nixos-config/terranix/graylog/journald.nix

with builtins; {

  imports = [ ./journald/nextcloud.nix ./journald/kibana.nix ];

  resource = {

    graylog_input = {
      journalbeat = {
        title = "Journalbeat Logs";
        # https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html
        type = "org.graylog.plugins.beats.Beats2Input";
        global = true;
        attributes = toJSON ({
          bind_address = "0.0.0.0";
          no_beats_prefix = true;
          number_worker_threads = 4;
          port = 5044;
          recv_buffer_size = 1048576;
          tcp_keepalive = false;
          tls_cert_file = "";
          tls_client_auth = "disabled";
          tls_client_auth_cert_file = "";
          tls_enable = false;
          tls_key_file = "";
          tls_key_password = "";
        });
      };
    };

    graylog_input_static_fields.journalbeat = {
      input_id = "\${graylog_input.journalbeat.id}";
      fields = {
        from_journald = true;
        journalbeat = true;
      };
    };

    graylog_stream.journald = {
      title = "journald";
      description = "journald processing stream";
      index_set_id = "\${graylog_index_set.default.id}";
      disabled = false;
      matching_type = "AND";
    };

    graylog_stream_rule.journald = {
      field = "from_journald";
      value = true;
      stream_id = "\${graylog_stream.journald.id}";
      #description = "";
      type = 1;
      inverted = false;
    };

    graylog_pipeline_connection = {
      journald = {
        stream_id = "\${graylog_stream.journald.id}";
        pipeline_ids = [
          #"\${graylog_pipeline.journald_fix_loglevel.id}"
          "\${graylog_pipeline.journald_iptable_parse.id}"
          #"\${graylog_pipeline.journald_loglevel_int_to_str.id}"
        ];
      };
    };

    graylog_pipeline = {
      journald_iptable_parse.source = ''
        pipeline "journald : ip table parse"
          stage 0 match either
            rule "journald : iptables split"
        end
      '';
    };

    graylog_pipeline_rule = {
      iptableSplit.source = ''
        rule "journald : iptables split"
        when
          has_field("facility") && $message.facility == "kernel"
        then
          let result = regex(
            "^refused connection:\\s*IN=(.*) OUT=(.*) MAC=(.*) SRC=(.*) DST=(.*) LEN=.* TOS=.* PREC=.* TTL=(.*) ID=(.*) PROTO=(.*) SPT=(.*) DPT=(.*) WINDOW=(.*) RES=.*",
            to_string($message.message),
            ["in_interface"
            ,"out_interface"
            ,"mac_addr"
            ,"src_addr"
            ,"dst_addr"
            ,"ttl"
            ,"iptables_id"
            ,"protocol"
            ,"src_port"
            ,"dst_port"
            ,"window"]
            );

          set_field("in_interface"     ,result.in_interface);
          set_field("out_interface"    ,result.out_interface);
          set_field("mac_addr"         ,result.mac_addr);
          set_field("src_addr"         ,result.src_addr);
          set_field("dst_addr"         ,result.dst_addr);
          set_field("ttl"              ,result.ttl);
          set_field("iptables_id"      ,result.iptables_id);
          set_field("protocol"         ,result.protocol);
          set_field("src_port"         ,result.src_port);
          set_field("dst_port"         ,result.dst_port);
          set_field("window"           ,result.window);

        end
      '';

    };
  };

}
update graylog terranix setup 2021-07-14 12:12:36 +02:00			`with builtins; {`

graylog: fine tuning and dashboard creation 2021-07-17 13:45:19 +02:00			`imports = [ ./journald/nextcloud.nix ./journald/kibana.nix ];`
graylog: add nextcloud parser 2021-07-15 08:59:44 +02:00
update graylog terranix setup 2021-07-14 12:12:36 +02:00			`resource = {`

graylog: fixing stuff 2021-07-15 23:09:55 +02:00			`graylog_input = {`
			`journalbeat = {`
			`title = "Journalbeat Logs";`
			`# https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html`
			`type = "org.graylog.plugins.beats.Beats2Input";`
			`global = true;`
			`attributes = toJSON ({`
			`bind_address = "0.0.0.0";`
			`no_beats_prefix = true;`
			`number_worker_threads = 4;`
			`port = 5044;`
			`recv_buffer_size = 1048576;`
			`tcp_keepalive = false;`
			`tls_cert_file = "";`
			`tls_client_auth = "disabled";`
			`tls_client_auth_cert_file = "";`
			`tls_enable = false;`
			`tls_key_file = "";`
			`tls_key_password = "";`
			`});`
			`};`
			`};`

			`graylog_input_static_fields.journalbeat = {`
			`input_id = "\${graylog_input.journalbeat.id}";`
			`fields = {`
			`from_journald = true;`
			`journalbeat = true;`
			`};`
update graylog terranix setup 2021-07-14 12:12:36 +02:00			`};`

use graylog for journald logs 2021-07-14 13:09:08 +02:00			`graylog_stream.journald = {`
			`title = "journald";`
			`description = "journald processing stream";`
			`index_set_id = "\${graylog_index_set.default.id}";`
			`disabled = false;`
			`matching_type = "AND";`
			`};`

			`graylog_stream_rule.journald = {`
			`field = "from_journald";`
			`value = true;`
			`stream_id = "\${graylog_stream.journald.id}";`
			`#description = "";`
			`type = 1;`
			`inverted = false;`
			`};`
update graylog terranix setup 2021-07-14 12:12:36 +02:00
graylog: add nextcloud parser 2021-07-15 08:59:44 +02:00			`graylog_pipeline_connection = {`
			`journald = {`
			`stream_id = "\${graylog_stream.journald.id}";`
			`pipeline_ids = [`
graylog: fixing stuff 2021-07-15 23:09:55 +02:00			`#"\${graylog_pipeline.journald_fix_loglevel.id}"`
graylog: add nextcloud parser 2021-07-15 08:59:44 +02:00			`"\${graylog_pipeline.journald_iptable_parse.id}"`
graylog: fixing stuff 2021-07-15 23:09:55 +02:00			`#"\${graylog_pipeline.journald_loglevel_int_to_str.id}"`
graylog: add nextcloud parser 2021-07-15 08:59:44 +02:00			`];`
			`};`
			`};`

			`graylog_pipeline = {`
			`journald_iptable_parse.source = ''`
			`pipeline "journald : ip table parse"`
			`stage 0 match either`
			`rule "journald : iptables split"`
			`end`
			`'';`
			`};`
update graylog terranix setup 2021-07-14 12:12:36 +02:00
			`graylog_pipeline_rule = {`
graylog: add nextcloud parser 2021-07-15 08:59:44 +02:00			`iptableSplit.source = ''`
			`rule "journald : iptables split"`
			`when`
			`has_field("facility") && $message.facility == "kernel"`
			`then`
			`let result = regex(`
			`"^refused connection:\\sIN=(.) OUT=(.) MAC=(.) SRC=(.) DST=(.) LEN=.* TOS=.* PREC=.* TTL=(.) ID=(.) PROTO=(.) SPT=(.) DPT=(.) WINDOW=(.) RES=.*",`
			`to_string($message.message),`
			`["in_interface"`
			`,"out_interface"`
			`,"mac_addr"`
			`,"src_addr"`
			`,"dst_addr"`
			`,"ttl"`
			`,"iptables_id"`
			`,"protocol"`
			`,"src_port"`
			`,"dst_port"`
			`,"window"]`
			`);`

			`set_field("in_interface" ,result.in_interface);`
			`set_field("out_interface" ,result.out_interface);`
			`set_field("mac_addr" ,result.mac_addr);`
			`set_field("src_addr" ,result.src_addr);`
			`set_field("dst_addr" ,result.dst_addr);`
			`set_field("ttl" ,result.ttl);`
			`set_field("iptables_id" ,result.iptables_id);`
			`set_field("protocol" ,result.protocol);`
			`set_field("src_port" ,result.src_port);`
			`set_field("dst_port" ,result.dst_port);`
			`set_field("window" ,result.window);`

			`end`
			`'';`
update graylog terranix setup 2021-07-14 12:12:36 +02:00
			`};`
			`};`

			`}`