As of October 2020 this repo is no longer actively maintained by the GOV.UK Pay team, following the switch from Sumologic to Splunk in March 2019.
This was done as a one-off to check loglines for sumologic
The sumologic CSV output has these headings:
"_messagetimems","_messagetime","dest_host","dest_user","src_user"
The deskpro CSV output has these headings:
"ID","Subject","Agent Team","Agent Team ID","Message","Date Created","Date Resolved"
the report used to generate this output is here.
The script works by doing the following:
- parse all deskpro tickets, parses the html, extracts the table containing the count of sudo activity and builds a hash of the user and logline count from the output
- parse all sumologic log lines, for each:
- attempt to find a deskpro ticket which occurred no more than 90 minutes after the log line
- for that ticket increment a counter for the given user
- if the counter exceeds the number of sudos listed in the deskpro ticket by more than 1, raise an error. Note: the margin of 1 was added to allow for the fact that some log-lines may have been re-ingested so there may be duplicate log lines in sumologic
At the end the script prints out the number of log lines for which no ticket was found.