1#debug: false
2name: LePresidente/grafana-logs
3filter: "evt.Parsed.program == 'grafana'"
4description: "Parse grafana logs"
5pattern_syntax:
6  GRAFANA_AUTH_WORD: (Unauthorized|Invalid|Successful)
7nodes:
8  ## Main parsing section either it key value pairs or JSON
9  - filter: TrimSpace(evt.Parsed.message) not startsWith "{" && ParseKV(evt.Parsed.message, evt.Unmarshaled, "grafana") in ["", nil]
10    statics:
11      - meta: log_format
12        value: CLF
13  - filter: evt.Unmarshaled.grafana == nil && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "grafana") in ["", nil]
14    statics:
15      - meta: log_format
16        value: JSON
17
18 ## Detect msg contans authentication attempt to parse out user info
19  - grok:
20      pattern: "%{GRAFANA_AUTH_WORD:auth_status}( username or password)?" 
21      expression: evt.Unmarshaled.grafana.msg
22    statics:
23      - meta: log_type
24        expression: 'evt.Parsed.auth_status == "Unauthorized" || evt.Parsed.auth_status == "Invalid"  ? "auth_failed" : "auth_success"'
25  
26  ## We filter to see if we have a log_type set from above, if not we detect if new log format
27  - filter: evt.Meta.log_type == ''
28    statics:
29      - meta: log_type
30        expression: 'evt.Unmarshaled.grafana.errorMessageID == "password-auth.failed" && evt.Unmarshaled.grafana.errorReason in ["Unauthorized", "Invalid"] ? "auth_failed" : "auth_success"'
31
32  ## This section is a hack to allow all grafana logs to pass to next stage, if you set onsuccess next stage at root level all successful attempts will not be passed, so we could do some impossible trave sceanrios
33  - filter: evt.Unmarshaled.grafana != nil
34    onsuccess: next_stage
35    statics:
36      - meta: service
37        value: grafana
38statics:
39    - target: evt.StrTime
40      expression: evt.Unmarshaled.grafana.t
41    - meta: source_ip
42      expression: evt.Unmarshaled.grafana.remote_addr
43