324. 

  325.         rspamd_http.request({

  326.           url = kibana_url,

  327.           ev_base = ev_base,

  328.           config = cfg,

  329.           headers = {

  330.             ['Content-Type'] = 'application/x-ndjson',

  331.           },

  332.           body = table.concat(tbl, "\n"),

  333.           method = 'post',

  334.           gzip = settings.use_gzip,

  335.           callback = kibana_template_callback,

  336.           no_ssl_verify = settings.no_ssl_verify,

  337.           user = settings.user,

  338.           password = settings.password,

  339.           timeout = settings.timeout,

  340.         })

  341.       else

  342.         rspamd_logger.infox(rspamd_config, 'kibana template file %s not found', settings['kibana_file'])

  343.       end

  344.     end

  345.   end

  346. 

  347.   if enabled then

  348.     -- create ingest pipeline

  349.     local geoip_url = connect_prefix .. ip_addr ..'/_ingest/pipeline/rspamd-geoip'

  350.     local function geoip_cb(err, code, body, _)

  351.       if code ~= 200 then

  352.         rspamd_logger.errx('cannot get data from %s: %s(%s) (%s)',

  353.             geoip_url, err, code, body)

  354.         enabled = false

  355.       end

  356.     end

  357.     local template = {

  358.       description = "Add geoip info for rspamd",

  359.       processors = {

  360.         {

  361.           geoip = {

  362.             field = "rspamd_meta.ip",

  363.             target_field = "rspamd_meta.geoip"

  364.           }

  365.         }

  366.       }

  367.     }

  368.     rspamd_http.request({

  369.       url = geoip_url,

  370.       ev_base = ev_base,

  371.       config = cfg,

  372.       callback = geoip_cb,

  373.       headers = {

  374.         ['Content-Type'] = 'application/json',

  375.       },

  376.       gzip = settings.use_gzip,

  377.       body = ucl.to_format(template, 'json-compact'),

  378.       method = 'put',

  379.       no_ssl_verify = settings.no_ssl_verify,

  380.       user = settings.user,

  381.       password = settings.password,

  382.       timeout = settings.timeout,

  383.     })

  384.     -- create template mappings if not exist

  385.     local template_url = connect_prefix .. ip_addr ..'/_template/rspamd'

  386.     local function http_template_put_callback(err, code, body, _)

  387.       if code ~= 200 then

  388.         rspamd_logger.errx('cannot put template to %s: %s(%s) (%s)',

  389.             template_url, err, code, body)

  390.         enabled = false

  391.       else

  392.         lua_util.debugm(N, 'pushed rspamd template: %s', body)

  393.         push_kibana_template()

  394.       end

  395.     end

  396.     local function http_template_exist_callback(_, code, _, _)

  397.       if code ~= 200 then

  398.         rspamd_http.request({

  399.           url = template_url,

  400.           ev_base = ev_base,

  401.           config = cfg,

  402.           body = elastic_template,

  403.           method = 'put',

  404.           headers = {

  405.             ['Content-Type'] = 'application/json',

  406.           },

  407.           gzip = settings.use_gzip,

  408.           callback = http_template_put_callback,

  409.           no_ssl_verify = settings.no_ssl_verify,

  410.           user = settings.user,

  411.           password = settings.password,

  412.           timeout = settings.timeout,

  413.         })

  414.       else

  415.         push_kibana_template()

  416.       end

  417.     end

  418. 

  419.     rspamd_http.request({

  420.       url = template_url,

  421.       ev_base = ev_base,

  422.       config = cfg,

  423.       method = 'head',

  424.       callback = http_template_exist_callback,

  425.       no_ssl_verify = settings.no_ssl_verify,

  426.       user = settings.user,

  427.       password = settings.password,

  428.       timeout = settings.timeout,

  429.     })

  430. 

  431.   end

  432. end

  433. 

  434. redis_params = rspamd_redis.parse_redis_server('elastic')

  435. 

  436. if redis_params and opts then

  437.   for k,v in pairs(opts) do

  438.     settings[k] = v

  439.   end

  440. 

  441.   if not settings['server'] and not settings['servers'] then

  442.     rspamd_logger.infox(rspamd_config, 'no servers are specified, disabling module')

  443.     lua_util.disable_module(N, "config")

  444.   else

  445.     if settings.use_https then

  446.       connect_prefix = 'https://'

  447.     end

  448. 

  449.     settings.upstream = upstream_list.create(rspamd_config,

  450.       settings['server'] or settings['servers'], 9200)

  451. 

  452.     if not settings.upstream then

  453.       rspamd_logger.errx('cannot parse elastic address: %s',

  454.         settings['server'] or settings['servers'])

  455.       lua_util.disable_module(N, "config")

  456.       return

  457.     end

  458.     if not settings['template_file'] then

  459.       rspamd_logger.infox(rspamd_config, 'elastic template_file is required, disabling module')

  460.       lua_util.disable_module(N, "config")

  461.       return

  462.     end

  463. 

  464.     elastic_template = read_file(settings['template_file']);

  465.     if not elastic_template then

  466.       rspamd_logger.infox(rspamd_config, 'elastic unable to read %s, disabling module',

  467.         settings['template_file'])

  468.       lua_util.disable_module(N, "config")

  469.       return

  470.     end

  471. 

  472.     rspamd_config:register_symbol({

  473.       name = 'ELASTIC_COLLECT',

  474.       type = 'idempotent',

  475.       callback = elastic_collect,

  476.       priority = 10,

  477.       flags = 'empty',

  478.     })

  479. 

  480.     rspamd_config:add_on_load(function(cfg, ev_base,worker)

  481.       if worker:is_scanner() then

  482.         check_elastic_server(cfg, ev_base, worker) -- check for elasticsearch requirements

  483.         initial_setup(cfg, ev_base, worker) -- import mappings pipeline and visualizations

  484.       end

  485.     end)

  486.   end

  487. 

  488. end