forked from IBM/logstash-filter-mongodb-guardium
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfilter-test-generator.conf
40 lines (35 loc) · 1.38 KB
/
filter-test-generator.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
input {
generator {
type => "syslog-mongodb"
lines => [
"<14>Feb 18 08:53:31 qa-db51 mongod: { 'atype': 'authCheck', 'ts': { '$date': '2020-01-26T08:25:10.527-0500' }, 'local': { 'ip': '127.0.0.1', 'port': 27017 }, 'remote': { 'ip': '127.0.0.1', 'port': 56470 }, 'users': [ { 'user' : 'realAdmin', 'db' : 'admin' } ], 'roles' : [ { 'role' : 'readWriteAnyDatabase', 'db' : 'admin' }, { 'role' : 'userAdminAnyDatabase', 'db' : 'admin' } ], 'param': { 'command': 'delete', 'ns': 'test.posts', 'args': { 'delete': 'posts', 'ordered': true, 'lsid': { 'id': { '$binary': '1P3A98W7QbqeDMqMdP2trA==', '$type': '04' } }, '$db': 'test', 'deletes': [ { 'q': { 'owner_id': '12345' }, 'limit': 1 } ] } }, 'result': 0 }"
]
count => 1
}
}
filter {
if [type] == "syslog-mongodb" {
grok { #TIMESTAMP_ISO8601
#SYSLOGTIMESTAMP
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:server_hostname} %{SYSLOGPROG:source_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
#json { source => "syslog_message" }
mongodb_guardium_filter {}
}
mutate { remove_field => [
"message",
"syslog_timestamp",
"source_program", "program", "syslog_pid",
"syslog_message",
"server_hostname", "host"
]
}
}
output {
if [GuardRecord] {
stdout { codec => rubydebug }
}
}