-
-
Save alxarch/e87e15b04ab2bcb0d9739d7f3a36b096 to your computer and use it in GitHub Desktop.
JSON Schema for Panther schema files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"$schema": "http://json-schema.org/draft-07/schema#", | |
"title": "Panther log schema", | |
"$id": "https://runpanther.io/schemas/logspec/v0", | |
"$ref": "#/definitions/schemaSpec", | |
"definitions": { | |
"schemaSpec": { | |
"type": "object", | |
"properties": { | |
"version": { | |
"const": 0 | |
}, | |
"schema": { | |
"type": "string", | |
"minLength": 3, | |
"pattern": "^[A-Z][A-Za-z0-9]+(\\.[A-Z][A-Za-z0-9]+)*$" | |
}, | |
"description": { | |
"type": "string" | |
}, | |
"referenceURL": { | |
"type": "string", | |
"format": "uri" | |
}, | |
"parser": { | |
"type": "object", | |
"maxProperties": 1, | |
"minProperties": 1, | |
"properties": { | |
"csv": { | |
"oneOf": [ | |
{ | |
"$ref": "#/definitions/parserCSVWithHeader" | |
}, | |
{ | |
"$ref": "#/definitions/parserCSVWithoutHeader" | |
} | |
] | |
}, | |
"fastmatch": { | |
"$ref": "#/definitions/parserFastMatch" | |
}, | |
"regex": { | |
"$ref": "#/definitions/parserRegexMatch" | |
}, | |
"native": { | |
"$ref": "#/definitions/parserNative" | |
} | |
} | |
}, | |
"fields": { | |
"$ref": "#/definitions/objectFields" | |
}, | |
"definitions": { | |
"type": "object", | |
"patternProperties": { | |
"^[A-Z][A-Za-z0-9]+$": { | |
"$ref": "#/definitions/valueSpec" | |
} | |
}, | |
"additionalProperties": false | |
} | |
}, | |
"required": ["version", "fields"] | |
}, | |
"objectFields": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"$ref": "#/definitions/fieldSpec" | |
} | |
}, | |
"fieldSpec": { | |
"allOf": [ | |
{ | |
"type": "object", | |
"properties": { | |
"name": { | |
"$ref": "#/definitions/nameSpec" | |
}, | |
"required": { | |
"type": "boolean" | |
}, | |
"type": { | |
"$ref": "#/definitions/typeSpec" | |
}, | |
"description": { | |
"type": "string" | |
} | |
}, | |
"required": ["name", "type"] | |
}, | |
{ | |
"$ref": "#/definitions/valueSpec" | |
} | |
] | |
}, | |
"nameSpec": { | |
"type": "string", | |
"pattern": "^[A-Za-z_!#%&',/=@\\$\\*\\+\\\\`~]+.*" | |
}, | |
"valueSpec": { | |
"oneOf": [ | |
{ | |
"$ref": "#/definitions/stringSpec" | |
}, | |
{ | |
"$ref": "#/definitions/objectSpec" | |
}, | |
{ | |
"$ref": "#/definitions/arraySpec" | |
}, | |
{ | |
"$ref": "#/definitions/jsonSpec" | |
}, | |
{ | |
"$ref": "#/definitions/scalarSpec" | |
}, | |
{ | |
"$ref": "#/definitions/timeSpec" | |
}, | |
{ | |
"$ref": "#/definitions/refSpec" | |
} | |
] | |
}, | |
"typeSpec": { | |
"type": "string", | |
"enum": [ | |
"string", | |
"object", | |
"array", | |
"json", | |
"int", | |
"float", | |
"smallint", | |
"bigint", | |
"boolean", | |
"timestamp", | |
"ref" | |
] | |
}, | |
"objectSpec": { | |
"type": "object", | |
"properties": { | |
"type": { | |
"const": "object" | |
}, | |
"fields": { | |
"$ref": "#/definitions/objectFields" | |
}, | |
"isEmbeddedJSON": { | |
"$comment": "Parse string values as embedded JSON", | |
"type": "boolean" | |
} | |
}, | |
"required": ["type", "fields"] | |
}, | |
"arraySpec": { | |
"type": "object", | |
"properties": { | |
"type": { | |
"const": "array" | |
}, | |
"element": { | |
"$ref": "#/definitions/valueSpec" | |
}, | |
"isEmbeddedJSON": { | |
"$comment": "Parse string values as embedded JSON", | |
"type": "boolean" | |
} | |
}, | |
"required": ["type", "element"] | |
}, | |
"jsonSpec": { | |
"type": "object", | |
"required": ["type"], | |
"properties": { | |
"type": { | |
"const": "json" | |
} | |
}, | |
"isEmbeddedJSON": { | |
"$comment": "Parse string values as embedded JSON", | |
"type": "boolean" | |
} | |
}, | |
"scalarSpec": { | |
"type": "object", | |
"properties": { | |
"type": { | |
"type": "string", | |
"enum": ["int", "float", "bigint", "smallint", "boolean"] | |
} | |
}, | |
"required": ["type"] | |
}, | |
"validateSpec": { | |
"oneOf": [ | |
{ | |
"type": "object", | |
"required": ["allow"], | |
"properties": { | |
"allow": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string", | |
"minLength": 1 | |
} | |
} | |
} | |
}, | |
{ | |
"type": "object", | |
"required": ["deny"], | |
"properties": { | |
"deny": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string", | |
"minLength": 1 | |
} | |
} | |
} | |
} | |
] | |
}, | |
"stringSpec": { | |
"type": "object", | |
"required": ["type"], | |
"properties": { | |
"type": { | |
"const": "string" | |
}, | |
"indicators": { | |
"type": "array", | |
"minLength": 1, | |
"items": { | |
"$ref": "#/definitions/indicator" | |
} | |
}, | |
"validate": { | |
"$ref": "#/definitions/validateSpec" | |
} | |
} | |
}, | |
"indicator": { | |
"type": "string", | |
"enum": [ | |
"ip", | |
"domain", | |
"hostname", | |
"url", | |
"md5", | |
"sha1", | |
"sha256", | |
"aws_arn", | |
"aws_account_id", | |
"aws_instance_id", | |
"aws_tag", | |
"trace_id", | |
"username", | |
"email", | |
"net_addr" | |
] | |
}, | |
"timeSpec": { | |
"type": "object", | |
"properties": { | |
"type": { | |
"const": "timestamp" | |
}, | |
"isEventTime": { | |
"type": "boolean" | |
}, | |
"timeFormat": { | |
"oneOf": [ | |
{ | |
"type": "string", | |
"title": "Built-in timestamp format", | |
"description": "Common timestamp formats", | |
"enum": ["rfc3339", "unix", "unix_ms", "unix_us", "unix_ns", "cloudflare"] | |
}, | |
{ | |
"type": "string", | |
"title": "Custom timestamp format", | |
"description": "A custom time format in strftime notation", | |
"pattern": "%[aAbBcCdfHIjmMpSUwWxyYzZ]" | |
}, | |
{ | |
"type": "string", | |
"title": "Go layout timestamp format", | |
"description": "A custom time format in go layout notation", | |
"pattern": "^layout=" | |
} | |
] | |
} | |
}, | |
"required": ["type", "timeFormat"] | |
}, | |
"refSpec": { | |
"type": "object", | |
"properties": { | |
"type": { | |
"const": "ref" | |
}, | |
"target": { | |
"type": "string", | |
"minLength": 1 | |
} | |
}, | |
"required": ["target", "type"] | |
}, | |
"parserCSVWithHeader": { | |
"type": "object", | |
"required": ["hasHeader"], | |
"properties": { | |
"hasHeader": { | |
"const": true | |
}, | |
"delimiter": { | |
"type": "string", | |
"enum": [",", "\t", " "], | |
"default": "," | |
}, | |
"columns": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string", | |
"minLength": 1 | |
} | |
}, | |
"skipPrefix": { | |
"type": "string", | |
"minLength": 1 | |
}, | |
"emptyValues": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string" | |
} | |
}, | |
"trimSpace": { | |
"type": "boolean" | |
}, | |
"expandFields": { | |
"$ref": "#/definitions/textParserExpandFields" | |
} | |
} | |
}, | |
"parserCSVWithoutHeader": { | |
"type": "object", | |
"required": ["columns"], | |
"properties": { | |
"delimiter": { | |
"type": "string", | |
"enum": [",", "\t", " "], | |
"default": "," | |
}, | |
"hasHeader": { | |
"const": false | |
}, | |
"columns": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string", | |
"minLength": 1 | |
} | |
}, | |
"skipPrefix": { | |
"type": "string", | |
"minLength": 1 | |
}, | |
"emptyValues": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string" | |
} | |
}, | |
"trimSpace": { | |
"type": "boolean" | |
}, | |
"expandFields": { | |
"$ref": "#/definitions/textParserExpandFields" | |
} | |
} | |
}, | |
"parserFastMatch": { | |
"type": "object", | |
"required": ["match"], | |
"properties": { | |
"match": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"$ref": "#/definitions/fastmatchPattern" | |
} | |
}, | |
"skipPrefix": { | |
"type": "string", | |
"minLength": 1 | |
}, | |
"emptyValues": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string", | |
"minLength": 1 | |
} | |
}, | |
"trimSpace": { | |
"type": "boolean" | |
}, | |
"expandFields": { | |
"$ref": "#/definitions/textParserExpandFields" | |
} | |
} | |
}, | |
"parserNative": { | |
"required": ["name"], | |
"properties": { | |
"name": { | |
"type": "string" | |
} | |
} | |
}, | |
"parserRegexMatch": { | |
"type": "object", | |
"required": ["match"], | |
"properties": { | |
"patternDefintions": { | |
"type": "object", | |
"patternProperties": { | |
"^[A-Z][A-Z0-9_]*$": { | |
"type": "string", | |
"minLength": 1 | |
} | |
}, | |
"additionalProperties": false | |
}, | |
"match": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string" | |
} | |
}, | |
"skipPrefix": { | |
"type": "string", | |
"minLength": 1 | |
}, | |
"emptyValues": { | |
"type": "array", | |
"minItems": 1, | |
"items": { | |
"type": "string" | |
} | |
}, | |
"trimSpace": { | |
"type": "boolean" | |
}, | |
"expandFields": { | |
"$ref": "#/definitions/textParserExpandFields" | |
} | |
} | |
}, | |
"textParserExpandFields": { | |
"type": "object", | |
"additionalProperties": { | |
"type": "string" | |
} | |
}, | |
"fastmatchPattern": { | |
"allOf": [ | |
{ | |
"type": "string", | |
"minLength": 4 | |
}, | |
{ | |
"type": "string", | |
"title": "Pattern with placeholder", | |
"$comment": "Must contain at least one placeholder", | |
"pattern": "%{\\s*[^}]+\\s*\\}" | |
}, | |
{ | |
"type": "string", | |
"title": "Pattern without newlines", | |
"$comment": "Only allow newline at the end", | |
"pattern": "^[^\\n]+\\n?$" | |
} | |
] | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment