meznak/f5-dos.conf

## f5-dos.conf
#############################################################################
### F5 DOS

############################################################################
### Sources
# Multiple sources means using multiple threads, so split them up as much
# as possible!

# Don't specify an IP so we listen on all.
# Tuning: https://codeascraft.com/2012/08/13/performance-tuning-syslog-ng/
#	log-fetch-limit = number of lines from source in a "chunk"
#	log-iw-size = max-connections * log-fetch-limit
#	log-fifo-size = log-iw-size * 20 (set globally above)
#
source s_udp5432_F5 {
	# Default protocol is TCP, so specify UDP
	network(port(5432) transport("udp") max-connections(500) log-fetch-limit(1000) log-iw-size(100000) flags(assume-utf8, syslog-protocol));
};

############################################################################
### Filters
# filters for F5 types
# This makes sure no LB pings are in the directory
filter f_F5_AFM { host("*f5*" type(glob) flags("ignore-case"))};

# AFM logtype filtering
filter f_F5_ipint { match("asu-ip-intelligence" value("MESSAGE")) };
filter f_F5_afmevent { match("[A-Z][A-Z]\/[^\"]+" value("MESSAGE")) };
#############################################################################
### Rewrites
#
rewrite r_F5_trim {
	subst("/Common/", "", value("MESSAGE") type ("pcre") flags("global"));
	# CIM allows allowed, blocked, dropped, unknown
	#subst("Accept", "allowed", value("MESSAGE") type ("pcre") flags("global"));
	#subst("Drop", "dropped", value("MESSAGE") type ("pcre") flags("global"));
	#subst("?", "blocked", value("MESSAGE") type ("pcre") flags("global"));
	#subst("?", "unknown", value("MESSAGE") type ("pcre") flags("global"));
};

#############################################################################
### Destinations
#

# AFM Destinations
destination d_F5_ipint {
	file("/syslog/F5/${HOST}/`LOGHOST`.ipint.${YEAR}${MONTH}${DAY}-$HOUR-$(/ $MIN 15)");
};

destination d_F5_afmevent {
	file("/syslog/F5/${HOST}/`LOGHOST`.afmevent.${YEAR}${MONTH}${DAY}-$HOUR");
};

destination d_F5_dosprotect {
	file("/syslog/F5/${HOST}/`LOGHOST`.dosprotect.${YEAR}${MONTH}${DAY}-$HOUR");
};

destination d_F5_unknown {
	file("/syslog/F5/${HOST}/`LOGHOST`.unknown.${YEAR}${MONTH}${DAY}-$HOUR");
};

#############################################################################
### Logging
#
# Multiple log destinations means multi-threading!

# Log F5 DDOS Appliances
log {
	source (s_udp5432_F5);
	# Remember these are ANDs
	filter (f_F5_ipint);
	filter (f_F5_AFM);
	rewrite (r_F5_trim);
	destination(d_F5_ipint);
	flags(final);
};

log {
	source (s_udp5432_F5);
	# Remember these are ANDs
	filter (f_F5_afmevent);
	filter (f_F5_AFM);
	rewrite (r_F5_trim);
	destination(d_F5_afmevent);
	flags(final);
};

log {
	source (s_udp5432_F5);
	filter (f_F5_AFM);
	rewrite (r_F5_trim);
	destination(d_F5_dosprotect);
	flags(final);
};

log {
	source (s_udp5432_F5);
	rewrite (r_F5_trim);
	destination(d_F5_unknown);
	flags(final);
};
	#############################################################################
	### F5 DOS

	############################################################################
	### Sources
	# Multiple sources means using multiple threads, so split them up as much
	# as possible!

	# Don't specify an IP so we listen on all.
	# Tuning: https://codeascraft.com/2012/08/13/performance-tuning-syslog-ng/
	# log-fetch-limit = number of lines from source in a "chunk"
	# log-iw-size = max-connections * log-fetch-limit
	# log-fifo-size = log-iw-size * 20 (set globally above)
	#
	source s_udp5432_F5 {
	# Default protocol is TCP, so specify UDP
	network(port(5432) transport("udp") max-connections(500) log-fetch-limit(1000) log-iw-size(100000) flags(assume-utf8, syslog-protocol));
	};

	############################################################################
	### Filters
	# filters for F5 types
	# This makes sure no LB pings are in the directory
	filter f_F5_AFM { host("f5" type(glob) flags("ignore-case"))};

	# AFM logtype filtering
	filter f_F5_ipint { match("asu-ip-intelligence" value("MESSAGE")) };
	filter f_F5_afmevent { match("[A-Z][A-Z]\/[^\"]+" value("MESSAGE")) };
	#############################################################################
	### Rewrites
	#
	rewrite r_F5_trim {
	subst("/Common/", "", value("MESSAGE") type ("pcre") flags("global"));
	# CIM allows allowed, blocked, dropped, unknown
	#subst("Accept", "allowed", value("MESSAGE") type ("pcre") flags("global"));
	#subst("Drop", "dropped", value("MESSAGE") type ("pcre") flags("global"));
	#subst("?", "blocked", value("MESSAGE") type ("pcre") flags("global"));
	#subst("?", "unknown", value("MESSAGE") type ("pcre") flags("global"));
	};

	#############################################################################
	### Destinations
	#

	# AFM Destinations
	destination d_F5_ipint {
	file("/syslog/F5/${HOST}/`LOGHOST`.ipint.${YEAR}${MONTH}${DAY}-$HOUR-$(/ $MIN 15)");
	};

	destination d_F5_afmevent {
	file("/syslog/F5/${HOST}/`LOGHOST`.afmevent.${YEAR}${MONTH}${DAY}-$HOUR");
	};

	destination d_F5_dosprotect {
	file("/syslog/F5/${HOST}/`LOGHOST`.dosprotect.${YEAR}${MONTH}${DAY}-$HOUR");
	};

	destination d_F5_unknown {
	file("/syslog/F5/${HOST}/`LOGHOST`.unknown.${YEAR}${MONTH}${DAY}-$HOUR");
	};

	#############################################################################
	### Logging
	#
	# Multiple log destinations means multi-threading!

	# Log F5 DDOS Appliances
	log {
	source (s_udp5432_F5);
	# Remember these are ANDs
	filter (f_F5_ipint);
	filter (f_F5_AFM);
	rewrite (r_F5_trim);
	destination(d_F5_ipint);
	flags(final);
	};

	log {
	source (s_udp5432_F5);
	# Remember these are ANDs
	filter (f_F5_afmevent);
	filter (f_F5_AFM);
	rewrite (r_F5_trim);
	destination(d_F5_afmevent);
	flags(final);
	};

	log {
	source (s_udp5432_F5);
	filter (f_F5_AFM);
	rewrite (r_F5_trim);
	destination(d_F5_dosprotect);
	flags(final);
	};

	log {
	source (s_udp5432_F5);
	rewrite (r_F5_trim);
	destination(d_F5_unknown);
	flags(final);
	};