From 9665dc1040333ae813773da73212a1098ea1a4e0 Mon Sep 17 00:00:00 2001
From: Afeef Ghannam
Date: Mon, 28 Aug 2023 15:28:35 +0200
Subject: [PATCH 1/5] Remove extra space
---
 filter-10-selinux.conf | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/filter-10-selinux.conf b/filter-10-selinux.conf
index e94d606..f0e6448 100644
--- a/filter-10-selinux.conf
+++ b/filter-10-selinux.conf
@@ -2,7 +2,6 @@ filter {
 grok {
 add_tag => "selinux"
 tag_on_failure => "selinux_failure"
- match => [ "message", ": avc:%{SPACE}%{SPACE}%{DATA:[selinux][avc]} \{ %{WORD:[selinux][action]} \} for pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
- }
-}
-
+ match => [ "message", "avc:%{SPACE}%{SPACE}%{DATA:[selinux][avc]} \{ %{WORD:[selinux][action]} \} for pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
+ }
+}
\ No newline at end of file
From d468b34420147fcdfaac9f67217251eb0be5cd94 Mon Sep 17 00:00:00 2001
From: Afeef Ghannam
Date: Mon, 28 Aug 2023 15:29:31 +0200
Subject: [PATCH 2/5] Add github pipelines
---
 .github/dependabot.yml | 7 +++++++
 .github/workflows/logstash.yml | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/logstash.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..15bb5ce
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: monthly
diff --git a/.github/workflows/logstash.yml b/.github/workflows/logstash.yml
new file mode 100644
index 0000000..3cd6341
--- /dev/null
+++ b/.github/workflows/logstash.yml
@@ -0,0 +1,32 @@
+---
+name: Logstash Syntax
+on:
+ push:
+ tags:
+ - v*
+ branches:
+ - main
+ pull_request:
+ merge_group:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install gpg
+ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
+ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
+ sudo apt-get update
+ sudo apt-get install logstash
+ mkdir -p /tmp/logstash/data /tmp/logstash/logs
+
+ - name: Test with Logstash
+ run: |
+ /usr/share/logstash/bin/logstash --path.settings /etc/logstash/ --path.config '*conf' --path.data /tmp/logstash/data --path.logs /tmp/logstash/logs --config.test_and_exit
From 0e57c7be93afe767751ed55cc0b3527a4e865174 Mon Sep 17 00:00:00 2001
From: Afeef Ghannam
Date: Mon, 28 Aug 2023 16:02:21 +0200
Subject: [PATCH 3/5] Add id and event type
---
 filter-10-selinux.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/filter-10-selinux.conf b/filter-10-selinux.conf
index f0e6448..29d0732 100644
--- a/filter-10-selinux.conf
+++ b/filter-10-selinux.conf
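Review bot: The new workflow triggers on `pull_request` and `push` but declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; add `permissions:` with `contents: read` at the top level. In the "Install dependencies" step the Elastic key is piped into `apt-key add -`, which is deprecated on current Ubuntu runners and trusts that key for every apt source rather than just the Elastic one; a `signed-by=` keyring scopes it. `actions/checkout@v3` is a floating tag; since dependabot now tracks github-actions, pinning to a full commit SHA with the version as a trailing comment keeps updates reviewable without losing them. Also note that `--config.test_and_exit` only validates syntax, so a pattern that never matches real AVC lines would still pass this CI.
```yaml
permissions:
  contents: read

# … unchanged: name, on, jobs/build header, checkout step …
          sudo apt-get install gpg
          wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg
          echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
# … unchanged: second apt-get update, logstash install, test step …
```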
@@ -2,6 +2,10 @@ filter {
 grok {
 add_tag => "selinux"
 tag_on_failure => "selinux_failure"
+ id => "selinux"
 match => [ "message", "avc:%{SPACE}%{SPACE}%{DATA:[selinux][avc]} \{ %{WORD:[selinux][action]} \} for pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
+ add_field => {
+ "[selinux][eventtype]" => "selinux_avc"
+ }
 }
 }
\ No newline at end of file
From 2eccbf9263e2c7f7cdad31cb02d04db37d612759 Mon Sep 17 00:00:00 2001
From: Afeef Ghannam
Date: Mon, 28 Aug 2023 16:14:00 +0200
Subject: [PATCH 4/5] Add docs
---
 README.md | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d0d0250..5686693 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,28 @@
 # logstash-pipelines-selinux
-Logstash pipelines for SELinux logs, This Repository is in development process.
+Logstash pipelines for SELinux logs.
+
+[![CI](https://github.com/netways/selinux-logstash-pipeline/workflows/Logstash%20Syntax/badge.svg?event=push)](https://github.com/netways/selinux-logstash-pipeline/actions?query=workflow%3A%22Logstash+Syntax%22)
+
+## Input and Output ##
+
+This pipeline does not provide inputs or outputs so you can configure whatever you need. Files named `input.conf` and `output.conf` will not interfere with updates via git, so name your files accordingly.
+
+Here are examples how your files could look if you want to use a local Redis instance.
+
+```
+input {
+ redis {
+ host => localhost
+ key => "selinux"
+ data_type => list
+ }
+}
+
+output {
+ redis {
+ key => "forwarder"
+ data_type => list
+ host => localhost
+ }
+}
+```
From 60d82ab04537210b5843ea83b5a79f70eaaada30 Mon Sep 17 00:00:00 2001
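Review bot: The `match` line this hunk builds on captures both `src=%{DATA:[selinux][source]}` and `scontext=%{DATA:[selinux][source][context]}`, so any AVC record that carries `src=` (network denials, for example) would first set `[selinux][source]` to a string and then try to nest `context` under it; the event cannot hold both shapes, and the new `add_field` will not help because grok only reaches it on a successful match. Rename the flat capture so the two never collide, e.g. `src=%{DATA:[selinux][src]}`. Separately, `%{NUMBER:[selinux][pid]}` and `%{NUMBER:[selinux][permissive]}` are stored as strings; if detection rules want to alert on enforcing denials (`permissive == 0`), suffix those captures with `:int` or add a `mutate { convert => ... }` after this grok.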
From: Afeef Ghannam
Date: Mon, 28 Aug 2023 17:07:50 +0200
Subject: [PATCH 5/5] Remove space and fix last line
---
 filter-10-selinux.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/filter-10-selinux.conf b/filter-10-selinux.conf
index 29d0732..1587422 100644
--- a/filter-10-selinux.conf
+++ b/filter-10-selinux.conf
@@ -3,9 +3,9 @@ filter {
 add_tag => "selinux"
 tag_on_failure => "selinux_failure"
 id => "selinux"
- match => [ "message", "avc:%{SPACE}%{SPACE}%{DATA:[selinux][avc]} \{ %{WORD:[selinux][action]} \} for pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
+ match => [ "message", "avc:%{SPACE}%{DATA:[selinux][avc]} \{ %{WORD:[selinux][action]} \} for pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
 add_field => {
 "[selinux][eventtype]" => "selinux_avc"
 }
 }
-}
\ No newline at end of file
+}
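Review bot: The rewritten `match` still requires exactly one space in `\} for pid=`, but as far as I recall the kernel's AVC formatter emits `for  pid=` with two spaces (the ` pid=` fragment carries its own leading blank), so unless an upstream stage squashes whitespace every real record would land in `selinux_failure` and nothing would be parsed; `\} for%{SPACE}pid=` is tolerant either way, and a sample line should be checked before relying on this. With the usual two-space `avc:  denied  {` formatting, `%{SPACE}%{DATA:[selinux][avc]} \{` also captures `denied ` with a trailing space, which breaks exact-match rules downstream; `avc:%{SPACE}%{WORD:[selinux][avc]}%{SPACE}\{` yields a clean token. Also `%{WORD:[selinux][action]}` only takes one permission, whereas AVC records can list several inside the braces (e.g. `{ read write }`), so those lines would fail as well; `%{DATA:[selinux][action]}` with a later split covers that case.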