423 lines
8.3 KiB
Perl
423 lines
8.3 KiB
Perl
package Search::ESsearcher::Templates::syslog;
|
|
|
|
use 5.006;
|
|
use strict;
|
|
use warnings;
|
|
|
|
=head1 NAME
|
|
|
|
Search::ESsearcher::Templates::syslog - Provides syslog support for essearcher.
|
|
|
|
=head1 VERSION
|
|
|
|
Version 1.1.0
|
|
|
|
=cut
|
|
|
|
our $VERSION = '1.1.0';
|
|
|
|
=head1 LOGSTASH
|
|
|
|
This uses a logstash configuration below.
|
|
|
|
input {
|
|
syslog {
|
|
host => "10.10.10.10"
|
|
port => 11514
|
|
type => "syslog"
|
|
}
|
|
}
|
|
|
|
filter { }
|
|
|
|
output {
|
|
if [type] == "syslog" {
|
|
elasticsearch {
|
|
hosts => [ "127.0.0.1:9200" ]
|
|
}
|
|
}
|
|
}
|
|
|
|
The important bit is "type" being set to "syslog". If that is not used,
|
|
use the command line options field and fieldv.
|
|
|
|
=head1 Options
|
|
|
|
=head2 --host <log host>
|
|
|
|
The syslog server.
|
|
|
|
The search is done with .keyword appended to the field name.
|
|
|
|
=head2 --hostx <log host>
|
|
|
|
The syslog server.
|
|
|
|
Does not run the it through aonHost.
|
|
|
|
The search is done with .keyword appended to the field name.
|
|
|
|
=head2 --src <src server>
|
|
|
|
The source server sending to the syslog server.
|
|
|
|
The search is done with .keyword appended to the field name.
|
|
|
|
=head2 --srcx <src server>
|
|
|
|
The source server sending to the syslog server.
|
|
|
|
Does not run the it through aonHost.
|
|
|
|
The search is done with .keyword appended to the field name.
|
|
|
|
=head2 --program <program>
|
|
|
|
The name of the daemon/program in question.
|
|
|
|
=head2 --size <count>
|
|
|
|
The number of items to return.
|
|
|
|
=head2 --facility <facility>
|
|
|
|
The syslog facility.
|
|
|
|
=head2 --severity <severity>
|
|
|
|
The severity level of the message.
|
|
|
|
=head2 --pid <pid>
|
|
|
|
The PID that sent the message.
|
|
|
|
=head2 --dgt <date>
|
|
|
|
Date greater than.
|
|
|
|
=head2 --dgte <date>
|
|
|
|
Date greater than or equal to.
|
|
|
|
=head2 --dlt <date>
|
|
|
|
Date less than.
|
|
|
|
=head2 --dlte <date>
|
|
|
|
Date less than or equal to.
|
|
|
|
=head2 --msg <message>
|
|
|
|
Messages to match.
|
|
|
|
=head2 --field <field>
|
|
|
|
The term field to use for matching them all.
|
|
|
|
=head2 --fieldv <fieldv>
|
|
|
|
The value of the term field to matching them all.
|
|
|
|
=head1 AND, OR, or NOT shortcut
|
|
|
|
, OR
|
|
+ AND
|
|
! NOT
|
|
|
|
A list seperated by any of those will be transformed
|
|
|
|
These may be used with program, facility, pid, or host.
|
|
|
|
example: --program postfix,spamd
|
|
|
|
results: postfix OR spamd
|
|
|
|
=head1 HOST AND, OR, or NOT shortcut
|
|
|
|
, OR
|
|
+ AND
|
|
! NOT
|
|
|
|
A list of hosts seperated by any of those will be transformed.
|
|
A host name should always end in a period unless it is a FQDN.
|
|
|
|
These may be used with host and src.
|
|
|
|
example: --src foo.,mail.bar.
|
|
|
|
results: /foo./ OR /mail.bar./
|
|
|
|
|
|
=head1 date
|
|
|
|
date
|
|
|
|
/^-/ appends "now" to it. So "-5m" becomes "now-5m".
|
|
|
|
/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
|
|
unix time value.
|
|
|
|
Any thing not matching maching any of the above will just be passed on.
|
|
|
|
=cut
|
|
|
|
|
|
sub search{
|
|
return '
|
|
[% USE JSON ( pretty => 1 ) %]
|
|
[% DEFAULT o.size = "50" %]
|
|
[% DEFAULT o.field = "type" %]
|
|
[% DEFAULT o.fieldv = "syslog" %]
|
|
{
|
|
"index": "logstash-*",
|
|
"body": {
|
|
"size": [% o.size.json %],
|
|
"query": {
|
|
"bool": {
|
|
"must": [
|
|
{
|
|
"term": { [% o.field.json %]: [% o.fieldv.json %] }
|
|
},
|
|
[% IF o.host %]
|
|
{"query_string": {
|
|
"default_field": "host.keyword",
|
|
"query": [% aonHost( o.host ).json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.hostx %]
|
|
{"query_string": {
|
|
"default_field": "host.keyword",
|
|
"query": [% o.host.json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.srcx %]
|
|
{"query_string": {
|
|
"default_field": "logsource.keyword",
|
|
"query": [% o.src.json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.src %]
|
|
{"query_string": {
|
|
"default_field": "logsource.keyword",
|
|
"query": [% aonHost( o.src ).json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.program %]
|
|
{"query_string": {
|
|
"default_field": "program",
|
|
"query": [% aon( o.program ).json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.facility %]
|
|
{"query_string": {
|
|
"default_field": "facility_label",
|
|
"query": [% aon( o.facility ).json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.severity %]
|
|
{"query_string": {
|
|
"default_field": "severity_label",
|
|
"query": [% aon( o.severity ).json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.pid %]
|
|
{"query_string": {
|
|
"default_field": "pid",
|
|
"query": [% aon( o.pid ).json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.msg %]
|
|
{"query_string": {
|
|
"default_field": "message",
|
|
"query": [% o.msg.json %]
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.dgt %]
|
|
{"range": {
|
|
"@timestamp": {
|
|
"gt": [% pd( o.dgt ).json %]
|
|
}
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.dgte %]
|
|
{"range": {
|
|
"@timestamp": {
|
|
"gte": [% pd( o.dgte ).json %]
|
|
}
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.dlt %]
|
|
{"range": {
|
|
"@timestamp": {
|
|
"lt": [% pd( o.dlt ).json %]
|
|
}
|
|
}
|
|
},
|
|
[% END %]
|
|
[% IF o.dlte %]
|
|
{"range": {
|
|
"@timestamp": {
|
|
"lte": [% pd( o.dlte ).json %]
|
|
}
|
|
}
|
|
},
|
|
[% END %]
|
|
]
|
|
}
|
|
},
|
|
"sort": [
|
|
{
|
|
"@timestamp": {"order" : "desc"}}
|
|
]
|
|
}
|
|
}
|
|
';
|
|
}
|
|
|
|
sub options{
|
|
return '
|
|
host=s
|
|
hostx=s
|
|
src=s
|
|
program=s
|
|
size=s
|
|
facility=s
|
|
severity=s
|
|
pid=s
|
|
dgt=s
|
|
dgte=s
|
|
dlt=s
|
|
dlte=s
|
|
msg=s
|
|
field=s
|
|
fieldv=s
|
|
srcx=s
|
|
';
|
|
}
|
|
|
|
sub output{
|
|
return '[% c("cyan") %][% f.timestamp %] [% c("bright_blue") %][% f.logsource %] '.
|
|
'[% c("bright_green") %][% f.program %][% c("bright_magenta") %][[% c("bright_yellow") %]'.
|
|
'[% f.pid %][% c("bright_magenta") %]] [% c("white") %]'.
|
|
'[% PERL %]'.
|
|
'use Term::ANSIColor;'.
|
|
'my $f=$stash->get("f");'.
|
|
|
|
'my $msg=color("white").$f->{message};'.
|
|
|
|
'my $replace=color("cyan")."<".color("bright_magenta");'.
|
|
'$msg=~s/\</$replace/g;'.
|
|
'$replace=color("cyan").">".color("white");'.
|
|
'$msg=~s/\>/$replace/g;'.
|
|
|
|
'$replace=color("bright_green")."(".color("cyan");'.
|
|
'$msg=~s/\(/$replace/g;'.
|
|
'$replace=color("bright_green").")".color("white");'.
|
|
'$msg=~s/\)/$replace/g;'.
|
|
|
|
'my $green=color("bright_green");'.
|
|
'my $white=color("white");'.
|
|
'my $yellow=color("bright_yellow");'.
|
|
'my $blue=color("bright_blue");'.
|
|
|
|
'$replace=color("bright_yellow")."\'".color("cyan");'.
|
|
'$msg=~s/\\\'([A-Za-z0-9\\.\\#\\:\\-\\/]*)\\\'/$replace$1$yellow\'$white/g;'.
|
|
|
|
'$msg=~s/([A-Za-z\_\-]+)\=/$green$1$yellow=$white/g;'.
|
|
|
|
'$msg=~s/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/$blue$1$white/g;'.
|
|
|
|
'$msg=~s/(([A-f0-9:]+:+)+[A-f0-9]+)/$blue$1$white/g;'.
|
|
|
|
'print $msg;'.
|
|
'[% END %]';
|
|
;
|
|
}
|
|
|
|
sub help{
|
|
return '
|
|
|
|
--host <log host> The syslog server.
|
|
--hostx <log host> The syslog server, raw.
|
|
--src <src server> The source server sending to the syslog server.
|
|
--srcx <src server> The source server sending to the syslog server, raw.
|
|
--program <program> The name of the daemon/program in question.
|
|
--size <count> The number of items to return.
|
|
--facility <facility> The syslog facility.
|
|
--severity <severity> The severity level of the message.
|
|
--pid <pid> The PID that sent the message.
|
|
|
|
--dgt <date> Date greater than.
|
|
--dgte <date> Date greater than or equal to.
|
|
--dlt <date> Date less than.
|
|
--dlte <date> Date less than or equal to.
|
|
|
|
--msg <message> Messages to match.
|
|
|
|
--field <field> The term field to use for matching them all.
|
|
--fieldv <fieldv> The value of the term field to matching them all.
|
|
|
|
|
|
|
|
AND, OR, or NOT shortcut
|
|
, OR
|
|
+ AND
|
|
! NOT
|
|
|
|
A list seperated by any of those will be transformed.
|
|
|
|
These may be used with program, facility, and pid.
|
|
|
|
example: --program postfix,spamd
|
|
|
|
|
|
|
|
HOST AND, OR, or NOT shortcut
|
|
, OR
|
|
+ AND
|
|
! NOT
|
|
|
|
A list of hosts seperated by any of those will be transformed.
|
|
A host name should always end in a period unless it is a FQDN.
|
|
|
|
These may be used with host and src.
|
|
|
|
example: --src foo.,mail.bar.
|
|
|
|
results: /foo./ OR /mail.bar./
|
|
|
|
|
|
|
|
field and fieldv
|
|
|
|
The search template is written with the expectation that logstash is setting
|
|
"type" with a value of "syslog". If you are using like "tag" instead of "type"
|
|
or the like, this allows you to change the field and value.
|
|
|
|
|
|
|
|
date
|
|
|
|
/^-/ appends "now" to it. So "-5m" becomes "now-5m".
|
|
|
|
/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
|
|
unix time value.
|
|
|
|
Any thing not matching maching any of the above will just be passed on.
|
|
';
|
|
|
|
|
|
}
|