Примеры использовавшихся экстракторов
Примеры использовавшихся экстракторов
Для Beats Input (в этот вход с помощью journalbeat направляются логи systemd):
{
"extractors": [
{
"title": "Postfix: client IP address",
"extractor_type": "regex",
"converters": [],
"order": 12,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "postfix_client_ip_address",
"extractor_config": {
"regex_value": "^[A-Z0-9]{12}\\:\\ client=\\w+\\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\]"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "ssh: get user IP",
"extractor_type": "regex",
"converters": [],
"order": 1,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_user_IP",
"extractor_config": {
"regex_value": "^Accepted publickey for \\w+ from (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})"
},
"condition_type": "string",
"condition_value": "Accepted publickey for"
},
{
"title": "ocserv: get username",
"extractor_type": "regex",
"converters": [],
"order": 3,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ocserv_username",
"extractor_config": {
"regex_value": "^sec-mod: initiating session for user '(\\w+)'"
},
"condition_type": "string",
"condition_value": "sec-mod: initiating session for user"
},
{
"title": "ssh: get username",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_username",
"extractor_config": {
"regex_value": "^Accepted publickey for (\\w+) from"
},
"condition_type": "string",
"condition_value": "Accepted publickey for"
},
{
"title": "ssh: get user public key sha256",
"extractor_type": "regex",
"converters": [],
"order": 2,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_user_public_key_sha256",
"extractor_config": {
"regex_value": "^Accepted publickey for .* ssh2: \\w+ SHA256:(.*$)"
},
"condition_type": "string",
"condition_value": "Accepted publickey for"
},
{
"title": "Postfix: get message status",
"extractor_type": "regex",
"converters": [],
"order": 9,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "postfix_message_status",
"extractor_config": {
"regex_value": ", status=(\\w+) "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "Postfix: get email recipient",
"extractor_type": "regex",
"converters": [],
"order": 11,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "postfix_email_recipient",
"extractor_config": {
"regex_value": "^[A-Z0-9]{12}\\:\\ to=<(\\S+)>,\\ "
},
"condition_type": "string",
"condition_value": ": to=<"
},
{
"title": "Postfix: get message ID",
"extractor_type": "regex",
"converters": [],
"order": 8,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "postfix_queue_message_id",
"extractor_config": {
"regex_value": "^([0-9A-F]{12})\\:\\ "
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "ocserv: get session id",
"extractor_type": "regex",
"converters": [],
"order": 7,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ocserv_user_session_id",
"extractor_config": {
"regex_value": " \\(session: (.*)\\)$"
},
"condition_type": "string",
"condition_value": "(session:"
},
{
"title": "ocserv: get connection stats",
"extractor_type": "json",
"converters": [],
"order": 5,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"list_separator": ", ",
"kv_separator": "=",
"key_prefix": "ocserv_",
"key_separator": "_",
"replace_key_whitespace": false,
"key_whitespace_replacement": "_"
},
"condition_type": "string",
"condition_value": "OCServ Connections"
},
{
"title": "ocserv: get username (2)",
"extractor_type": "regex",
"converters": [],
"order": 4,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ocserv_username",
"extractor_config": {
"regex_value": "\\\\nUser: (\\w+)\\\\nRemote IP:"
},
"condition_type": "string",
"condition_value": "OCServ Connections"
},
{
"title": "ocserv: get user remote IP",
"extractor_type": "regex",
"converters": [],
"order": 6,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "oscerv_user_remote_IP",
"extractor_config": {
"regex_value": "\\\\nRemote IP: (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\\\nServer:"
},
"condition_type": "string",
"condition_value": "OCServ Connections"
},
{
"title": "Postfix: get email sender",
"extractor_type": "regex",
"converters": [],
"order": 10,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "postfix_email_sender",
"extractor_config": {
"regex_value": "^[A-Z0-9]{12}\\: from=<(\\S+)>, "
},
"condition_type": "string",
"condition_value": " from=<"
},
{
"title": "Postfix: noqueue - email sender",
"extractor_type": "regex",
"converters": [],
"order": 13,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "postfix_email_sender",
"extractor_config": {
"regex_value": "^NOQUEUE: .* from=<(\\S+)>"
},
"condition_type": "string",
"condition_value": "NOQUEUE:"
},
{
"title": "Postfix: noqueue - email recipient",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "postfix_email_recipient",
"extractor_config": {
"regex_value": "^NOQUEUE: .* to=<(\\S+)>"
},
"condition_type": "string",
"condition_value": "NOQUEUE:"
},
{
"title": "ssh: preauth failure - username",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_username",
"extractor_config": {
"regex_value": "^Connection closed by authenticating user (\\w+)"
},
"condition_type": "string",
"condition_value": "Connection closed by authenticating user"
},
{
"title": "grok pam access denied",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{WORD:pam_service}\\(%{DATA:pam_service_name}\\): Access denied for user %{USERNAME:username}: %{GREEDYDATA:pam_reason}",
"named_captures_only": true
},
"condition_type": "string",
"condition_value": "pam_"
},
{
"title": "grok failed password",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "Failed password for %{USERNAME:username} from %{IP:source_IP} port %{NUMBER} %{WORD:service_name}",
"named_captures_only": true
},
"condition_type": "string",
"condition_value": "Failed password"
}
],
"version": "4.1.10"
}