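# Plugin Info
version: 1.0.1
title: VMware vCenter
description: Log parser for VMware vCenter
min_stanza_version: 0.13.16

# User-facing parameters. Each entry is read by the template actions further
# down and substituted into the pipeline.
parameters:
  - name: listen_port
    label: Listen Port
    description: A port which the agent will listen for syslog messages
    type: int
    default: 5140
  # 0.0.0.0 binds every interface on the host. Set a specific address when
  # only one network should be able to reach the syslog listener.
  - name: listen_ip
    label: Listen IP
    description: A syslog ip address of the form `<ip>`
    type: string
    default: "0.0.0.0"
    advanced_config: true
  # Deprecated and hidden. A non-empty value still takes precedence over
  # listen_ip/listen_port when the pipeline's listen_address is rendered.
  - name: listen_address
    label: Listen Address
    description: Parameter Deprecated Use 'listen_ip' and 'listen_port' instead.
    type: string
    default: ""
    advanced_config: true
    hidden: true
  - name: max_buffer_size
    label: Max Buffer Size
    description: Maximum size of buffer that may be allocated while reading TCP input
    type: string
    default: "1024kib"
    required: false
  # Declared default is false, so unless TLS is switched on the listener
  # accepts syslog over plain TCP (no encryption, no server certificate).
  - name: enable_tls
    label: Enable TLS
    description: Enable TLS for the TCP listener
    type: bool
    default: false
  - name: certificate_file
    label: TLS certificate path
    description: File path for the X509 TLS certificate chain
    type: string
    default: "/opt/cert"
    required: true
    relevant_if:
      enable_tls:
        equals: true
  # The description previously repeated the certificate-chain text; this
  # parameter is the private key. Keep the key file readable only by the
  # account the agent runs as.
  - name: private_key_file
    label: TLS private key path
    description: File path for the X509 TLS private key
    type: string
    default: "/opt/key"
    required: true
    relevant_if:
      enable_tls:
        equals: true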
# Set Defaults
# The lines below are template variable assignments written inside YAML
# comment lines; the pipeline section refers to the variables they define.
#
# NOTE(review): three fallbacks here differ from the defaults declared in the
# parameters list - enable_tls falls back to true (declared: false), and
# certificate_file / private_key_file fall back to "" (declared: "/opt/cert"
# and "/opt/key"). Which value applies when a parameter is omitted depends on
# whether the plugin loader fills in declared defaults before rendering -
# confirm, because it decides whether an unconfigured listener is plaintext,
# TLS, or TLS with empty file paths.
#
# $length is the length of $listen_address; the pipeline uses the deprecated
# listen_address only when that length is non-zero.
# {{$listen_address := default "0.0.0.0:5140" .listen_address}}
# {{$length := len $listen_address}}
# {{$listen_ip := default "0.0.0.0" .listen_ip}}
# {{$listen_port := default 5140 .listen_port}}
# {{$max_buffer_size := default "1024kib" .max_buffer_size}}
# {{$enable_tls := default true .enable_tls}}
# {{$certificate_file := default "" .certificate_file}}
# {{$private_key_file := default "" .private_key_file}}
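# Pipeline Template
# Flow: vcenter_input -> prefix_router -> one of
#   gcve_json_parser -> gcve_restructure   (record looks like a JSON object)
#   pre_parser -> pre_parser_restructure -> vcenter_parser   (numeric prefix)
#   vcenter_parser                                           (default route)
pipeline:
  # TCP syslog listener. Everything received here is unauthenticated network
  # input unless TLS is enabled and the listener is restricted by address.
  - id: vcenter_input
    type: tcp_input
    # Uses listen_ip:listen_port unless the deprecated listen_address is set.
    listen_address: '{{ if eq $length 0 }}{{ $listen_ip }}:{{ $listen_port }}{{ else }}{{ $listen_address }}{{ end }}'
    # Upper bound on the buffer allocated while reading TCP input.
    max_buffer_size: {{ $max_buffer_size }}
    labels:
      log_type: vmware_vcenter
      plugin_id: {{ .id }}
    add_labels: true
    # Certificate and key paths are substituted unquoted; a path containing
    # YAML-special characters would need quoting in the parameter value.
    tls:
      enable: {{ $enable_tls }}
      certificate: {{ $certificate_file }}
      private_key: {{ $private_key_file }}
    output: prefix_router

  # vcenter will (sometimes) prepend an id to the messages, check
  # for the id and drop it if it exists
  # example: '257 <14>1. . . '
  - id: prefix_router
    type: router
    routes:
      # Record starts with '{' and contains a '}': treat it as JSON.
      - expr: '$record matches "^{.*}"'
        output: gcve_json_parser
      # Record starts with optional digits followed by a space: strip prefix.
      - expr: '$record matches "^\\d* "'
        output: pre_parser
    # Anything else goes straight to the RFC 5424 syslog parser.
    default: vcenter_parser

  # Splits the leading id (captured as "drop") from the rest of the message.
  - id: pre_parser
    type: regex_parser
    regex: '^(?P<drop>\d* )(?P<syslog_message>[\w\W]*)'
    output: pre_parser_restructure

  # Discards the captured prefix and promotes the remainder to be the record.
  - id: pre_parser_restructure
    type: restructure
    ops:
      - remove: "$record.drop"
      - move:
          from: "$record.syslog_message"
          to: "$record"
    output: vcenter_parser

  - id: vcenter_parser
    type: syslog_parser
    protocol: rfc5424
    output: {{ .output }}

  # JSON-formatted records: severity and timestamp are taken from the
  # "@fields.severity" and "@timestamp" keys of the parsed object.
  - id: gcve_json_parser
    type: json_parser
    parse_from: $record
    severity:
      parse_from: '$record["@fields.severity"]'
    timestamp:
      layout: "2006-01-02T15:04:05.000000-07:00"
      layout_type: gotime
      parse_from: '$record["@timestamp"]'
    output: gcve_restructure

  # Renames the "@version" and "@fields.*" keys to plain top-level fields.
  - id: gcve_restructure
    type: restructure
    ops:
      - move:
          from: '$record["@version"]'
          to: "$record.version"
      - move:
          from: '$record["@fields.host"]'
          to: '$record.host'
      - move:
          from: '$record["@fields.facility"]'
          to: '$record.facility'
      - move:
          from: '$record["@fields.procid"]'
          to: '$record.procid'
      - move:
          from: '$record["@fields.privatecloud_id"]'
          to: '$record.privatecloud_id'
      - move:
          from: '$record["@fields.privatecloud_name"]'
          to: '$record.privatecloud_name'
      - move:
          from: '$record["@fields.alias"]'
          to: '$record.alias'
      - move:
          from: '$record["@fields.company_name"]'
          to: '$record.company_name'
      - move:
          from: '$record["@fields.region_id"]'
          to: '$record.region_id'
    output: {{ .output }}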