graylog, working on nginx streams

terranix/graylog/nginx.nix

@@ -62,5 +62,59 @@ with builtins; {
 
     };
 
+    graylog_stream = {
+      nginx5xx = {
+        title = "nginx 5xx";
+        description = "all requests answered with a 5xx response";
+        index_set_id = "\${graylog_index_set.default.id}";
+        disabled = false;
+        matching_type = "AND";
+      };
+      nginx4xx = {
+        title = "nginx 4xx";
+        description = "all requests answered with a 4xx response";
+        index_set_id = "\${graylog_index_set.default.id}";
+        disabled = false;
+        matching_type = "AND";
+      };
+      nginx2xx = {
+        title = "nginx 2xx";
+        description = "all requests answered with a 2xx response";
+        index_set_id = "\${graylog_index_set.default.id}";
+        disabled = false;
+        matching_type = "AND";
+      };
+    };
+
+    graylog_stream_rule = let
+      nq_stream_rule = field: value: stream_id: {
+        inherit field value stream_id;
+        type = 1;
+        inverted = true;
+      };
+      eq_stream_rule = field: value: stream_id: {
+        inherit field value stream_id;
+        type = 1;
+        inverted = false;
+      };
+      gt_stream_rule = field: value: stream_id: {
+        inherit field value stream_id;
+        type = 3;
+        inverted = false;
+      };
+      lt_stream_rule = field: value: stream_id: {
+        inherit field value stream_id;
+        type = 4;
+        inverted = false;
+      };
+      between = min: max: stream_id: {
+        "is_nginx_${min}_${max}" = (eq_stream_rule "from_nginx" true stream_id);
+        "nginx_above${min}" = (gt_stream_rule "response_status" min stream_id);
+        "nginx_below${max}" = (lt_stream_rule "response_status" max stream_id);
+      };
+    in (between "499" "600" "\${graylog_stream.nginx5xx.id}")
+    // (between "399" "500" "\${graylog_stream.nginx4xx.id}")
+    // (between "199" "300" "\${graylog_stream.nginx2xx.id}");
+
   };
 }