-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathlogstash.conf
82 lines (79 loc) · 2.57 KB
/
logstash.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
input {
file {
discover_interval => 1
path => [ "/ezproxy/ezproxy*.res" ]
sincedb_path => "/ezproxy/ezproxylog/.sincedb"
start_position => "beginning"
type => "ezproxylog"
}
}
filter {
grok {
pattern => "%{IP:request_client_ip} %{HOST:request_client_host} %{WORD:request_client_session} %{WORD:user_name}-%{WORD:patron_id}-%{WORD:patron_type}-%{WORD:stat_class} \[%{HTTPDATE:request_timestamp}\] %{QUOTEDSTRING:request_raw} %{NUMBER:response_http} %{NUMBER:response_bytes} \"%{DATA:requested_uri}\""
type => "ezproxylog"
}
#Drop if the user has no session
if [request_client_session] !~ /.+/ {
drop {}
}
date {
# Try to set the @timestamp field from the 'request_timestamp' field (parsed above with
# grok).
match => [ "request_timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
type => "ezproxylog"
}
geoip {
# Try to get GeoIP lookup using value from the 'request_client_ip' field (parsed above with
# grok).
source => "request_client_ip"
type => "ezproxylog"
}
grok {
# Add field requested_host to the output, matching on URIHOST from requested_uri field.
match => [ "requested_uri", "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:requested_host})?(?:%{URIPATHPARAM})?" ]
type => "ezproxylog"
}
#Only check espace if username exists and doesnt start with 's'
if [user_name] and [user_name] != "" and [user_name] !~ /^s.*$/ {
elasticsearch {
hosts => ["elasticsearch"]
fail_on_error => "false"
query => "type:espace AND aut_org_username:%{[user_name]}"
fields => {
"aut_org_desc" => "aut_org_desc"
"aut_pos_title" => "aut_pos_title"
"aut_aou" => "aut_aou"
"aut_class_lev1" => "aut_class_lev1"
}
add_tag => [ "espace_username_matches" ]
}
}
#Only check sinet if username starts with 's'
if [user_name] and [user_name] =~ /^s.*$/ {
elasticsearch {
hosts => ["elasticsearch"]
fail_on_error => "false"
query => "type:sinet AND s_username:%{[user_name]}"
fields => {
"s_subject_full" => "s_subject_full"
"s_subject" => "s_subject"
"s_catalog_nbr" => "s_catalog_nbr"
"s_descr" => "s_descr"
"s_acad_group" => "s_acad_group"
"s_acad_org" => "s_acad_org"
"s_acad_org_desc" => "s_acad_org_desc"
"s_acad_group_desc" => "s_acad_group_desc"
}
add_tag => [ "sinet_username_matches" ]
}
}
}
output {
elasticsearch {
host => "elasticsearch"
port => 9200
protocol => "http"
embedded => false
index_type => "ezproxylog"
}
}