filter-50-jsonrpcconnection.conf
# Logstash filter for Icinga 2 log lines attributed to the JsonRpcConnection
# facility. Each branch first selects a message shape with a cheap regex on
# [message], then a grok filter extracts the API endpoint name into
# [icinga][clientendpoint] and labels the event with a tag plus
# [icinga][eventtype]. Every grok here lists "_grokparsefailure" in
# tag_on_failure alongside a branch-specific "*_failed" tag, so the default
# failure marker is kept and unparsed lines stay searchable per branch.
filter {
  # [icinga][facility] is presumably populated by an earlier filter in the
  # pipeline; nothing in this file sets it.
  if [icinga][facility] == "JsonRpcConnection" {
    if [message] =~ /API client disconnected/ {
      grok {
        # HOSTNAME restricts what is stored in clientendpoint to hostname-like
        # text; an identity that does not fit fails the match (and is tagged
        # below) rather than being copied into the field verbatim.
        match => ["message","API client disconnected for identity '%{HOSTNAME:[icinga][clientendpoint]}'"]
        id => "icinga_clientdisconnected"
        add_tag => "icinga_clientdisconnected"
        tag_on_failure => ["_grokparsefailure","icinga_clientdisconnected_failed"]
        add_field => {
          "[icinga][eventtype]" => "client_disconnected"
        }
      }
    } else if [message] =~ /No messages for identity/ {
      grok {
        # NUMBER is captured as text here (no ":int" type suffix), so
        # nomessageduration needs a cast before numeric comparison downstream
        # — TODO confirm consumers of this field.
        match => ["message","No messages for identity '%{HOSTNAME:[icinga][clientendpoint]}' have been received in the last %{NUMBER:[icinga][nomessageduration]} seconds."]
        id => "icinga_nomessagesforidentity"
        add_tag => "icinga_nomessagesforidentity"
        tag_on_failure => ["_grokparsefailure","icinga_nomessagesforidentity_failed"]
        add_field => {
          "[icinga][eventtype]" => "no_messages_for_identity"
        }
      }
    # This branch is tested before the "Received certificate request" one;
    # the literal quote right after "Received " keeps the two from overlapping,
    # so the order is safe as long as that quote stays in the regex.
    } else if [message] =~ /Received '/ {
      grok {
        # DATA is non-greedy, so messagetype stops at the first closing quote.
        match => ["message","Received '%{DATA:[icinga][messagetype]}' message from '%{HOSTNAME:[icinga][clientendpoint]}'"]
        id => "icinga_receivedmessage"
        add_tag => "icinga_receivedmessage"
        tag_on_failure => ["_grokparsefailure","icinga_receivedmessage_failed"]
        add_field => {
          "[icinga][eventtype]" => "received_message"
        }
      }
    } else if [message] =~ /Received certificate request/ {
      grok {
        # Only the "signed by our CA" wording is matched; other certificate
        # request outcomes fall through to the *_failed tag.
        match => ["message","Received certificate request for CN '%{HOSTNAME:[icinga][clientendpoint]}' signed by our CA."]
        id => "icinga_receivedcertificaterequest"
        add_tag => "icinga_receivedcertificaterequest"
        tag_on_failure => ["_grokparsefailure","icinga_receivedcertificaterequest_failed"]
        add_field => {
          "[icinga][eventtype]" => "received_certificate_request"
        }
      }
    } else if [message] =~ /The certificate for CN/ {
      grok {
        # Same as above: the pre-check is broad, the grok pattern pins the
        # exact "valid and uptodate" wording.
        match => ["message","The certificate for CN '%{HOSTNAME:[icinga][clientendpoint]}' is valid and uptodate. Skipping automated renewal."]
        id => "icinga_certificatevalidanduptodate"
        add_tag => "icinga_certificatevalidanduptodate"
        tag_on_failure => ["_grokparsefailure","icinga_certificatevalidanduptodate_failed"]
        add_field => {
          "[icinga][eventtype]" => "certificate_valid_and_uptodate"
        }
      }
    }
    # JsonRpcConnection lines matching none of the regexes above pass through
    # untouched: no tag, no eventtype.
  }
}