@wstrange
Created July 31, 2014 17:38
logstash test - openidm openam opendj
# Inputs: one file{} per log source, tagged with a type that the filter
# section switches on. start_position is left at its default on every
# input, so only lines appended after Logstash starts are read; uncomment
# it to replay an existing file from the beginning.
input {
  # OpenIDM audit logs (CSV)
  file {
    type => "idmRecon"
    # start_position => "beginning"
    path => "/opt/openidm/audit/recon.csv"
  }
  file {
    type => "idmActivity"
    # start_position => "beginning"
    path => "/opt/openidm/audit/activity.csv"
  }

  # OpenDJ access log (free text, parsed with grok)
  file {
    type => "djAccess"
    # start_position => "beginning"
    path => "/logs/dj/access"
  }

  # OpenAM authentication and SAML2 logs (space-separated columns);
  # the glob picks up the rotated files as well.
  file {
    type => "amAccess"
    # start_position => "beginning"
    path => "/logs/am/log/amAuthentication.*"
  }
  file {
    type => "SAML2"
    # start_position => "beginning"
    path => "/logs/am/log/SAML2.*"
  }
}
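# Filters: exactly one branch per event type. The original file carried a
# pasted-in second copy of the idmRecon/idmActivity/amAccess branches, and
# the first amAccess copy placed a grok-style "match" option inside csv{},
# which the csv filter does not accept; the duplicates would also have run
# the csv and date filters twice on the same event.
filter {

  # OpenDJ access log: extract the operation fields from the free-text line.
  if [type] == "djAccess" {
    grok {
      match => ["message",
        "%{SYSLOG5424SD:timestamp} %{WORD:op} %{WORD:optype} conn=%{POSINT:connid} op=%{POSINT:opnum} msgID=%{POSINT:msgid}"
      ]
    }
    # NOTE(review): the grok "timestamp" field is never handed to a date{}
    # filter, so @timestamp on djAccess events is the ingest time rather than
    # the time in the log line. Confirm the bracketed timestamp format before
    # adding one.
    #
    # SEARCH operations are discarded here, before output. That keeps index
    # volume down, but it also means directory search/enumeration activity
    # leaves no trace in Elasticsearch; keep this in mind when using the
    # index for incident review.
    if [op] == "SEARCH" {
      drop {}
    }
  }

  # OpenIDM reconciliation audit (recon.csv). Column order must match the
  # file header.
  if [type] == "idmRecon" {
    csv {
      columns => [
        "idX","action","actionId","ambiguousTargetObjectIds","entryType","message","reconciling","reconId",
        "rootActionId","situation","sourceObjectId","status","targetObjectId","timestamp"
      ]
    }
    date {
      match => ["timestamp", "ISO8601"]
    }
  }

  # OpenIDM activity audit (activity.csv).
  if [type] == "idmActivity" {
    csv {
      columns => [
        "_id","action","activityId","after","before","changedFields","message","objectId","parentActionid",
        "passwordChanged","requester","rev","rootActionId","status","timestamp"
      ]
    }
    date {
      match => ["timestamp", "ISO8601"]
    }
  }

  # OpenAM authentication and SAML2 logs share the same space-separated
  # column layout, so they are handled by a single branch: split the
  # columns, parse the "time" column into @timestamp, and enrich the
  # client address with GeoIP data.
  if [type] == "amAccess" or [type] == "SAML2" {
    csv {
      columns => [time,Data,LoginID,ContextID, IPAddr, LogLevel,
        Domain, LoggedBy, MessageID, ModuleName, NameID, HostName]
      separator => " "
    }
    date {
      match => ["time", "yyyy-MM-dd HH:mm:ss"]
    }
    geoip {
      database => "/usr/share/GeoIP/GeoIP.dat"
      source => ["IPAddr"]
    }
  }
}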
# Output: ship every event to the Elasticsearch instance on this host.
# Only "host" is set; no authentication or transport-security options are
# configured here, which is fine for a local test but should be revisited
# before the pipeline points at a shared cluster.
output {
  # Re-enable stdout when debugging to see the fully filtered event.
  # stdout {
  #   codec => rubydebug
  # }
  elasticsearch {
    host => localhost
  }
}