started log ingestion and analysis

2026-04-24 14:15:58 -04:00
parent c2537dd955
commit 9ac96cee9a
27 changed files with 1368 additions and 179 deletions
--- a/config/log_rules.json
+++ b/config/log_rules.json
@@ -0,0 +1,149 @@
+{
+  "categories": {
+    "Registration": [
+      {
+        "pattern": "RegistrationFailure|UeRegistrationFailed|N1.*[Rr]egistration.*[Ff]ail",
+        "nf": "AMF",
+        "severity": "critical",
+        "description": "UE registration failure",
+        "remediation": "Check AMF logs for NGAP errors; verify UE credentials and NRF registration."
+      },
+      {
+        "pattern": "N2SetupFail|NgapSetupFail|N2.*[Tt]imeout|NgapProcedure.*failed",
+        "nf": "AMF",
+        "severity": "critical",
+        "description": "N2 interface setup failure",
+        "remediation": "Verify gNB connectivity to AMF; check SCTP transport and NGAP PLMN config."
+      },
+      {
+        "pattern": "InitialContextSetupFail|UeContextRelease.*[Aa]bnormal",
+        "nf": "AMF",
+        "severity": "warning",
+        "description": "UE context setup failure",
+        "remediation": "Review AMF-SMF N11 interface; check subscriber profile in UDM/UDR."
+      },
+      {
+        "pattern": "PagingFail|UeUnreachable|UeNotFound",
+        "nf": "AMF",
+        "severity": "warning",
+        "description": "UE paging failure",
+        "remediation": "Verify UE is registered; check AMF tracking area configuration."
+      }
+    ],
+    "Sessions": [
+      {
+        "pattern": "PduSessionEstablishmentReject|PduSession.*[Ff]ail|CreateSessionResponse.*[Ff]ail",
+        "nf": "SMF",
+        "severity": "critical",
+        "description": "PDU session establishment failure",
+        "remediation": "Check SMF-UPF N4 path; verify DNN/APN config and UPF N3/N9 interfaces."
+      },
+      {
+        "pattern": "N4Session.*[Ff]ail|PfcpSession.*[Ee]rror|N4.*[Tt]imeout|PfcpAssociation.*[Ff]ail",
+        "nf": "UPF",
+        "severity": "critical",
+        "description": "N4/PFCP session error",
+        "remediation": "Restart PFCP association between SMF and UPF; check N4 IP reachability."
+      },
+      {
+        "pattern": "IpAllocationFail|AddressPoolExhausted|NoIpAvailable",
+        "nf": "SMF",
+        "severity": "critical",
+        "description": "IP address pool exhausted",
+        "remediation": "Expand UE IP address pool in SMF config; review active session count."
+      },
+      {
+        "pattern": "SessionModification.*[Ff]ail|BearerModification.*[Ee]rror",
+        "nf": "SMF",
+        "severity": "warning",
+        "description": "Session modification failure",
+        "remediation": "Check PCF policy consistency; verify QoS parameters match UPF capabilities."
+      }
+    ],
+    "Authentication": [
+      {
+        "pattern": "AuthenticationFailure|AuthReject|EapFailure|5g-aka.*[Ff]ail|EapAkaFailure",
+        "nf": "AUSF",
+        "severity": "critical",
+        "description": "UE authentication failure",
+        "remediation": "Verify USIM credentials match UDM subscriber data; check AUSF-UDM N12 link."
+      },
+      {
+        "pattern": "UdmAuthReq.*[Ee]rror|SuciDeconceal.*[Ff]ail|UdmUeAuth.*[Ee]rror",
+        "nf": "UDM",
+        "severity": "critical",
+        "description": "UDM authentication error",
+        "remediation": "Check UDM-UDR N35 connectivity; verify Home Network Public Key configuration."
+      },
+      {
+        "pattern": "AuthVectorFetch.*[Ff]ail|AusfUeAuth.*[Rr]eject|HssAuth.*[Ff]ail",
+        "nf": "AUSF",
+        "severity": "warning",
+        "description": "Auth vector fetch failure",
+        "remediation": "Review UDR data integrity for affected SUPI; check AUSF-UDM TLS certificates."
+      }
+    ],
+    "Connectivity": [
+      {
+        "pattern": "NfDiscovery.*[Ff]ail|NrfRegistration.*[Ff]ail|NfDeregistration.*unexpect",
+        "nf": "NRF",
+        "severity": "warning",
+        "description": "NF service discovery failure",
+        "remediation": "Verify NRF is reachable from all NFs; check NRF registration TTL and heartbeat."
+      },
+      {
+        "pattern": "ServiceUnavailable.*NF|HTTP.*503.*NF|NfProfile.*expired",
+        "nf": "NRF",
+        "severity": "warning",
+        "description": "NF service unavailable",
+        "remediation": "Check NF pod health and SBI listen port; review NRF subscription notifications."
+      },
+      {
+        "pattern": "SbiRequest.*[Tt]imeout|SbiConn.*[Ff]ail|Http2.*[Ee]rror",
+        "nf": "NRF",
+        "severity": "warning",
+        "description": "SBI interface timeout",
+        "remediation": "Inspect inter-NF network MTU and TLS handshake; check load balancer config."
+      }
+    ],
+    "Policy": [
+      {
+        "pattern": "PcfSmPolicy.*[Ee]rror|PolicyDecision.*[Ff]ail|SmPolicy.*[Rr]eject",
+        "nf": "PCF",
+        "severity": "warning",
+        "description": "Policy decision failure",
+        "remediation": "Review PCF policy rules and subscriber group config; check PCF-UDR N36 link."
+      },
+      {
+        "pattern": "QosEnforce.*[Ff]ail|ChargingRule.*[Ee]rror|PccRule.*[Rr]eject",
+        "nf": "PCF",
+        "severity": "warning",
+        "description": "QoS policy enforcement failure",
+        "remediation": "Verify QoS profiles match UPF capabilities; check PCF-CHF N40 charging path."
+      }
+    ],
+    "Security": [
+      {
+        "pattern": "SecurityMode.*[Ff]ail|IntegrityCheck.*[Ff]ail|NasIntegrity.*[Ee]rror",
+        "nf": "AMF",
+        "severity": "critical",
+        "description": "NAS security mode failure",
+        "remediation": "Check AMF cipher/integrity algorithm priority list matches UE capabilities."
+      },
+      {
+        "pattern": "TlsHandshake.*[Ff]ail|Certificate.*[Ee]xpir|x509.*[Ee]rror|CertVerify.*[Ff]ail",
+        "nf": "AMF",
+        "severity": "critical",
+        "description": "TLS/certificate error",
+        "remediation": "Renew expired certificates; verify trust chain between NFs; check SBI TLS config."
+      },
+      {
+        "pattern": "SuciProtection.*[Ff]ail|PrivacyProtection.*[Ee]rror|HomeNetworkKey.*[Ee]rror",
+        "nf": "UDM",
+        "severity": "warning",
+        "description": "SUCI privacy protection error",
+        "remediation": "Verify Home Network Public Key provisioning on UDM; check SUPI revealing config."
+      }
+    ]
+  }
+}
--- a/config/marvis.env.example
+++ b/config/marvis.env.example
@@ -10,6 +10,22 @@ MARVIS_PLS_PASSWORD=
 MARVIS_PLS_AUTH_BACKEND=local
 MARVIS_PLS_VERIFY_TLS=false

+# Fluent Bit log ingestion.
+MARVIS_LOG_INGEST_ENABLED=true
+MARVIS_LOG_AUTO_CONFIGURE=true
+MARVIS_LOG_RECEIVER_BIND_HOST=0.0.0.0
+MARVIS_LOG_RECEIVER_HOST=
+MARVIS_LOG_RECEIVER_PORT=5514
+MARVIS_LOG_RECEIVER_FORMAT=json_lines
+MARVIS_LOG_BUFFER_LINES=1000
+MARVIS_LOG_TRACE_BUFFER_LINES=5000
+MARVIS_LOG_ALERT_CONTEXT_BEFORE=5
+MARVIS_LOG_ALERT_CONTEXT_AFTER=5
+MARVIS_LOG_ALERT_CONTEXT_DB_PATH=/app/data/marvis-alert-context.db
+MARVIS_LOG_ALERT_CONTEXT_DB_MAX_ROWS=500
+MARVIS_LOG_FLUENTBIT_MATCH=*
+MARVIS_LOG_ALLOWED_NFS=AMF,SMF,UPF,UDM,UDR,NRF,AUSF,PCF,MME,SGWC,DRA,DSM,AAA,BMSC,CHF,SMSF,EIR
+
 # AI backend configuration.
 MARVIS_AI_MODE=rule
 MARVIS_OPENAI_API_KEY=
--- a/config/p5g-marvis.service
+++ b/config/p5g-marvis.service
@@ -16,6 +16,20 @@ Environment=MARVIS_PLS_USERNAME=
 Environment=MARVIS_PLS_PASSWORD=
 Environment=MARVIS_PLS_AUTH_BACKEND=local
 Environment=MARVIS_PLS_VERIFY_TLS=false
+Environment=MARVIS_LOG_INGEST_ENABLED=true
+Environment=MARVIS_LOG_AUTO_CONFIGURE=true
+Environment=MARVIS_LOG_RECEIVER_BIND_HOST=0.0.0.0
+Environment=MARVIS_LOG_RECEIVER_HOST=
+Environment=MARVIS_LOG_RECEIVER_PORT=5514
+Environment=MARVIS_LOG_RECEIVER_FORMAT=json_lines
+Environment=MARVIS_LOG_BUFFER_LINES=1000
+Environment=MARVIS_LOG_TRACE_BUFFER_LINES=5000
+Environment=MARVIS_LOG_ALERT_CONTEXT_BEFORE=5
+Environment=MARVIS_LOG_ALERT_CONTEXT_AFTER=5
+Environment=MARVIS_LOG_ALERT_CONTEXT_DB_PATH=/app/data/marvis-alert-context.db
+Environment=MARVIS_LOG_ALERT_CONTEXT_DB_MAX_ROWS=500
+Environment=MARVIS_LOG_FLUENTBIT_MATCH=*
+Environment=MARVIS_LOG_ALLOWED_NFS=AMF,SMF,UPF,UDM,UDR,NRF,AUSF,PCF,MME,SGWC,DRA,DSM,AAA,BMSC,CHF,SMSF,EIR
 Environment=MARVIS_AI_MODE=rule
 Environment=MARVIS_OPENAI_API_KEY=
 Environment=MARVIS_OPENAI_BASE_URL=https://api.openai.com
@@ -28,6 +42,7 @@ ExecStartPre=-/usr/bin/docker rm -f p5g-marvis
 ExecStart=/usr/bin/docker run \
  --name p5g-marvis \
  --network host \
+  --volume /var/lib/p5g-marvis:/app/data \
  --env MARVIS_PROMETHEUS_URL \
  --env MARVIS_PROMETHEUS_PREFIX \
  --env MARVIS_ALERTMANAGER_URL \
@@ -36,6 +51,20 @@ ExecStart=/usr/bin/docker run \
  --env MARVIS_PLS_PASSWORD \
  --env MARVIS_PLS_AUTH_BACKEND \
  --env MARVIS_PLS_VERIFY_TLS \
+  --env MARVIS_LOG_INGEST_ENABLED \
+  --env MARVIS_LOG_AUTO_CONFIGURE \
+  --env MARVIS_LOG_RECEIVER_BIND_HOST \
+  --env MARVIS_LOG_RECEIVER_HOST \
+  --env MARVIS_LOG_RECEIVER_PORT \
+  --env MARVIS_LOG_RECEIVER_FORMAT \
+  --env MARVIS_LOG_BUFFER_LINES \
+  --env MARVIS_LOG_TRACE_BUFFER_LINES \
+  --env MARVIS_LOG_ALERT_CONTEXT_BEFORE \
+  --env MARVIS_LOG_ALERT_CONTEXT_AFTER \
+  --env MARVIS_LOG_ALERT_CONTEXT_DB_PATH \
+  --env MARVIS_LOG_ALERT_CONTEXT_DB_MAX_ROWS \
+  --env MARVIS_LOG_FLUENTBIT_MATCH \
+  --env MARVIS_LOG_ALLOWED_NFS \
  --env MARVIS_AI_MODE \
  --env MARVIS_OPENAI_API_KEY \
  --env MARVIS_OPENAI_BASE_URL \