Artifactory and JFrog Xray Splunk config
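# Catch-all sourcetype for the artifactory-*.log files that inputs.conf does not
# route to a dedicated sourcetype. Index-time only: strip ANSI colour codes, then
# hand any event that already has the service-log layout over to jfrog:service
# via the set_sourcetype_jfrog_service transform.
[jfrog:misc]
# Strip any CSI escape sequence: ESC "[" <digits/semicolons> <final letter>.
# The previous pattern accepted at most two numeric parameters and a final byte
# from "[mM|K]" (the "|" is a literal inside a character class, not alternation),
# so e.g. 256-colour sequences such as ESC[38;5;208m were left in _raw and could
# break the anchored transform regex below.
SEDCMD-jfrog_removecolorcodes = s/\x1B\[[0-9;]*[A-Za-z]//g
# Re-sourcetype lines that start with the service-log layout.
# NOTE(review): the transform regex is anchored at ^ and expects the timestamp
# first; confirm for your Splunk version that SEDCMD is applied before
# TRANSFORMS, otherwise a colour code at the start of a line defeats the match.
TRANSFORMS-set_sourcetype_jfrog_service = set_sourcetype_jfrog_service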
# Multi-line service logs of every JFrog microservice (artifactory-service.log,
# xray-*-service.log, ...). Also the destination sourcetype of the
# set_sourcetype_jfrog_service transform applied to jfrog:misc events.
#
# Index-time keys (parsing tier): BREAK_ONLY_BEFORE_DATE, MAX_EVENTS, SEDCMD,
# SHOULD_LINEMERGE, TIME_FORMAT, TZ.
# Search-time keys (search head):  EVAL-*, EXTRACT-*, LOOKUP-*.
[jfrog:service]
# Continuation lines (stack traces) carry no timestamp; merge them into the
# preceding event instead of indexing them as events of their own.
BREAK_ONLY_BEFORE_DATE = true
category = Application
# The service log labels a few services differently from the identifiers in
# jfrog_services.csv (router is logged as "jfrou", the Xray workers as
# jfxan/jfxid/jfxps). Normalise those so LOOKUP-service_name can resolve them;
# every other value passes through unchanged via coalesce().
EVAL-service_type = coalesce(case(service_type == "jfrou", "jfrpg", service_type == "jfxan", "jfxana", service_type == "jfxid", "jfxidx", service_type == "jfxps", "jfxpst"), service_type)
# Left-pad trace_id with zeros to 16 characters so it joins with the padded
# trace_id the other sourcetypes derive (jfrog:router:request pads the first
# segment of Uber-Trace-Id the same way). Unlike jfrog:request there is no
# "null" sentinel handling here — NOTE(review): confirm the service log never
# writes a literal "null" trace id.
EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
# Line layout: <timestamp> [service] [level] [trace] [class:line] [thread] - <message>
# Each bracketed field may be padded with spaces; the level may be wrapped in
# one or two brackets. (?s) lets <message> span the merged continuation lines.
# Everything before <message> is produced by the logging framework; only the
# message can carry client-influenced text (repository keys, paths), and the
# anchored layout keeps that text out of the other captures.
EXTRACT-timestamp,service_type,log_level,trace_id,class_line_number,thread,message = ^(?<timestamp>[^ ]+) \[\s*(?<service_type>[^\s\]]*)\s*\] \[{1,2}\s*(?<log_level>[^\s\]]*)\s*\]{1,2} \[\s*(?<trace_id>[^\s\]]*)\s*\] \[(?<class_line_number>[^\]]*?)\s*\] \[(?<thread>[^\]]*?)\s*\] (?:- )?(?s)(?<message>.*)$
# Resolve the display name from the normalised identifier; relies on Splunk
# applying calculated fields (EVAL-*) before automatic lookups (LOOKUP-*).
LOOKUP-service_name = jfrog_services identifier AS service_type OUTPUT service_name
# Upper bound on lines merged into one event; well above Splunk's default so
# long stack traces stay intact. It is also the cap on how much a run of
# timestamp-less lines (e.g. a multi-line value echoed into the log) can append
# to the preceding event, so do not raise it further without a reason.
MAX_EVENTS = 10000
# Strip ANSI colour codes. This pattern only handles sequences with up to two
# numeric parameters; see the jfrog:misc stanza for the general form.
SEDCMD-jfrog_removecolorcodes = s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mM|K]//g
SHOULD_LINEMERGE = true
# e.g. 2021-07-12T11:02:00.123Z — %Q is milliseconds, the trailing Z is literal.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
# The Z means the timestamp is UTC; pin TZ so the forwarder's local zone is
# never applied.
TZ = GMT
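# Per-request log written by every JFrog service (artifactory-request.log,
# access-request.log, xray-request.log, ...). Pipe-separated, one event per
# line. The router's request log is JSON and has its own sourcetype.
#
# Index-time keys (universal forwarder / parsing tier): FIELD_NAMES,
# INDEXED_EXTRACTIONS, TIME_FORMAT, TZ.
# Search-time keys (search head): EVAL-*, EXTRACT-*, LOOKUP-*.
[jfrog:request]
category = Application
# Classify the caller: "internal" when the request came from the loopback
# address (Java-style "/127.0.0.1", IPv6 "::1" or "0:0:0:0:0:0:0:1") or when a
# JFrog client user agent is combined with a service-account style username
# (jfrt@..., jfxr@..., optionally prefixed with "token:"). The dots in the IPv4
# literal are now escaped; the previous pattern let "." match any character.
# NOTE(review): the user-agent half of this test is client-controlled and the
# service-account username pattern can be imitated by a human-created account,
# so treat req_call_type as a dashboard hint, not as a trust boundary for
# suppressing alerts. Behind a reverse proxy remote_address may also be the
# proxy's address rather than the client's.
EVAL-req_call_type = if(match(remote_address, "^/?(?:127\.0\.0\.1|0:0:0:0:0:0:0:1|::1)\b") OR (match(request_user_agent, "^(?:JFrog(?: Access (?:Go|Java) Client|-Router)|Artifactory|XrayJavaClient)/") AND match(username, "^(?:token:)*jf[a-z]{2,4}@")), "internal", "external")
# The log writes the literal "null" when no trace id was propagated; map that
# to null, otherwise zero-pad to 16 characters like the other sourcetypes.
EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
# Token-authenticated requests log the principal as "token:<name>"; expose the
# bare name as user while keeping username verbatim.
EVAL-user = replace(username, "^(?:token:)+", "")
# Which service wrote the log, taken from the file name
# (".../artifactory-request.log" -> "artifactory").
EXTRACT-request_service = /(?<request_service>[a-z]+(?:-[a-z]+)*)-request.log$ in source
# Column layout of the pipe-separated line.
# NOTE(review): if any client-controlled column (request_url,
# request_user_agent) can contain a literal "|", every column after it shifts
# and values such as status or username can be spoofed in the extracted
# fields. Confirm JFrog escapes "|" before alerting on these fields.
FIELD_NAMES = timestamp,trace_id,remote_address,username,request_method,request_url,status,request_content_length,response_content_length,request_duration,request_user_agent
INDEXED_EXTRACTIONS = PSV
# Map the file-name based request_service to the identifier and display name
# used by the other sourcetypes.
LOOKUP-service_info = jfrog_services request_service OUTPUT identifier AS service_type, service_name
# e.g. 2021-07-12T11:02:00.123Z; UTC, hence TZ = GMT.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT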
# Router access log (router-request.log) of both the Artifactory and the Xray
# router instance: one JSON object per line.
#
# Index-time key: INDEXED_EXTRACTIONS. Search-time keys: EVAL-*, FIELDALIAS-*,
# KV_MODE.
[jfrog:router:request]
category = Web
# Fields are extracted from the JSON at index time; switch off search-time
# key/value extraction so they are not extracted a second time.
INDEXED_EXTRACTIONS = JSON
KV_MODE = none
# The JSON key "request_Uber-Trace-Id" is awkward to type in searches; expose
# it under a plain name as well.
FIELDALIAS-uber_trace_id = request_Uber-Trace-Id ASNEW uber_trace_id
# Keep the first colon-separated segment of the trace header (the trace id in
# the Uber-Trace-Id propagation format) and zero-pad it to 16 characters so it
# equals the padded trace_id of the other sourcetypes. Relies on Splunk
# applying FIELDALIAS-* before EVAL-* at search time.
EVAL-trace_id = substr("0000000000000000", len(mvindex(split(uber_trace_id, ":"), 0)) + 1) . mvindex(split(uber_trace_id, ":"), 0)
# Artifactory traffic log (artifactory-traffic.<timestamp>.log): one
# pipe-separated line per transfer.
#
# Index-time keys (universal forwarder / parsing tier): FIELD_NAMES,
# INDEXED_EXTRACTIONS, TIME_FORMAT. Search-time key: EVAL-*.
[jfrog:artifactory:traffic]
category = Application
# Column layout: 14-digit datetime, trace id, duration, action, client
# address, repository path, content length.
FIELD_NAMES = datetime,trace_id,time_taken,action,remote_address,path,content_length
INDEXED_EXTRACTIONS = PSV
# e.g. 20210712110200 — no zone designator in the value.
# NOTE(review): every other stanza pins TZ = GMT, none is set here, so Splunk
# applies the forwarder host's zone. Confirm which zone Artifactory writes this
# log in and set TZ explicitly; otherwise traffic events will not line up with
# the request log of the same transfer.
TIME_FORMAT = %Y%m%d%H%M%S
# Same "null" sentinel and 16-character zero padding as jfrog:request.
EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
# Artifactory access log (artifactory-access.log): one line per access
# decision. This is the authentication/authorisation audit trail, so the
# action_response, user and user_ip fields extracted here are the ones
# detection content should key on.
#
# Index-time keys: TIME_FORMAT, TZ. Search-time keys: EVAL-*, EXTRACT-*.
[jfrog:artifactory:access]
category = Application
# Zero-pad to 16 characters for joins with the other sourcetypes. No "null"
# sentinel handling here, unlike jfrog:request — NOTE(review): confirm the
# access log never writes a literal "null" trace id.
EVAL-trace_id = substr("0000000000000000", len(trace_id) + 1) . trace_id
# "NA" is the log's placeholder for an absent principal; expose it as null so
# user=* searches and stats only see real accounts.
EVAL-user = if(user == "NA", null, user)
# Line layout: <timestamp> [trace_id] [ACTION] <message>
#   action          the whole bracket content; when it is two upper-case words
#                   they are split into action_response and action_type
#                   (Artifactory writes e.g. "DENIED LOGIN" — verify against
#                   your version).
#   repository      a leading "<repo>:" prefix of the message, when present
#   user / user_ip  taken from a trailing " for [client ][: ]<user> / <ip>"
#                   clause; user_ip accepts IPv4 or IPv6, optionally in [ ]
# The message is free text and partly reflects client-chosen names (repository
# keys, artifact paths); the user/user_ip clause is located with a lazy ".*?"
# followed by an optional group, so a path containing " for " near the end of
# the line could be mis-attributed. NOTE(review): validate against a sample of
# denied lines before alerting on user_ip.
EXTRACT-timestamp,trace_id,action,action_response,action_type,message,repository,user,user_ip = ^(?<timestamp>[^ ]+) \[\s*(?<trace_id>[^\s\]]*)\s*\] \[(?<action>(?<action_response>[A-Z]+) (?<action_type>[A-Z]+)|[^\]]*)\s*\]\s+(?<message>(?:(?<repository>[-\w]+):)?.*?(?: for (?:client )?(?:: )?(?<user>[^/\s]+)?\s?/\s?(?:\[?(?<user_ip>[0-9a-fA-F][.:0-9a-fA-F]+?)\]?)?\.?)?)$
# e.g. 2021-07-12T11:02:00.123Z (%Q = milliseconds); the Z means UTC, hence TZ.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT
# Access service security audit log (access-security-audit.log): records
# security-configuration changes (entity_name, security_event_type,
# data_changed) together with the acting principal and its address.
# Pipe-separated, one event per line.
#
# Index-time keys (universal forwarder / parsing tier): FIELD_NAMES,
# INDEXED_EXTRACTIONS, TIME_FORMAT, TZ. Search-time keys: EVAL-*.
[jfrog:access:security_audit]
category = Application
# Column layout. data_changed is the last column, so a "|" inside it cannot
# shift the other fields; entity_name is admin-controlled.
FIELD_NAMES = timestamp,trace_id,performing_user_ip,performing_user,loggedin_principal,entity_name,security_event_type,security_event,data_changed
INDEXED_EXTRACTIONS = PSV
# e.g. 2021-07-12T11:02:00.123Z; UTC, hence TZ = GMT.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%QZ
TZ = GMT
# "UNKNOWN" is the log's placeholder for an absent actor or address; map it to
# null so performing_user=* style searches only match attributable changes.
# Changes where both end up null deserve their own search: they are security
# changes with no attributable actor.
EVAL-performing_user = if(performing_user == "UNKNOWN", null, performing_user)
EVAL-performing_user_ip = if(performing_user_ip == "UNKNOWN", null, performing_user_ip)
# Same "null" sentinel and 16-character zero padding as jfrog:request.
EVAL-trace_id = if(trace_id == "null", null, substr("0000000000000000", len(trace_id) + 1) . trace_id)
# Lookup table behind the LOOKUP-* keys in props.conf. Columns:
#   identifier       short service id as logged in the service log (jfrt, jfxr, ...)
#   request_service  file-name prefix of that service's *-request.log, if any
#   service_name     display name
[jfrog_services]
filename = jfrog_services.csv
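# Index-time re-routing used by props.conf [jfrog:misc]: a line in one of the
# catch-all artifactory-*.log files that has the service-log layout is given
# sourcetype jfrog:service so that stanza's search-time extractions apply.
#
# NOTE(review): in Splunk's index pipeline a TRANSFORMS-based sourcetype
# change happens after line breaking and timestamp extraction, so the
# jfrog:service index-time keys (SHOULD_LINEMERGE, MAX_EVENTS, TIME_FORMAT, TZ)
# are not applied to these events — only its search-time keys are. Verify that
# the jfrog:misc defaults break and timestamp those files acceptably.
[set_sourcetype_jfrog_service]
# %Y-%m-%dT%H:%M:%S.%QZ [service_type] [log_level] [trace_id] [class_line_number] [thread] ...
# Accept one or two brackets around each field, the same as the jfrog:service
# EXTRACT does (a double-bracketed log level); the previous pattern required
# exactly one bracket and silently left such lines in jfrog:misc.
REGEX = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z (?:\[{1,2}[^\]]*\]{1,2} ){5}
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::jfrog:service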
# _ _ __ _ | |
# /\ | | (_)/ _| | | | |
# / \ _ __| |_ _| |_ __ _ ___| |_ ___ _ __ _ _ | |
# / /\ \ | '__| __| | _/ _` |/ __| __/ _ \| '__| | | | | |
# / ____ \| | | |_| | || (_| | (__| || (_) | | | |_| | | |
# /_/ \_\_| \__|_|_| \__,_|\___|\__\___/|_| \__, | | |
# __/ | | |
# |___/ | |
# Per-service request logs (artifactory-request.log, access-request.log, ...).
# The router's request log is JSON rather than pipe-separated and gets its own
# sourcetype in the stanza below, so it is excluded here.
# All globs in this file end in ".log", so rotated copies (*.log.1, ...) are
# not re-read. The forwarder account needs read access to /var/opt/jfrog/*/log;
# these logs carry usernames, "token:" principals and client addresses, so
# restrict who can search the target index accordingly.
[monitor:///var/opt/jfrog/artifactory/log/*-request.log]
sourcetype = jfrog:request
blacklist = /router-request\.log$
# Multi-line service logs of every microservice on the Artifactory node;
# line merging and the layout extraction live in props.conf [jfrog:service].
[monitor:///var/opt/jfrog/artifactory/log/*-service.log]
sourcetype = jfrog:service
# Router access log, one JSON object per line (props.conf [jfrog:router:request]).
[monitor:///var/opt/jfrog/artifactory/log/router-request.log]
sourcetype = jfrog:router:request
# Traefik log of the router.
# NOTE(review): props.conf in this gist defines no [jfrog:router:traefik]
# stanza, so these events fall back to Splunk's automatic line breaking and
# timestamp recognition; add at least TIME_FORMAT/TZ and a line breaker before
# relying on their timestamps.
[monitor:///var/opt/jfrog/artifactory/log/router-traefik.log]
sourcetype = jfrog:router:traefik
# Authentication/authorisation audit trail of Artifactory (accepted and denied
# actions with user and client address); see props.conf [jfrog:artifactory:access].
[monitor:///var/opt/jfrog/artifactory/log/artifactory-access.log]
sourcetype = jfrog:artifactory:access
# Traffic log; Artifactory writes it as artifactory-traffic.<timestamp>.log,
# hence the wildcard in the middle of the name.
[monitor:///var/opt/jfrog/artifactory/log/artifactory-traffic.*.log]
sourcetype = jfrog:artifactory:traffic
# Security audit log of the Access service (changes to users, groups,
# permissions etc. with the acting principal); see props.conf
# [jfrog:access:security_audit]. Worth routing to a long-retention index.
[monitor:///var/opt/jfrog/artifactory/log/access-security-audit.log]
sourcetype = jfrog:access:security_audit
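# Every other artifactory-*.log goes to the jfrog:misc catch-all, where the
# set_sourcetype_jfrog_service transform promotes service-log-shaped lines.
# The blacklist removes the files that already have a dedicated stanza above
# (plus the metrics logs, which are not collected at all) so that no file is
# matched by two monitor stanzas. "access" is added: artifactory-access.log
# matched both this glob and its own stanza, and which stanza applied was left
# to Splunk's rules for overlapping monitors. The optional ".<digits/dots>"
# group covers the timestamped artifactory-traffic.*.log names.
[monitor:///var/opt/jfrog/artifactory/log/artifactory-*.log]
blacklist = \-(?:access|metrics(?:_events)?|request|service|traffic)(?:\.[.0-9]+)?\.log$
sourcetype = jfrog:misc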
# _ ______ __ __ | |
# | | ____| \ \ / / | |
# | | |__ _ __ ___ __ _ \ V / _ __ __ _ _ _ | |
# _ | | __| '__/ _ \ / _` | > < | '__/ _` | | | | | |
# | |__| | | | | | (_) | (_| | / . \| | | (_| | |_| | | |
# \____/|_| |_| \___/ \__, | /_/ \_\_| \__,_|\__, | | |
# __/ | __/ | | |
# |___/ |___/ | |
# Multi-line service logs of every microservice on the Xray node; shares the
# jfrog:service sourcetype (and its EVAL-service_type normalisation of the
# Xray worker identifiers) with Artifactory.
[monitor:///var/opt/jfrog/xray/log/*-service.log]
sourcetype = jfrog:service
# Xray's pipe-separated request log; the file name yields request_service=xray
# through the EXTRACT in props.conf [jfrog:request]. Only this one file is
# collected here, unlike the *-request.log glob used for Artifactory.
[monitor:///var/opt/jfrog/xray/log/xray-request.log]
sourcetype = jfrog:request
# Router access log of the Xray node, one JSON object per line.
[monitor:///var/opt/jfrog/xray/log/router-request.log]
sourcetype = jfrog:router:request
# Traefik log of the Xray router.
# NOTE(review): no [jfrog:router:traefik] stanza exists in this gist's
# props.conf; these events rely on Splunk's automatic line breaking and
# timestamp recognition until one is added.
[monitor:///var/opt/jfrog/xray/log/router-traefik.log]
sourcetype = jfrog:router:traefik
identifier | request_service | service_name
---|---|---
jfac | access | Access
jfdr |  | Distributor
jfds |  | Distribution
jfevt | event | Event
jffe | frontend | Frontend
jfiex | insight-executor | Insight Executor
jfisc | insight-scheduler | Insight Scheduler
jfisv | insight-server | Insight Server
jfmc | mc | Mission Control
jfmd | metadata | Metadata
jfpip |  | Pipelines
jfrep |  | Replicator
jfrpg | router | Router
jfrt | artifactory | Artifactory
jfxana |  | Xray Analysis
jfxidx |  | Xray Indexer
jfxpst |  | Xray Persist
jfxr | xray | Xray
Splunk apps are nice, but to get started these files will do.
Note: these files mix forwarder, indexer and search-head settings. The index-time keys (INDEXED_EXTRACTIONS, FIELD_NAMES, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, MAX_EVENTS, TIME_FORMAT, TZ, SEDCMD, TRANSFORMS and the sourcetype rule in transforms.conf) must be deployed where parsing happens — on the indexer or heavy forwarder, and the INDEXED_EXTRACTIONS stanzas on the universal forwarder that reads the files — while the search-time keys (EVAL, EXTRACT, FIELDALIAS, LOOKUP, KV_MODE, the jfrog_services lookup definition and its CSV) belong on the search head; inputs.conf goes on the forwarder. Split them before deploying, because a search-time key placed only on an indexer, or an index-time key placed only on a search head, is silently ignored.