kimsondrup/props.conf

## props.conf
[jfrog:misc]
SEDCMD-jfrog_removecolorcodes = s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mM|K]//g
TRANSFORMS-set_sourcetype_jfrog_service = set_sourcetype_jfrog_service

[jfrog:service]
BREAK_ONLY_BEFORE_DATE = true
category = Application
EVAL-service_type = coalesce(case(service_type == "jfrou", "jfrpg", service_type == "jfxan", "jfxana", service_type == "jfxid", "jfxidx", service_type == "jfxps", "jfxpst"), service_type)
EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
EXTRACT-timestamp,service_type,log_level,trace_id,class_line_number,thread,message = ^(?<timestamp>[^ ]+) \[\s*(?<service_type>[^\s\]]*)\s*\] \[{1,2}\s*(?<log_level>[^\s\]]*)\s*\]{1,2} \[\s*(?<trace_id>[^\s\]]*)\s*\] \[(?<class_line_number>[^\]]*?)\s*\] \[(?<thread>[^\]]*?)\s*\] (?:- )?(?s)(?<message>.*)$
LOOKUP-service_name = jfrog_services identifier AS service_type OUTPUT service_name
MAX_EVENTS = 10000
SEDCMD-jfrog_removecolorcodes = s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mM|K]//g
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT

[jfrog:request]
category = Application
EVAL-req_call_type = if(match(remote_address, "^/?127.0.0.1\b") OR (match(request_user_agent, "^(?:JFrog(?: Access (?:Go|Java) Client|-Router)|Artifactory|XrayJavaClient)/") AND match(username, "^(?:token:)*jf[a-z]{2,4}@")), "internal", "external")
EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
EVAL-user = replace(username, "^(?:token:)+", "")
EXTRACT-request_service = /(?<request_service>[a-z]+(?:-[a-z]+)*)-request.log$ in source
FIELD_NAMES = timestamp,trace_id,remote_address,username,request_method,request_url,status,request_content_length,response_content_length,request_duration,request_user_agent
INDEXED_EXTRACTIONS = PSV
LOOKUP-service_info = jfrog_services request_service OUTPUT identifier AS service_type, service_name
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT

[jfrog:router:request]
category = Web
EVAL-trace_id = substr("0000000000000000", len(mvindex(split(uber_trace_id, ":"), 0)) + 1) . mvindex(split(uber_trace_id, ":"), 0)
FIELDALIAS-uber_trace_id = request_Uber-Trace-Id ASNEW uber_trace_id
INDEXED_EXTRACTIONS = JSON
KV_MODE = none

[jfrog:artifactory:traffic]
category = Application
EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
FIELD_NAMES = datetime,trace_id,time_taken,action,remote_address,path,content_length
INDEXED_EXTRACTIONS = PSV
TIME_FORMAT = %Y%m%d%H%M%S

[jfrog:artifactory:access]
category = Application
EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
EVAL-user = if(user == "NA", null, user)
EXTRACT-timestamp,trace_id,action,action_response,action_type,message,repository,user,user_ip = ^(?<timestamp>[^ ]+) \[\s*(?<trace_id>[^\s\]]*)\s*\] \[(?<action>(?<action_response>[A-Z]+) (?<action_type>[A-Z]+)|[^\]]*)\s*\]\s+(?<message>(?:(?<repository>[-\w]+):)?.*?(?: for (?:client )?(?:: )?(?<user>[^/\s]+)?\s?/\s?(?:\[?(?<user_ip>[0-9a-fA-F][.:0-9a-fA-F]+?)\]?)?\.?)?)$
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT

[jfrog:access:security_audit]
category = Application
EVAL-performing_user_ip = if(performing_user_ip == "UNKNOWN", null, performing_user_ip)
EVAL-performing_user = if(performing_user == "UNKNOWN", null, performing_user)
EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
FIELD_NAMES = timestamp,trace_id,performing_user_ip,performing_user,loggedin_principal,entity_name,security_event_type,security_event,data_changed
INDEXED_EXTRACTIONS = PSV
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT

## x-transform.conf
[jfrog_services]
filename=jfrog_services.csv

[set_sourcetype_jfrog_service]
# %Y-%m-%dT%H:%M:%S.%QZ [service_type] [log_level] [trace_id] [class_line_number] [thread] ...
REGEX = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z (?:\[(?:[^\]]*)\] ){5}
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::jfrog:service

## y-inputs.conf
#                _   _  __           _
#     /\        | | (_)/ _|         | |
#    /  \   _ __| |_ _| |_ __ _  ___| |_ ___  _ __ _   _
#   / /\ \ | '__| __| |  _/ _` |/ __| __/ _ \| '__| | | |
#  / ____ \| |  | |_| | || (_| | (__| || (_) | |  | |_| |
# /_/    \_\_|   \__|_|_| \__,_|\___|\__\___/|_|   \__, |
#                                                   __/ |
#                                                  |___/

[monitor:///var/opt/jfrog/artifactory/log/*-request.log]
blacklist = /router-request\.log$
sourcetype = jfrog:request

[monitor:///var/opt/jfrog/artifactory/log/*-service.log]
sourcetype = jfrog:service

[monitor:///var/opt/jfrog/artifactory/log/router-request.log]
sourcetype = jfrog:router:request

[monitor:///var/opt/jfrog/artifactory/log/router-traefik.log]
sourcetype = jfrog:router:traefik

[monitor:///var/opt/jfrog/artifactory/log/artifactory-access.log]
sourcetype = jfrog:artifactory:access

[monitor:///var/opt/jfrog/artifactory/log/artifactory-traffic.*.log]
sourcetype = jfrog:artifactory:traffic

[monitor:///var/opt/jfrog/artifactory/log/access-security-audit.log]
sourcetype = jfrog:access:security_audit

[monitor:///var/opt/jfrog/artifactory/log/artifactory-*.log]
blacklist = \-(?:metrics(?:_events)?|request|service|traffic)(?:\.[.0-9]+)?\.log$
sourcetype = jfrog:misc

#       _ ______                __   __
#      | |  ____|               \ \ / /
#      | | |__ _ __ ___   __ _   \ V / _ __ __ _ _   _
#  _   | |  __| '__/ _ \ / _` |   > < | '__/ _` | | | |
# | |__| | |  | | | (_) | (_| |  / . \| | | (_| | |_| |
#  \____/|_|  |_|  \___/ \__, | /_/ \_\_|  \__,_|\__, |
#                         __/ |                   __/ |
#                        |___/                   |___/

[monitor:///var/opt/jfrog/xray/log/*-service.log]
sourcetype = jfrog:service

[monitor:///var/opt/jfrog/xray/log/xray-request.log]
sourcetype = jfrog:request

[monitor:///var/opt/jfrog/xray/log/router-request.log]
sourcetype = jfrog:router:request

[monitor:///var/opt/jfrog/xray/log/router-traefik.log]
sourcetype = jfrog:router:traefik

## z-jfrog_services.csv

          
            identifier
            request_service
            service_name

            
              jfac
              access
              Access

            
              jfdr
              
              Distributor

            
              jfds
              
              Distribution

            
              jfevt
              event
              Event

            
              jffe
              frontend
              Frontend

            
              jfiex
              insight-executor
              Insight Executor

            
              jfisc
              insight-scheduler
              Insight Scheduler

            
              jfisv
              insight-server
              Insight Server

            
              jfmc
              mc
              Mission Control

            
              jfmd
              metadata
              Metadata

            
              jfpip
              
              Pipelines

            
              jfrep
              
              Replicator

            
              jfrpg
              router
              Router

            
              jfrt
              artifactory
              Artifactory

            
              jfxana
              
              Xray Analysis

            
              jfxidx
              
              Xray Indexer

            
              jfxpst
              
              Xray Persist

            
              jfxr
              xray
              Xray
	[jfrog:misc]
	SEDCMD-jfrog_removecolorcodes = s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mM\|K]//g
	TRANSFORMS-set_sourcetype_jfrog_service = set_sourcetype_jfrog_service

	[jfrog:service]
	BREAK_ONLY_BEFORE_DATE = true
	category = Application
	EVAL-service_type = coalesce(case(service_type == "jfrou", "jfrpg", service_type == "jfxan", "jfxana", service_type == "jfxid", "jfxidx", service_type == "jfxps", "jfxpst"), service_type)
	EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
	EXTRACT-timestamp,service_type,log_level,trace_id,class_line_number,thread,message = ^(?<timestamp>[^ ]+) \[\s(?<service_type>[^\s\]])\s\] \[{1,2}\s(?<log_level>[^\s\]])\s\]{1,2} \[\s(?<trace_id>[^\s\]])\s\] \[(?<class_line_number>[^\]]?)\s\] \[(?<thread>[^\]]?)\s\] (?:- )?(?s)(?<message>.)$
	LOOKUP-service_name = jfrog_services identifier AS service_type OUTPUT service_name
	MAX_EVENTS = 10000
	SEDCMD-jfrog_removecolorcodes = s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mM\|K]//g
	SHOULD_LINEMERGE = true
	TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
	TZ = GMT

	[jfrog:request]
	category = Application
	EVAL-req_call_type = if(match(remote_address, "^/?127.0.0.1\b") OR (match(request_user_agent, "^(?:JFrog(?: Access (?:Go\|Java) Client\|-Router)\|Artifactory\|XrayJavaClient)/") AND match(username, "^(?:token:)*jf[a-z]{2,4}@")), "internal", "external")
	EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
	EVAL-user = replace(username, "^(?:token:)+", "")
	EXTRACT-request_service = /(?<request_service>[a-z]+(?:-[a-z]+)*)-request.log$ in source
	FIELD_NAMES = timestamp,trace_id,remote_address,username,request_method,request_url,status,request_content_length,response_content_length,request_duration,request_user_agent
	INDEXED_EXTRACTIONS = PSV
	LOOKUP-service_info = jfrog_services request_service OUTPUT identifier AS service_type, service_name
	TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
	TZ = GMT

	[jfrog:router:request]
	category = Web
	EVAL-trace_id = substr("0000000000000000", len(mvindex(split(uber_trace_id, ":"), 0)) + 1) . mvindex(split(uber_trace_id, ":"), 0)
	FIELDALIAS-uber_trace_id = request_Uber-Trace-Id ASNEW uber_trace_id
	INDEXED_EXTRACTIONS = JSON
	KV_MODE = none

	[jfrog:artifactory:traffic]
	category = Application
	EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
	FIELD_NAMES = datetime,trace_id,time_taken,action,remote_address,path,content_length
	INDEXED_EXTRACTIONS = PSV
	TIME_FORMAT = %Y%m%d%H%M%S

	[jfrog:artifactory:access]
	category = Application
	EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
	EVAL-user = if(user == "NA", null, user)
	EXTRACT-timestamp,trace_id,action,action_response,action_type,message,repository,user,user_ip = ^(?<timestamp>[^ ]+) \[\s(?<trace_id>[^\s\]])\s\] \[(?<action>(?<action_response>[A-Z]+) (?<action_type>[A-Z]+)\|[^\]])\s\]\s+(?<message>(?:(?<repository>[-\w]+):)?.?(?: for (?:client )?(?:: )?(?<user>[^/\s]+)?\s?/\s?(?:\[?(?<user_ip>[0-9a-fA-F][.:0-9a-fA-F]+?)\]?)?\.?)?)$
	TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
	TZ = GMT

	[jfrog:access:security_audit]
	category = Application
	EVAL-performing_user_ip = if(performing_user_ip == "UNKNOWN", null, performing_user_ip)
	EVAL-performing_user = if(performing_user == "UNKNOWN", null, performing_user)
	EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
	FIELD_NAMES = timestamp,trace_id,performing_user_ip,performing_user,loggedin_principal,entity_name,security_event_type,security_event,data_changed
	INDEXED_EXTRACTIONS = PSV
	TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
	TZ = GMT
	[jfrog_services]
	filename=jfrog_services.csv

	[set_sourcetype_jfrog_service]
	# %Y-%m-%dT%H:%M:%S.%QZ [service_type] [log_level] [trace_id] [class_line_number] [thread] ...
	REGEX = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z (?:\[(?:[^\]]*)\] ){5}
	DEST_KEY = MetaData:Sourcetype
	FORMAT = sourcetype::jfrog:service
	# _ _ __ _
	# /\ \| \| (_)/ _\| \| \|
	# / \ _ __\| \|_ _\| \|_ __ _ ___\| \|_ ___ _ __ _ _
	# / /\ \ \| '__\| __\| \| _/ _` \|/ __\| __/ _ \\| '__\| \| \| \|
	# / ____ \\| \| \| \|_\| \| \|\| (_\| \| (__\| \|\| (_) \| \| \| \|_\| \|
	# /_/ \_\_\| \__\|_\|_\| \__,_\|\___\|\__\___/\|_\| \__, \|
	# __/ \|
	# \|___/

	[monitor:///var/opt/jfrog/artifactory/log/*-request.log]
	blacklist = /router-request\.log$
	sourcetype = jfrog:request

	[monitor:///var/opt/jfrog/artifactory/log/*-service.log]
	sourcetype = jfrog:service

	[monitor:///var/opt/jfrog/artifactory/log/router-request.log]
	sourcetype = jfrog:router:request

	[monitor:///var/opt/jfrog/artifactory/log/router-traefik.log]
	sourcetype = jfrog:router:traefik

	[monitor:///var/opt/jfrog/artifactory/log/artifactory-access.log]
	sourcetype = jfrog:artifactory:access

	[monitor:///var/opt/jfrog/artifactory/log/artifactory-traffic.*.log]
	sourcetype = jfrog:artifactory:traffic

	[monitor:///var/opt/jfrog/artifactory/log/access-security-audit.log]
	sourcetype = jfrog:access:security_audit

	[monitor:///var/opt/jfrog/artifactory/log/artifactory-*.log]
	blacklist = \-(?:metrics(?:_events)?\|request\|service\|traffic)(?:\.[.0-9]+)?\.log$
	sourcetype = jfrog:misc

	# _ ______ __ __
	# \| \| ____\| \ \ / /
	# \| \| \|__ _ __ ___ __ _ \ V / _ __ __ _ _ _
	# _ \| \| __\| '__/ _ \ / _` \| > < \| '__/ _` \| \| \| \|
	# \| \|__\| \| \| \| \| \| (_) \| (_\| \| / . \\| \| \| (_\| \| \|_\| \|
	# \____/\|_\| \|_\| \___/ \__, \| /_/ \_\_\| \__,_\|\__, \|
	# __/ \| __/ \|
	# \|___/ \|___/

	[monitor:///var/opt/jfrog/xray/log/*-service.log]
	sourcetype = jfrog:service

	[monitor:///var/opt/jfrog/xray/log/xray-request.log]
	sourcetype = jfrog:request

	[monitor:///var/opt/jfrog/xray/log/router-request.log]
	sourcetype = jfrog:router:request

	[monitor:///var/opt/jfrog/xray/log/router-traefik.log]
	sourcetype = jfrog:router:traefik
identifier	request_service	service_name
jfac	access	Access
jfdr		Distributor
jfds		Distribution
jfevt	event	Event
jffe	frontend	Frontend
jfiex	insight-executor	Insight Executor
jfisc	insight-scheduler	Insight Scheduler
jfisv	insight-server	Insight Server
jfmc	mc	Mission Control
jfmd	metadata	Metadata
jfpip		Pipelines
jfrep		Replicator
jfrpg	router	Router
jfrt	artifactory	Artifactory
jfxana		Xray Analysis
jfxidx		Xray Indexer
jfxpst		Xray Persist
jfxr	xray	Xray