baikal-logs Log Parser

« baikal-logs »
v0.1 by andreasbrett
Log parser

Parse baikal logs

Installation

cscli parsers install andreasbrett/baikal-logs

Description

Parser for Baikal logs. Baikal does not produce dedicated logs but rather sends PHP errors into apache/nginx logs. Currently only apache error logs are supported by this parser.

---
filenames:
    - /var/log/httpd/error.log
labels:
    type: Baikal

YAML Configuration

1onsuccess: next_stage
2filter: "Upper(evt.Parsed.program) == 'BAIKAL'"
3name: andreasbrett/baikal-logs
4description: "Parse baikal logs"
5pattern_syntax:
6    BAIKAL_FAILED_AUTH: '\[%{HTTPDERROR_DATE:timestamp}\].*\[client %{IP:source_ip}:%{INT:source_port}\] AH01071: Got error ''PHP message: user %{USERNAME:username} authentication failure for Baikal'''
7    BAIKAL_FAILED_AUTH_NO_USER: '\[%{HTTPDERROR_DATE:timestamp}\].*\[client %{IP:source_ip}:%{INT:source_port}\] AH01071: Got error ''PHP message: user \(name stripped-out\) authentication failure for Baikal'''
8nodes:
9    - grok:
10          pattern: "%{BAIKAL_FAILED_AUTH}"
11          apply_on: message
12          statics:
13              - meta: log_type
14                value: baikal_failed_auth
15              - meta: username
16                expression: evt.Parsed.username
17    - grok:
18          pattern: "%{BAIKAL_FAILED_AUTH_NO_USER}"
19          apply_on: message
20          statics:
21              - meta: log_type
22                value: baikal_failed_auth_no_user
23
24statics:
25    - meta: service
26      value: baikal
27    - meta: source_ip
28      expression: "evt.Parsed.source_ip"
29    - target: evt.StrTime
30      expression: evt.Parsed.timestamp
31

Hub configuration

« baikal-logs »v0.1 by andreasbrettLog parser

« baikal-logs »
v0.1 by andreasbrett
Log parser