50 lines
1.3 KiB
Nix
50 lines
1.3 KiB
Nix
# filters kernel messages
|
|
{
|
|
resource."graylog_pipeline_rule" = {
|
|
|
|
routeToKernelMessage = {
|
|
|
|
description = "route kernel messages to kernel stream (TF)";
|
|
source = ''
|
|
rule "route kernel message"
|
|
when
|
|
to_string($message.facility) == "kernel"
|
|
then
|
|
route_to_stream(id:"''${ graylog_stream.kernel.id }", remove_from_default: true);
|
|
end
|
|
'';
|
|
};
|
|
|
|
extractFirewallDeny = {
|
|
description = "extract information form a firewall deny (TF)";
|
|
source = ''
|
|
rule "extract firewall deny"
|
|
when
|
|
starts_with(to_string($message.message), "refused connection:")
|
|
then
|
|
set_fields(grok("SRC=%{IP:source_ip} .* DPT=%{NUMBER:destination_port}", to_string($message.message)));
|
|
set_field("is_thread", true);
|
|
route_to_stream(id:"''${ graylog_stream.thread.id }");
|
|
end
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
graylog.all_messages.rules = [ "route kernel message" ];
|
|
|
|
graylog.stream.kernel = {
|
|
index_set_id = "\${data.graylog_index_set.default.id}";
|
|
pipelines = [ "\${graylog_pipeline.processKernelMessage.id}" ];
|
|
};
|
|
|
|
graylog.pipeline.processKernelMessage = {
|
|
source = ''
|
|
stage 0 match all
|
|
rule "extract firewall deny";
|
|
'';
|
|
description = "process messages of the kernel stream(TF)";
|
|
};
|
|
|
|
}
|