Merge pull request #365 from imranalisyed506/im-gstack-changes1

[GoogleStackDriver] Buffer portion of GCP log not being decoded for AuditLog type
alertlogic · Apr 17, 2024 · 34bf851 · 34bf851
2 parents 304d6d4 + fcf3841
commit 34bf851
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 3 deletions.
diff --git a/collectors/googlestackdriver/collector.js b/collectors/googlestackdriver/collector.js
@@ -16,10 +16,12 @@ const parse = require('@alertlogic/al-collector-js').Parse;
 const AlLogger = require('@alertlogic/al-aws-collector-js').Logger;
 const logging = require('@google-cloud/logging');
 const packageJson = require('./package.json');
+const protoFiles = require('google-proto-files');
 
 const API_THROTTLING_ERROR = 8;
 const MAX_POLL_INTERVAL = 900;
 const MAX_PAGE_SIZE = 1000;
+const AUDIT_PAYLOAD_TYPE_URL = 'type.googleapis.com/google.cloud.audit.AuditLog';
 
 const typeIdPaths = [
     {path: ['jsonPayload', 'fields', 'event_type', 'stringValue']},
@@ -31,6 +33,14 @@ class GooglestackdriverCollector extends PawsCollector {
 
     constructor(context, creds){
         super(context, creds, packageJson.version);
+        this._initAuditLogDecoder();
+    }
+
+    _initAuditLogDecoder() {
+        const protoPath = protoFiles.getProtoPath('cloud', 'audit', 'audit_log.proto');
+        const root = protoFiles.loadSync(protoPath);
+        const auditLogDecoder = root.lookupType('google.cloud.audit.AuditLog');
+        this._auditLogDecoder = auditLogDecoder;
     }
 
     pawsInitCollectionState(event, callback) {
@@ -86,7 +96,11 @@ timestamp < "${state.until}"`;
         const paginationCallback = (result, acc = []) => {
             AlLogger.info(`Getting page: ${pagesRetireved + 1} Logs retrieved: ${result[0].length}`);
             pagesRetireved++;
-            const logs = result[0];
+            //decode the protoPayload if it's an AuditLog message
+            let logs = result[0].map(function (logEntry) {
+                return collector.decodeProtoPayload(logEntry);
+            });
+
             const nextPage = result[1];
             const newAcc = [...acc, ...logs];
             AlLogger.info(`Total Logs ${newAcc.length}`);
@@ -160,6 +174,20 @@ timestamp < "${state.until}"`;
             });
     }
 
+    decodeProtoPayload(logEntry) {
+        let collector = this;
+        if (logEntry.protoPayload && (logEntry.protoPayload.type_url === AUDIT_PAYLOAD_TYPE_URL)) {
+            try {
+                const buffer = Buffer.from(logEntry.protoPayload.value);
+                let decodedData = collector._auditLogDecoder.decode(buffer);
+                logEntry.protoPayload.value = decodedData.toJSON();
+            } catch(error) {
+                AlLogger.error(`Error decoding data ${error}`);
+            }
+        }
+        return logEntry;
+    }
+
     _getNextCollectionState(curState, nextPage) {
         // Reset the page size for the next collection if it's less than the maximum
         const pageSize = Math.max(MAX_PAGE_SIZE, nextPage?.pageSize || curState.pageSize || MAX_PAGE_SIZE);

diff --git a/collectors/googlestackdriver/package.json b/collectors/googlestackdriver/package.json
@@ -1,6 +1,6 @@
 {
   "name": "googlestackdriver-collector",
-  "version": "1.2.8",
+  "version": "1.2.9",
   "description": "Alert Logic AWS based Googlestackdriver Log Collector",
   "repository": {},
   "private": true,
@@ -28,6 +28,7 @@
     "@alertlogic/al-collector-js": "3.0.10",
     "@alertlogic/paws-collector": "2.2.1",
     "@google-cloud/logging": "^11.0.0",
+    "google-proto-files": "^4.2.0",
     "async": "^3.2.4",
     "debug": "^4.3.4",
     "moment": "2.29.4"

diff --git a/collectors/googlestackdriver/test/mock.js b/collectors/googlestackdriver/test/mock.js
@@ -159,7 +159,7 @@ const LOG_EVENT_PROTO_PAYLOAD = { labels: {},
     traceSampled: false,
     protoPayload:
      { type_url: 'type.googleapis.com/google.cloud.audit.AuditLog',
-       value:"Some buffer"
+       value:{"type":"Buffer","data":[18,0,26,168,2,10,54,117,115,97,99,115,45,115,105,101,109,64,119,101,98,45,99,111,110,115,111,108,101,45,109,105,100,101,111,105,100,46,105,97,109,46,103,115,101,114,118,105,99,101,97,99,99,111,117,110,116,46,99,111,109,42,166,1,47,47,105,97,109,46,103,111,111,103,108,101,97,112,105,115,46,99,111,109,47,112,114,111,106,101,99,116,115,47,119,101,98,45,99,111,110,115,111,108,101,45,109,105,100,101,111,105,100,47,115,101,114,118,105,99,101,65,99,99,111,117,110,116,115,47,117,115,97,99,115,45,115,105,101,109,64,119,101,98,45,99,111,110,115,111,108,101,45,109,105,100,101,111,105,100,46,105,97,109,46,103,115,101,114,118,105,99,101,97,99,99,111,117,110,116,46,99,111,109,47,107,101,121,115,47,48,48,53,51,56,57,57,98,50,49,56,49,54,97,102,52,99,53,100,100,101,50,100,54,102,54,50,56,56,49,52,100,100,48,101,97,53,98,51,98,66,69,115,101,114,118,105,99,101,65,99,99,111,117,110,116,58,117,115,97,99,115,45,115,105,101,109,64,119,101,98,45,99,111,110,115,111,108,101,45,109,105,100,101,111,105,100,46,105,97,109,46,103,115,101,114,118,105,99,101,97,99,99,111,117,110,116,46,99,111,109,34,65,10,12,51,46,50,51,55,46,49,55,46,49,54,51,18,29,103,114,112,99,45,110,111,100,101,45,106,115,47,49,46,49,48,46,48,44,103,122,105,112,40,103,102,101,41,58,16,74,12,8,192,159,179,176,6,16,148,129,149,153,2,106,0,66,0,58,22,108,111,103,103,105,110,103,46,103,111,111,103,108,101,97,112,105,115,46,99,111,109,66,49,103,111,111,103,108,101,46,108,111,103,103,105,110,103,46,118,50,46,76,111,103,103,105,110,103,83,101,114,118,105,99,101,86,50,46,76,105,115,116,76,111,103,69,110,116,114,105,101,115,74,109,10,26,111,114,103,97,110,105,122,97,116,105,111,110,115,47,54,50,50,56,53,50,55,51,55,50,57,52,18,23,108,111,103,103,105,110,103,46,108,111,103,69,110,116,114,105,101,115,46,108,105,115,116,24,1,42,52,10,22,108,111,103,103,105,110,103,46,103,111,111,103,108,101,97,112,105,115,46,99,111,109,18,26,111,114,103,97,110,105,122,97,116,105,111,110,115,47,54,50,50,56,53,50,55,51,55,50,57,52,74,116,10,26,111,114,103,97,110,105,122,97,116,105,111,110,115,47,54,50,50,56,53,50,55,51,55,50,57,52,18,30,108,111,103,103,105,110,103,46,112,114,105,118,97,116,101,76,111,103,69,110,116,114,105,101,115,46,108,105,115,116,24,1,42,52,10,22,108,111,103,103,105,110,103,46,103,111,111,103,108,101,97,112,105,115,46,99,111,109,18,26,111,114,103,97,110,105,122,97,116,105,111,110,115,47,54,50,50,56,53,50,55,51,55,50,57,52,90,26,111,114,103,97,110,105,122,97,116,105,111,110,115,47,54,50,50,56,53,50,55,51,55,50,57,52,130,1,238,1,10,21,10,8,112,97,103,101,83,105,122,101,18,9,17,0,0,0,0,0,64,143,64,10,49,10,13,114,101,115,111,117,114,99,101,78,97,109,101,115,18,32,50,30,10,28,26,26,111,114,103,97,110,105,122,97,116,105,111,110,115,47,54,50,50,56,53,50,55,51,55,50,57,52,10,90,10,6,102,105,108,116,101,114,18,80,26,78,116,105,109,101,115,116,97,109,112,32,62,61,32,34,50,48,50,52,45,48,52,45,48,51,84,48,51,58,50,51,58,48,54,46,48,48,48,90,34,10,116,105,109,101,115,116,97,109,112,32,60,32,34,50,48,50,52,45,48,52,45,48,51,84,48,51,58,50,52,58,48,54,46,48,48,48,90,34,10,70,10,5,64,116,121,112,101,18,61,26,59,116,121,112,101,46,103,111,111,103,108,101,97,112,105,115,46,99,111,109,47,103,111,111,103,108,101,46,108,111,103,103,105,110,103,46,118,50,46,76,105,115,116,76,111,103,69,110,116,114,105,101,115,82,101,113,117,101,115,116]},
      },
     payload: 'protoPayload' };