traefik parser #41
Traefik can reverse proxy HTTP, TCP and UDP. I only use it for HTTP traffic though. Here is a sample anonymized log file for an access log in CLF format:
Here is one in json format:
Any news about this?
I'll give this one a shot! So as far as I understand this would require me to write a new pattern to filter logs (maybe two, including JSON). Should I create it only inside the parser As a reference, I'm basing myself on this traefik log documentation:
Here's a sample parser I created (only for CLF for now).

```yaml
debug: true
filter: "evt.Parsed.program startsWith 'traefik'"
onsuccess: next_stage
pattern_syntax:
  TRAEFIK_ROUTER: '%{USER}@%{URIHOST}'
  # for json just use TIMESTAMP_ISO8601
name: crowdsecurity/traefik-logs
description: "Parse Traefik access logs"
#
grok:
  pattern: '%{NGINXACCESS} %{NUMBER:number_of_requests_received_since_traefik_started} "(%{TRAEFIK_ROUTER:traefik_router_name}|\-)" "(%{URI:traefik_server_url}|\-)" %{NUMBER:request_duration_in_ms}ms'
  apply_on: message
```
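The CLF layout targeted by the grok pattern in the comment above, written out as a Python regex so it can be checked against sample lines. This is an added example, not code from the thread or from the crowdsec hub; the field names for the common-log prefix and the log lines themselves are assumptions constructed for illustration.

```python
import re

# Field order follows the grok pattern in the comment above: a common-log
# prefix, then the four Traefik-specific fields. Prefix names are assumed.
TRAEFIK_CLF = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'(?P<number_of_requests_received_since_traefik_started>\d+) '
    r'"(?P<traefik_router_name>[^"@\s]+@[^"\s]+|-)" '
    r'"(?P<traefik_server_url>[^"\s]+)" '
    r'(?P<request_duration_in_ms>\d+)ms$'
)

def parse_traefik_clf(line):
    """Return a dict of fields, or None if the line is not a Traefik CLF entry."""
    m = TRAEFIK_CLF.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    # "-" is the empty-field placeholder that the grok pattern also accepts.
    for key in ("traefik_router_name", "traefik_server_url", "remote_user"):
        if fields[key] == "-":
            fields[key] = None
    for key in ("status", "request_duration_in_ms",
                "number_of_requests_received_since_traefik_started"):
        fields[key] = int(fields[key])
    return fields

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    '192.0.2.10 - - [12/Mar/2021:10:15:32 +0000] "GET /admin HTTP/1.1" 404 19 '
    '"-" "curl/7.68.0" 42 "whoami@docker" "http://172.18.0.3:80" 3ms',
    '198.51.100.7 - - [12/Mar/2021:10:15:33 +0000] "GET /nope HTTP/1.1" 404 19 '
    '"-" "-" 43 "-" "-" 0ms',
    'time="2021-03-12T10:15:34Z" level=info msg="Configuration loaded"',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_traefik_clf(raw))
```

The third sample is an application log line rather than an access log entry; returning `None` for it mirrors a parser node that fails to match and leaves the event for another parser.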
Hello @gmelodie, it's better to add the patterns inside the parser directly; it allows for easier updates (we can just update the hub instead of forcing the user to update their crowdsec).
I am running a couple of services using docker using traefik as a reverse proxy. I would like to enable an access log for traefik and have crowdsec check those, which would help secure all services behind the reverse proxy.
afaik traefik can write the access logs in json or in CLF format
(x-post from crowdsecurity/crowdsec#343)