cscli parsers install yanis-kouidri/envoy-logs

This parser decodes Envoy Gateway logs in the default access log format and in JSON (when encapsulated in CRI for Kubernetes/containerd). It extracts HTTP metadata and forwards the event to crowdsecurity/http-logs and other enrichment parsers.
Then it can be processed by HTTP scenarios like the ones in the Envoy collection.
Example Log (CRI/JSON)
2023-10-27T10:00:00.000000Z stdout F {"start_time":"2023-10-27T10:00:00.000Z","method":"GET","x-envoy-origin-path":"/admin","response_code":404,"user-agent":"Mozilla/5.0...","downstream_remote_address":"1.2.3.4:5678",":authority":"example.com"}
source_ip: Client IP address.
http_path: Requested URL path.
http_verb: HTTP method (GET, POST, etc.).
http_status: Response code.
target_fqdn: Target domain.
http_user_agent: Client identifier.

The following components must be installed for this parser to work correctly:
Example of the agent section of a values.yaml to use with the CrowdSec Helm installation on Kubernetes
# Agent section of the CrowdSec Helm values.yaml: collect the Envoy Gateway pod
# logs and install the collection that ships this parser.
# containerd is the CRI runtime; the example log on this page carries the CRI
# line prefix ("<timestamp> stdout F ...") that the acquisition has to unwrap.
container_runtime: containerd
agent:
  acquisition:
    # Envoy Gateway pods. The trailing "*" is a glob on the pod name —
    # presumably to match the generated pod-name suffix; confirm it matches
    # the pods in your cluster.
    - namespace: envoy-gateway-system
      podName: envoy-envoy-gateway-system-envoy-gateway-*
      # Must stay "envoy": the parser's filter is evt.Parsed.program == 'envoy'.
      program: envoy
      # NOTE(review): polling instead of inotify for the container log files —
      # presumably needed for the CRI log path; confirm it is required here.
      poll_without_inotify: true

  env:
    # Installs the Envoy collection (parser + scenarios) at agent start.
    - name: COLLECTIONS
      value: "yanis-kouidri/envoy"
Validate:
# Validate: run the hub tests for this parser against its sample log lines.
sudo cscli hubtest run envoy-logs
Get details:
# Get details: show how each sample line of the hub test was parsed,
# stage by stage.
sudo cscli hubtest explain envoy-logs
# CrowdSec parser for Envoy Gateway access logs. One of two nodes matches a
# line: the grok node for the default Envoy text access-log format, or the
# JSON node for JSON access logs (see the example formats on this page).
# Both fill evt.Parsed.{time, raw_remote_addr, remote_addr, request, verb,
# status, http_user_agent, target_fqdn}; the trailing statics copy those into
# the evt.Meta keys consumed by crowdsecurity/http-logs and the HTTP scenarios.
# Only lines the acquisition labelled program=envoy (the `program: envoy`
# setting in the Helm values example) reach this parser.
filter: "evt.Parsed.program == 'envoy'"
onsuccess: next_stage
name: yanis-kouidri/envoy-logs
description: envoy access logs parser
nodes:
  # Default Envoy access log format:
  # https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage
  - grok:
      pattern: '\[%{DATA:time}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{DATA:response_flags} %{DATA:bytes_received} %{DATA:bytes_sent} %{DATA:duration} %{DATA:upstream_service_time} "%{DATA:x_forwarded_for}" "%{DATA:http_user_agent}" "%{DATA:request_id}" "%{DATA:target_fqdn}" "%{DATA:upstream_host}"'
      apply_on: message
      # Applied only when the pattern above matched.
      statics:
        # The X-Forwarded-For value exactly as logged, kept for reference.
        - parsed: raw_remote_addr
          expression: evt.Parsed.x_forwarded_for
        # remote_addr (and therefore Meta.source_ip) is the FIRST
        # X-Forwarded-For element, with IPv6 brackets stripped.
        # NOTE(review): the first element is whatever the client sent unless a
        # trusted proxy in front of Envoy overwrites the header, so with Envoy
        # exposed directly a client can choose which address its requests are
        # attributed to — confirm the proxy chain, and consider the right-most
        # element or the downstream address (as the JSON node uses) instead.
        # NOTE(review): Envoy's default format presumably prints "-" when the
        # header is absent; that would pass through here as remote_addr "-" —
        # verify and treat "-" like an empty value.
        - parsed: remote_addr
          expression: |
            let xff = evt.Parsed.x_forwarded_for ?? '';
            let first_ip = xff != '' ? Split(xff, ',')[0] : '';
            TrimPrefix(TrimSuffix(first_ip, "]"), "[")
  # JSON access logs. The CRI prefix seen in the example line ("<ts> stdout F ")
  # must already be gone from evt.Parsed.message — presumably the acquisition
  # strips it; confirm. UnmarshalJSON yields "" / nil on success and stores the
  # object under evt.Unmarshaled.envoy.
  - filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "envoy") in ["", nil]
    statics:
      - parsed: time
        expression: evt.Unmarshaled.envoy.start_time
      # The TCP peer as logged, e.g. "1.2.3.4:5678" in the example.
      - parsed: raw_remote_addr
        expression: evt.Unmarshaled.envoy.downstream_remote_address
      # Drop the ":port" after the last colon, then any IPv6 brackets.
      # NOTE(review): a bare IPv6 address logged without a port would lose its
      # last group here — confirm the logged form always carries a port. When a
      # proxy sits in front of Envoy this is the proxy's address, not the
      # client's.
      - parsed: remote_addr
        expression: |
          let address = evt.Unmarshaled.envoy.downstream_remote_address ?? '';
          let last_colon = lastIndexOf(address, ':');
          let addr = last_colon >= 0 ? address[:last_colon] : address;
          TrimPrefix(TrimSuffix(addr, "]"), "[")
      # Request path (Meta.http_path).
      - parsed: request
        expression: evt.Unmarshaled.envoy["x-envoy-origin-path"]
      - parsed: verb
        expression: evt.Unmarshaled.envoy.method
      # response_code is numeric in the JSON example; cast to int, nil when the
      # key is missing. NOTE(review): the grok node's %{NUMBER:status} capture
      # is a string — confirm Meta.http_status ends up in the same form for
      # both nodes.
      - parsed: status
        expression: "evt.Unmarshaled.envoy.response_code != nil ? int(evt.Unmarshaled.envoy.response_code) : nil"
      - parsed: http_user_agent
        expression: evt.Unmarshaled.envoy["user-agent"]
      # The :authority pseudo-header (Meta.target_fqdn).
      - parsed: target_fqdn
        expression: evt.Unmarshaled.envoy[":authority"]
# Applied after whichever node matched: the event timestamp plus the Meta keys
# the HTTP scenarios key on (source_ip is typically what decisions are made on,
# so its trustworthiness — see the notes above — matters most).
statics:
  - target: evt.StrTime
    expression: evt.Parsed.time
  - meta: service
    value: http
  - meta: log_type
    value: http_access-log
  - meta: source_ip
    expression: "evt.Parsed.remote_addr"
  - meta: http_path
    expression: "evt.Parsed.request"
  - meta: http_verb
    expression: "evt.Parsed.verb"
  - meta: http_status
    expression: "evt.Parsed.status"
  - meta: http_user_agent
    expression: "evt.Parsed.http_user_agent"
  - meta: target_fqdn
    expression: "evt.Parsed.target_fqdn"