local dt = require "date_time"
local l = require 'lpeg'
local ip = require "ip_address"
-- Wrap the ip_address module's IPv4 matcher so that a match produces, under
-- the key "address", a table { value = <dotted quad>, representation = "ipv4" }.
local ip_address = l.Cg(
  l.Ct(l.Cg(ip.v4, "value") * l.Cg(l.Cc("ipv4"), "representation")),
  "address")
-- Add the locale character classes (l.digit, l.space, ...) used by the
-- grammar further down directly into the lpeg table.
l.locale(l)
-- Message skeleton reused by process_message() for every inject_message().
-- Assigning nil inside a table constructor stores nothing, so at load time
-- only the Fields table actually exists; the other keys merely document the
-- header slots process_message() fills in.
local msg = {
  Fields = {},        -- ip, process_pid, type, jail_name
  Timestamp = nil,
  Severity = nil,
  Hostname = nil,
  Logger = nil,
  Payload = nil,
  EnvVersion = nil,
  program = nil,
  type = nil,         -- note: process_message writes the capitalised key Type
  country_code = nil, -- never assigned anywhere in this file
}
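-- Short aliases for the LPeg constructors used below.  They are taken from
-- the local `l` returned by require 'lpeg' instead of a global `lpeg` (which
-- only exists as a side effect of some LPeg builds).  The original alias list
-- also bound S to lpeg.P and declared Ct twice; only the names actually used
-- are kept here.
local Ct, Cg, P, R = l.Ct, l.Cg, l.P, l.R
local hyphen = P("-")
local colon = P(":")
local comma = P(",")
local space = l.space

-- fail2ban actions
-- "fail2ban.actions[2552]: "  ->  Pid = 2552 (converted to a number)
local fail2ban_prefix = P("fail2ban.actions") * P("[") * Cg(R("09")^1 / tonumber, "Pid") * P("]") * colon * space
-- Log level keyword exactly as fail2ban writes it, captured as a string.
local log_level = Cg(P("WARNING") + P("ERROR") + P("INFO") + P("DEBUG"), "Level")
-- Jail name: every byte up to the closing ']'.  This is free text copied from
-- the log line and is not validated here, so consumers should treat it as
-- untrusted.
local matcher = Cg((P(1) - P"]")^1, "JailName")

-- Date stuff: "YYYY-MM-DD HH:MM:SS" as written by fail2ban
local date_fullyear = Cg(l.digit * l.digit * l.digit * l.digit, "year")
local date_month = Cg(P"0" * R"19" + "1" * R"02", "month")              -- 01..12
local date_mday = Cg(P"0" * R"19" + R"12" * R"09" + "3" * R"01", "day") -- 01..31
local time_hour = Cg(R"01" * l.digit + "2" * R"03", "hour")              -- 00..23
local time_minute = Cg(R"05" * l.digit, "min")
local time_second = Cg(R"05" * l.digit + "60", "sec") -- include leap second
-- Fractional seconds after a comma (",123").  Only the digits are converted,
-- prefixed with "." so the value is a fraction of a second (0.123).  Feeding
-- the comma into tonumber, as before, always produced nil.
local time_secfrac = Cg(comma * (l.digit^1 / function(s) return tonumber("." .. s) end), "sec_frac")
local date = date_fullyear * hyphen * date_month * hyphen * date_mday
local time = time_hour * colon * time_minute * colon * time_second
-- The matched "YYYY-MM-DD HH:MM:SS" text is captured as a string under
-- "Timestamp"; the inner year/month/... groups are not surfaced separately.
local full_time = Cg(date * space * time, "Timestamp")

-- 2015-05-30 03:16:17,123 fail2ban.actions[2552]: WARNING [repeat_offenders] Ban 88.150.187.10
-- The ",123" fraction is optional (^-1) so that lines written without it, like
-- the example that used to sit here, match as well.  Only "Ban" actions match;
-- Unban/Found lines fail the match.  The pattern is not anchored at the end, so
-- anything after the address is ignored.
local full_pattern = full_time * time_secfrac^-1 * space * fail2ban_prefix * log_level * space * P("[") * matcher * P("]") * space * P("Ban") * space * ip_address
-- Table capture: a successful match yields a table with the keys Timestamp,
-- sec_frac (if present), Pid, Level, JailName and address.  Declared local;
-- process_message() below captures it as an upvalue.
local grammar = Ct(full_pattern)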
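--- Heka sandbox entry point: parse one fail2ban "Ban" line from the incoming
-- message's Payload and inject a new message carrying the parsed pieces.
-- Returns 0 when the payload matched the grammar, -1 otherwise (lines the
-- grammar rejects, e.g. Unban/Found actions, end up here).
function process_message ()
  local payload = read_message("Payload")
  local m = grammar:match(payload)
  if not m then
    return -1
  end
  msg.program = "fail2ban"
  msg.Type = "fail2ban"
  msg.Hostname = read_message("Hostname")
  msg.Logger = read_message("Logger")
  msg.Payload = payload -- already read above; avoid a second sandbox call
  msg.EnvVersion = read_message("EnvVersion")
  -- NOTE(review): Level is the textual keyword ("WARNING", ...) and Timestamp
  -- is the raw "YYYY-MM-DD HH:MM:SS" string as captured.  The date_time module
  -- required at the top of the file is never used, so no conversion to a
  -- numeric timestamp happens here -- confirm that this is what the consumer
  -- of inject_message expects.
  msg.Severity = m.Level
  msg.Timestamp = m.Timestamp
  -- ip matched the ip_address module's v4 pattern; jail_name is free text
  -- copied from the log line and should be treated as untrusted downstream.
  msg.Fields.ip = m.address.value
  msg.Fields.process_pid = m.Pid
  msg.Fields.type = m.address.representation -- always "ipv4" with this grammar
  msg.Fields.jail_name = m.JailName
  inject_message(msg)
  return 0
end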
--- Heka timer callback.  This filter emits nothing on a timer tick, so the
-- body is intentionally empty; `ns` is unused.
function timer_event(ns) end