Last active
August 29, 2015 14:01
-
-
Save Govinda-Fichtner/8d08f49937741bcaa224 to your computer and use it in GitHub Desktop.
rules.drl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mport org.graylog2.plugin.Message | |
| import java.util.regex.Matcher | |
| import java.util.regex.Pattern | |
| /* | |
| Raw Syslog: app2 apache2: app2.kb.production.qsc.bis: 192.168.102.25 - - [13/May/2014:09:52:05 +0200] "GET /en/topic/743-where-can-i-find-mib-files-for-my-device HTTP/1.1"500 616 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36” | |
| apache2: (.*): (\d+.\d+.\d+.\d+.) (\S*) (\S*) \[(.*)\] "([A-Z]{3,10}) (.*) (.*)"(\d\d\d) (\d*) "(.*)" "(.*)" | |
| virtual host: app2.kb.production.qsc.bis | |
| ip: 192.168.102.25 | |
| user(identd): - | |
| user(apache): - | |
| finished: 13/May/2014:09:52:05 +0200 | |
| verb: GET | |
| url: /en/topic/743-where-can-i-find-mib-files-for-my-device | |
| protocol: HTTP/1.1 | |
| status_code: 500 | |
| bytes: 616 | |
| referer: - | |
| user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 | |
| */ | |
| rule "Apache2 Access Logging to Graylog" | |
| when | |
| /* m : Message( getField("facility") == "local1" ) */ | |
| m : Message( message matches ".*apache2:.*" ) | |
| then | |
| System.out.println( "[DROOL] : " + m.toString() ); | |
| String apache2_regex = "apache2: (.*): (\\d+.\\d+.\\d+.\\d+.) (\\S*) (\\S*) \\[(.*)\\] \"([A-Z]{3,10}) (.*) (.*)\"(\\d\\d\\d) (\\d*) \"(.*)\" \"(.*)”(.|\r|\n)"; | |
| Matcher matcher = Pattern.compile(apache2_regex).matcher(m.getMessage()); | |
| if (matcher.find()) { | |
| System.out.println( "[DROOL] matches : " + m.toString() ); | |
| m.addField("facility","apache2_accesslog"); | |
| m.addField("request_virtual_host",matcher.group(1)); | |
| m.addField("request_ip",matcher.group(2)); | |
| m.addField("request_user_identd",matcher.group(3)); | |
| m.addField("request_user_apache",matcher.group(4)); | |
| m.addField("request_finished",matcher.group(5)); | |
| m.addField("request_http_verb",matcher.group(6)); | |
| m.addField("request_url",matcher.group(7)); | |
| m.addField("request_protocol",matcher.group(8)); | |
| m.addField("request_http_status_code",matcher.group(9)); | |
| m.addField("request_transfered_bytes",matcher.group(10)); | |
| m.addField("request_referer",matcher.group(11)); | |
| m.addField("request_user_agent",matcher.group(12)); | |
| } | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment