File Coverage

blib/lib/Search/ESsearcher/Templates/bf2b.pm

Criterion	Covered	Total	%
statement	8	12	66.6
branch			n/a
condition			n/a
subroutine	3	7	42.8
pod	0	4	0.0
total	11	23	47.8

line	stmt	sub	pod	time	code
1					package Search::ESsearcher::Templates::bf2b;
2
3	1	1		67997	use 5.006;
	1			11
4	1	1		6	use strict;
	1			2
	1			39
5	1	1		6	use warnings;
	1			2
	1			202
6
7					=head1 NAME
8
9					Search::ESsearcher::Templates::sfail2ban - Provicdes support for fail2ban logs sucked down via beats.
10
11					=head1 VERSION
12
13					Version 0.0.1
14
15					=cut
16
17					our $VERSION = '0.0.1';
18
19					=head1 LOGSTASH
20
21					This uses a logstash configuration like below.
22
23					input {
24					beats {
25					host => "10.10.10.10"
26					port => 5044
27					type => "beats"
28					}
29					}
30
31					filter {
32					if [fields][log] == "fail2ban" {
33					grok {
34					match => {
35					"message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_src}.%{WORD:src_action} \[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} \[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}"
36					}
37					}
38					geoip {
39					source => "clientip"
40					}
41					mutate {
42					convert => [ "[geoip][coordinates]", "float" ]
43					}
44					}
45					}
46
47					output {
48					if [type] == "beats" {
49					elasticsearch {
50					hosts => [ "127.0.0.1:9200" ]
51					}
52					}
53					}
54
55					For filebeats, it is assuming this sort of configuration.
56
57					- type: log
58					paths:
59					- /var/log/fail2ban.log
60					fields:
61					log: fail2ban
62
63					If you have type set different or are using a diffent field, you can change that via --field and --fieldv.
64
65					If you have fields.log set differently, you can set that via --field2 and --field2v.
66
67					=head1 Options
68
69					=head2 --host <host>
70
71					The machine beasts is running on feeding fail2ban info to logstash/ES.
72
73					=head2 --jail <jail>
74
75					The fail2ban jail name to query.
76
77					=head2 --country <country>
78
79					The 2 letter country code.
80
81					=head2 --region <state>
82
83					The state/province/etc to search for.
84
85					=head2 --postal <zipcode>
86
87					The postal code to search for.
88
89					=head2 --city <cide>
90
91					The city to search for.
92
93					=head2 --ip <ip>
94
95					The IP to search for.
96
97					=head2 --size <count>
98
99					The number of items to return.
100
101					=head2 --dgt <date>
102
103					Date greater than.
104
105					=head2 --dgte <date>
106
107					Date greater than or equal to.
108
109					=head2 --dlt <date>
110
111					Date less than.
112
113					=head2 --dlte <date>
114
115					Date less than or equal to.
116
117					=head2 --msg <message>
118
119					Messages to match.
120
121					=head2 --field <field>
122
123					The term field to use for matching them all.
124
125					=head2 --fieldv <fieldv>
126
127					The value of the term field to matching them all.
128
129					=head2 --field2 <field2>
130
131					The term field to use for what beats is setting.
132
133					=head2 --field2v <field2v>
134
135					The value to look for in the field beats is setting.
136
137					=head1 AND, OR, or NOT shortcut
138
139					, OR
140					+ AND
141					! NOT
142
143					A list seperated by any of those will be transformed
144
145					These may be used with program, facility, pid, or host.
146
147					example: --program postfix,spamd
148
149					results: postfix OR spamd
150
151					=head1 date
152
153					date
154
155					/^-/ appends "now" to it. So "-5m" becomes "now-5m".
156
157					/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
158					unix time value.
159
160					Any thing not matching maching any of the above will just be passed on.
161
162					=cut
163
164
165					sub search{
166	0	0	0		return '
167					[% USE JSON ( pretty => 1 ) %]
168					[% DEFAULT o.size = "50" %]
169					[% DEFAULT o.field = "type" %]
170					[% DEFAULT o.fieldv = "beats" %]
171					[% DEFAULT o.field2 = "fields.log" %]
172					[% DEFAULT o.field2v = "fail2ban" %]
173					{
174					"index": "logstash-*",
175					"body": {
176					"size": [% o.size.json %],
177					"query": {
178					"bool": {
179					"must": [
180					{
181					"term": { [% o.field.json %]: [% o.fieldv.json %] }
182					},
183					{
184					"term": { [% o.field2.json %]: [% o.field2v.json %] }
185					},
186					[% IF o.country %]
187					{"query_string": {
188					"default_field": "geoip.country_code2",
189					"query": [% aon( o.country ).json %]
190					}
191					},
192					[% END %]
193					[% IF o.region %]
194					{"query_string": {
195					"default_field": "geoip.region_code",
196					"query": [% aon( o.region ).json %]
197					}
198					},
199					[% END %]
200					[% IF o.city %]
201					{"query_string": {
202					"default_field": "geoip.city_name",
203					"query": [% aon( o.city ).json %]
204					}
205					},
206					[% END %]
207					[% IF o.postal %]
208					{"query_string": {
209					"default_field": "geoip.postal_code",
210					"query": [% aon( o.postal ).json %]
211					}
212					},
213					[% END %]
214					[% IF o.host %]
215					{"query_string": {
216					"default_field": "host",
217					"query": [% aon( o.host ).json %]
218					}
219					},
220					[% END %]
221					[% IF o.jail %]
222					{"query_string": {
223					"default_field": "service",
224					"query": [% aon( o.jail ).json %]
225					}
226					},
227					[% END %]
228					[% IF o.ip %]
229					{"query_string": {
230					"default_field": "clientip",
231					"query": [% aon( o.ip ).json %]
232					}
233					},
234					[% END %]
235					[% IF o.status %]
236					{"query_string": {
237					"default_field": "ban_status",
238					"query": [% aon( o.status ).json %]
239					}
240					},
241					[% END %]
242					[% IF o.msg %]
243					{"query_string": {
244					"default_field": "message",
245					"query": [% o.msg.json %]
246					}
247					},
248					[% END %]
249					[% IF o.dgt %]
250					{"range": {
251					"@timestamp": {
252					"gt": [% pd( o.dgt ).json %]
253					}
254					}
255					},
256					[% END %]
257					[% IF o.dgte %]
258					{"range": {
259					"@timestamp": {
260					"gte": [% pd( o.dgte ).json %]
261					}
262					}
263					},
264					[% END %]
265					[% IF o.dlt %]
266					{"range": {
267					"@timestamp": {
268					"lt": [% pd( o.dlt ).json %]
269					}
270					}
271					},
272					[% END %]
273					[% IF o.dlte %]
274					{"range": {
275					"@timestamp": {
276					"lte": [% pd( o.dlte ).json %]
277					}
278					}
279					},
280					[% END %]
281					]
282					}
283					},
284					"sort": [
285					{
286					"@timestamp": {"order" : "desc"}}
287					]
288					}
289					}
290					';
291					}
292
293					sub options{
294	0	0	0		return '
295					host=s
296					country=s
297					jail=s
298					region=s
299					postal=s
300					status=s
301					city=s
302					ip=s
303					msg=s
304					field=s
305					fieldv=s
306					field2=s
307					field2v=s
308					dgt=s
309					dgte=s
310					dlt=s
311					dlte=s
312					';
313					}
314
315					sub output{
316	0	0	0		return '[% c("cyan") %][% f.timestamp %] [% c("bright_blue") %][% f.host %] '.
317					'[% c("bright_green") %][% f.service %][% c("bright_magenta") %][[% c("bright_yellow") %]'.
318					'[% f.ban_status %][% c("bright_magenta") %]] [% c("white") %][% f.clientip %]';
319					}
320
321					sub help{
322	0	0	0		return '
323
324
325
326					--status <status> The status value of the message.
327					--host <log host> The system beats in question is running on.
328					--jail <jail> The fail2ban jail in question.
329					--ip <ip> The IP to search for.
330
331					--country <country> The 2 letter country code.
332					--region <state> The state/province/etc to search for.
333					--postal <zipcode> The postal code to search for.
334					--city <cide> The city to search for.
335
336					--dgt <date> Date greater than.
337					--dgte <date> Date greater than or equal to.
338					--dlt <date> Date less than.
339					--dlte <date> Date less than or equal to.
340
341					--msg <message> Messages to match.
342
343					--field <field> The term field to use for matching them all.
344					--field2 <field2> The term field to use for what beats is setting.
345					--fieldv <fieldv> The value of the term field to matching them all.
346					--field2v <field2v> The value to look for in the field beats is setting.
347
348
349					AND, OR, or NOT shortcut
350					, OR
351					+ AND
352					! NOT
353
354					A list seperated by any of those will be transformed
355
356					These may be used with host, country, jail, region, postal, city, and ip.
357
358					example: --country CN,RU
359
360
361
362					field and fieldv
363
364					The search template is written with the expectation that logstash is setting
365					"type" with a value of "syslog". If you are using like "tag" instead of "type"
366					or the like, this allows you to change the field and value.
367
368
369
370					date
371
372					/^-/ appends "now" to it. So "-5m" becomes "now-5m".
373
374					/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
375					unix time value.
376
377					Any thing not matching maching any of the above will just be passed on.
378					';
379
380
381					}