with builtins; { resource = { graylog_input = { nginx_access_logs = { title = "nginx access log"; # https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html type = "org.graylog2.inputs.syslog.udp.SyslogUDPInput"; global = true; attributes = toJSON ({ allow_override_date = true; bind_address = "0.0.0.0"; expand_structured_data = false; force_rdns = false; number_worker_threads = 4; port = 12304; recv_buffer_size = 1048576; store_full_message = false; }); }; nginx_error_logs = { title = "nginx error log"; # https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html type = "org.graylog2.inputs.syslog.udp.SyslogUDPInput"; global = true; attributes = toJSON ({ allow_override_date = true; bind_address = "0.0.0.0"; expand_structured_data = false; force_rdns = false; number_worker_threads = 4; port = 12305; recv_buffer_size = 1048576; store_full_message = false; }); }; }; graylog_input_static_fields = { nginx_access_logs = { input_id = "\${graylog_input.nginx_access_logs.id}"; fields = { from_nginx = true; nginx_error = false; nginx_access = true; }; }; nginx_error_logs = { input_id = "\${graylog_input.nginx_error_logs.id}"; fields = { from_nginx = true; nginx_error = true; nginx_access = false; }; }; }; graylog_stream = { nginx5xx = { title = "nginx 5xx"; description = "all requests answered with a 5xx response"; index_set_id = "\${graylog_index_set.default.id}"; disabled = false; matching_type = "AND"; }; nginx4xx = { title = "nginx 4xx"; description = "all requests answered with a 4xx response"; index_set_id = "\${graylog_index_set.default.id}"; disabled = false; matching_type = "AND"; }; nginx2xx = { title = "nginx 2xx"; description = "all requests answered with a 2xx response"; index_set_id = "\${graylog_index_set.default.id}"; disabled = false; matching_type = "AND"; }; nginx_access = { title = "nginx access"; description = "all requests"; index_set_id = "\${graylog_index_set.default.id}"; disabled = false; matching_type = "AND"; }; nginx_error = { title = "nginx error"; description = "all errors"; index_set_id = "\${graylog_index_set.default.id}"; disabled = false; matching_type = "AND"; }; }; graylog_stream_rule = let nq_stream_rule = field: value: stream_id: { inherit field value stream_id; type = 1; inverted = true; }; eq_stream_rule = field: value: stream_id: { inherit field value stream_id; type = 1; inverted = false; }; gt_stream_rule = field: value: stream_id: { inherit field value stream_id; type = 3; inverted = false; }; lt_stream_rule = field: value: stream_id: { inherit field value stream_id; type = 4; inverted = false; }; between = min: max: stream_id: { "is_nginx_access_${min}_${max}" = (eq_stream_rule "nginx_access" true stream_id); "nginx_above${min}" = (gt_stream_rule "response_status" min stream_id); "nginx_below${max}" = (lt_stream_rule "response_status" max stream_id); }; in (between "499" "600" "\${graylog_stream.nginx5xx.id}") // (between "399" "500" "\${graylog_stream.nginx4xx.id}") // (between "199" "300" "\${graylog_stream.nginx2xx.id}") // { is_nginx_access = (eq_stream_rule "nginx_access" true "\${graylog_stream.nginx_access.id}"); is_nginx_error = (eq_stream_rule "nginx_error" true "\${graylog_stream.nginx_error.id}"); }; }; }