traefik-logs Log Parser

Co-authored with (https://github.com/gmelodie)

This traefik parser supports access logs in the Common Log Format (defined here for Traefik) and JSON formats.

1# co-authored with gmelodie (https://github.com/gmelodie)

2name: crowdsecurity/traefik-logs

3description: "Parse Traefik access logs"

4filter: "evt.Parsed.program startsWith 'traefik'"

5#debug: true

6onsuccess: next_stage

7pattern_syntax:

8 TRAEFIK_ROUTER: '(%{USER}@%{URIHOST}|\-)'

9 TRAEFIK_SERVER_URL: '(%{URI}|\-)'

10 NUMBER_MINUS: '[0-9-]+'

11 NGCUSTOMUSER: '[a-zA-Z0-9\.\@\-\+_%]+'

12 NGINXACCESS2: '%{IPORHOST:remote_addr} - %{NGCUSTOMUSER:remote_user} \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER_MINUS:status} %{NUMBER_MINUS:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"'

13nodes:

14 ## CLF parser - extract fields and store full router chain in traefik_router_name (backwards compatible)

15 - grok:

16 pattern: '%{NGINXACCESS2} %{NUMBER:number_of_requests_received_since_traefik_started} "%{DATA:traefik_router_name}" "%{TRAEFIK_SERVER_URL:traefik_server_url}" %{NUMBER:request_duration_in_ms}ms'

17 apply_on: message

18 nodes:

19 ## Parse root, intermediate (if any), and leaf routers from full router chain

20 - grok:

21 pattern: '^%{TRAEFIK_ROUTER:traefik_router_name_root}(?: -> (?:%{DATA:traefik_router_intermediate} -> )?%{TRAEFIK_ROUTER:traefik_router_leaf})?$'

22 expression: evt.Parsed.traefik_router_name

23 ## JSON parser - extract fields and store full router chain in traefik_router_name (backwards compatible)

24 # We must use evt.Parsed.message to make sure we respect s00 stage

25 - filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "traefik") in ["", nil]

26 nodes:

27 ## Parse root, intermediate (if any), and leaf routers from full router chain

28 - grok:

29 pattern: '^%{TRAEFIK_ROUTER:traefik_router_name_root}?(?: -> (?:%{DATA:traefik_router_intermediate} -> )?%{TRAEFIK_ROUTER:traefik_router_leaf})?$'

30 expression: "evt.Unmarshaled.traefik.RouterName ?? ''"

31 statics:

32 - parsed: remote_addr

33 ## Split by comma and take last IP to handle proxied requests (e.g., ZScaler)

34 expression: "TrimSpace(Split(evt.Unmarshaled.traefik.ClientHost, ',')[-1])"

35 - parsed: dest_addr

36 ## Split dest_addr to get IP only as this is original functionality

37 expression: Split(evt.Unmarshaled.traefik.ClientAddr, ':')[0]

38 - parsed: request_addr

39 expression: evt.Unmarshaled.traefik.RequestAddr

40 - parsed: service_addr

41 ## Split service_addr to get IP only as this is original functionality

42 expression: "evt.Unmarshaled.traefik.ServiceAddr != nil ? Split(evt.Unmarshaled.traefik.ServiceAddr, ':')[0] : nil"

43 - parsed: http_user_agent

44 expression: evt.Unmarshaled.traefik["request_User-Agent"] ## We have to access via [] as the key contains a dash

45 - parsed: body_bytes_sent

46 ## We have to check if DownstreamContentSize is nil, as it will cause EXPR error if it is

47 expression: "evt.Unmarshaled.traefik.DownstreamContentSize != nil ? int(evt.Unmarshaled.traefik.DownstreamContentSize) : nil"

48 - parsed: request_duration_in_ms

49 expression: int(evt.Unmarshaled.traefik.Duration)

50 - parsed: traefik_router_name

51 ## Full router chain (backwards compatible)

52 expression: "evt.Unmarshaled.traefik.RouterName ?? ''"

53 - parsed: time_local

54 expression: evt.Unmarshaled.traefik.time

55 - parsed: verb

56 expression: evt.Unmarshaled.traefik.RequestMethod

57 - parsed: request

58 expression: evt.Unmarshaled.traefik.RequestPath

59 - parsed: http_version

60 ## Split http_version to get version only as this is original functionality

61 expression: Split(evt.Unmarshaled.traefik.RequestProtocol, '/')[1]

62 - parsed: status

63 expression: int(evt.Unmarshaled.traefik.DownstreamStatus)

64 - meta: target_fqdn

65 expression: "evt.Unmarshaled.traefik.RequestHost != nil ? evt.Unmarshaled.traefik.RequestHost : ''"

66statics:

67 - meta: service

68 value: http

69 - meta: http_status

70 expression: "evt.Parsed.status"

71 - meta: http_path

72 expression: "evt.Parsed.request"

73 - meta: user

74 expression: "evt.Parsed.remote_user"

75 - meta: source_ip

76 expression: "evt.Parsed.remote_addr"

77 - meta: http_user_agent

78 expression: "evt.Parsed.http_user_agent"

79 - meta: log_type

80 value: http_access-log

81 - target: evt.StrTime

82 expression: "evt.Parsed.time_local"

83 - meta: traefik_router_name_root

84 expression: "evt.Parsed.traefik_router_leaf != '' ? evt.Parsed.traefik_router_name_root : ''"

85 - meta: traefik_router_name_intermediate

86 expression: "evt.Parsed.traefik_router_intermediate"

87 - meta: traefik_router_name_leaf

88 expression: "evt.Parsed.traefik_router_leaf"

89 - meta: traefik_router_name

90 ## Full router chain (backwards compatible)

91 expression: "evt.Parsed.traefik_router_name"

92 - meta: http_verb

93 expression: "evt.Parsed.verb"

Hub configuration

« traefik-logs »
v1.5 by crowdsecurity
Log parser

Hub configuration

« traefik-logs »v1.5 by crowdsecurityLog parser

« traefik-logs »
v1.5 by crowdsecurity
Log parser