traefik-logs Log Parser

Co-authored with (https://github.com/gmelodie)

This traefik parser supports access logs in the Common Log Format (defined here for Traefik) and JSON formats.

1# co-authored with gmelodie (https://github.com/gmelodie)

2name: crowdsecurity/traefik-logs

3description: "Parse Traefik access logs"

4filter: "evt.Parsed.program startsWith 'traefik'"

5#debug: true

6onsuccess: next_stage

7pattern_syntax:

8 TRAEFIK_ROUTER: '(%{USER}@%{URIHOST}|\-)'

9 TRAEFIK_SERVER_URL: '(%{URI}|\-)'

10 NUMBER_MINUS: '[0-9-]+'

11 NGCUSTOMUSER: '[a-zA-Z0-9\.\@\-\+_%]+'

12 NGINXACCESS2: '%{IPORHOST:remote_addr} - %{NGCUSTOMUSER:remote_user} \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER_MINUS:status} %{NUMBER_MINUS:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"'

13nodes:

14 - grok: # CLF parser

15 pattern: '%{NGINXACCESS2} %{NUMBER:number_of_requests_received_since_traefik_started} "%{TRAEFIK_ROUTER:traefik_router_name}" "%{TRAEFIK_SERVER_URL:traefik_server_url}" %{NUMBER:request_duration_in_ms}ms'

16 apply_on: message

17# We must use evt.Parsed.message to make sure we respect s00 stage

18 - filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "traefik") in ["", nil]

19 statics:

20 - parsed: remote_addr

21 expression: evt.Unmarshaled.traefik.ClientHost

22 - parsed: dest_addr

23 ## Split dest_addr to get IP only as this is original functionality

24 expression: Split(evt.Unmarshaled.traefik.ClientAddr, ':')[0]

25 - parsed: request_addr

26 expression: evt.Unmarshaled.traefik.RequestAddr

27 - parsed: service_addr

28 ## Split service_addr to get IP only as this is original functionality

29 expression: "evt.Unmarshaled.traefik.ServiceAddr != nil ? Split(evt.Unmarshaled.traefik.ServiceAddr, ':')[0] : nil"

30 - parsed: http_user_agent

31 expression: evt.Unmarshaled.traefik["request_User-Agent"] ## We have to access via [] as the key contains a dash

32 - parsed: body_bytes_sent

33 ## We have to check if DownstreamContentSize is nil, as it will cause EXPR error if it is

34 expression: "evt.Unmarshaled.traefik.DownstreamContentSize != nil ? int(evt.Unmarshaled.traefik.DownstreamContentSize) : nil"

35 - parsed: request_duration_in_ms

36 expression: int(evt.Unmarshaled.traefik.Duration)

37 - parsed: traefik_router_name

38 expression: evt.Unmarshaled.traefik.RouterName

39 - parsed: time_local

40 expression: evt.Unmarshaled.traefik.time

41 - parsed: verb

42 expression: evt.Unmarshaled.traefik.RequestMethod

43 - parsed: request

44 expression: evt.Unmarshaled.traefik.RequestPath

45 - parsed: http_version

46 ## Split http_version to get version only as this is original functionality

47 expression: Split(evt.Unmarshaled.traefik.RequestProtocol, '/')[1]

48 - parsed: status

49 expression: int(evt.Unmarshaled.traefik.DownstreamStatus)

50statics:

51 - meta: service

52 value: http

53 - meta: http_status

54 expression: "evt.Parsed.status"

55 - meta: http_path

56 expression: "evt.Parsed.request"

57 - meta: user

58 expression: "evt.Parsed.remote_user"

59 - meta: source_ip

60 expression: "evt.Parsed.remote_addr"

61 - meta: http_user_agent

62 expression: "evt.Parsed.http_user_agent"

63 - meta: log_type

64 value: http_access-log

65 - target: evt.StrTime

66 expression: "evt.Parsed.time_local"

67 - meta: traefik_router_name

68 expression: "evt.Parsed.traefik_router_name"

69 - meta: http_verb

70 expression: "evt.Parsed.verb"

Hub configuration

« traefik-logs »
v1.0 by crowdsecurity
Log parser

Hub configuration

« traefik-logs »v1.0 by crowdsecurityLog parser

« traefik-logs »
v1.0 by crowdsecurity
Log parser