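# Terranix module: journald log ingestion for Graylog.
#
# Declares, as Terraform `resource` blocks rendered from Nix:
#   * a global Beats input that Journalbeat ships to,
#   * static fields tagging everything arriving on that input,
#   * a "journald" stream fed by an exact-match rule on one of those fields,
#   * one pipeline (connected to that stream) whose single rule splits kernel
#     iptables "refused connection" lines into discrete fields.
#
# `builtins.toJSON` is referenced explicitly instead of a file-level
# `with builtins;` so that the only builtin in use is visible at the call
# site and nothing else is silently pulled into scope.
{
  imports = [
    ./journald/nextcloud.nix
    ./journald/kibana.nix
  ];

  resource = {
    graylog_input.journalbeat = {
      title = "Journalbeat Logs";
      # https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html
      type = "org.graylog.plugins.beats.Beats2Input";
      global = true;
      # Serialized because the provider expects the input configuration as a
      # JSON string rather than a nested object.
      #
      # Exposure: the listener binds every interface with `tls_enable = false`
      # and `tls_client_auth = "disabled"`, so shipped logs travel in clear
      # text and any host that can reach TCP/5044 can submit events that end
      # up tagged `from_journald = true` and routed into the journald stream.
      # Keep the port reachable only from the hosts running Journalbeat
      # (network policy / firewall) or populate the tls_* settings with a
      # certificate and key and require client certificates before widening
      # reachability.
      attributes = builtins.toJSON {
        bind_address = "0.0.0.0";
        no_beats_prefix = true;
        number_worker_threads = 4;
        port = 5044;
        recv_buffer_size = 1048576;
        tcp_keepalive = false;
        tls_cert_file = "";
        tls_client_auth = "disabled";
        tls_client_auth_cert_file = "";
        tls_enable = false;
        tls_key_file = "";
        tls_key_password = "";
      };
    };

    # Every message received on the input above gets these two fields; the
    # stream rule below keys on `from_journald`.
    graylog_input_static_fields.journalbeat = {
      input_id = "\${graylog_input.journalbeat.id}";
      fields = {
        from_journald = true;
        journalbeat = true;
      };
    };

    graylog_stream.journald = {
      title = "journald";
      description = "journald processing stream";
      index_set_id = "\${graylog_index_set.default.id}";
      disabled = false;
      matching_type = "AND";
    };

    # Routes input-tagged messages into the stream. `type = 1` is Graylog's
    # exact-match rule type; `value` is compared against the static field set
    # above (presumably stringified by the provider — verify in the UI after
    # apply).
    graylog_stream_rule.journald = {
      field = "from_journald";
      value = true;
      stream_id = "\${graylog_stream.journald.id}";
      #description = "";
      type = 1;
      inverted = false;
    };

    graylog_pipeline_connection.journald = {
      stream_id = "\${graylog_stream.journald.id}";
      # Only the iptables parser is wired up; the two commented entries refer
      # to pipelines not defined in this file (possibly in the imported
      # modules) and were left disabled by the author.
      pipeline_ids = [
        #"\${graylog_pipeline.journald_fix_loglevel.id}"
        "\${graylog_pipeline.journald_iptable_parse.id}"
        #"\${graylog_pipeline.journald_loglevel_int_to_str.id}"
      ];
    };

    # Pipeline definitions are Graylog pipeline-language source, not Nix, so
    # they are passed through verbatim as indented strings.
    graylog_pipeline.journald_iptable_parse.source = ''
      pipeline "journald : ip table parse"
      stage 0 match either
        rule "journald : iptables split"
      end
    '';

    # Splits a kernel "refused connection:" iptables log line into fields.
    #
    # Notes for maintainers (regex is unchanged from the original):
    #   * Inside a Nix indented string a backslash is literal, so `\\s` reaches
    #     Graylog as `\\s`, which its string-literal unescaping turns into the
    #     intended `\s`.
    #   * The pattern requires SPT=, DPT= and WINDOW=, so it presumably only
    #     matches TCP lines; UDP/ICMP refusals would not match and the
    #     set_field calls would then receive absent values — confirm the
    #     resulting behavior against sample logs.
    #   * Every capture is a greedy `.*`; with e.g. "ID=12345 DF PROTO=TCP"
    #     the `iptables_id` capture likely includes the "DF" flag. Tighten the
    #     groups if that matters for downstream queries.
    graylog_pipeline_rule.iptableSplit.source = ''
      rule "journald : iptables split"
      when
        has_field("facility") && $message.facility == "kernel"
      then
        let result = regex(
          "^refused connection:\\s*IN=(.*) OUT=(.*) MAC=(.*) SRC=(.*) DST=(.*) LEN=.* TOS=.* PREC=.* TTL=(.*) ID=(.*) PROTO=(.*) SPT=(.*) DPT=(.*) WINDOW=(.*) RES=.*",
          to_string($message.message),
          ["in_interface"
          ,"out_interface"
          ,"mac_addr"
          ,"src_addr"
          ,"dst_addr"
          ,"ttl"
          ,"iptables_id"
          ,"protocol"
          ,"src_port"
          ,"dst_port"
          ,"window"]
        );
        set_field("in_interface"  ,result.in_interface);
        set_field("out_interface" ,result.out_interface);
        set_field("mac_addr"      ,result.mac_addr);
        set_field("src_addr"      ,result.src_addr);
        set_field("dst_addr"      ,result.dst_addr);
        set_field("ttl"           ,result.ttl);
        set_field("iptables_id"   ,result.iptables_id);
        set_field("protocol"      ,result.protocol);
        set_field("src_port"      ,result.src_port);
        set_field("dst_port"      ,result.dst_port);
        set_field("window"        ,result.window);
      end
    '';
  };
}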