nginx logstash cipher logging
# rsyslog (legacy directive syntax): tail the nginx access logs with imfile and
# forward the whole syslog stream to a logstash RELP input as one-line JSON.
# Directive order matters in legacy syntax: each imfile file block is the run of
# $InputFile* directives up to its $InputRunFileMonitor.
$ModLoad omrelp
# Forward every line as its own event; never collapse into "last message repeated N times".
$RepeatedMsgReduction off
# JSON document shipped per event.
#  - @timestamp: first 19 characters of the RFC 3339 timestamp (the host's UTC
#    offset is cut off) + 3 digits of subseconds + a hard-coded "+00:00". This is
#    only correct if the host keeps local time in UTC -- TODO confirm; otherwise
#    every event is mis-stamped by the host's offset. For the tailed files this is
#    the ingest time, not the request time; the logstash date{} filter in this
#    gist later overwrites it from the access-log line.
#  - message: "<timestamp> <app-name>:<msg>" with msg run through the ":::json"
#    property option so quotes/backslashes in a log line cannot break the document.
#  - the jsonf options emit ready-made "key":"value" pairs for the remaining fields.
$template ls_json,"{\"@version\":1,\"es_environment\":\"dmz\",\"@timestamp\":\"%timestamp:1:19:date-rfc3339%.%timestamp:1:3:date-subseconds%+00:00\",%HOSTNAME:::jsonf:source_host%,\"message\":\"%timestamp% %app-name%:%msg:::json%\",%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}"
# Ship all facilities/severities (not only the tailed files) to the RELP receiver
# on 21514 using the template above. NOTE(review): no transport encryption is
# configured on this hop, and the access-log lines carry client IPs, the auth
# field and full request URIs including query strings -- confirm the path to the
# receiver is trusted or move to RELP over TLS.
*.* :omrelp:X.X.X.X:21514;ls_json
# Read plain text files and inject each line as a syslog message.
$ModLoad imfile
# Directory for the read-offset state files named by $InputFileStateFile below;
# it must be writable by rsyslog or files are re-read from the start after restart.
$WorkDirectory /var/lib/rsyslog-state/
# --- nginx HTTP access log -> program "nginx-access" (tag minus the colon), local7.info ---
$InputFileName /var/lib/nrouter/logs/access.log
$InputFileTag nginx-access:
$InputFileStateFile state-nginx-access
$InputFileSeverity info
$InputFileFacility local7
# Cap on lines submitted per poll cycle. Set only here; whether the legacy
# directive is per-file or global (and so also applies to tcp_access.log) --
# TODO confirm against the rsyslog version in use.
$InputFileMaxSubmitAtOnce 100
$InputRunFileMonitor
# --- nginx TCP/stream access log -> program "nginx-tcpaccess", local7.info ---
$InputFileName /var/lib/nrouter/logs/tcp_access.log
$InputFileTag nginx-tcpaccess:
$InputFileStateFile state-nginx-tcpaccess
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
{
"@version": 1,
"es_environment": "dmz",
"@timestamp": "2014-10-15T03:21:27.000Z",
"source_host": "XXXXXXXX",
"message": "GET /logstash-2014.10.15/_aliases?ignore_missing=true [200]",
"facility": "local7",
"severity": "info",
"program": "nginx-access",
"processid": "-",
"ls_input": "relp",
"es_component": "rsyslog",
"host": "XXXXXXXXXXXX:58910",
"clientip": "X.X.X.X",
"ident": "-",
"auth": "XXXXXXXXX",
"verb": "GET",
"request": "/logstash-2014.10.15/_aliases",
"httpversion": "1.1",
"response": "200",
"bytes": 67,
"referrer": "https://XXXXXXXXXXXXXXXXXXXX/",
"agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0",
"x_forwarded_for": "\"-\"",
"ssl_cipher": "TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256",
"geoip": {
"ip": "X.X.X.X",
"country_code2": "US",
"country_code3": "USA",
"country_name": "United States",
"continent_code": "NA",
"region_name": "TX",
"city_name": "Round Rock",
"postal_code": "78682",
"latitude": 30.656800000000004,
"longitude": -97.6026,
"dma_code": 635,
"area_code": 512,
"timezone": "America/Chicago",
"real_region_name": "Texas",
"location": [
-97.6026,
30.656800000000004
]
}
# Parse the nginx access-log line that rsyslog put in "message".
# Patterns are listed from most to least specific; grok tries them in order and
# (default break_on_match) stops at the first match. The last two keep lines
# from a log_format without "$http_x_forwarded_for" or the trailing
# "[$ssl_protocol/$ssl_cipher]" column parsing. QS keeps the surrounding quotes,
# so x_forwarded_for is stored as "\"-\"" rather than "-".
grok {
match => [
"message", "%{COMBINEDAPACHELOG} %{QS:x_forwarded_for} \[%{GREEDYDATA:ssl_cipher}\]",
"message", "%{COMBINEDAPACHELOG} \[%{GREEDYDATA:ssl_cipher}\]",
"message", "%{COMBINEDAPACHELOG} %{QS:x_forwarded_for}",
"message", "%{COMBINEDAPACHELOG}"
]
}
# Overwrite @timestamp (the filter's default target) -- which rsyslog set to its
# own ingest time -- with the request time grok captured as "timestamp" ($time_local).
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
# GeoIP enrichment of clientip, i.e. $remote_addr, the first field of the line.
# NOTE(review): if nginx sits behind another proxy this is the proxy's address;
# the X-Forwarded-For value is kept separately in x_forwarded_for.
geoip { source => "clientip" }
# Split the query string of the request URI into query_params.<key>, and the
# Referer's query string into referrer_params.<key>. Both inputs are
# client-controlled: every distinct key becomes a new dynamically-mapped field
# (unbounded field growth in the index), and query strings frequently carry
# tokens or credentials that then end up searchable. Consider include_keys /
# exclude_keys, or dropping these objects before indexing.
kv { target => "query_params" field_split => "&?" source => "request" }
kv { target => "referrer_params" field_split => "&?" source => "referrer" }
mutate {
# Shorten message to "VERB /path [status]" now that the full line is split into fields.
update => ["message", "%{verb} %{request} [%{response}]"]
# The raw time string has been consumed by date{} above.
remove_field => ["timestamp"]
# Store the byte count as a number so it can be aggregated.
convert => [ "bytes", "integer" ]
}
}
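# TLS cipher preference list: ECDHE AEAD (GCM) suites first, then ECDHE CBC
# suites for older clients. The RC4 suites (ECDHE-*-RC4-SHA, ECDH-*-RC4-SHA,
# RC4-SHA; RC4 is prohibited for TLS by RFC 7465) and the static ECDH-* suites
# (no forward secrecy) from the original list are removed. The
# "[$ssl_protocol/$ssl_cipher]" column added to the access log is the place to
# confirm that no client population still negotiates them before rolling this out.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;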
# Access-log line matched by the grok patterns in this gist: the combined log
# fields, then the quoted X-Forwarded-For header, then "[protocol/cipher]"
# (both variables are empty on plain-HTTP connections, giving "[/]"), which is
# what makes per-request cipher usage visible in the index.
# NOTE(review): the second field is $http_remote_user -- the value of a
# client-supplied "Remote-User" request header -- not nginx's authenticated
# $remote_user. Unless a trusted upstream sets and overwrites that header, the
# "auth" field in the index is attacker-controlled; confirm which is intended.
log_format main '$remote_addr - $http_remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" [$ssl_protocol/$ssl_cipher]';