Created
March 15, 2023 12:50
-
-
Save LaurenceJJones/48c314123b45b881e90cfb3d93e6db77 to your computer and use it in GitHub Desktop.
A cri-log s00 for syslog events
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter: "evt.Line.Labels.type == 'containerd' && evt.Line.Labels.program == 'syslog'" | |
| name: crowdsecurity/cri-syslogs | |
| description: CRI logging format parser for syslogs | |
| #debug: true | |
| pattern_syntax: | |
| RAW_SYSLOG_PREFIX: '^<%{NUMBER:stuff1}>%{NUMBER:stuff2} %{SYSLOGBASE2} %{DATA:program} %{NUMBER:pid}' | |
| RAW_SYSLOG_META: '\[meta sequenceId="%{NOTDQUOTE:seq_id}"\]' | |
| nodes: | |
| - grok: | |
| pattern: "^%{TIMESTAMP_ISO8601:cri_timestamp} %{WORD:stream} %{WORD:logtag} %{GREEDYDATA:message}" | |
| apply_on: Line.Raw | |
| nodes: | |
| - grok: | |
| pattern: "^%{SYSLOGLINE}" | |
| apply_on: message | |
| onsuccess: next_stage | |
| - grok: | |
| pattern: '%{RAW_SYSLOG_PREFIX} - %{RAW_SYSLOG_META} %{GREEDYDATA:message}' | |
| apply_on: message | |
| onsuccess: next_stage | |
| statics: | |
| - parsed: "logsource" | |
| value: "cri" | |
| - target: evt.StrTime | |
| expression: evt.Parsed.cri_timestamp | |
| - parsed: program | |
| expression: evt.Parsed.program | |
| - meta: datasource_path | |
| expression: evt.Line.Src | |
| - meta: datasource_type | |
| expression: evt.Line.Module |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment