Aerospike Security Grok patterns
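# Aerospike Security GROK Patterns Extensions - author asaf.levy (@asaf400 github)
# Meant to extend the existing patterns: https://github.com/aerospike/aerospike-elk/blob/master/logstash/patterns/aerospike
# %{AS_HEADER} is expected from that upstream file, and %{SPACE}, %{WORD}, %{DATA},
# %{GREEDYDATA}, %{IPORHOST}, %{POSINT} and %{USERNAME} from the Logstash core pattern
# set; nothing in this file defines them.
# These patterns can then be loaded within the match stanza of the 'aerospike_logstash.conf' file:
# grok {
#   tag_on_failure => ["patterns_filter_failure"]
#   patterns_dir => ["/etc/logstash/conf.d/patterns"]
#   match => {
#     "message" => ["%{AS_NS}","%{AS_TICK}","%{AS_NSUP}","%{AS_XDR}","%{AS_SINDEX}","%{AS_ERR}","%{AS_SEC}","%{AS_LOG}"]
#   }
# }
#
# Fields captured by a successful %{AS_SEC} match (each one is optional depending on
# the branch taken): login, state, client, client_host, client_port, authenticated_user,
# action, namespace, set, digest, user, detail.

# Entry point referenced from the logstash match list above.
AS_SEC %{AS_SECURITY_BASE}
# A security line is the common header followed by either a delimited audit record
# (AS_SECURITY_TEMPLATE) or a bare "login - ..." record (AS_SECURITY_LOGIN).
AS_SECURITY_BASE %{AS_HEADER}(?:%{AS_SECURITY_TEMPLATE}|%{AS_SECURITY_LOGIN})
AS_SECURITY_LOGIN login - %{GREEDYDATA:login}
# Audit-record segments are separated by " | ". The delimiter that follows the client
# segment is optional because the client segment itself is optional (AS_SECURITY_CLIENT).
AS_SECURITY_DELIMITER (%{SPACE}\|%{SPACE})
AS_SECURITY_DELIMITER_OPT (%{SPACE}\|%{SPACE})?
# Segment order: state | [client] | authenticated user | action | detail
AS_SECURITY_TEMPLATE %{AS_SECURITY_SEGMENT:state}%{AS_SECURITY_DELIMITER}%{AS_SECURITY_CLIENT}%{AS_SECURITY_DELIMITER_OPT}%{AS_SECURITY_AUTHUSER}%{AS_SECURITY_DELIMITER}%{AS_SECURITY_ACTION}%{AS_SECURITY_DELIMITER}%{AS_SECURITY_DETAIL}
AS_SECURITY_ACTION action:%{SPACE}%{WORD:action}
# Not referenced by any pattern in this file; kept for external users of the pattern set.
AS_SECURITY_WORD (?:[a-zA-Z0-9_.]+)
# Free-form segment consumed lazily up to whatever follows it. Written as a plain %{DATA}:
# the earlier form (?:%{DATA}+) nested a quantifier around .*?, which lets the regex engine
# backtrack super-linearly on log lines that do NOT match (a log-driven slowdown or
# denial of service of the Logstash pipeline, triggerable by anything that can write to
# the security log). The set of strings matched is unchanged; re-check captured values
# against sample lines when deploying.
AS_SECURITY_SEGMENT %{DATA}
# "client: host[:port]" — the whole segment is optional; the port is optional within it.
AS_SECURITY_CLIENT (client:%{SPACE}%{AS_SECURITY_CLIENT_HOSTPORT:client})?
AS_SECURITY_CLIENT_HOSTPORT %{AS_SECURITY_CLIENT_HOST}%{AS_SECURITY_CLIENT_PORT}
AS_SECURITY_CLIENT_HOST %{IPORHOST:client_host}
AS_SECURITY_CLIENT_PORT (?::%{POSINT:client_port})?
# Prefers a well-formed USERNAME; falls back to free text (possibly empty) in the same field.
AS_SECURITY_AUTHUSER authenticated user:%{SPACE}(?:%{USERNAME:authenticated_user}|%{DATA:authenticated_user}?)
# "detail:" is one of: a data operation on {namespace|set} with a record digest,
# a user-management record ("user=..."), or anything else captured verbatim as detail.
AS_SECURITY_DETAIL detail:%{SPACE}(?:%{AS_SECURITY_DETAIL_DATA_OP}|%{AS_SECURITY_DETAIL_USER}|%{AS_SECURITY_DETAIL_OTHER})
AS_SECURITY_DETAIL_DATA_OP (?:[{]%{WORD:namespace}\|%{WORD:set}[}])%{AS_SECURITY_DETAIL_DATA_OP_DIGEST}
# The leading segment absorbs whatever sits between "}" and the "D|<digest>]" marker.
AS_SECURITY_DETAIL_DATA_OP_DIGEST (?:%{AS_SECURITY_SEGMENT}D\|%{WORD:digest}\])
AS_SECURITY_DETAIL_USER user=(?:%{USERNAME:user})
AS_SECURITY_DETAIL_OTHER (?:%{GREEDYDATA:detail})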