npmplus-logs Log Parser

Installation

cscli parsers install ZoeyVid/npmplus-logs

Description

A generic parser for NPMplus, supports both access and error logs.

YAML Configuration

1filter: "evt.Parsed.program startsWith 'npmplus'"
2onsuccess: next_stage
3name: ZoeyVid/npmplus-logs
4description: "Parse NPMplus access and error logs"
5pattern_syntax:
6  NPMPLUSFQDN: '%{IPORHOST}||%{DATA}'
7nodes:
8  - grok:
9      pattern: '\[%{HTTPDATE:time_local}\] %{NPMPLUSFQDN:target_fqdn} %{IPORHOST:remote_addr} %{NUMBER:request_time} "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} %{NUMBER:bytes_sent} %{NOTDQUOTE:http_referer} %{NOTDQUOTE:http_user_agent}'
10      apply_on: message
11      statics:
12        - meta: log_type
13          value: http_access-log
14        - target: evt.StrTime
15          expression: evt.Parsed.time_local
16  - grok:
17      # and this one the error log
18      pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: "%{WORD:verb} ([^/]+)?%{URIPATHPARAM:request}( HTTP/%{NUMBER:http_version})?", host: "%{IPORHOST}(:%{NONNEGINT})?"'
19      apply_on: message
20      statics:
21        - meta: log_type
22          value: http_error-log
23        - target: evt.StrTime
24          expression: evt.Parsed.time
25    pattern_syntax:
26      NO_DOUBLE_QUOTE: '[^"]+'
27    onsuccess: next_stage
28    nodes:
29      - filter: "evt.Parsed.message contains 'was not found in'"
30        pattern_syntax:
31          USER_NOT_FOUND: 'user "%{NO_DOUBLE_QUOTE:username}" was not found in "%{NO_DOUBLE_QUOTE}"'
32        grok:
33          pattern: '%{USER_NOT_FOUND}'
34          apply_on: message
35        statics:
36          - meta: sub_type
37            value: "auth_fail"
38          - meta: username
39            expression: evt.Parsed.username
40      - filter: "evt.Parsed.message contains 'password mismatch'"
41        pattern_syntax:
42          PASSWORD_MISMATCH: 'user "%{NO_DOUBLE_QUOTE:username}": password mismatch'
43        grok:
44          pattern: '%{PASSWORD_MISMATCH}'
45          apply_on: message
46        statics:
47          - meta: sub_type
48            value: "auth_fail"
49          - meta: username
50            expression: evt.Parsed.username
51      - filter: "evt.Parsed.message contains 'limiting requests, excess'"
52        statics:
53          - meta: sub_type
54            value: "req_limit_exceeded"
55  ## Parse malformed requests
56  - grok:
57      pattern: '\[%{HTTPDATE:time_local}\] %{NPMPLUSFQDN:target_fqdn} %{IPORHOST:remote_addr} %{NUMBER:request_time} "%{DATA:request}" %{NUMBER:status} %{NUMBER:body_bytes_sent} %{NUMBER:bytes_sent} %{NOTDQUOTE:http_referer} %{NOTDQUOTE:http_user_agent}'
58      apply_on: message
59    statics:
60      - meta: log_type
61        value: http_access-log
62      - target: evt.StrTime
63        expression: evt.Parsed.time_local
64    # these ones apply for both grok patterns
65statics:
66  - meta: service
67    value: http
68  - meta: source_ip
69    expression: "evt.Parsed.remote_addr"
70  - meta: http_status
71    expression: "evt.Parsed.status"
72  - meta: http_path
73    expression: "evt.Parsed.request"
74  - meta: http_verb
75    expression: "evt.Parsed.verb"
76  - meta: http_user_agent
77    expression: "evt.Parsed.http_user_agent"
78  - meta: target_fqdn
79    expression: "evt.Parsed.target_fqdn"
80

Hub configuration

« npmplus-logs »
v0.2 by ZoeyVid
Log parser

Hub configuration

« npmplus-logs »v0.2 by ZoeyVidLog parser

« npmplus-logs »
v0.2 by ZoeyVid
Log parser