Add json parser skeleton

crowdsecurity · Oct 27, 2021 · 60ffcf5 · 60ffcf5
1 parent f45a106
commit 60ffcf5
Showing 1 changed file with 40 additions and 10 deletions.
diff --git a/parsers/s01-parse/crowdsecurity/traefik-logs.yaml b/parsers/s01-parse/crowdsecurity/traefik-logs.yaml
@@ -4,16 +4,46 @@ onsuccess: next_stage
 pattern_syntax:
   TRAEFIK_ROUTER: '(%{USER}@%{URIHOST}|\-)'
   TRAEFIK_SERVER_URL: '(%{URI}|\-)'
-  # for json just use TIMESTAMP_ISO8601
 name: crowdsecurity/traefik-logs
 description: "Parse Traefik access logs"
-#
-grok:
-  pattern: '%{NGINXACCESS} %{NUMBER:number_of_requests_received_since_traefik_started} "%{TRAEFIK_ROUTER:traefik_router_name}" "%{TRAEFIK_SERVER_URL:traefik_server_url}" %{NUMBER:request_duration_in_ms}ms'
-  apply_on: message
-# statics:
-#   - meta: log_type
-#     value: http_access-log
-#   - parsed: is_my_service
-#     value: yes
+
+
+nodes:
+  - grok: # CLF parser
+      pattern: '%{NGINXACCESS} %{NUMBER:number_of_requests_received_since_traefik_started} "%{TRAEFIK_ROUTER:traefik_router_name}" "%{TRAEFIK_SERVER_URL:traefik_server_url}" %{NUMBER:request_duration_in_ms}ms'
+      apply_on: message
+
+
+  - nodes: #JSON  parser
+    - grok:
+        pattern: '%{IPORHOST:remote_addr}'
+        expression: JsonExtract(evt.Line.Raw, "ClientAddr")
+    - grok:
+        pattern: '%{USERNAME:remote_user}'
+        expression: JsonExtract(evt.Line.Raw, "ClientUsername")
+    - grok:
+        pattern: '%{NUMBER:body_bytes_sent}'
+        expression: JsonExtract(evt.Line.Raw, "DownstreamContentSize")
+    - grok:
+        pattern: '%{NUMBER:request_duration_in_ms}'
+        expression: JsonExtract(evt.Line.Raw, "Duration")
+    - grok:
+        pattern: '%{TRAEFIK_ROUTER:traefik_router_name}'
+        expression: JsonExtract(evt.Line.Raw, "RouterName")
+    - grok:
+        pattern: '%{GREEDYDATA:timestamp}:'
+        expression: JsonExtract(evt.Line.Raw, "time")
+    - grok:
+        pattern: '%{WORD:method}:'
+        expression: JsonExtract(evt.Line.Raw, "RequestMethod")
+    - grok:
+        pattern: '%{URIPATHPARAM:request}:'
+        expression: JsonExtract(evt.Line.Raw, "RequestPath")
+    - grok:
+        pattern: 'HTTP/%{NUMBER:http_version}'
+        expression: JsonExtract(evt.Line.Raw, "RequestProtocol")
+    - grok:
+        pattern: '%{NUMBER:status}'
+        expression: JsonExtract(evt.Line.Raw, "DownstreamStatus")
+