cri-logs Log Parser

« cri-logs »
v0.1 by crowdsecurity
Log parser

CRI logging format parser

Installation

cscli parsers install crowdsecurity/cri-logs

Description

This is the default CRI logs format parser. It works on kubernetes using containerd.

When using this parser, you need to specify in your acquis.yaml type and program. So your log will be extracted and then sent to the proper next parser using the program key.

example:

labels:
 type: containerd
 program: nginx

YAML Configuration

1filter: "evt.Line.Labels.type == 'containerd'"
2onsuccess: next_stage
3name: crowdsecurity/cri-logs
4description: CRI logging format parser
5nodes:
6  - grok:
7      pattern: "^%{TIMESTAMP_ISO8601:cri_timestamp} %{WORD:stream} %{WORD:logtag} %{GREEDYDATA:message}"
8      apply_on: Line.Raw
9statics:
10  - parsed: "logsource"
11    value: "cri"
12  - target: evt.StrTime
13    expression: evt.Parsed.cri_timestamp
14  - parsed: program
15    expression: evt.Line.Labels.program
16  - meta: datasource_path
17    expression: evt.Line.Src
18  - meta: datasource_type
19    expression: evt.Line.Module

Hub configuration

« cri-logs »v0.1 by crowdsecurityLog parser

« cri-logs »
v0.1 by crowdsecurity
Log parser