LOG-7014: fix parsing complex auditd logs for otlp mode

vparfonov · openshift-merge-bot[bot] · commit b00c77df2f0a · 2025-04-22T19:04:37.000Z
Signed-off-by: Vitalii Parfonov &lt;vparfono@redhat.com&gt;
diff --git a/internal/generator/vector/output/lokistack/lokistack_otel.toml b/internal/generator/vector/output/lokistack/lokistack_otel.toml
@@ -189,7 +189,13 @@ if exists(kv.type) {
     r.attributes = push(r.attributes, {"key": "auditd.type", "value": {"stringValue": kv.type }})
 }
 if exists(kv.msg) {
-    trimmed = slice!(kv.msg, find!(kv.msg, "(") + 1, -2)
+    msg_str = ""
+    if is_array(kv.msg) {
+        msg_str = kv.msg[0]
+    } else {
+        msg_str = kv.msg
+    }
+    trimmed = slice!(msg_str, find!(msg_str, "(") + 1, -2)
     parts = split!(trimmed, ":")
     r.attributes = push(r.attributes, {"key": "auditd.sequence", "value": {"stringValue": parts[1] }})
 }
diff --git a/internal/generator/vector/output/otlp/otlp_all.toml b/internal/generator/vector/output/otlp/otlp_all.toml
@@ -215,7 +215,13 @@ if exists(kv.type) {
     r.attributes = push(r.attributes, {"key": "auditd.type", "value": {"stringValue": kv.type }})
 }
 if exists(kv.msg) {
-    trimmed = slice!(kv.msg, find!(kv.msg, "(") + 1, -2)
+    msg_str = ""
+    if is_array(kv.msg) {
+        msg_str = kv.msg[0]
+    } else {
+        msg_str = kv.msg
+    }
+    trimmed = slice!(msg_str, find!(msg_str, "(") + 1, -2)
     parts = split!(trimmed, ":")
     r.attributes = push(r.attributes, {"key": "auditd.sequence", "value": {"stringValue": parts[1] }})
 }
diff --git a/internal/generator/vector/output/otlp/otlp_tuning.toml b/internal/generator/vector/output/otlp/otlp_tuning.toml
@@ -215,7 +215,13 @@ if exists(kv.type) {
     r.attributes = push(r.attributes, {"key": "auditd.type", "value": {"stringValue": kv.type }})
 }
 if exists(kv.msg) {
-    trimmed = slice!(kv.msg, find!(kv.msg, "(") + 1, -2)
+    msg_str = ""
+    if is_array(kv.msg) {
+        msg_str = kv.msg[0]
+    } else {
+        msg_str = kv.msg
+    }
+    trimmed = slice!(msg_str, find!(msg_str, "(") + 1, -2)
     parts = split!(trimmed, ":")
     r.attributes = push(r.attributes, {"key": "auditd.sequence", "value": {"stringValue": parts[1] }})
 }
diff --git a/internal/generator/vector/output/otlp/otlp_with_auth_basic.toml b/internal/generator/vector/output/otlp/otlp_with_auth_basic.toml
@@ -215,7 +215,13 @@ if exists(kv.type) {
     r.attributes = push(r.attributes, {"key": "auditd.type", "value": {"stringValue": kv.type }})
 }
 if exists(kv.msg) {
-    trimmed = slice!(kv.msg, find!(kv.msg, "(") + 1, -2)
+    msg_str = ""
+    if is_array(kv.msg) {
+        msg_str = kv.msg[0]
+    } else {
+        msg_str = kv.msg
+    }
+    trimmed = slice!(msg_str, find!(msg_str, "(") + 1, -2)
     parts = split!(trimmed, ":")
     r.attributes = push(r.attributes, {"key": "auditd.sequence", "value": {"stringValue": parts[1] }})
 }
diff --git a/internal/generator/vector/output/otlp/otlp_with_auth_sa_token.toml b/internal/generator/vector/output/otlp/otlp_with_auth_sa_token.toml
@@ -215,7 +215,13 @@ if exists(kv.type) {
     r.attributes = push(r.attributes, {"key": "auditd.type", "value": {"stringValue": kv.type }})
 }
 if exists(kv.msg) {
-    trimmed = slice!(kv.msg, find!(kv.msg, "(") + 1, -2)
+    msg_str = ""
+    if is_array(kv.msg) {
+        msg_str = kv.msg[0]
+    } else {
+        msg_str = kv.msg
+    }
+    trimmed = slice!(msg_str, find!(msg_str, "(") + 1, -2)
     parts = split!(trimmed, ":")
     r.attributes = push(r.attributes, {"key": "auditd.sequence", "value": {"stringValue": parts[1] }})
 }
diff --git a/internal/generator/vector/output/otlp/otlp_with_auth_token.toml b/internal/generator/vector/output/otlp/otlp_with_auth_token.toml
@@ -215,7 +215,13 @@ if exists(kv.type) {
     r.attributes = push(r.attributes, {"key": "auditd.type", "value": {"stringValue": kv.type }})
 }
 if exists(kv.msg) {
-    trimmed = slice!(kv.msg, find!(kv.msg, "(") + 1, -2)
+    msg_str = ""
+    if is_array(kv.msg) {
+        msg_str = kv.msg[0]
+    } else {
+        msg_str = kv.msg
+    }
+    trimmed = slice!(msg_str, find!(msg_str, "(") + 1, -2)
     parts = split!(trimmed, ":")
     r.attributes = push(r.attributes, {"key": "auditd.sequence", "value": {"stringValue": parts[1] }})
 }
diff --git a/internal/generator/vector/output/otlp/transform.go b/internal/generator/vector/output/otlp/transform.go
@@ -110,7 +110,13 @@ if exists(kv.type) {
   r.attributes = push(r.attributes, {"key": "auditd.type", "value": {"stringValue": kv.type }})
 }
 if exists(kv.msg) {
-  trimmed = slice!(kv.msg, find!(kv.msg, "(") + 1, -2)
+  msg_str = ""
+  if is_array(kv.msg) {
+    msg_str = kv.msg[0] 
+  } else {
+    msg_str = kv.msg 
+  }
+  trimmed = slice!(msg_str, find!(msg_str, "(") + 1, -2)
   parts = split!(trimmed, ":")
   r.attributes = push(r.attributes, {"key": "auditd.sequence", "value": {"stringValue": parts[1] }})
 }
diff --git a/test/framework/functional/factory.go b/test/framework/functional/factory.go
@@ -21,7 +21,7 @@ func NewKubeAuditLog(eventTime time.Time) string {
 
 func NewAuditHostLog(eventTime time.Time) string {
 	now := fmt.Sprintf("%.3f", float64(eventTime.UnixNano())/float64(time.Second))
-	return fmt.Sprintf(`type=DAEMON_START msg=audit(%s:2914): op=start ver=3.0 format=enriched kernel=4.18.0-240.15.1.el8_3.x86_64 auid=4294967295 pid=1396 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=successAUID="unset" UID="root"`, now)
+	return fmt.Sprintf(`type=DAEMON_START msg=audit(%s:2914): op=start ver=3.0 format=enriched kernel=4.18.0-240.15.1.el8_3.x86_64 auid=4294967295 pid=1396 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=successAUID="unset" UID="root" msg="PAM:authentication"`, now)
 }
 func NewOVNAuditLog(eventTime time.Time) string {
 	now := CRIOTime(eventTime)

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ func NewKubeAuditLog(eventTime time.Time) string {`
`21`	`21`
`22`	`22`	`func NewAuditHostLog(eventTime time.Time) string {`
`23`	`23`	`now := fmt.Sprintf("%.3f", float64(eventTime.UnixNano())/float64(time.Second))`
`24`		- return fmt.Sprintf(`type=DAEMON_START msg=audit(%s:2914): op=start ver=3.0 format=enriched kernel=4.18.0-240.15.1.el8_3.x86_64 auid=4294967295 pid=1396 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=successAUID="unset" UID="root"`, now)
	`24`	+ return fmt.Sprintf(`type=DAEMON_START msg=audit(%s:2914): op=start ver=3.0 format=enriched kernel=4.18.0-240.15.1.el8_3.x86_64 auid=4294967295 pid=1396 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=successAUID="unset" UID="root" msg="PAM:authentication"`, now)
`25`	`25`	`}`
`26`	`26`	`func NewOVNAuditLog(eventTime time.Time) string {`
`27`	`27`	`now := CRIOTime(eventTime)`