-
Notifications
You must be signed in to change notification settings - Fork 4.9k
/
Copy pathinput.yml
87 lines (80 loc) · 2.22 KB
/
input.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
{{ if eq .input "file" }}
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
{{ else }}
type: {{.input}}
host: "{{.syslog_host}}:{{.syslog_port}}"
{{ end }}
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
fields_under_root: true
fields:
observer:
vendor: "Squid"
product: "Proxy"
type: "Proxies"
processors:
- script:
lang: javascript
params:
ecs: true
rsa: {{.rsa_fields}}
tz_offset: {{.tz_offset}}
keep_raw: {{.keep_raw_fields}}
debug: {{.debug}}
files:
- ${path.home}/module/squid/log/config/liblogparser.js
- ${path.home}/module/squid/log/config/pipeline.js
{{ if .community_id }}
- community_id: ~
{{ end }}
- registered_domain:
ignore_missing: true
ignore_failure: true
field: dns.question.name
target_field: dns.question.registered_domain
target_subdomain_field: dns.question.subdomain
target_etld_field: dns.question.top_level_domain
- registered_domain:
ignore_missing: true
ignore_failure: true
field: client.domain
target_field: client.registered_domain
target_subdomain_field: client.subdomain
target_etld_field: client.top_level_domain
- registered_domain:
ignore_missing: true
ignore_failure: true
field: server.domain
target_field: server.registered_domain
target_subdomain_field: server.subdomain
target_etld_field: server.top_level_domain
- registered_domain:
ignore_missing: true
ignore_failure: true
field: destination.domain
target_field: destination.registered_domain
target_subdomain_field: destination.subdomain
target_etld_field: destination.top_level_domain
- registered_domain:
ignore_missing: true
ignore_failure: true
field: source.domain
target_field: source.registered_domain
target_subdomain_field: source.subdomain
target_etld_field: source.top_level_domain
- registered_domain:
ignore_missing: true
ignore_failure: true
field: url.domain
target_field: url.registered_domain
target_subdomain_field: url.subdomain
target_etld_field: url.top_level_domain
- add_fields:
target: ''
fields:
ecs.version: 1.12.0