@w4
Created July 25, 2022 01:17
# NixOS module declaring a declarative container named "grafana". Inside it:
#   * a hand-built Vector 0.23.0 receives syslog over TCP, extracts a source
#     address, enriches it with GeoIP/ASN data and ships events to Loki;
#   * Loki stores the events under /data/loki;
#   * Grafana serves dashboards on port 3000.
# The host side registers the container's Grafana address with `internal-proxy`
# (an option defined outside this file).
{ config, pkgs, lib, ... }:
{
  containers.grafana = {
    autoStart = true;
    # Ephemeral container: the root filesystem is not meant to persist, so
    # only the /data bind mount below survives a container restart.
    ephemeral = true;
    bindMounts = {
      "/data" = {
        hostPath = "/data/random/grafana";
        # Writable on purpose: Grafana and Loki keep their state here.
        isReadOnly = false;
      };
    };
    # The container gets its own macvlan interface (mv-vlan101, configured
    # below) on the host's vlan101, i.e. it sits directly on that network
    # rather than behind the host's address.
    macvlans = [ "vlan101" ];
    config = { config, pkgs, ... }:
      let
        # Resolved through the <nixos-unstable-small> channel on NIX_PATH, so
        # the Rust toolchain used to build Vector below is whatever that
        # channel currently points to; it is not pinned to a revision here.
        unstable = import <nixos-unstable-small> {};
        # Vector pipeline, rendered to TOML and validated at build time by the
        # systemd unit further down.
        vectorConfig =
          {
            sources = {
              # Network-facing listener: accepts syslog from any interface on
              # TCP 601. No TLS or sender restriction is configured in this
              # block, so any host that can reach the port can submit events.
              # NOTE(review): if only known devices should log here, restrict
              # the sources at the firewall or enable TLS on this source.
              syslog = {
                type = "socket";
                address = "0.0.0.0:601";
                mode = "tcp";
                framing.method = "octet_counting";
                # Upper bound on a single frame, which limits how much one
                # sender-declared length can make Vector buffer.
                framing.octet_counting.max_length = 102400;
              };
            };
            transforms = {
              # Parses the raw message as syslog and copies the
              # "source-address" field of the "junos@2636.1.1.1.2.136"
              # structured-data element to .source_address.
              # The `!` form makes parse_syslog raise on input that is not
              # valid syslog; what happens to such events depends on the remap
              # transform's error-handling settings, which are left at their
              # defaults here (TODO confirm the intended behaviour).
              # .source_address is taken from sender-supplied content and is
              # only as trustworthy as the device that emitted the log line.
              parse_log = {
                type = "remap";
                inputs = ["syslog"];
                source = ''
                  .junos = parse_syslog!(.message)."junos@2636.1.1.1.2.136"
                  .source_address = .junos."source-address"
                '';
              };
              # City-level lookup of .source_address, written to .geoip.
              # The database is a path literal relative to this file, so the
              # .mmdb must sit next to it.
              geoip = {
                type = "geoip";
                inputs = ["parse_log"];
                database = ./GeoLite2-City.mmdb;
                source = "source_address";
                target = "geoip";
              };
              # Second lookup of the same field against the ASN database,
              # written to .asn. Chained after `geoip` so both enrichments are
              # present on the event that reaches the sink.
              asn = {
                type = "geoip";
                inputs = ["geoip"];
                database = ./GeoLite2-ASN.mmdb;
                source = "source_address";
                target = "asn";
              };
            };
            sinks = {
              # Ships enriched events to the local Loki instance over plain
              # HTTP on loopback (port matches services.loki below).
              loki = {
                type = "loki";
                inputs = ["asn"];
                endpoint = "http://127.0.0.1:3030";
                encoding.codec = "json";
                labels = {
                  forwarder = "vector";
                };
              };
            };
          };
        # Vector built from source. The GitHub source is pinned by tag and
        # sha256, and the vendored crates by cargoSha256, so a changed upstream
        # tarball or dependency set fails the build instead of being picked up
        # silently. The version is fixed at 0.23.0, so upstream security fixes
        # only arrive when rev/version/hashes are bumped by hand.
        # Note the mix: rustPlatform comes from `unstable`, while the fetcher
        # and the C libraries come from the container's own `pkgs`.
        vector = unstable.rustPlatform.buildRustPackage {
          pname = "vector";
          version = "0.23.0";
          src = pkgs.fetchFromGitHub {
            owner = "vectordotdev";
            repo = "vector";
            rev = "v0.23.0";
            sha256 = "sha256-Y1RysuCWvdbqckW54r1uH/K9YTuAZk8T4M3HRGFm0EM=";
          };
          cargoSha256 = "sha256-VBmJfRCwSv3t5DPzVj92ajGYk5Ju8xqr4v7IDU17498=";
          nativeBuildInputs = with pkgs; [ pkg-config cmake perl ];
          buildInputs = with pkgs; [ oniguruma openssl protobuf rdkafka zstd ];
          # Environment variables passed to the build.
          PROTOC = "${pkgs.protobuf}/bin/protoc";
          PROTOC_INCLUDE = "${pkgs.protobuf}/include";
          RUSTONIG_SYSTEM_LIBONIG = true;
          LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib";
          TZDIR = "${pkgs.tzdata}/share/zoneinfo";
          CARGO_FEATURE_DYNAMIC_LINKING=1;
          # Default features off; only the listed feature groups are compiled.
          buildNoDefaultFeatures = true;
          buildFeatures = ["sinks" "sources" "transforms" "vrl-cli"];
          # The upstream test suite is skipped for this build.
          doCheck = false;
        };
      in {
        # Swap the container's stock vector module for the one shipped in the
        # unstable channel. The unit actually used is the hand-written
        # systemd.services.vector below, not a services.vector definition.
        imports = [ <nixos-unstable-small/nixos/modules/services/logging/vector.nix> ];
        disabledModules = [ "services/logging/vector.nix" ];
        networking = {
          interfaces.mv-vlan101.ipv4.addresses = [ { address = "10.0.64.118"; prefixLength = 24; } ];
          defaultGateway = "10.0.64.2";
          nameservers = [ "10.0.64.1" ];
          # Inbound exposure of the container. In this file only TCP 601
          # (Vector's syslog source) and TCP 3000 (Grafana, see the
          # internal-proxy entry at the bottom) have a listener defined.
          # NOTE(review): nothing visible here binds 514/udp or 514/tcp;
          # syslogng is only installed as a package below, not enabled as a
          # service. Close 514 unless a listener is started elsewhere.
          firewall.allowedUDPPorts = [ 514 ];
          firewall.allowedTCPPorts = [ 3000 514 601 ];
        };
        environment.systemPackages = with pkgs; [ syslogng ];
        # Dedicated unprivileged system account for the Vector service.
        users.groups.vector = { };
        users.users.vector = {
          description = "Vector service user";
          group = "vector";
          isSystemUser = true;
        };
        systemd.services.vector = {
          description = "Vector event and log aggregator";
          wantedBy = [ "multi-user.target" ];
          after = [ "network-online.target" ];
          requires = [ "network-online.target" ];
          serviceConfig =
            let
              format = pkgs.formats.toml { };
              conf = format.generate "vector.toml" vectorConfig;
              # Build-time gate: runs `vector validate` against the generated
              # TOML inside a derivation, so an invalid pipeline fails the
              # system build instead of failing at service start. The output
              # is a symlink to the validated file.
              validateConfig = file:
                pkgs.runCommand "validate-vector-conf" { } ''
                  ${vector}/bin/vector validate --no-environment "${file}"
                  ln -s "${file}" "$out"
                '';
            in
            {
              ExecStart = "${vector}/bin/vector --config ${validateConfig conf}";
              # Runs as the unprivileged vector user rather than root.
              User = "vector";
              Group = "vector";
              # NOTE(review): with Restart = "no" a crashed Vector stays down
              # and syslog ingestion stops until someone intervenes; confirm
              # that is intended for a log pipeline.
              Restart = "no";
              # NOTE(review): /var/lib/vector lives on the container root,
              # which is ephemeral (see `ephemeral = true`), so Vector state
              # presumably does not survive a container restart.
              StateDirectory = "vector";
              ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
              # The only capability granted: lets the non-root process bind
              # the privileged port 601. No further sandboxing directives
              # (e.g. NoNewPrivileges, ProtectSystem, CapabilityBoundingSet)
              # are set in this unit.
              AmbientCapabilities = "CAP_NET_BIND_SERVICE";
            };
        };
        services.grafana = {
          enable = true;
          # Listens on all container interfaces, including the macvlan
          # address on vlan101; TCP 3000 is opened in the firewall above.
          # NOTE(review): no authentication or admin-credential options are
          # set in this block, so Grafana's defaults apply; confirm the
          # initial admin password has been changed.
          addr = "0.0.0.0";
          domain = "grafana.home";
          # Persisted via the /data bind mount.
          dataDir = "/data/grafana";
          analytics.reporting.enable = false;
        };
        services.loki = {
          enable = true;
          dataDir = "/data/loki";
          configuration = {
            # Only the port is set; no listen address is given, so Loki's
            # default bind address applies. 3030 is not in
            # firewall.allowedTCPPorts above, which is what keeps it off the
            # network. NOTE(review): since the only client configured here
            # (Vector) uses 127.0.0.1, binding Loki to loopback explicitly
            # would not depend on the firewall staying enabled.
            server.http_listen_port = 3030;
            # Authentication is disabled: anything that can reach the API can
            # push and query logs.
            auth_enabled = false;
            ingester = {
              lifecycler = {
                address = "127.0.0.1";
                ring = {
                  kvstore.store = "inmemory";
                  replication_factor = 1;
                };
              };
              chunk_idle_period = "1h";
              max_chunk_age = "1h";
              chunk_target_size = 999999;
              chunk_retain_period = "30s";
              max_transfer_retries = 0;
            };
            schema_config = {
              configs = [{
                from = "2022-07-24";
                store = "boltdb-shipper";
                object_store = "filesystem";
                schema = "v11";
                index = {
                  prefix = "index_";
                  period = "24h";
                };
              }];
            };
            # Index and chunks are kept on the local filesystem under the
            # /data bind mount.
            storage_config = {
              boltdb_shipper = {
                active_index_directory = "/data/loki/boltdb-shipper-active";
                cache_location = "/data/loki/boltdb-shipper-cache";
                cache_ttl = "24h";
                shared_store = "filesystem";
              };
              filesystem.directory = "/data/loki/chunks";
            };
            limits_config = {
              # Entries with timestamps older than 168h are rejected at
              # ingestion.
              reject_old_samples = true;
              reject_old_samples_max_age = "168h";
            };
            chunk_store_config.max_look_back_period = "0s";
            # Retention deletes are off, so stored logs are not expired by
            # this config. NOTE(review): plan for disk growth under
            # /data/loki and decide how long network logs should be kept.
            table_manager = {
              retention_deletes_enabled = false;
              retention_period = "0s";
            };
            compactor = {
              working_directory = "/data/loki";
              shared_store = "filesystem";
              compactor_ring.kvstore.store = "inmemory";
            };
          };
        };
        system.stateVersion = "21.11";
      };
  };
  # Host-side option (defined outside this file) that points the "grafana"
  # endpoint at the container's macvlan address and Grafana port.
  internal-proxy.endpoints."grafana" = "10.0.64.118:3000";
}