irt/gists
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

updated bwi.conf logstash conf

Browse Source
This commit is contained in:
Tobias Kessels
2018-08-10 16:52:21 +02:00
parent c27610ad19
commit 6644ee9ffb
1 changed files with 23 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
dockerfiles/logstash/configs/bwi.conf
View File

@@ -9,7 +9,7 @@ input {
# }
file{
type => syslog
path => "/data/*"
path => "/config/*"
start_position => "beginning"
}
}
@@ -70,25 +70,35 @@ filter {
}
geoip {
source => "mwg[dst]"
target => "mwg[dst_geo]"
}
# geoip {
# source => "mwg[src]"
# target => "mwg[src_geo]"
# }
#url aufteilen nach subdomain.domain.tld
grok {
match => { "mwg[url]" => "%{URIPROTO:mwg[urlparsed][proto]}://(?<mwg[urlparsed][subdom]>[^/]+)\.(?<mwg[urlparsed][domain]>[^/.]+)\.(?<mwg[urlparsed][tld]>[^/.]+)" }
match => { "mwg[url]" => "%{URIPROTO:mwg[parsedurl][protocol]}://(?<mwg[parsedurl][host]>[^/]+)(/(?<mwg[parsedurl][path]>[^?]+)(\?%{GREEDYDATA:mwg[parsedurl][parameters]})?)?" }
}
grok {
match => { "mwg[parsedurl][host]" => "((?<mwg[parsedurl][subdomain]>[^/]+)\.)?(?<mwg[parsedurl][domain]>[^/.]+)\.(?<mwg[parsedurl][tld]>[^/.]+)" }
}
if [mwg.parsedurl.domain] == "google"{
grok {
match => { "mwg[parsedurl][parameters]" => "(?<mwg[parsedurl][googlesearch]>q=[^&]+)" }
}
}
# mutate {
# split => { "syslog_message" => "|" }
# parsing von allen url parameter macht probleme weil zu viele
# kv {
# source => "mwg[parsedurl][parameters]"
# field_split => "&"
# target => "mwg[parsedurl][parsedparameters]"
# }
}
}
output {
elasticsearch { hosts => ["elasticsearch:9200"] }
# stdout { codec => rubydebug }
# elasticsearch {
# hosts => ["elasticsearch:9200"]
# index => "logstash-bwi-casenr"
# }
stdout { codec => rubydebug }
}