sidecar

package v1.0.0

Published: Mar 31, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package sidecar implements the Universal Sidecar (§5.5) — a zero-dependency Go binary that runs alongside SENTINEL sensors, tails their STDOUT/logs, and pushes parsed security events to the SOC Event Bus.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type BusClient

type BusClient struct {
	// contains filtered or unexported fields
}

BusClient sends security events to the SOC Event Bus via HTTP POST.

func NewBusClient

func NewBusClient(baseURL, sensorID, apiKey string) *BusClient

NewBusClient creates a client for the SOC Event Bus.

func (*BusClient) Healthy

func (c *BusClient) Healthy() bool

Healthy checks whether the bus is reachable (M-4 fix: probes /healthz, not /health).

func (*BusClient) Heartbeat

func (c *BusClient) Heartbeat() error

Heartbeat sends a sensor heartbeat to the Event Bus.

func (*BusClient) SendEvent

func (c *BusClient) SendEvent(ctx context.Context, evt *domsoc.SOCEvent) error

SendEvent posts a SOCEvent to the Event Bus. Accepts context for graceful cancellation during retries (L-2 fix).

type Config

type Config struct {
	SensorType   string        // sentinel-core, shield, immune, generic
	LogPath      string        // Path to sensor log file, or "stdin"
	BusURL       string        // SOC Event Bus URL (e.g., http://localhost:9100)
	SensorID     string        // Sensor registration ID
	APIKey       string        // Sensor API key
	PollInterval time.Duration // Log file poll interval
}

Config holds sidecar runtime configuration.

type GenericParser

type GenericParser struct {
	Pattern *regexp.Regexp
	Source  domsoc.EventSource
}

GenericParser uses a configurable regex whose named groups "category", "severity", "description" and "confidence" populate the resulting event.

func NewGenericParser

func NewGenericParser(pattern string, source domsoc.EventSource) (*GenericParser, error)

func (*GenericParser) Parse

func (p *GenericParser) Parse(line string) (*domsoc.SOCEvent, bool)

type ImmuneParser

type ImmuneParser struct{}

ImmuneParser parses immune system anomaly/response logs. Expected formats:

[ANOMALY] type=<type> score=<float> detail=<text>

[RESPONSE] action=<action> target=<target> reason=<text>

func (*ImmuneParser) Parse

func (p *ImmuneParser) Parse(line string) (*domsoc.SOCEvent, bool)

type Parser

type Parser interface {
	Parse(line string) (*domsoc.SOCEvent, bool)
}

Parser converts a raw log line into a SOCEvent. Returns nil, false if the line is not a security event.

func ParserForSensor

func ParserForSensor(sensorType string) Parser

ParserForSensor returns the appropriate parser for a sensor type.

type SentinelCoreParser

type SentinelCoreParser struct{}

SentinelCoreParser parses sentinel-core detection output. Expected format: [DETECT] engine=<name> confidence=<float> pattern=<desc> [severity=<sev>]

func (*SentinelCoreParser) Parse

func (p *SentinelCoreParser) Parse(line string) (*domsoc.SOCEvent, bool)

type ShieldParser

type ShieldParser struct{}

ShieldParser parses shield network block logs. Expected format: BLOCKED protocol=<proto> reason=<reason> source_ip=<ip>

func (*ShieldParser) Parse

func (p *ShieldParser) Parse(line string) (*domsoc.SOCEvent, bool)
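
The named-group contract documented for GenericParser and the Parser interface (return nil, false for non-events), applied to the sentinel-core [DETECT] line format described above, as an added example that is not the package's own code. SOCEvent is an assumed stand-in for domsoc.SOCEvent, whose fields are not shown here, and DetectPattern is constructed from the documented format; a line that matches but carries a confidence that does not parse as a float is rejected rather than forwarded.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// SOCEvent stands in for domsoc.SOCEvent, whose fields this page does not show (assumed shape).
type SOCEvent struct {
	Source, Category, Severity, Description string
	Confidence                              float64
}

// GenericParser follows the documented contract: the named groups "category",
// "severity", "description" and "confidence" populate the event.
type GenericParser struct {
	Pattern *regexp.Regexp
	Source  string
}

// Parse returns (nil, false) for non-matching lines and for lines whose confidence
// group is present but not a valid float, so a malformed event is dropped, not forwarded.
func (p *GenericParser) Parse(line string) (*SOCEvent, bool) {
	m := p.Pattern.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	g := map[string]string{} // group name -> capture; "" when an optional group is absent
	for i, name := range p.Pattern.SubexpNames() { // index 0 (name "") is the whole match
		g[name] = m[i]
	}
	evt := &SOCEvent{Source: p.Source, Category: g["category"], Severity: g["severity"], Description: g["description"]}
	if raw, has := g["confidence"]; has {
		c, err := strconv.ParseFloat(raw, 64)
		if err != nil {
			return nil, false
		}
		evt.Confidence = c
	}
	return evt, true
}

// DetectPattern encodes the documented sentinel-core format (severity optional); constructed here, not the project's regex.
const DetectPattern = `^\[DETECT\] engine=(?P<category>\S+) confidence=(?P<confidence>[0-9.]+) pattern=(?P<description>.+?)(?: severity=(?P<severity>\S+))?$`

func main() {
	p := &GenericParser{Pattern: regexp.MustCompile(DetectPattern), Source: "sentinel-core"}
	fmt.Println(p.Parse("[DETECT] engine=yara confidence=0.92 pattern=ransomware-like mass rename severity=high")) // constructed sample line
}
```

The same Parse works for the shield and immune formats by supplying a pattern with the corresponding named groups; when a pattern has no confidence group the field is simply left at zero.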

type Sidecar

type Sidecar struct {
	// contains filtered or unexported fields
}

Sidecar is the main orchestrator: tailer → parser → bus client.

func New

func New(cfg Config) *Sidecar

New creates a Sidecar with the given config.

func (*Sidecar) GetStats

func (s *Sidecar) GetStats() StatsSnapshot

GetStats returns a snapshot of current runtime metrics (thread-safe).

func (*Sidecar) Run

func (s *Sidecar) Run(ctx context.Context) error

Run starts the sidecar pipeline: tail → parse → send. Blocks until ctx is cancelled.

func (*Sidecar) RunReader

func (s *Sidecar) RunReader(ctx context.Context, r io.Reader) error

RunReader runs the sidecar from any io.Reader (for testing).

type Stats

type Stats struct {
	LinesRead  atomic.Int64
	EventsSent atomic.Int64
	Errors     atomic.Int64
	StartedAt  time.Time
}

Stats tracks sidecar runtime metrics (thread-safe via atomic).

type StatsSnapshot

type StatsSnapshot struct {
	LinesRead  int64     `json:"lines_read"`
	EventsSent int64     `json:"events_sent"`
	Errors     int64     `json:"errors"`
	StartedAt  time.Time `json:"started_at"`
}

StatsSnapshot is a non-atomic copy for reading/logging.

type Tailer

type Tailer struct {
	// contains filtered or unexported fields
}

Tailer follows a log file or stdin, emitting lines via a channel.

func NewTailer

func NewTailer(pollInterval time.Duration) *Tailer

NewTailer creates a Tailer with the given poll interval for file changes.

func (*Tailer) FollowFile

func (t *Tailer) FollowFile(ctx context.Context, path string) (<-chan string, error)

FollowFile tails a file, seeking to end on start. Sends lines on the returned channel until ctx is cancelled.

func (*Tailer) FollowReader

func (t *Tailer) FollowReader(ctx context.Context, r io.Reader) <-chan string

FollowReader reads from any io.Reader (for testing).

func (*Tailer) FollowStdin

func (t *Tailer) FollowStdin(ctx context.Context) <-chan string

FollowStdin reads from stdin line by line.
