Merge pull request #560 from mozilla/fix_cloudtrail_mapping

Fix cloudtrail mapping

config/defaultMappingTemplate.json

@@ -140,6 +140,11 @@
               "sourceport" : {
                 "index" : "not_analyzed",
                 "type" : "long"
+              },
+              "apiVersion" : {
+                "type" : "string",
+                "index" : "not_analyzed",
+                "doc_values" : true
               }
             }
           },
@@ -151,11 +156,6 @@
             "format" : "dateOptionalTime",
             "type" : "date"
           },
-          "apiVersion" : {
-          "type" : "string",
-          "index" : "not_analyzed",
-          "doc_values" : true
-          },
           "version" : {
             "index" : "not_analyzed",
             "type" : "string",

mq/esworker_cloudtrail.py

@@ -23,13 +23,13 @@ import gzip
 from StringIO import StringIO
 from threading import Timer
 import re
-
+import time
 
 import sys
 import os
 sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), '../lib'))
 from utilities.toUTC import toUTC
-from elasticsearch_client import ElasticsearchClient
+from elasticsearch_client import ElasticsearchClient, ElasticsearchBadServer, ElasticsearchInvalidIndex, ElasticsearchException
 from utilities.logger import logger, initLogger
 
 from lib.plugins import sendEventToPlugins, registerPlugins
@@ -167,6 +167,8 @@ def keyMapping(aDict):
         returndict['summary'] = summary_str
 
     if 'eventName' in aDict:
+        # Uppercase first character
+        aDict['eventName'] = aDict['eventName'][0].upper() + aDict['eventName'][1:]
         returndict['details']['eventVerb'] = CLOUDTRAIL_VERB_REGEX.findall(aDict['eventName'])[0]
         returndict['details']['eventReadOnly'] = (returndict['details']['eventVerb'] in ['Describe', 'Get', 'List'])
     # set the timestamp when we received it, i.e. now

tests/mq/test_esworker_cloudtrail.py

@@ -132,3 +132,16 @@ class TestKeyMapping():
         }
 
         assert result['details'] == expected_details
+
+    def test_cloudtrail_dict_eventname_lowercase(self):
+        cloudtrail_dict = {
+            'eventName': 'listDomains',
+        }
+        result = self.key_mapping(cloudtrail_dict)
+        expected_details = {
+            'eventReadOnly': True,
+            'eventVerb': 'List',
+            'eventname': 'ListDomains'
+        }
+        assert result['details'] == expected_details
+