Artifactory and JFrog Xray Splunk config
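# Catch-all for Artifactory logs that have no dedicated sourcetype (fed by the
# artifactory-*.log monitor stanza in inputs.conf). Events that turn out to be
# in the common service-log layout are re-typed to jfrog:service by the
# transform below; everything else stays jfrog:misc.
[jfrog:misc]
# Strip ANSI escape sequences before indexing. Final bytes kept: m/M (SGR,
# delete line) and K (erase line). The original class was [mM|K], which also
# contained a literal "|" (a character class has no alternation) and so matched
# a non-existent "ESC[...|" sequence; the stray "|" is dropped here.
SEDCMD-jfrog_removecolorcodes = s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mMK]//g
# Index-time re-sourcetyping: see [set_sourcetype_jfrog_service] in
# transforms.conf. Runs in the parsing pipeline, so it only takes effect on a
# heavy forwarder or indexer, not on a universal forwarder.
TRANSFORMS-set_sourcetype_jfrog_service = set_sourcetype_jfrog_service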
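# Service logs of every JFrog micro-service (*-service.log for Artifactory and
# Xray). Lines that do not start with a timestamp (stack traces) are merged
# into the preceding event.
[jfrog:service]
category = Application
# ---- index time ----
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
# Stack traces can run to thousands of lines; lift the merge cap well above
# the Splunk default of 256 so a trace is not split into several events.
MAX_EVENTS = 10000
# Timestamps are written as 2021-06-22T10:11:12.123Z and treated as GMT.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT
# Strip ANSI escape sequences before indexing. Final bytes kept: m/M (SGR,
# delete line) and K (erase line). The original class [mM|K] also held a
# literal "|" (a character class has no alternation); it is dropped here.
SEDCMD-jfrog_removecolorcodes = s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mMK]//g
# ---- search time ----
# Line layout:
#   <timestamp> [service_type] [log_level] [trace_id] [class:line] [thread] - message
# log_level may be wrapped in single or double brackets; "- " before the
# message is optional; message runs to the end of the (multi-line) event.
EXTRACT-timestamp,service_type,log_level,trace_id,class_line_number,thread,message = ^(?<timestamp>[^ ]+) \[\s*(?<service_type>[^\s\]]*)\s*\] \[{1,2}\s*(?<log_level>[^\s\]]*)\s*\]{1,2} \[\s*(?<trace_id>[^\s\]]*)\s*\] \[(?<class_line_number>[^\]]*?)\s*\] \[(?<thread>[^\]]*?)\s*\] (?:- )?(?s)(?<message>.*)$
# Some services log a short code; map it to the identifier used in
# jfrog_services.csv (jfrou -> jfrpg, jfxan -> jfxana, jfxid -> jfxidx,
# jfxps -> jfxpst). Unknown codes pass through unchanged.
EVAL-service_type = coalesce(case(service_type == "jfrou", "jfrpg", service_type == "jfxan", "jfxana", service_type == "jfxid", "jfxidx", service_type == "jfxps", "jfxpst"), service_type)
# Zero-pad trace_id to 16 characters so it joins with the other sourcetypes,
# which pad the same way.
EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
# Calculated fields run before lookups, so this sees the mapped service_type.
LOOKUP-service_name = jfrog_services identifier AS service_type OUTPUT service_name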
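# Per-service request logs (*-request.log): pipe-separated, no header row.
# Contains caller IP, principal, method, URL and User-Agent for every request.
[jfrog:request]
category = Application
# ---- index time: structured (PSV) extraction, done by the forwarder itself ----
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,trace_id,remote_address,username,request_method,request_url,status,request_content_length,response_content_length,request_duration,request_user_agent
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT
# ---- search time ----
# Which service wrote the file, taken from the file name
# (e.g. access-request.log -> access, insight-server-request.log -> insight-server).
EXTRACT-request_service = /(?<request_service>[a-z]+(?:-[a-z]+)*)-request.log$ in source
LOOKUP-service_info = jfrog_services request_service OUTPUT identifier AS service_type, service_name
# Heuristic classification of service-to-service traffic. "internal" means the
# caller is the IPv4 loopback (an optional leading "/" covers Java's
# InetAddress rendering), OR the User-Agent is one of JFrog's own clients AND
# the principal is a platform service account (jfxx@...). User-Agent and
# username are both supplied by the caller, so this is a noise filter for
# dashboards, not a trust decision: do not exclude "internal" events from
# security detections. IPv6 loopback (::1) is not treated as internal.
# The dots in 127.0.0.1 are escaped; the original pattern "127.0.0.1" let any
# character stand in those positions.
EVAL-req_call_type = if(match(remote_address, "^/?127\.0\.0\.1\b") OR (match(request_user_agent, "^(?:JFrog(?: Access (?:Go|Java) Client|-Router)|Artifactory|XrayJavaClient)/") AND match(username, "^(?:token:)*jf[a-z]{2,4}@")), "internal", "external")
# Strip the "token:" prefix that token-authenticated principals carry so the
# same principal has one value whether it used a password or a token.
EVAL-user = replace(username, "^(?:token:)+", "")
# The literal string "null" means no trace. Use null() (the original referenced
# a bare identifier "null", which Splunk reads as a non-existent field).
EVAL-trace_id = if(trace_id == "null", null(), substr("0000000000000000", len(trace_id) + 1) . trace_id)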
# Router access log (router-request.log): one JSON object per line.
[jfrog:router:request]
category = Web
# Parse the JSON on the forwarder and switch off search-time KV extraction so
# the fields are not extracted a second time.
INDEXED_EXTRACTIONS = JSON
KV_MODE = none
# No TIME_FORMAT / TIMESTAMP_FIELDS / TZ is set for this sourcetype: event time
# comes from Splunk's automatic timestamp detection on the JSON text. Verify
# that it picks the intended field and zone for your router version.
# The request_Uber-Trace-Id header is split on ":" and its first component
# (presumably the trace id of a Jaeger-style "trace:span:parent:flags" value)
# is zero-padded to 16 characters to line up with trace_id elsewhere.
FIELDALIAS-uber_trace_id = request_Uber-Trace-Id ASNEW uber_trace_id
EVAL-trace_id = substr("0000000000000000", len(mvindex(split(uber_trace_id, ":"), 0)) + 1) . mvindex(split(uber_trace_id, ":"), 0)
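# Artifactory traffic log (artifactory-traffic.*.log): pipe-separated, no
# header row; one line per upload/download with the client IP and repo path.
[jfrog:artifactory:traffic]
category = Application
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = datetime,trace_id,time_taken,action,remote_address,path,content_length
# Timestamps look like 20210622101112 and carry no zone. Unlike every other
# stanza no TZ is set here, so the parsing host's local zone is assumed; set
# TZ explicitly if this log is written in UTC on your deployment (verify).
TIME_FORMAT = %Y%m%d%H%M%S
# The literal string "null" means no trace. Use null() (the original referenced
# a bare identifier "null", which Splunk reads as a non-existent field).
EVAL-trace_id = if(trace_id == "null", null(), substr("0000000000000000", len(trace_id) + 1) . trace_id)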
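# Artifactory access log (artifactory-access.log): one line per access
# decision, with the user and client IP when present. Sensitive: carries
# usernames and source addresses.
[jfrog:artifactory:access]
category = Application
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT
# Line layout: <timestamp> [trace_id] [action] message
# action is split into action_response + action_type when it is two upper-case
# words. From the message: an optional "<repository>:" prefix, and a trailing
# "for [client ][: ]<user> / [<ip>]" yields user and user_ip (IPv4 or IPv6,
# optional square brackets).
EXTRACT-timestamp,trace_id,action,action_response,action_type,message,repository,user,user_ip = ^(?<timestamp>[^ ]+) \[\s*(?<trace_id>[^\s\]]*)\s*\] \[(?<action>(?<action_response>[A-Z]+) (?<action_type>[A-Z]+)|[^\]]*)\s*\]\s+(?<message>(?:(?<repository>[-\w]+):)?.*?(?: for (?:client )?(?:: )?(?<user>[^/\s]+)?\s?/\s?(?:\[?(?<user_ip>[0-9a-fA-F][.:0-9a-fA-F]+?)\]?)?\.?)?)$
# Zero-pad trace_id to 16 characters to match the other sourcetypes.
EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
# "NA" means no authenticated user. Use null() (the original referenced a bare
# identifier "null", which Splunk reads as a non-existent field).
EVAL-user = if(user == "NA", null(), user)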
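# Access service security audit log (access-security-audit.log): pipe-separated,
# no header row. Records who changed which security entity, from which IP, and
# what changed (data_changed). This is the primary source for user/permission
# change detections; keep it in an index with restricted access.
[jfrog:access:security_audit]
category = Application
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = timestamp,trace_id,performing_user_ip,performing_user,loggedin_principal,entity_name,security_event_type,security_event,data_changed
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT
# Placeholder values are mapped to null so they do not show up as real
# actors/addresses in searches. null() replaces the bare identifier "null" the
# original used, which Splunk reads as a non-existent field.
EVAL-performing_user_ip = if(performing_user_ip == "UNKNOWN", null(), performing_user_ip)
EVAL-performing_user = if(performing_user == "UNKNOWN", null(), performing_user)
EVAL-trace_id = if(trace_id == "null", null(), substr("0000000000000000", len(trace_id) + 1) . trace_id)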
# Lookup definition used by the jfrog:service and jfrog:request stanzas.
# jfrog_services.csv columns: identifier,request_service,service_name (some
# rows have an empty request_service). The CSV has to be deployed on the
# search head next to this definition; a forwarder never uses it.
[jfrog_services]
filename = jfrog_services.csv
# Index-time transform referenced by [jfrog:misc]: an event in the common
# service-log layout is re-typed to jfrog:service. Runs in the parsing
# pipeline, so it takes effect on a heavy forwarder or indexer only.
[set_sourcetype_jfrog_service]
# Match an ISO-8601 UTC timestamp followed by exactly five "[...] " groups:
#   %Y-%m-%dT%H:%M:%S.%QZ [service_type] [log_level] [trace_id] [class_line_number] [thread] ...
REGEX = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z (?:\[(?:[^\]]*)\] ){5}
FORMAT = sourcetype::jfrog:service
DEST_KEY = MetaData:Sourcetype
# ---------------------------------------------------------------------------
# Artifactory
# ---------------------------------------------------------------------------
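# inputs.conf (forwarder): Artifactory log directory.
# No "index =" is set on any stanza, so all events land in the default index.
# The access and security-audit logs carry usernames and client IPs; consider a
# dedicated index so retention and role-based access can be applied to them.
[monitor:///var/opt/jfrog/artifactory/log/*-request.log]
# router-request.log is JSON and has its own stanza below.
blacklist = /router-request\.log$
sourcetype = jfrog:request
[monitor:///var/opt/jfrog/artifactory/log/*-service.log]
sourcetype = jfrog:service
[monitor:///var/opt/jfrog/artifactory/log/router-request.log]
sourcetype = jfrog:router:request
# NOTE: props.conf in this config defines no [jfrog:router:traefik] stanza;
# these events get Splunk's automatic line breaking and timestamp detection.
[monitor:///var/opt/jfrog/artifactory/log/router-traefik.log]
sourcetype = jfrog:router:traefik
[monitor:///var/opt/jfrog/artifactory/log/artifactory-access.log]
sourcetype = jfrog:artifactory:access
[monitor:///var/opt/jfrog/artifactory/log/artifactory-traffic.*.log]
sourcetype = jfrog:artifactory:traffic
[monitor:///var/opt/jfrog/artifactory/log/access-security-audit.log]
sourcetype = jfrog:access:security_audit
# Everything else named artifactory-*.log. Files handled by the explicit
# stanzas above (and the metrics logs, which are dropped on purpose) are
# blacklisted so they are not picked up twice. The original pattern omitted
# "access", leaving artifactory-access.log matched by both this wildcard and
# its own stanza; whether Splunk resolves that by most-specific path or not,
# the explicit blacklist removes the ambiguity.
[monitor:///var/opt/jfrog/artifactory/log/artifactory-*.log]
blacklist = \-(?:access|metrics(?:_events)?|request|service|traffic)(?:\.[.0-9]+)?\.log$
sourcetype = jfrog:misc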
# ---------------------------------------------------------------------------
# JFrog Xray
# ---------------------------------------------------------------------------
# inputs.conf (forwarder): Xray log directory.
# As with the Artifactory inputs, no "index =" is set; events go to the
# default index.
[monitor:///var/opt/jfrog/xray/log/*-service.log]
sourcetype = jfrog:service
# Only xray-request.log is monitored as jfrog:request here; router-request.log
# has its own JSON stanza and no other *-request.log under xray/log is read.
[monitor:///var/opt/jfrog/xray/log/xray-request.log]
sourcetype = jfrog:request
[monitor:///var/opt/jfrog/xray/log/router-request.log]
sourcetype = jfrog:router:request
# NOTE: props.conf in this config defines no [jfrog:router:traefik] stanza;
# these events get Splunk's automatic line breaking and timestamp detection.
[monitor:///var/opt/jfrog/xray/log/router-traefik.log]
sourcetype = jfrog:router:traefik
identifier request_service service_name
jfac access Access
jfdr Distributor
jfds Distribution
jfevt event Event
jffe frontend Frontend
jfiex insight-executor Insight Executor
jfisc insight-scheduler Insight Scheduler
jfisv insight-server Insight Server
jfmc mc Mission Control
jfmd metadata Metadata
jfpip Pipelines
jfrep Replicator
jfrpg router Router
jfrt artifactory Artifactory
jfxana Xray Analysis
jfxidx Xray Indexer
jfxpst Xray Persist
jfxr xray Xray

kimsondrup commented Jun 22, 2021

A packaged Splunk app would be nicer, but to get started this will do.

props.conf           -> /opt/splunkforwarder/etc/system/local/props.conf
x-transform.conf     -> /opt/splunkforwarder/etc/system/local/transforms.conf   (note the plural: Splunk does not read "transform.conf")
y-inputs.conf        -> /opt/splunkforwarder/etc/system/local/inputs.conf
z-jfrog_services.csv -> /opt/splunkforwarder/etc/system/lookups/jfrog_services.csv

Note: these files mix forwarder, indexer and search-head settings, so copying them only to the forwarder is not enough. A universal forwarder applies INDEXED_EXTRACTIONS (and the TIME_FORMAT/TZ of those stanzas) itself, but it does not run line breaking, SEDCMD or TRANSFORMS — those must be on a heavy forwarder or the indexers. Search-time settings (EVAL-, EXTRACT-, LOOKUP-, FIELDALIAS-) and the jfrog_services lookup definition plus its CSV belong on the search head; a forwarder never uses them.
