-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfilter-50-httpserverconnection.conf
36 lines (36 loc) · 1.66 KB
/
filter-50-httpserverconnection.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
filter {
if [icinga][facility] == "HttpServerConnection" {
if [message] =~ /^HTTP client disconnected .+from/ {
grok {
match => ["message","HTTP client disconnected \(from \[%{IP:[client][ip]}\]:%{POSINT:[client][port]}\)"]
id => "icinga_httpclientdisconnected"
add_tag => "icinga_httpclientdisconnected"
tag_on_failure => ["_grokparsefailure","icinga_httpclientdisconnected_failed"]
add_field => {
"[icinga][eventtype]" => "http_client_disconnected"
}
}
} else if [message] =~ /^Request: GET .+, user: .+/ {
# do not use pattern USERNAME for api user, because sometimes it's just "<unauthenticated>"
grok {
match => ["message","Request: %{WORD:[http][request][method]} %{URIPATHPARAM:[icinga][apirequest]} \(from \[%{IP:[client][ip]}\]:%{POSINT:[client][port]}\), user: %{DATA:[user][name]}(, agent: %{DATA:[user_agent][original]})?"]
id => "icinga_httprequest"
add_tag => "icinga_httprequest"
tag_on_failure => ["_grokparsefailure","icinga_httprequest_failed"]
add_field => {
"[icinga][eventtype]" => "httprequest"
}
}
} else if [message] =~ /^Unauthorized request:/ {
grok {
match => ["message","Unauthorized request: %{WORD:[http][request][method]} %{URIPATHPARAM:[icinga][apirequest]}%{GREEDYDATA:[icinga][context]}"]
id => "icinga_unauthorizedrequestget"
add_tag => "icinga_unauthorizedrequestget"
tag_on_failure => ["_grokparsefailure","icinga_unauthorizedrequestget_failed"]
add_field => {
"[icinga][eventtype]" => "icinga_unauthorizedrequestget"
}
}
}
}
}