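---
# CrowdSec parser for HTTP access/error events that an upstream service parser
# has already tagged with evt.Meta.service == 'http'. It enriches the event
# with the request path, query string, file name/extension and a
# static-resource flag, and derives impact_completion from the status code.
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
description: "Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource"
name: crowdsecurity/http-logs

# Named sub-patterns referenced by the grok of the last node.
pattern_syntax:
  # Everything up to and including the last '/' (the '.*' is greedy).
  DIR: "^.*/"
  # A non-'/' character followed by as little as possible (lazy '.*?').
  FILE: "[^/].*?"
  # A trailing '.ext' (no further dot), or the empty string at end of input
  # when the file has no extension. YAML "\\." yields the regex '\.'.
  EXT: "\\.[^.]*$|$"

nodes:
  # Unconditional statics: this node has no filter or grok, so these fields
  # are set regardless of whether the groks below match.
  - statics:
      - parsed: "impact_completion"
        # the value of a field can as well be determined as the result of an expression:
        # 'false' when the status is 404, 403 or 502, 'true' otherwise.
        expression: "evt.Meta.http_status in ['404', '403', '502'] ? 'false' : 'true'"
      # Default to the string 'false'; the extension check in the last node
      # overwrites it with 'true' for known static file types.
      - target: evt.Parsed.static_ressource
        value: 'false'

  # let's split the path?query if possible
  # GREEDYDATA is greedy, so the split happens at the last '?' in request;
  # request is overwritten with the path part and http_args gets the query.
  # Without a '?' the pattern does not match and request is left untouched.
  - grok:
      pattern: "^%{GREEDYDATA:request}\\?%{GREEDYDATA:http_args}$"
      apply_on: request

  # this is another node; DIR/FILE/EXT come from the top-level pattern_syntax
  # above. The whole (FILE EXT) group is optional, so a request ending in '/'
  # still matches with an empty file_frag/file_ext.
  # debug: true
  - grok:
      pattern: "%{DIR:file_dir}(%{FILE:file_frag}%{EXT:file_ext})?"
      apply_on: request
    statics:
      # NOTE(review): evt.Parsed.http_path is not set anywhere in this file;
      # presumably populated by the upstream service parser — confirm.
      - meta: http_path
        expression: "evt.Parsed.http_path"
      # meta af
      # Length of the query string extracted by the previous node.
      - meta: http_args_len
        expression: "len(evt.Parsed.http_args)"
      # Reassemble the file name from the grok captures above.
      - parsed: file_name
        expression: "evt.Parsed.file_frag + evt.Parsed.file_ext"
      # Case-insensitive allow-list of static asset extensions -> 'true'/'false'
      # (strings, matching the default set in the first node).
      # The duplicated '.OTF' entry of the original list has been removed.
      - parsed: static_ressource
        expression: "Upper(evt.Parsed.file_ext) in ['.JPG', '.CSS', '.JS', '.JPEG', '.PNG', '.SVG', '.MAP', '.ICO', '.OTF', '.GIF', '.MP3', '.MP4', '.WOFF', '.WOFF2', '.TTF', '.EOT', '.WEBP', '.WAV', '.GZ', '.BROTLI', '.BVR', '.TS', '.BMP', '.AVIF'] ? 'true' : 'false'"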