graylog: add nextcloud parser

terranix/graylog/config.nix

@@ -2,12 +2,6 @@ with builtins; {
 
   imports = [ ./provider.nix ./nginx.nix ./journald.nix ];
 
-  resource.graylog_output.stdout = {
-    title = "test stdout";
-    type = "org.graylog2.outputs.LoggingOutput";
-    configuration = toJSON ({ prefix = "Writing message: "; });
-  };
-
   # create default index
   resource.graylog_index_set.default = let
     maxIndexSize = 200;

terranix/graylog/journald.nix

@@ -1,5 +1,7 @@
 with builtins; {
 
+  imports = [ ./journald/nextcloud.nix ];
+
   resource = {
 
     graylog_input.journald = {
@@ -38,8 +40,20 @@ with builtins; {
       fields = { from_journald = true; };
     };
 
-    graylog_pipeline.systemd_loglevel_fix.source = ''
+    graylog_pipeline_connection = {
-      pipeline "journald : log level fix"
+      journald = {
+        stream_id = "\${graylog_stream.journald.id}";
+        pipeline_ids = [
+          "\${graylog_pipeline.journald_fix_loglevel.id}"
+          "\${graylog_pipeline.journald_iptable_parse.id}"
+          "\${graylog_pipeline.journald_loglevel_int_to_str.id}"
+        ];
+      };
+    };
+
+    graylog_pipeline = {
+      journald_fix_loglevel.source = ''
+        pipeline "journald : fix loglevel"
           stage 0 match either
             rule "journald : lookup log level"
           stage 1 match either
@@ -47,8 +61,23 @@ with builtins; {
         end
       '';
 
+      journald_iptable_parse.source = ''
+        pipeline "journald : ip table parse"
+          stage 0 match either
+            rule "journald : iptables split"
+        end
+      '';
+
+      journald_loglevel_int_to_str.source = ''
+        pipeline "journald : loglevel int to str"
+          stage 9 match either
+            rule "journald : int to str"
+        end
+      '';
+    };
+
     graylog_pipeline_rule = {
-      lookup.source = ''
+      loglevelLookup.source = ''
         rule "journald : lookup log level"
         when
           has_field("level")
@@ -57,7 +86,7 @@ with builtins; {
           set_field("level_fix",lookup);
         end
       '';
-      replace.source = ''
+      loglevelReplace.source = ''
         rule "journald : replace log level"
         when
           has_field("level_fix")
@@ -65,6 +94,51 @@ with builtins; {
           set_field("level",$message.level_fix);
         end
       '';
+      loglevelIntToStr.source = ''
+        rule "journald : int to str"
+        when
+          has_field("level")
+        then
+          let lookup = lookup_value("systemd_log_level",$message.level);
+          set_field("level_type",lookup);
+        end
+      '';
+
+      iptableSplit.source = ''
+        rule "journald : iptables split"
+        when
+          has_field("facility") && $message.facility == "kernel"
+        then
+          let result = regex(
+            "^refused connection:\\s*IN=(.*) OUT=(.*) MAC=(.*) SRC=(.*) DST=(.*) LEN=.* TOS=.* PREC=.* TTL=(.*) ID=(.*) PROTO=(.*) SPT=(.*) DPT=(.*) WINDOW=(.*) RES=.*",
+            to_string($message.message),
+            ["in_interface"
+            ,"out_interface"
+            ,"mac_addr"
+            ,"src_addr"
+            ,"dst_addr"
+            ,"ttl"
+            ,"iptables_id"
+            ,"protocol"
+            ,"src_port"
+            ,"dst_port"
+            ,"window"]
+            );
+
+          set_field("in_interface"     ,result.in_interface);
+          set_field("out_interface"    ,result.out_interface);
+          set_field("mac_addr"         ,result.mac_addr);
+          set_field("src_addr"         ,result.src_addr);
+          set_field("dst_addr"         ,result.dst_addr);
+          set_field("ttl"              ,result.ttl);
+          set_field("iptables_id"      ,result.iptables_id);
+          set_field("protocol"         ,result.protocol);
+          set_field("src_port"         ,result.src_port);
+          set_field("dst_port"         ,result.dst_port);
+          set_field("window"           ,result.window);
+
+        end
+      '';
 
     };
   };

terranix/graylog/journald/nextcloud.nix

@@ -0,0 +1,34 @@
+with builtins; {
+
+  resource = {
+
+    graylog_pipeline_connection = {
+      nextcloud = {
+        stream_id = "\${graylog_stream.journald.id}";
+        pipeline_ids = [ "\${graylog_pipeline.nextcloud.id}" ];
+      };
+    };
+
+    graylog_pipeline = {
+      nextcloud.source = ''
+        pipeline "nextcloud : parsing"
+          stage 10 match either
+            rule "nextcloud : parse level 1"
+        end
+      '';
+    };
+
+    graylog_pipeline_rule = {
+      nextcloudLevel1.source = ''
+        rule "nextcloud : parse level 1"
+        when
+            has_field("Systemd_unit") && $message.Systemd_unit == "phpfpm-nextcloud.service"
+        then
+          let parsedJson = parse_json(to_string($message.message));
+          set_fields(to_map(parsedJson),"nextcloud_");
+        end
+      '';
+    };
+
+  };
+}