Hi Craig
yes, we're using a log-forwarder too (log-courier on this side) since
we had some issues with logstash-forwarder
https://github.com/driskell/log-courier but found it more convenient
(rsyslog cannot glob() )
once the filters are stable i'd create a pattern/naxsi - plugin
please note: the filter isn't able (atm) to detect multiple events
in one line, but i'm working on it; it catches the first event only
but the dashboards are nice :DDDD
i'm writing an extensive article on how to setup this thingie, but it
will take some more
days until this is finished; please find the dashboard and a screenshot attached
my filters:
if [type] == "ngx_err" {
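grok {
  # naxsi 1 - normal event (a rule hit that carries cscore0/score0).
  # The pattern is written on a single line: the copy in the mail was
  # line-wrapped, and a newline inside the quoted pattern would make it
  # require a newline in the (single-line) nginx error-log message.
  # request_date is captured twice on purpose (date part, time part); the
  # mutate/join further down glues the two captures back together.
  # NOTE(review): server= and uri= originate from the client request, so
  # treat Host/URI as untrusted data when they are shown on dashboards.
  match => { "message" => "%{DATA:request_date} %{DATA:request_date} %{DATA:err_level} %{DATA:pid_1}: %{DATA:pid_2} NAXSI_FMT: ip=%{IP:PEER_IP}&server=%{HOST:Host}&uri=%{URIPATH:URI}&learning=%{DATA:learning}&vers=%{DATA:naxsi_version}&total_processed=%{NONNEGINT:processed}&total_blocked=%{NONNEGINT:blocked}&block=%{NONNEGINT:block}&cscore0=%{DATA:cscore}&score0=%{DATA:score}&zone0=%{DATA:zone}&id0=%{NONNEGINT:sid}&var_name0=%{DATA:var_name}" }
  # add_tag/add_field/remove_tag only fire when the match above succeeds.
  add_tag => [ "t_naxsi_event" ]
  # %{host} (lowercase) is the event's own host field -- presumably set by
  # the log shipper -- not the "Host" captured from server= above.
  add_field => [ "naxsi_sensor", "%{host}" ]
  # Clears a failure tag that an earlier filter on this event may have set.
  remove_tag => [ "_grokparsefailure" ]
}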
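grok {
  # naxsi 2 - built-in events (same line layout, but no cscore0/score0).
  # Pattern kept on one line for the same reason as in the first grok:
  # a newline inside the quoted string would never match a one-line message.
  match => { "message" => "%{DATA:request_date} %{DATA:request_date} %{DATA:err_level} %{DATA:pid_1}: %{DATA:pid_2} NAXSI_FMT: ip=%{IP:PEER_IP}&server=%{HOST:Host}&uri=%{URIPATH:URI}&learning=%{DATA:learning}&vers=%{DATA:naxsi_version}&total_processed=%{NONNEGINT:processed}&total_blocked=%{NONNEGINT:blocked}&block=%{NONNEGINT:block}&zone0=%{DATA:zone}&id0=%{NONNEGINT:sid}&var_name0=%{DATA:var_name}" }
  # A normal event already parsed by the first grok does not match this
  # pattern; by default grok would then add "_grokparsefailure" to it, and
  # remove_tag below cannot undo that because add/remove options only run
  # on a successful match. Disable the failure tag here: a line that matches
  # neither grok is still tagged by the first one.
  tag_on_failure => []
  add_tag => [ "t_naxsi_event" ]
  # Clears the failure tag the first grok left on a built-in event.
  remove_tag => [ "_grokparsefailure" ]
  # Lowercase %{host} is the shipping sensor, not the captured "Host".
  add_field => [ "naxsi_sensor", "%{host}" ]
}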
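mutate {
  # Drop the bookkeeping fields the grok filters captured only to get past
  # them. "processed" must match the grok capture name
  # (%{NONNEGINT:processed}); the earlier "proccessed" spelling named a
  # field that never exists, so the counter stayed on every event.
  # syslog_program and deliverer are presumably set upstream of this snippet.
  remove_field => [ "syslog_program", "deliverer", "err_level",
                    "pid_1", "pid_2", "processed", "block", "blocked" ]
  # request_date was captured twice by grok (date, time); join them with a
  # space into "yyyy/MM/dd HH:mm:ss" for the date filter that follows.
  join => [ "request_date", " " ]
}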
date {
match => ["request_date", "yyyy/MM/dd HH:mm:ss",
"dd/MMM/YYYY:HH:mm:ss Z", "ISO8601"]
target => "@timestamp"