File Coverage

blib/lib/Search/ESsearcher/Templates/bf2b.pm

Criterion	Covered	Total	%
statement	8	12	66.6
branch			n/a
condition			n/a
subroutine	3	7	42.8
pod	0	4	0.0
total	11	23	47.8

line	stmt	sub	pod	time	code
1					package Search::ESsearcher::Templates::bf2b;
2
3	1	1		74881	use 5.006;
	1			15
4	1	1		6	use strict;
	1			2
	1			25
5	1	1		5	use warnings;
	1			2
	1			222
6
7					=head1 NAME
8
9					Search::ESsearcher::Templates::sfail2ban - Provicdes support for fail2ban logs sucked down via beats.
10
11					=head1 VERSION
12
13					Version 0.0.2
14
15					=cut
16
17					our $VERSION = '0.0.2';
18
19					=head1 LOGSTASH
20
21					This uses a logstash configuration like below.
22
23					input {
24					beats {
25					host => "10.10.10.10"
26					port => 5044
27					type => "beats"
28					}
29					}
30
31					filter {
32					if [fields][log] == "fail2ban" {
33					grok {
34					match => {
35					"message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_src}.%{WORD:src_action} \[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} \[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}"
36					}
37					}
38					geoip {
39					source => "clientip"
40					}
41					}
42					}
43
44					output {
45					if [type] == "beats" {
46					elasticsearch {
47					hosts => [ "127.0.0.1:9200" ]
48					}
49					}
50					}
51
52					For filebeats, it is assuming this sort of configuration.
53
54					- type: log
55					paths:
56					- /var/log/fail2ban.log
57					fields:
58					log: fail2ban
59
60					If you have type set different or are using a diffent field, you can change that via --field and --fieldv.
61
62					If you have fields.log set differently, you can set that via --field2 and --field2v.
63
64					=head1 Options
65
66					=head2 --host <host>
67
68					The machine beasts is running on feeding fail2ban info to logstash/ES.
69
70					=head2 --jail <jail>
71
72					The fail2ban jail name to query.
73
74					=head2 --country <country>
75
76					The 2 letter country code.
77
78					=head2 --region <state>
79
80					The state/province/etc to search for.
81
82					=head2 --postal <zipcode>
83
84					The postal code to search for.
85
86					=head2 --city <cide>
87
88					The city to search for.
89
90					=head2 --ip <ip>
91
92					The IP to search for.
93
94					=head2 --size <count>
95
96					The number of items to return.
97
98					=head2 --dgt <date>
99
100					Date greater than.
101
102					=head2 --dgte <date>
103
104					Date greater than or equal to.
105
106					=head2 --dlt <date>
107
108					Date less than.
109
110					=head2 --dlte <date>
111
112					Date less than or equal to.
113
114					=head2 --msg <message>
115
116					Messages to match.
117
118					=head2 --field <field>
119
120					The term field to use for matching them all.
121
122					=head2 --fieldv <fieldv>
123
124					The value of the term field to matching them all.
125
126					=head2 --field2 <field2>
127
128					The term field to use for what beats is setting.
129
130					=head2 --field2v <field2v>
131
132					The value to look for in the field beats is setting.
133
134					=head1 AND, OR, or NOT shortcut
135
136					, OR
137					+ AND
138					! NOT
139
140					A list seperated by any of those will be transformed
141
142					These may be used with program, facility, pid, or host.
143
144					example: --program postfix,spamd
145
146					results: postfix OR spamd
147
148					=head1 date
149
150					date
151
152					/^-/ appends "now" to it. So "-5m" becomes "now-5m".
153
154					/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
155					unix time value.
156
157					Any thing not matching maching any of the above will just be passed on.
158
159					=cut
160
161
162					sub search{
163	0	0	0		return '
164					[% USE JSON ( pretty => 1 ) %]
165					[% DEFAULT o.size = "50" %]
166					[% DEFAULT o.field = "type" %]
167					[% DEFAULT o.fieldv = "beats" %]
168					[% DEFAULT o.field2 = "fields.log" %]
169					[% DEFAULT o.field2v = "fail2ban" %]
170					{
171					"index": "logstash-*",
172					"body": {
173					"size": [% o.size.json %],
174					"query": {
175					"bool": {
176					"must": [
177					{
178					"term": { [% o.field.json %]: [% o.fieldv.json %] }
179					},
180					{
181					"term": { [% o.field2.json %]: [% o.field2v.json %] }
182					},
183					[% IF o.country %]
184					{"query_string": {
185					"default_field": "geoip.country_code2",
186					"query": [% aon( o.country ).json %]
187					}
188					},
189					[% END %]
190					[% IF o.region %]
191					{"query_string": {
192					"default_field": "geoip.region_code",
193					"query": [% aon( o.region ).json %]
194					}
195					},
196					[% END %]
197					[% IF o.city %]
198					{"query_string": {
199					"default_field": "geoip.city_name",
200					"query": [% aon( o.city ).json %]
201					}
202					},
203					[% END %]
204					[% IF o.postal %]
205					{"query_string": {
206					"default_field": "geoip.postal_code",
207					"query": [% aon( o.postal ).json %]
208					}
209					},
210					[% END %]
211					[% IF o.host %]
212					{"query_string": {
213					"default_field": "host",
214					"query": [% aon( o.host ).json %]
215					}
216					},
217					[% END %]
218					[% IF o.jail %]
219					{"query_string": {
220					"default_field": "service",
221					"query": [% aon( o.jail ).json %]
222					}
223					},
224					[% END %]
225					[% IF o.ip %]
226					{"query_string": {
227					"default_field": "clientip",
228					"query": [% aon( o.ip ).json %]
229					}
230					},
231					[% END %]
232					[% IF o.status %]
233					{"query_string": {
234					"default_field": "ban_status",
235					"query": [% aon( o.status ).json %]
236					}
237					},
238					[% END %]
239					[% IF o.msg %]
240					{"query_string": {
241					"default_field": "message",
242					"query": [% o.msg.json %]
243					}
244					},
245					[% END %]
246					[% IF o.dgt %]
247					{"range": {
248					"@timestamp": {
249					"gt": [% pd( o.dgt ).json %]
250					}
251					}
252					},
253					[% END %]
254					[% IF o.dgte %]
255					{"range": {
256					"@timestamp": {
257					"gte": [% pd( o.dgte ).json %]
258					}
259					}
260					},
261					[% END %]
262					[% IF o.dlt %]
263					{"range": {
264					"@timestamp": {
265					"lt": [% pd( o.dlt ).json %]
266					}
267					}
268					},
269					[% END %]
270					[% IF o.dlte %]
271					{"range": {
272					"@timestamp": {
273					"lte": [% pd( o.dlte ).json %]
274					}
275					}
276					},
277					[% END %]
278					]
279					}
280					},
281					"sort": [
282					{
283					"@timestamp": {"order" : "desc"}}
284					]
285					}
286					}
287					';
288					}
289
290					sub options{
291	0	0	0		return '
292					host=s
293					country=s
294					jail=s
295					region=s
296					postal=s
297					status=s
298					city=s
299					ip=s
300					msg=s
301					field=s
302					fieldv=s
303					field2=s
304					field2v=s
305					dgt=s
306					dgte=s
307					dlt=s
308					dlte=s
309					';
310					}
311
312					sub output{
313	0	0	0		return '[% c("cyan") %][% f.timestamp %] [% c("bright_blue") %][% f.host %] '.
314					'[% c("bright_green") %][% f.service %][% c("bright_magenta") %][[% c("bright_yellow") %]'.
315					'[% f.ban_status %][% c("bright_magenta") %]] [% c("white") %][% f.clientip %]';
316					}
317
318					sub help{
319	0	0	0		return '
320
321
322
323					--status <status> The status value of the message.
324					--host <log host> The system beats in question is running on.
325					--jail <jail> The fail2ban jail in question.
326					--ip <ip> The IP to search for.
327
328					--country <country> The 2 letter country code.
329					--region <state> The state/province/etc to search for.
330					--postal <zipcode> The postal code to search for.
331					--city <cide> The city to search for.
332
333					--dgt <date> Date greater than.
334					--dgte <date> Date greater than or equal to.
335					--dlt <date> Date less than.
336					--dlte <date> Date less than or equal to.
337
338					--msg <message> Messages to match.
339
340					--field <field> The term field to use for matching them all.
341					--field2 <field2> The term field to use for what beats is setting.
342					--fieldv <fieldv> The value of the term field to matching them all.
343					--field2v <field2v> The value to look for in the field beats is setting.
344
345
346					AND, OR, or NOT shortcut
347					, OR
348					+ AND
349					! NOT
350
351					A list seperated by any of those will be transformed
352
353					These may be used with host, country, jail, region, postal, city, and ip.
354
355					example: --country CN,RU
356
357
358
359					field and fieldv
360
361					The search template is written with the expectation that logstash is setting
362					"type" with a value of "syslog". If you are using like "tag" instead of "type"
363					or the like, this allows you to change the field and value.
364
365
366
367					date
368
369					/^-/ appends "now" to it. So "-5m" becomes "now-5m".
370
371					/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a
372					unix time value.
373
374					Any thing not matching maching any of the above will just be passed on.
375					';
376
377
378					}