filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
description: "Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource"
name: crowdsecurity/http-logs
pattern_syntax:
  DIR: "^.*/"
  FILE: "[^/].*?"
  EXT: "\\.[^.]*$|$"
nodes:
  - statics:
     - parsed: "impact_completion"
       # the value of a field can as well be determined as the result of an expression
       expression: "evt.Meta.http_status in ['404', '403', '502'] ? 'false' : 'true'"
     - target: evt.Parsed.static_ressource
       value: 'false'
  # let's split the path?query if possible
  - grok:
      pattern: "^%{GREEDYDATA:request}\\?%{GREEDYDATA:http_args}$"
      apply_on: request
  # this is another node, with its own pattern_syntax
  - #debug: true
    grok:
      pattern: "%{DIR:file_dir}(%{FILE:file_frag}%{EXT:file_ext})?"
      apply_on: request
      statics:
        - meta: http_path
          expression: "evt.Parsed.http_path"
          # meta af
        - meta: http_args_len
          expression: "len(evt.Parsed.http_args)"
        - parsed: file_name
          expression: evt.Parsed.file_frag + evt.Parsed.file_ext
        - parsed: static_ressource
          expression: "Upper(evt.Parsed.file_ext) in ['.JPG', '.CSS', '.JS', '.JPEG', '.PNG', '.SVG', '.MAP', '.ICO', '.OTF', '.GIF', '.MP3', '.MP4', '.WOFF', '.WOFF2', '.TTF', '.OTF', '.EOT', '.WEBP', '.WAV', '.GZ', '.BROTLI', '.BVR', '.TS', '.BMP', '.AVIF'] ? 'true' : 'false'"