Event-Handler: Add ability to skip Teleport events

This PR adds the ability to skip some audit log events when pushing them to FluentD. Signed-off-by: Tiago Silva <[email protected]>
gravitational · May 2, 2024 · e8cb9ba · e8cb9ba
1 parent a9c70c3
commit e8cb9ba
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/event-handler/README.md b/event-handler/README.md
@@ -34,6 +34,7 @@ You may specify configuration options via command line arguments, environment va
 | storage                   | Storage directory                                                                                     | FDFWD_STORAGE                   |
 | batch                     | Fetch batch size                                                                                      | FDFWD_BATCH                     |
 | types                     | Comma-separated list of event types to forward                                                        | FDFWD_TYPES                     |
+| skip-types                | Comma-separated list of event types to skip                                                           | FDFWD_SKIP_TYPES                |
 | skip-session-types        | Comma-separated list of session event types to skip                                                   | FDFWD_SKIP_SESSION_TYPES        |
 | start-time                | Minimum event time (RFC3339 format)                                                                   | FDFWD_START_TIME                |
 | timeout                   | Polling timeout                                                                                       | FDFWD_TIMEOUT                   |

diff --git a/event-handler/cli.go b/event-handler/cli.go
@@ -123,6 +123,12 @@ type IngestConfig struct {
 	// Types are event types to log
 	Types []string `help:"Comma-separated list of event types to forward" env:"FDFWD_TYPES"`
 
+	// SkipTypesRaw are event types to skip
+	SkipTypesRaw []string `name:"skip-types" help:"Comma-separated list of event types to skip" env:"FDFWD_SKIP_TYPES"`
+
+	// SkipSessionTypes is a map generated from SkipTypesRaw
+	SkipTypes map[string]struct{} `kong:"-"`
+
 	// SkipSessionTypes are session event types to skip
 	SkipSessionTypesRaw []string `name:"skip-session-types" help:"Comma-separated list of session event types to skip" default:"print" env:"FDFWD_SKIP_SESSION_TYPES"`
 
@@ -226,6 +232,7 @@ func (c *StartCmdConfig) Validate() error {
 		return trace.Wrap(err)
 	}
 	c.SkipSessionTypes = lib.SliceToAnonymousMap(c.SkipSessionTypesRaw)
+	c.SkipTypes = lib.SliceToAnonymousMap(c.SkipTypesRaw)
 
 	return nil
 }
@@ -237,6 +244,7 @@ func (c *StartCmdConfig) Dump(ctx context.Context) {
 	// Log configuration variables
 	log.WithField("batch", c.BatchSize).Info("Using batch size")
 	log.WithField("types", c.Types).Info("Using type filter")
+	log.WithField("skip-types", c.SkipTypes).Info("Using type exclude filter")
 	log.WithField("types", c.SkipSessionTypes).Info("Skipping session events of type")
 	log.WithField("value", c.StartTime).Info("Using start time")
 	log.WithField("timeout", c.Timeout).Info("Using timeout")

diff --git a/event-handler/teleport_events_watcher.go b/event-handler/teleport_events_watcher.go
@@ -175,7 +175,7 @@ func (t *TeleportEventsWatcher) fetch(ctx context.Context) error {
 	}
 
 	// Zero batch
-	t.batch = make([]*TeleportEvent, len(b))
+	t.batch = make([]*TeleportEvent, 0, len(b))
 
 	// Save next cursor
 	t.nextCursor = nextCursor
@@ -193,13 +193,16 @@ func (t *TeleportEventsWatcher) fetch(ctx context.Context) error {
 	pos := 0
 
 	// Convert batch to TeleportEvent
-	for i, e := range b {
+	for _, e := range b {
+		if _, ok := t.config.SkipTypes[e.Type]; ok {
+			continue
+		}
 		evt, err := NewTeleportEvent(e, t.cursor)
 		if err != nil {
 			return trace.Wrap(err)
 		}
 
-		t.batch[i] = evt
+		t.batch = append(t.batch, evt)
 	}
 
 	// If last known id is not empty, let's try to find it's pos