peterfroehlich/graylog2.drl

## graylog2.drl
rule "access log"
    when
        m : Message( message matches ".*access.*:.*" )
    then
        Matcher matcher = Pattern.compile("^.* (.*\\.log): ([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}).* \"([A-Z]{3,7}) (.*) HTTP/1.1\" ([0-9][0-9][0-9]) ([0-9]{1,}) \"(.*)\" \"(.*)\" (?<=[ ])([0-9]+$)").matcher(m.getMessage());
        if (matcher.find()) {
           m.addField("_Logfile",matcher.group(1));
                   m.addField("_clientIp",matcher.group(2));
                   m.addField("_Method",matcher.group(3));
                   m.addField("_URI",matcher.group(4));
           m.addField("_ResponseCode",matcher.group(5));
                   m.addField("_Size",matcher.group(6));
                   m.addField("_Referer",matcher.group(7));
                   m.addField("_UserAgent",matcher.group(8));
           m.addField("_RunTime",matcher.group(9));
        }
end

rule "error log"
    when
        m : Message( message matches ".*error.*:.*" )
    then
        Matcher matcher = Pattern.compile("^.* (.*\\.log): \\[(.*)\\] \\[(.*)\\] \\[.* ([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}).*\\] (.*)").matcher(m.getMessage());
        if (matcher.find()) {
           m.addField("_Logfile",matcher.group(1));
           m.addField("_messageDate",matcher.group(2));
           m.addField("_messageSeverity",matcher.group(3));
           m.addField("_clientIp",matcher.group(4));
           m.addField("_errorMessage",matcher.group(5));
        }
end

rule "FQDN Hostname"
    when
                m : Message( source matches "^.[^.]*$" )
        then
                String host;
                try {
                    host = InetAddress.getByName( m.getSource() ).getCanonicalHostName();
                } catch(java.net.UnknownHostException e) {
                    host = "default-name--pfsense-in-my-case";
                }
                m.addField("source", host );
end
	rule "access log"
	when
	m : Message( message matches ".access.:.*" )
	then
	Matcher matcher = Pattern.compile("^.* (.\\.log): ([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}). \"([A-Z]{3,7}) (.) HTTP/1.1\" ([0-9][0-9][0-9]) ([0-9]{1,}) \"(.)\" \"(.*)\" (?<=[ ])([0-9]+$)").matcher(m.getMessage());
	if (matcher.find()) {
	m.addField("_Logfile",matcher.group(1));
	m.addField("_clientIp",matcher.group(2));
	m.addField("_Method",matcher.group(3));
	m.addField("_URI",matcher.group(4));
	m.addField("_ResponseCode",matcher.group(5));
	m.addField("_Size",matcher.group(6));
	m.addField("_Referer",matcher.group(7));
	m.addField("_UserAgent",matcher.group(8));
	m.addField("_RunTime",matcher.group(9));
	}
	end

	rule "error log"
	when
	m : Message( message matches ".error.:.*" )
	then
	Matcher matcher = Pattern.compile("^.* (.\\.log): \\[(.)\\] \\[(.)\\] \\[. ([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}).\\] (.)").matcher(m.getMessage());
	if (matcher.find()) {
	m.addField("_Logfile",matcher.group(1));
	m.addField("_messageDate",matcher.group(2));
	m.addField("_messageSeverity",matcher.group(3));
	m.addField("_clientIp",matcher.group(4));
	m.addField("_errorMessage",matcher.group(5));
	}
	end

	rule "FQDN Hostname"
	when
	m : Message( source matches "^.[^.]*$" )
	then
	String host;
	try {
	host = InetAddress.getByName( m.getSource() ).getCanonicalHostName();
	} catch(java.net.UnknownHostException e) {
	host = "default-name--pfsense-in-my-case";
	}
	m.addField("source", host );
	end