-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(plugin): common event format logs (#612)
* ported common_event_format plugin * fixed typo, updated location to be type timezone * cleaned up operators, moved add_log_type * updated severity parser to otel sev mappings
- Loading branch information
Showing
1 changed file
with
91 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| version: 0.0.1 | ||
| title: Common Event Format | ||
| description: File Input Common Event Format Parser | ||
| parameters: | ||
| - name: file_log_path | ||
| description: Specify a single path or multiple paths to read one or many files. You may also use a wildcard (*) to read multiple files within a directory. | ||
| type: "[]string" | ||
| required: true | ||
| - name: exclude_file_log_path | ||
| description: Specify a single path or multiple paths to exclude one or many files from being read. You may also use a wildcard (*) to exclude multiple files from being read within a directory | ||
| type: "[]string" | ||
| default: [] | ||
| - name: log_type | ||
| type: string | ||
| description: Adds the specified 'Type' as a label to each log message. | ||
| default: "cef" | ||
| - name: timezone | ||
| description: Timezone to use when parsing the timestamp | ||
| type: timezone | ||
| default: UTC | ||
| - name: start_at | ||
| type: string | ||
| description: Start reading file from 'beginning' or 'end' | ||
| supported: | ||
| - beginning | ||
| - end | ||
| default: end | ||
|
|
||
| template: | | ||
| receivers: | ||
| filelog: | ||
| include: | ||
| {{ range $fp := .file_log_path }} | ||
| - '{{ $fp }}' | ||
| {{ end }} | ||
| exclude: | ||
| {{ range $fp := .exclude_file_log_path }} | ||
| - '{{ $fp }}' | ||
| {{end}} | ||
| start_at: {{ .start_at }} | ||
| operators: | ||
| - type: regex_parser | ||
| regex: '^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+((?P<hostname>[^\s]+)\s+)?(?P<cef_headers>[\d\D]+)' | ||
| timestamp: | ||
| parse_from: attributes.timestamp | ||
| layout_type: gotime | ||
| layout: 'Jan 02 15:04:05' | ||
| location: {{ .timezone }} | ||
| - type: csv_parser | ||
| parse_from: attributes.cef_headers | ||
| header: 'version|device_vendor|device_product|device_version|signature_id|name|severity|extensions' | ||
| header_delimiter: "|" | ||
| delimiter: "|" | ||
| - type: regex_parser | ||
| if: 'attributes.version != nil and attributes.version matches "CEF:[^\\|]*"' | ||
| regex: 'CEF:(?P<version>[^\|]*)' | ||
| parse_from: attributes.version | ||
| - type: severity_parser | ||
| if: 'attributes.severity != nil' | ||
| parse_from: attributes.severity | ||
| preset: none | ||
| mapping: | ||
| info: | ||
| - min: 0 | ||
| max: 3 | ||
| - low | ||
| warn: | ||
| - min: 4 | ||
| max: 6 | ||
| - medium | ||
| error: | ||
| - min: 7 | ||
| max: 8 | ||
| - high | ||
| fatal: | ||
| - min: 9 | ||
| max: 10 | ||
| - very-high | ||
| - id: add_log_type | ||
| type: add | ||
| field: attributes.log_type | ||
| value: {{ .log_type }} | ||
| service: | ||
| pipelines: | ||
| logs: | ||
| receivers: [filelog] |