
nsyslog


Modular new-generation log agent. Reads, transforms, aggregates, correlates and sends logs from sources to destinations.

{ "config" : { "datadir" : "/tmp/nsyslog", "input" : {"buffer" : 100} }, "inputs" : { "lines" : { "type" : "static", "config" : { "loop" : false, "lines" : [ "<188>0 2019-11-13T01:03:54+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 45.227.254.30:59674(aggregate1.21) to 79.170.8.238:135(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 45.227.254.30, category: Scanner, reputation score 100, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:03:56+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 185.173.35.41:63867(aggregate1.21) to 79.170.8.139:1521(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 185.173.35.41, category: Scanner, reputation score 68, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:03:57+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 107.189.11.160:54320(aggregate1.21) to 79.170.8.248:23(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 107.189.11.160, category: Scanner/Brute-Forcer, reputation score 84, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:03:58+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 93.174.95.106:25932(aggregate1.21) to 79.170.8.35:49(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: High, detected low reputation ip: 93.174.95.106, category: Bot, reputation score 68, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:03:58+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 
119.147.144.22:46831(aggregate1.21) to 79.170.8.234:445(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 119.147.144.22, category: Scanner, reputation score 68, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:03:59+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 77.73.48.14:57594(aggregate1.21) to 79.170.8.163:1433(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 77.73.48.14, category: Scanner, reputation score 84, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:03:59+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 185.94.111.1:52385(aggregate1.21) to 79.170.8.66:161(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/UDP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 185.94.111.1, category: Scanner/DDos-Attacker, reputation score 92, hit-count: 1(in the last 6 seconds)", "<188>0 2019-11-13T01:03:59+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 185.209.0.18:56942(aggregate1.21) to 79.170.8.13:4323(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 185.209.0.18, category: Scanner, reputation score 55, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:03:59+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 185.173.35.53:50013(aggregate1.21) to 79.170.8.237:1434(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/UDP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 185.173.35.53, category: Scanner, reputation score 68, hit-count: 
1(in the last 6 seconds)", "<188>0 2019-11-13T01:04:00+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 89.248.169.17:36669(aggregate1.21) to 79.170.8.176:9000(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 89.248.169.17, category: Scanner/Brute-Forcer, reputation score 68, hit-count: 6(in the last 11 seconds)", "<188>0 2019-11-13T01:04:01+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 111.93.214.78:56731(aggregate1.21) to 79.170.8.57:445(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 111.93.214.78, category: Scanner, reputation score 68, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:04:02+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 186.42.182.40:47004(aggregate1.21) to 79.170.8.46:1433(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 186.42.182.40, category: Scanner, reputation score 68, hit-count: 1(in the last 5 seconds)", "<188>0 2019-11-13T01:04:02+01:00 172.26.200.6 2812027172003338(root) - - - 46809403 Threat@FLOW: From 37.49.230.18:51308(aggregate1.21) to 79.170.8.57:80(-), threat name: Blacklist-IP, threat type: Attack, threat subtype: Risk IP, App/Protocol: IPv4/TCP, action: DROP, defender: PTF, severity: Low, detected low reputation ip: 37.49.230.18, category: Scanner, reputation score 68, hit-count: 1(in the last 5 seconds)" ] } } }, "processors" : { "syslog" : { "type" : "syslogparser", "config" : {} }, "parser" : { "type" : "transform", "config" : { "input" : "${syslog}", "output" : "out", "pipeline" : [ {"$addFields" : {"idx" : {"$indexOfBytes":["$message",","]}}}, { "$addFields" : { 
"head" : {"$trim": {"input" : {"$substr" : ["$message",0,"$idx"]}}}, "content" : {"$trim" : {"input" : {"$substr" : ["$message",{"$add":[1,"$idx"]},-1]}} } } }, { "$addFields" : { "csv" : { "$keyval" : { "$map" : { "input" : {"$split" : ["$content",", "]}, "as" : "row", "in" : {"$split" : ["$$row",": "]} } } } } } ] } } }, "transporters" : { "console" : { "type" : "console", "config" : { "format" : { "syslog" : "${syslog}", "props" : "${out.csv}" }, "json" : { "format" : true, "spaces" : 2, "color" : true } } }, "null" : { "type" : "null" } }, "flows" : [ {"id":"flow1", "from":"lines", "fork":false, "processors":["syslog","parser"], "transporters":"console"} ] }