File Coverage

blib/lib/Search/ESsearcher/Templates/syslog.pm

Criterion	Covered	Total	%
statement	8	12	66.6
branch			n/a
condition			n/a
subroutine	3	7	42.8
pod	0	4	0.0
total	11	23	47.8

line	stmt	sub	pod	time	code
1					package Search::ESsearcher::Templates::syslog;
2
3	1	1		73475	use 5.006;
	1			15
4	1	1		7	use strict;
	1			2
	1			37
5	1	1		7	use warnings;
	1			3
	1			328
6
7					=head1 NAME
8
9					Search::ESsearcher::Templates::syslog - Provides syslog support for essearcher.
10
11					=head1 VERSION
12
13					Version 1.1.0
14
15					=cut
16
17					our $VERSION = '1.1.0';
18
19					=head1 LOGSTASH
20
21					This uses a logstash configuration below.
22
23					input {
24					syslog {
25					host => "10.10.10.10"
26					port => 11514
27					type => "syslog"
28					}
29					}
30
31					filter { }
32
33					output {
34					if [type] == "syslog" {
35					elasticsearch {
36					hosts => [ "127.0.0.1:9200" ]
37					}
38					}
39					}
40
41					The important bit is "type" being set to "syslog". If that is not used,
42					use the command line options field and fieldv.
43
44					=head1 Options
45
46					=head2 --host <log host>
47
48					The syslog server.
49
50					The search is done with .keyword appended to the field name.
51
52					=head2 --hostx <log host>
53
54					The syslog server.
55
56					Does not run the it through aonHost.
57
58					The search is done with .keyword appended to the field name.
59
60					=head2 --src <src server>
61
62					The source server sending to the syslog server.
63
64					The search is done with .keyword appended to the field name.
65
66					=head2 --srcx <src server>
67
68					The source server sending to the syslog server.
69
70					Does not run the it through aonHost.
71
72					The search is done with .keyword appended to the field name.
73
74					=head2 --program <program>
75
76					The name of the daemon/program in question.
77
78					=head2 --size <count>
79
80					The number of items to return.
81
82					=head2 --facility <facility>
83
84					The syslog facility.
85
86					=head2 --severity <severity>
87
88					The severity level of the message.
89
90					=head2 --pid <pid>
91
92					The PID that sent the message.
93
94					=head2 --dgt <date>
95
96					Date greater than.
97
98					=head2 --dgte <date>
99
100					Date greater than or equal to.
101
102					=head2 --dlt <date>
103
104					Date less than.
105
106					=head2 --dlte <date>
107
108					Date less than or equal to.
109
110					=head2 --msg <message>
111
112					Messages to match.
113
114					=head2 --field <field>
115
116					The term field to use for matching them all.
117
118					=head2 --fieldv <fieldv>
119
120					The value of the term field to matching them all.
121
122					=head1 AND, OR, or NOT shortcut
123
124					, OR
125					+ AND
126					! NOT
127
128					A list seperated by any of those will be transformed
129
130					These may be used with program, facility, pid, or host.
131
132					example: --program postfix,spamd
133
134					results: postfix OR spamd
135
136					=head1 HOST AND, OR, or NOT shortcut
137
138					, OR
139					+ AND
140					! NOT
141
142					A list of hosts seperated by any of those will be transformed.
143					A host name should always end in a period unless it is a FQDN.
144
145					These may be used with host and src.
146
147					example: --src foo.,mail.bar.
148
149					results: /foo./ OR /mail.bar./
150
151
152					=head1 date
153
154					date
155
156					/^-/ appends "now" to it. So "-5m" becomes "now-5m".
157
158					/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
159					unix time value.
160
161					Any thing not matching maching any of the above will just be passed on.
162
163					=cut
164
165
166					sub search{
167	0	0	0		return '
168					[% USE JSON ( pretty => 1 ) %]
169					[% DEFAULT o.size = "50" %]
170					[% DEFAULT o.field = "type" %]
171					[% DEFAULT o.fieldv = "syslog" %]
172					{
173					"index": "logstash-*",
174					"body": {
175					"size": [% o.size.json %],
176					"query": {
177					"bool": {
178					"must": [
179					{
180					"term": { [% o.field.json %]: [% o.fieldv.json %] }
181					},
182					[% IF o.host %]
183					{"query_string": {
184					"default_field": "host.keyword",
185					"query": [% aonHost( o.host ).json %]
186					}
187					},
188					[% END %]
189					[% IF o.hostx %]
190					{"query_string": {
191					"default_field": "host.keyword",
192					"query": [% o.host.json %]
193					}
194					},
195					[% END %]
196					[% IF o.srcx %]
197					{"query_string": {
198					"default_field": "logsource.keyword",
199					"query": [% o.src.json %]
200					}
201					},
202					[% END %]
203					[% IF o.src %]
204					{"query_string": {
205					"default_field": "logsource.keyword",
206					"query": [% aonHost( o.src ).json %]
207					}
208					},
209					[% END %]
210					[% IF o.program %]
211					{"query_string": {
212					"default_field": "program",
213					"query": [% aon( o.program ).json %]
214					}
215					},
216					[% END %]
217					[% IF o.facility %]
218					{"query_string": {
219					"default_field": "facility_label",
220					"query": [% aon( o.facility ).json %]
221					}
222					},
223					[% END %]
224					[% IF o.severity %]
225					{"query_string": {
226					"default_field": "severity_label",
227					"query": [% aon( o.severity ).json %]
228					}
229					},
230					[% END %]
231					[% IF o.pid %]
232					{"query_string": {
233					"default_field": "pid",
234					"query": [% aon( o.pid ).json %]
235					}
236					},
237					[% END %]
238					[% IF o.msg %]
239					{"query_string": {
240					"default_field": "message",
241					"query": [% o.msg.json %]
242					}
243					},
244					[% END %]
245					[% IF o.dgt %]
246					{"range": {
247					"@timestamp": {
248					"gt": [% pd( o.dgt ).json %]
249					}
250					}
251					},
252					[% END %]
253					[% IF o.dgte %]
254					{"range": {
255					"@timestamp": {
256					"gte": [% pd( o.dgte ).json %]
257					}
258					}
259					},
260					[% END %]
261					[% IF o.dlt %]
262					{"range": {
263					"@timestamp": {
264					"lt": [% pd( o.dlt ).json %]
265					}
266					}
267					},
268					[% END %]
269					[% IF o.dlte %]
270					{"range": {
271					"@timestamp": {
272					"lte": [% pd( o.dlte ).json %]
273					}
274					}
275					},
276					[% END %]
277					]
278					}
279					},
280					"sort": [
281					{
282					"@timestamp": {"order" : "desc"}}
283					]
284					}
285					}
286					';
287					}
288
289					sub options{
290	0	0	0		return '
291					host=s
292					hostx=s
293					src=s
294					program=s
295					size=s
296					facility=s
297					severity=s
298					pid=s
299					dgt=s
300					dgte=s
301					dlt=s
302					dlte=s
303					msg=s
304					field=s
305					fieldv=s
306					srcx=s
307					';
308					}
309
310					sub output{
311	0	0	0		return '[% c("cyan") %][% f.timestamp %] [% c("bright_blue") %][% f.logsource %] '.
312					'[% c("bright_green") %][% f.program %][% c("bright_magenta") %][[% c("bright_yellow") %]'.
313					'[% f.pid %][% c("bright_magenta") %]] [% c("white") %]'.
314					'[% PERL %]'.
315					'use Term::ANSIColor;'.
316					'my $f=$stash->get("f");'.
317
318					'my $msg=color("white").$f->{message};'.
319
320					'my $replace=color("cyan")."<".color("bright_magenta");'.
321					'$msg=~s/\</$replace/g;'.
322					'$replace=color("cyan").">".color("white");'.
323					'$msg=~s/\>/$replace/g;'.
324
325					'$replace=color("bright_green")."(".color("cyan");'.
326					'$msg=~s/\(/$replace/g;'.
327					'$replace=color("bright_green").")".color("white");'.
328					'$msg=~s/\)/$replace/g;'.
329
330					'my $green=color("bright_green");'.
331					'my $white=color("white");'.
332					'my $yellow=color("bright_yellow");'.
333					'my $blue=color("bright_blue");'.
334
335					'$replace=color("bright_yellow")."\'".color("cyan");'.
336					'$msg=~s/\\\'([A-Za-z0-9\\.\\#\\:\\-\\/]*)\\\'/$replace$1$yellow\'$white/g;'.
337
338					'$msg=~s/([A-Za-z\_\-]+)\=/$green$1$yellow=$white/g;'.
339
340					'$msg=~s/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/$blue$1$white/g;'.
341
342					'$msg=~s/(([A-f0-9:]+:+)+[A-f0-9]+)/$blue$1$white/g;'.
343
344					'print $msg;'.
345					'[% END %]';
346					;
347					}
348
349					sub help{
350	0	0	0		return '
351
352					--host <log host> The syslog server.
353					--hostx <log host> The syslog server, raw.
354					--src <src server> The source server sending to the syslog server.
355					--srcx <src server> The source server sending to the syslog server, raw.
356					--program <program> The name of the daemon/program in question.
357					--size <count> The number of items to return.
358					--facility <facility> The syslog facility.
359					--severity <severity> The severity level of the message.
360					--pid <pid> The PID that sent the message.
361
362					--dgt <date> Date greater than.
363					--dgte <date> Date greater than or equal to.
364					--dlt <date> Date less than.
365					--dlte <date> Date less than or equal to.
366
367					--msg <message> Messages to match.
368
369					--field <field> The term field to use for matching them all.
370					--fieldv <fieldv> The value of the term field to matching them all.
371
372
373
374					AND, OR, or NOT shortcut
375					, OR
376					+ AND
377					! NOT
378
379					A list seperated by any of those will be transformed.
380
381					These may be used with program, facility, and pid.
382
383					example: --program postfix,spamd
384
385
386
387					HOST AND, OR, or NOT shortcut
388					, OR
389					+ AND
390					! NOT
391
392					A list of hosts seperated by any of those will be transformed.
393					A host name should always end in a period unless it is a FQDN.
394
395					These may be used with host and src.
396
397					example: --src foo.,mail.bar.
398
399					results: /foo./ OR /mail.bar./
400
401
402
403					field and fieldv
404
405					The search template is written with the expectation that logstash is setting
406					"type" with a value of "syslog". If you are using like "tag" instead of "type"
407					or the like, this allows you to change the field and value.
408
409
410
411					date
412
413					/^-/ appends "now" to it. So "-5m" becomes "now-5m".
414
415					/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
416					unix time value.
417
418					Any thing not matching maching any of the above will just be passed on.
419					';
420
421
422					}