147 lines
4.2 KiB
Nix
147 lines
4.2 KiB
Nix
with builtins; {
|
|
|
|
imports = [ ./journald/nextcloud.nix ];
|
|
|
|
resource = {
|
|
|
|
graylog_input.journald = {
|
|
title = "Journald Logs";
|
|
# https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html
|
|
type = "org.graylog2.inputs.gelf.udp.GELFUDPInput";
|
|
global = true;
|
|
attributes = toJSON ({
|
|
bind_address = "0.0.0.0";
|
|
decompress_size_limit = 8388608;
|
|
number_worker_threads = 4;
|
|
port = 11201;
|
|
recv_buffer_size = 262144;
|
|
});
|
|
};
|
|
|
|
graylog_stream.journald = {
|
|
title = "journald";
|
|
description = "journald processing stream";
|
|
index_set_id = "\${graylog_index_set.default.id}";
|
|
disabled = false;
|
|
matching_type = "AND";
|
|
};
|
|
|
|
graylog_stream_rule.journald = {
|
|
field = "from_journald";
|
|
value = true;
|
|
stream_id = "\${graylog_stream.journald.id}";
|
|
#description = "";
|
|
type = 1;
|
|
inverted = false;
|
|
};
|
|
|
|
graylog_input_static_fields.journald = {
|
|
input_id = "\${graylog_input.journald.id}";
|
|
fields = { from_journald = true; };
|
|
};
|
|
|
|
graylog_pipeline_connection = {
|
|
journald = {
|
|
stream_id = "\${graylog_stream.journald.id}";
|
|
pipeline_ids = [
|
|
"\${graylog_pipeline.journald_fix_loglevel.id}"
|
|
"\${graylog_pipeline.journald_iptable_parse.id}"
|
|
"\${graylog_pipeline.journald_loglevel_int_to_str.id}"
|
|
];
|
|
};
|
|
};
|
|
|
|
graylog_pipeline = {
|
|
journald_fix_loglevel.source = ''
|
|
pipeline "journald : fix loglevel"
|
|
stage 0 match either
|
|
rule "journald : lookup log level"
|
|
stage 1 match either
|
|
rule "journald : replace log level"
|
|
end
|
|
'';
|
|
|
|
journald_iptable_parse.source = ''
|
|
pipeline "journald : ip table parse"
|
|
stage 0 match either
|
|
rule "journald : iptables split"
|
|
end
|
|
'';
|
|
|
|
journald_loglevel_int_to_str.source = ''
|
|
pipeline "journald : loglevel int to str"
|
|
stage 9 match either
|
|
rule "journald : int to str"
|
|
end
|
|
'';
|
|
};
|
|
|
|
graylog_pipeline_rule = {
|
|
loglevelLookup.source = ''
|
|
rule "journald : lookup log level"
|
|
when
|
|
has_field("level")
|
|
then
|
|
let lookup = lookup_value("systemd-log-level-reverse",$message.level);
|
|
set_field("level_fix",lookup);
|
|
end
|
|
'';
|
|
loglevelReplace.source = ''
|
|
rule "journald : replace log level"
|
|
when
|
|
has_field("level_fix")
|
|
then
|
|
set_field("level",$message.level_fix);
|
|
end
|
|
'';
|
|
loglevelIntToStr.source = ''
|
|
rule "journald : int to str"
|
|
when
|
|
has_field("level")
|
|
then
|
|
let lookup = lookup_value("systemd_log_level",$message.level);
|
|
set_field("level_type",lookup);
|
|
end
|
|
'';
|
|
|
|
iptableSplit.source = ''
|
|
rule "journald : iptables split"
|
|
when
|
|
has_field("facility") && $message.facility == "kernel"
|
|
then
|
|
let result = regex(
|
|
"^refused connection:\\s*IN=(.*) OUT=(.*) MAC=(.*) SRC=(.*) DST=(.*) LEN=.* TOS=.* PREC=.* TTL=(.*) ID=(.*) PROTO=(.*) SPT=(.*) DPT=(.*) WINDOW=(.*) RES=.*",
|
|
to_string($message.message),
|
|
["in_interface"
|
|
,"out_interface"
|
|
,"mac_addr"
|
|
,"src_addr"
|
|
,"dst_addr"
|
|
,"ttl"
|
|
,"iptables_id"
|
|
,"protocol"
|
|
,"src_port"
|
|
,"dst_port"
|
|
,"window"]
|
|
);
|
|
|
|
set_field("in_interface" ,result.in_interface);
|
|
set_field("out_interface" ,result.out_interface);
|
|
set_field("mac_addr" ,result.mac_addr);
|
|
set_field("src_addr" ,result.src_addr);
|
|
set_field("dst_addr" ,result.dst_addr);
|
|
set_field("ttl" ,result.ttl);
|
|
set_field("iptables_id" ,result.iptables_id);
|
|
set_field("protocol" ,result.protocol);
|
|
set_field("src_port" ,result.src_port);
|
|
set_field("dst_port" ,result.dst_port);
|
|
set_field("window" ,result.window);
|
|
|
|
end
|
|
'';
|
|
|
|
};
|
|
};
|
|
|
|
}
|