From a66ded0e8f36abedb9e5f0ed92f138b7c66dc35d Mon Sep 17 00:00:00 2001
From: Aaron Stein
Date: Tue, 1 Oct 2019 14:39:11 -0700
Subject: [PATCH] parse rds slowquery user

---
 decode/decode.go | 22 ++++++++++++++++++++++
 decode/decode_test.go | 17 +++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/decode/decode.go b/decode/decode.go
index 93d8a66..55becc4 100644
--- a/decode/decode.go
+++ b/decode/decode.go
@@ -107,6 +107,20 @@ func FieldsFromKayvee(line string) (map[string]interface{}, error) {
 return m, nil
 }

+var userPattern = `#\sUser@Host:\s(?P[a-zA-Z]+\[[a-zA-Z]+\])\s@\s[a-zA-Z]+.*Id:\s+(?P[0-9]+)`
+var userPatternRegex = regexp.MustCompile(userPattern)
+
+func FieldsFromRDSSlowquery(rawlog string) map[string]interface{} {
+ out := map[string]interface{}{}
+
+ match := userPatternRegex.FindStringSubmatch(rawlog)
+ if len(match) == 3 {
+ out["user"] = match[1]
+ out["user_id"] = match[2]
+ }
+ return out
+}
+
 // MetricsRoute represents a metrics kv log route
 type MetricsRoute struct {
 Series string
@@ -421,6 +435,14 @@ func ParseAndEnhance(line string, env string) (map[string]interface{}, error) {
 }
 }

+ // Try pulling RDS slowquery logs fields out of message
+ if out["hostname"] == "aws-rds" {
+ slowQueryFields := FieldsFromRDSSlowquery(rawlog)
+ for k, v := range slowQueryFields {
+ out[k] = v
+ }
+ }
+
 return out, nil
 }

diff --git a/decode/decode_test.go b/decode/decode_test.go
index 7f201a9..d60e0d3 100644
--- a/decode/decode_test.go
+++ b/decode/decode_test.go
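Review bot: `userPattern` accepts only all-letter account names (`[a-zA-Z]+\[[a-zA-Z]+\]`) and a host that begins with a letter, so entries for accounts containing digits, `_` or `-`, or for clients that MySQL logs with an empty host and only a bracketed IP, produce no `user` field; that is a silent attribution gap for anyone alerting on this field. The pattern is also unanchored and `FindStringSubmatch` returns the leftmost match, so when the real header is skipped, header-like text inside the SQL statement further down `rawlog` can fill `user` instead; widening the name class (for example `[^\s\[\]]+`) and matching only the text before the `# Query_time:` line would address both. `Id:` in the slow log is the connection id rather than a user id, so a key such as `connection_id` would be more accurate than `user_id`. The exported function has no doc comment; I would add `// FieldsFromRDSSlowquery extracts the account and connection id from the "# User@Host:" header of an RDS slow query log message.`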
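Review bot: The merge loop in the `aws-rds` branch assigns `out[k] = v` unconditionally, so any value already stored under the generic keys `user` or `user_id` is replaced by text scraped from the free-form message. A guard such as `if _, ok := out[k]; !ok { out[k] = v }`, or source-specific key names like `rds_user`, would keep parsed values from silently overriding structured ones. The gate itself relies on the syslog `hostname` field, which is set by whoever emits the line, so it is a routing hint and not proof that the message came from RDS. ParseAndEnhance begins above this hunk, so where `rawlog` is assigned cannot be checked from here.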
@@ -344,6 +344,23 @@ func TestParseAndEnhance(t *testing.T) {
 "timestamp": logTime2,
 },
 },
+ ParseAndEnhanceSpec{
+ Title: "RDS Slowquery Log",
+ Line: `2017-04-05T21:57:46+00:00 aws-rds production-aurora-test-db: Slow query: # Time: 190921 16:02:59
+# User@Host: rdsadmin[rdsadmin] @ localhost [] Id: 1
+# Query_time: 22.741550 Lock_time: 0.000000 Rows_sent: 0 Rows_examined: 0SET timestamp=1569081779;call action start_seamless_scaling('AQEAAB1P/PAIqvTHEQFJAEkojZUoH176FGJttZ62JF5QmRehaf0S0VFTa+5MPJdYQ9k0/sekBlnMi8U=', 300000, 2);
+SET timestamp=1569862702;`,
+ ExpectedOutput: map[string]interface{}{
+ "env": "deploy-env",
+ "hostname": "aws-rds",
+ "programname": "production-aurora-test-db",
+ "decoder_msg_type": "syslog",
+ "rawlog": "Slow query: # Time: 190921 16:02:59\n# User@Host: rdsadmin[rdsadmin] @ localhost [] Id: 1\n# Query_time: 22.741550 Lock_time: 0.000000 Rows_sent: 0 Rows_examined: 0SET timestamp=1569081779;call action start_seamless_scaling('AQEAAB1P/PAIqvTHEQFJAEkojZUoH176FGJttZ62JF5QmRehaf0S0VFTa+5MPJdYQ9k0/sekBlnMi8U=', 300000, 2);\nSET timestamp=1569862702;",
+ "timestamp": logTime2,
+ "user": "rdsadmin[rdsadmin]",
+ "user_id": "1",
+ },
+ },
 }
 for _, spec := range specs {
 t.Run(fmt.Sprintf(spec.Title), func(t *testing.T) {
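Review bot: The new spec covers only the one shape the pattern was written for, an all-letter account connecting from `localhost`. Cases for an account name with digits or underscores, a client logged as a bracketed IP with no hostname, and an `aws-rds` line with no `# User@Host:` header (expecting neither `user` nor `user_id`) would pin down what the decoder does on the inputs most likely to appear in production. The argument to `start_seamless_scaling('…')` looks like an opaque token copied from a real log; confirm it is not sensitive or swap it for a constructed value before it lands in the repository. TestParseAndEnhance continues outside the hunk.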