[AI-5055] DDS: OpenVPN Integration V1.0.0 #19811
Conversation
datadog-agent-integrations-bot
bot
added
documentation
release
qa/skip-qa
buraizu
added
the
editorial review
temporal-github-worker-1
bot
added
agent/approved
and removed
agent/review-requested
labels
temporal-github-worker-1
bot
dismissed
iliakur’s stale review
Review from iliakur is dismissed. Related teams and files:
- agent-integrations
- openvpn/assets/dashboards/openvpn_overview.json
temporal-github-worker-1
bot
added
agent/review-requested
and removed
agent/approved
labels
openvpn/assets/logs/openvpn.yaml
Outdated
| rule3 %{regex("(.*?)(?=:)")}:(\s+)?\'%{notSpace} %{notSpace} %{regex("Web login authentication failed"):log_type}: \{\\'status\\': %{integer:status}, \\'user\\': \\'%{regex("(.*)(?=\\\\')"):user}\\', \\'reason\\': "%{regex("(.*)(?=\")"):reason}", \\'auth method\\': \\'%{regex("(.*?)(?=\\\\')"):auth_method}\\'}' | ||
|
|
||
|
|
||
| rule4 %{regex("(.*?)(?=:)")}:(\s+)?\'%{notSpace} %{notSpace} %{regex("Web login authentication failed"):log_type}: \{\\'status\\': %{integer:status}, \\'user\\': \\'%{regex("(.*)(?=\\\\')"):user}\\', \\'reason\\': "%{regex("(.*)(?=\")"):reason}"}' |
There was a problem hiding this comment.
These rules have some significant overlap and could lead to fully parsing the logs multiple times. Can you reduce this redundancy?
Also, some of these seem to be JSON or keyvalue based, for example the status and user fields in rule3. Could those be extracted and remapped into the expected log fields rather than using complex parsers and regex?
There was a problem hiding this comment.
We are checking on this and will update soon.
There was a problem hiding this comment.
- We have created two Grok parsers to handle the parsing of web authentication logs—one for the headers and another for key-value format. This separation helps eliminate overlap and reduces redundant parsing.
- For
auth methodfield, we observed that keys containing spaces were not correctly extracted by thedata::keyvalueparser. To address this, we created static parsing rules. - Additionally, fields such as
userandstatuswere escaped as 'user', which prevented them from being parsed correctly by thedata::keyvalueparser. To handle this, we added static rules specifically to extract these escaped fields.
| matchRules: >- | ||
| rule1 \[%{regex("(.*?)(?=])")}\](\s+)?%{regex("AUTH | ||
| SUCCESS"):log_type}\s+\{%{data::keyvalue(": ",", ")}, 'auth | ||
| method': '%{regex("(.*?)(?=\\')"):auth_method}', |
There was a problem hiding this comment.
Similar here - it looks like 'auth method' is a key in a JSON-like structure. Could this be parsed out into an object and then extract the value for the key you're interested in?
There was a problem hiding this comment.
Can you please help us understand this comment better?
|
@gunterd We were not able to access this PR yesterday. Let me have a look at the comments and get back to you. |
openvpn/assets/logs/openvpn.yaml
Outdated
| grok: | ||
| supportRules: "" | ||
| matchRules: >- | ||
| rule1 \[%{regex("(.*?)(?=])")}\](\s+)?%{regex("AUTH |
There was a problem hiding this comment.
To reduce some of the regex burden here, can you replace \[%{regex("(.*?)(?=])")}\] with (\[\-\])?
There was a problem hiding this comment.
We have used [%{regex("(.*?)(?=])")}] as a safekeeping to ensure that grok parser doesn't fail if different value comes in between [].
Based on our testing, we have only observed [-] hence we have updated regex to ([-]) for better efficiency.
| authentication failed: {'status': 1, 'user': 'openvpn', 'reason': | ||
| 'local auth failed: password verification failed'}\"" | ||
| - "[-] [WEB] OUT: '2025-03-11T12:59:46+0000 [stdout#info] Web login | ||
| authentication failed: {\\'status\\': 2, \\'user\\': \\'abc\\', |
There was a problem hiding this comment.
Do these logs come in with the backslashes escaped?
There was a problem hiding this comment.
Yes, we are getting those logs with backslashes escaped.
PR Security UpdateAll commits in this PR up to and including b9cc37b have been reviewed and marked safe by SDLC security. For any questions, please reach out to #ci-for-external-contributors-collab on Slack. |
temporal-github-worker-1
bot
added
agent/approved
and removed
agent/review-requested
labels
* Add: OpenVPN integration * Update: labeler for openvpn * Updated tests yaml file * updated test yaml file * Updated changelog number * Updated minor changes * Updated as per PR comments * Update: address review comments * Update: address review comments * Update: minor changes and move openvpn logo * Update: remove filter from Datadog Cloud SIEM group * Update: CODEOWNERS * Update: CODEOWNER add tag * Update: address review comments * Update: logs sample * Update: Address review comments --------- Co-authored-by: manan-crest <[email protected]> 0b4ffe8
| "id": 6980405278649262, | ||
| "definition": { | ||
| "type": "note", | ||
| "content": "OpenVPN is a free, open-source protocol that creates secure connections between devices over the internet. It's used to create virtual private networks (VPNs).\n\n\nThe OpenVPN Overview dashboard provides an overall insights of the logs generated by OpenVPN.\n\n\nFor more information, see the [OpenVPN Integration Documentation](https://docs.datadoghq.com/integrations/openvpn/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. ", |
There was a problem hiding this comment.
Please update copy here.
Current: The OpenVPN Overview dashboard provides an overall insights of the logs generated by OpenVPN.
Proposed: The OpenVPN Overview dashboard provides insights into the logs generated by OpenVPN.
There was a problem hiding this comment.
@jnhunsberger Have made the suggested changes in below raised PR.
PR Link: <link>
What does this PR do?
PR for a new integration OpenVPN 1.0.0
Additional Notes
-- OOTB detection rules JSON would be shared separately with the required teams as a part of separate repository .
-- Since during the standard attribute remapping we are not preserving the source attributes as per suggested best practices, it would result in filters using these standard attributes populating the values of other integrations as well as per current datadog behavior.
Review checklist (to be filled by reviewers)