µSIEM Enricher

Documentation crates.io

A basic log enricher component.

Usage

```rust
// Every enricher is boxed behind the `LogEnrichment` trait object.
let mac = MacEnricher { name: "MacEnricher" };
let mut chain: Vec<Box<dyn LogEnrichment>> = Vec::with_capacity(128);
chain.push(Box::new(mac));
// The component is built from a slice of the chain.
let mut enricher = LogEnricherComponent::new(&chain[..]);
```

Metrics

Enabled by default through the `metrics` feature. Example exposition output:

```
# HELP enricher_processed_logs Processed logs
# TYPE enricher_processed_logs histogram
enricher_processed_logs_bucket{name="Enricher1",le=0.000001} 99948
enricher_processed_logs_bucket{name="Enricher1",le=0.0001} 99948
enricher_processed_logs_bucket{name="Enricher1",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher1"} 0.208
enricher_processed_logs_count{name="Enricher1"} 100000
enricher_processed_logs_bucket{name="Enricher2",le=0.000001} 99959
enricher_processed_logs_bucket{name="Enricher2",le=0.0001} 99959
enricher_processed_logs_bucket{name="Enricher2",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher2"} 0.164
enricher_processed_logs_count{name="Enricher2"} 100000
enricher_processed_logs_bucket{name="Enricher3",le=0.000001} 99963
enricher_processed_logs_bucket{name="Enricher3",le=0.0001} 99963
enricher_processed_logs_bucket{name="Enricher3",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher3"} 0.148
enricher_processed_logs_count{name="Enricher3"} 100000
enricher_processed_logs_bucket{name="Enricher4",le=0.000001} 99953
enricher_processed_logs_bucket{name="Enricher4",le=0.0001} 99953
enricher_processed_logs_bucket{name="Enricher4",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher4"} 0.188
enricher_processed_logs_count{name="Enricher4"} 100000
enricher_processed_logs_bucket{name="Enricher5",le=0.000001} 99968
enricher_processed_logs_bucket{name="Enricher5",le=0.0001} 99968
enricher_processed_logs_bucket{name="Enricher5",le=0.01} 100000
enricher_processed_logs_sum{name="Enricher5"} 0.128
enricher_processed_logs_count{name="Enricher5"} 100000
enricher_processed_logs_bucket{le=0.000001} 99725
enricher_processed_logs_bucket{le=0.0001} 99725
enricher_processed_logs_bucket{le=0.01} 100000
enricher_processed_logs_sum{} 1.1
enricher_processed_logs_count{} 100000
```

Enricher examples

Create log enrichers by implementing the `LogEnrichment` trait:

```rust

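/// Enricher that attaches a MAC address to every IP field of a log.
///
/// `name` is the instance name reported by `LogEnrichment::name`.
#[derive(Clone)]
struct MacEnricher {
    pub name: &'static str,
}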

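impl LogEnrichment for MacEnricher {
    /// Adds a `<field>.mac` text field for every IP field of `log` that has an
    /// entry in the `IpMac` dataset.
    ///
    /// The log is returned unchanged when that dataset is not loaded or is not
    /// an `IpMapSynDataset`: enrichment is best-effort and never drops a log.
    fn enrich(&self, mut log: SiemLog, datasets: &DatasetHolder) -> SiemLog {
        let dst = match datasets.get(&SiemDatasetType::IpMac) {
            Some(dst) => dst,
            // No IP-to-MAC dataset available: nothing to enrich.
            None => return log,
        };
        let mac_dataset: &IpMapSynDataset = match dst.try_into() {
            Ok(dataset) => dataset,
            // The slot holds a dataset of another type: leave the log untouched.
            Err(_) => return log,
        };

        // `log.fields()` borrows `log`, so the new fields are collected first
        // and inserted only after that borrow ends.
        let fields_to_add: Vec<(String, SiemField)> = log
            .fields()
            .into_iter()
            .filter_map(|(name, field)| match field {
                SiemField::IP(ip) => mac_dataset.get(ip).map(|mac| {
                    (
                        format!("{}.mac", field_name(name)),
                        SiemField::Text(mac.clone()),
                    )
                }),
                _ => None,
            })
            .collect();

        // NOTE(review): whether `insert` replaces or keeps an existing
        // `<field>.mac` decides if a `.mac` value already present in the source
        // log survives enrichment — confirm against `SiemLog::insert`.
        for (name, mac) in fields_to_add {
            log.insert(LogString::Owned(name), mac);
        }
        log
    }

    /// Instance name of this enricher.
    fn name(&self) -> &'static str {
        self.name
    }

    /// Human-readable description of what this enricher does.
    fn description(&self) -> &'static str {
        "Adds a Mac to each IP field"
    }
}
```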