ma logging: init server

This commit is contained in:
makefu 2019-09-25 14:01:32 +02:00
parent 571bb27631
commit 784e676045
3 changed files with 154 additions and 3 deletions


@ -0,0 +1,19 @@
if ( [program] == "dnsmasq") {
grok {
patterns_dir => ["${./patterns}"]
match => {
"message" => [
"^%{logdate:LOGDATE} dnsmasq\[[\d]+\]\: query\[[\w]+\] %{domain:DOMAIN} from %{clientip:CLIENTIP}"
, "^%{logdate:LOGDATE} dnsmasq\[[\d]+\]\: reply %{domain:DOMAIN} is %{ip:IP}"
, "^%{logdate:LOGDATE} dnsmasq\[[\d]+\]\: %{blocklist:BLOCKLIST} %{domain:DOMAIN} is %{ip:IP}"
]
}
}
date {
match => [ "LOGDATE", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "ISO8601" ]
}
geoip {
source => "IP"
}
}
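Review bot: The three grok expressions have the `%{PATTERN:field}` order inverted — `%{logdate:LOGDATE}`, `%{domain:DOMAIN}`, `%{clientip:CLIENTIP}`, `%{ip:IP}`, `%{blocklist:BLOCKLIST}` ask grok to expand patterns named `logdate`, `domain`, … , and pattern names are case-sensitive, while the patterns file added in this commit defines only uppercase names (`DOMAIN`, `BLOCKLIST`, …) and no `LOGDATE`/`logdate` at all, so the pipeline will refuse to load or tag every dnsmasq event `_grokparsefailure`. The same block is duplicated, with the correct order (`%{DNSID:dnsid} …`), inside `filterConfig` of the Nix file in this commit, so this file looks like an unreferenced earlier draft; either drop it or rewrite each match as `%{LOGDATE:logdate} … %{DOMAIN:domain} from %{CLIENTIP:clientip}` and add a `LOGDATE` definition to the patterns file. If it is kept, `patterns_dir => ["${./patterns}"]` is only substituted when this text is read into a Nix string — as a standalone config the literal `${./patterns}` is passed to Logstash — and `geoip { source => "IP" }` should be wrapped in `if [IP] { … }` as the Nix variant does, because the first match produces no `IP` field and geoip would otherwise tag those events `_geoip_lookup_failure`.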


@ -0,0 +1,15 @@
BLOCKLIST [\/\w\.]+
DOMAIN [\w\.\-]+
DNSID \d+
PORT \d+
DNSRESPONSE cached|reply|forwarded|query
# TODO: there are some strange responses for certain queries like <CNAME> or ...
IPORWORD %{IP}|[<>\.\/\w>]+
# TODO use public suffix list by mozilla
TLD [a-z]{2,63}
# matches CCSLD and TLD together (e.g. co.uk )
CCSLD_TLD [a-z]+\.uk
# actually after a CCTLD this would be the third level domain ...
PUBLIC_SUFFIX (xn--)?%{FUNCTIONAL_SLD}\.(%{CCSLD_TLD}|%{TLD})
FUNCTIONAL_SLD [a-z0-9-]{1,63}
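Review bot: `TLD`, `CCSLD_TLD` and `FUNCTIONAL_SLD` (and the `(xn--)?` prefix in `PUBLIC_SUFFIX`) match lowercase only, while `DOMAIN` (`[\w\.\-]+`) is case-insensitive, so a query name that dnsmasq logs with uppercase letters — presumably in whatever case the client sent it — is captured as `domain` but then fails the second grok in the Nix file's `filterConfig` (`%{PUBLIC_SUFFIX:dns_suffix}$`) and is tagged `_grokparsefailure` instead of receiving `dns_suffix`. The cleanest fix is to normalise before that grok in the Nix filter, `mutate { lowercase => [ "domain" ] }`, which also makes suffix aggregations in Kibana case-stable; alternatively widen the classes here to `[a-zA-Z]`. Separately, the class in `IPORWORD %{IP}|[<>\.\/\w>]+` lists `>` twice, which is harmless but reads as a typo, and the two TODOs deserve a note on which dnsmasq record types (`<CNAME>` etc.) currently fall into the word branch so the parse failures can be distinguished from genuine ones.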


@ -1,18 +1,29 @@
{pkgs, config, ...}: {pkgs, config, ...}:
with import <stockholm/lib>;
let let
es-port = 9200; es-port = 9200;
kibana-port = 5601; kibana-port = 5601;
primaryName = "log.${config.krebs.build.host.name}";
serverAliases = [ "${primaryName}.r" "${primaryName}.lan" ];
in { in {
services.nginx.virtualHosts.${primaryName} = {
inherit serverAliases;
locations."/" = {
proxyPass = "http://localhost:5601/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
services.elasticsearch = { services.elasticsearch = {
enable = true; enable = true;
listenAddress = "0.0.0.0";
port = es-port; port = es-port;
}; };
services.kibana = { services.kibana = {
enable = true; enable = true;
listenAddress = "0.0.0.0";
port = kibana-port; port = kibana-port;
}; };
@ -20,4 +31,110 @@ in {
iptables -A INPUT -i retiolum -p tcp --dport ${toString es-port} -j ACCEPT iptables -A INPUT -i retiolum -p tcp --dport ${toString es-port} -j ACCEPT
iptables -A INPUT -i retiolum -p tcp --dport ${toString kibana-port} -j ACCEPT iptables -A INPUT -i retiolum -p tcp --dport ${toString kibana-port} -j ACCEPT
''; '';
# send logs directly to elasticsearch
services.journalbeat = {
enable = true;
package = pkgs.journalbeat7;
extraConfig = ''
logging:
to_syslog: true
level: info
metrics.enabled: false
template.enabled: false
output.logstash:
hosts: [ "127.0.0.1:5044" ]
template.enabled: false
index: journalbeat
journalbeat.inputs:
- paths: []
seek: cursor
'';
};
services.logstash = {
enable = true;
# package = pkgs.logstash5;
# plugins = [ pkgs.logstash-contrib ];
inputConfig =
''
syslog {
timezone => "Etc/UTC"
}
beats {
port => 5044
}
'';
filterConfig =
''
# Assume Beats
if [syslog] {
mutate {
add_field => { "program" => "%{[syslog][identifier]}" }
}
}
'' +
''
if ![program] {
mutate {
add_field => { "program" => "unknown" }
}
}
'' +
''
if ([program] == "logstash") {
drop {}
}
'' +
''
if ( [program] == "dnsmasq") {
grok {
patterns_dir => ["${./patterns}"]
match => {
"message" => [
"^%{DNSID:dnsid} %{IP:client}/%{PORT} %{DNSRESPONSE:dnstype}\[[\w]+\] %{DOMAIN:domain} from %{IP}"
, "^%{DNSID:dnsid} %{IP:client}/%{PORT} %{DNSRESPONSE:dnstype} %{DOMAIN:domain} is %{IPORWORD:resolved_ip}"
, "^%{DNSID:dnsid} %{IP:client}/%{PORT} %{DNSRESPONSE:dnstype} %{DOMAIN:domain} to %{IP:upstream_dns}"
]
}
}
if [resolved_ip] {
geoip {
source => "resolved_ip"
}
}
mutate {
rename => { "host" => "syslog_host" }
}
# Target is to parse the the first and second significant part of the domain
grok {
patterns_dir => ["${./patterns}"]
match => { "domain" => [ "%{PUBLIC_SUFFIX:dns_suffix}$" ] }
}
if [client] {
mutate { copy => { "client" => "clientip" } }
dns {
reverse => [ "client"]
action => "replace"
hostsfile => [ "/etc/hosts" ]
hit_cache_ttl => 1600
failed_cache_ttl => 60
}
}
}
'' + ''
if ( [program] == "proftpd") {
kv {
field_split => " "
}
}
'';
outputConfig =
''
#stdout {
# codec => rubydebug
#}
elasticsearch { }
'';
};
} }
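Review bot: In the first hunk the new `services.nginx.virtualHosts.${primaryName}` proxies Kibana to any client that can reach nginx with no authentication and no TLS, and with Elasticsearch now bound to `listenAddress = "0.0.0.0"` (no security plugin is configured in this file) the `iptables` rules that admit only `retiolum` on the ES and Kibana ports are the sole barrier to reading or altering every host's journal; whether the INPUT chain defaults to DROP is outside this hunk. Add `basicAuth` (or an `allow`/`deny` block in `extraConfig`) to the vhost and, since nginx reaches Kibana over loopback, drop `listenAddress = "0.0.0.0"` from `services.kibana`, which nothing in this commit needs. `proxyPass = "http://localhost:5601/"` hard-codes the port that `kibana-port` already names two lines above the hunk — `proxyPass = "http://localhost:${toString kibana-port}/";`. In the second hunk the journalbeat `extraConfig` sets `template.enabled: false` twice (top level and under `output.logstash`), and the `syslog {}` input listens on the default 514 on all interfaces with no matching firewall rule visible, so its purpose and reachability should be documented in a comment next to it. The attribute set opened by `in {` in the first hunk continues through the second hunk to the end of the file.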