Feedback

2014-04-14 09:23:36 -07:00 · 2014-04-14 09:23:36 -07:00 · 6698c89e16
--- a/examples/heka-apache/heka.toml
+++ b/examples/heka-apache/heka.toml
@ -1,24 +1,19 @@
 [syslog]
 type="LogstreamerInput"
-log_directory="/var/log/syslog/systems/web/"
+log_directory="/var/log/syslog/systems/web"
 file_match='(?P<Year>\d+)-(?P<Month>\d+)-(?P<Day>\d+).log'
 priority = ["Year", "Month", "Day"]
 oldest_duration="2h"

 [apache_transform_decoder]
-type = "PayloadRegexDecoder"
-match_regex = '^.*?[(?P<Timestamp>[^\]]+)\] "(?P<Method>[A-Z]+) (?P<Url>[^\s]+)[^"]*" (?P<StatusCode>\d+) (?P<RequestSize>\d+) "(?P<Referer>[^"]*)" "(?P<Browser>[^"]*)"'
-timestamp_layout = "02/Jan/2006:15:04:05 -0700"
+type = "SandboxDecoder"
+script_type = "lua"
+filename = "lua_decoders/apache_access.lua"

-[apache_transform_decoder.message_fields]
-Type = "ApacheLogfile"
-Logger = "apache"
-Url|uri = "%Url%"
-Method = "%Method%"
-Status = "%StatusCode%"
-RequestSize|B = "%RequestSize%"
-Referer = "%Referer%"
-Browser = "%Browser%"
+[apache_transform_decoder.config]
+log_format = '%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"'
+# type = "ApacheLogfile" # this should be something more specific incase multiple services are being aggregated upstream
+user_agent_transform = true

 # Start commenting here if you don't want any stdout
 [stdout]
@ -28,7 +23,7 @@ payload_only = true
 # Finish commenting here

 [ElasticSearchOutput]
-message_matcher = "Type!='heka.all-report'"
+message_matcher = 'Type !~ /^heka\./'
 cluster = "mozdefqa"
 index = "events"
 type_name = "event"
--- a/examples/heka-lua-bro-intel/brointel.lua
+++ b/examples/heka-lua-bro-intel/brointel.lua
@ -3,7 +3,7 @@ require "string"
 -- Some magic for parsing tab-separated logs
 local sep = lpeg.P"\t"
 local elem = lpeg.C((1-sep)^0)
-grammar = lpeg.Ct(elem * (sep * elem)^0) -- split on tabs, return as table
+local grammar = -lpeg.P"#" * lpeg.Ct(elem * (sep * elem)^0) -- ignore comment, split on tabs, return as table

 local msg = {
    Type = "bronotice_log",
@ -30,27 +30,22 @@ local msg = {
 function process_message()
    local log = read_message("Payload")

-    -- Don't take comments
-    if string.sub(log, 1, 1) ~= "#" then
-        local matches = grammar:match(log)
-        if not matches then return -1 end
+    local matches = grammar:match(log)
+    if not matches then return -1 end

-        -- populating our fields
-        msg.Fields['details.ts'] = matches[1]
-        msg.Fields['details.uid'] = matches[2]
-        msg.Fields['details.sourceipaddress'] = matches[3]
-        msg.Fields['details.sourceport'] = matches[4]
-        msg.Fields['details.destinationipaddress'] = matches[5]
-        msg.Fields['details.destinationport'] = matches[6]
-        msg.Fields['details.proto'] = matches[10]
-        msg.Fields['details.note'] = matches[11]
-        msg.Fields['details.msg'] = matches[12]
-        msg.Fields['details.sub'] = matches[13]
-        -- Our summary is the concatenation of other fields
-        msg.Fields['summary'] = msg.Fields['details.note'] .. " " .. msg.Fields['details.msg'] .. " " .. msg.Fields['details.sub']
-        inject_message(msg)
-        return 0
-    else
-        return -1 -- do not send bro comments
-    end
+    -- populating our fields
+    msg.Fields['details.ts'] = matches[1]
+    msg.Fields['details.uid'] = matches[2]
+    msg.Fields['details.sourceipaddress'] = matches[3]
+    msg.Fields['details.sourceport'] = matches[4]
+    msg.Fields['details.destinationipaddress'] = matches[5]
+    msg.Fields['details.destinationport'] = matches[6]
+    msg.Fields['details.proto'] = matches[10]
+    msg.Fields['details.note'] = matches[11]
+    msg.Fields['details.msg'] = matches[12]
+    msg.Fields['details.sub'] = matches[13]
+    -- Our summary is the concatenation of other fields
+    msg.Fields['summary'] = string.format("%s %s %s", msg.Fields['details.note'], msg.Fields['details.msg'], msg.Fields['details.sub'])
+    inject_message(msg)
+    return 0
 end
--- a/examples/heka-lua-bro-intel/heka.toml
+++ b/examples/heka-lua-bro-intel/heka.toml
@ -17,7 +17,7 @@ message_matcher = "FALSE"
 # Finish commenting here

 [ElasticSearchOutput]
-message_matcher = "Type!='heka.all-report'"
+message_matcher = 'Type !~ /^heka\./'
 cluster = "mozdefqa"
 index = "events"
 type_name = "event"
--- a/examples/heka-lua-bro-notice/bronotice.lua
+++ b/examples/heka-lua-bro-notice/bronotice.lua
@ -3,7 +3,7 @@ require "string"
 -- Some magic for parsing tab-separated logs
 local sep = lpeg.P"\t"
 local elem = lpeg.C((1-sep)^0)
-grammar = lpeg.Ct(elem * (sep * elem)^0) -- split on tabs, return as table
+local grammar = -lpeg.P"#" * lpeg.Ct(elem * (sep * elem)^0) -- ignore comment, split on tabs, return as table

 local msg = {
    Type = "bronotice_log",
@ -30,27 +30,22 @@ local msg = {
 function process_message()
    local log = read_message("Payload")

-    -- Don't take comments
-    if string.sub(log, 1, 1) ~= "#" then
-        local matches = grammar:match(log)
-        if not matches then return -1 end
+    local matches = grammar:match(log)
+    if not matches then return -1 end

-        -- populating our fields
-        msg.Fields['details.ts'] = matches[1]
-        msg.Fields['details.uid'] = matches[2]
-        msg.Fields['details.sourceipaddress'] = matches[3]
-        msg.Fields['details.sourceport'] = matches[4]
-        msg.Fields['details.destinationipaddress'] = matches[5]
-        msg.Fields['details.destinationport'] = matches[6]
-        msg.Fields['details.proto'] = matches[10]
-        msg.Fields['details.note'] = matches[11]
-        msg.Fields['details.msg'] = matches[12]
-        msg.Fields['details.sub'] = matches[13]
-        -- Our summary is the concatenation of other fields
-        msg.Fields['summary'] = msg.Fields['details.note'] .. " " .. msg.Fields['details.msg'] .. " " .. msg.Fields['details.sub']
-        inject_message(msg)
-        return 0
-    else
-        return -1 -- do not send bro comments
-    end
+    -- populating our fields
+    msg.Fields['details.ts'] = matches[1]
+    msg.Fields['details.uid'] = matches[2]
+    msg.Fields['details.sourceipaddress'] = matches[3]
+    msg.Fields['details.sourceport'] = matches[4]
+    msg.Fields['details.destinationipaddress'] = matches[5]
+    msg.Fields['details.destinationport'] = matches[6]
+    msg.Fields['details.proto'] = matches[10]
+    msg.Fields['details.note'] = matches[11]
+    msg.Fields['details.msg'] = matches[12]
+    msg.Fields['details.sub'] = matches[13]
+    -- Our summary is the concatenation of other fields
+    msg.Fields['summary'] = string.format("%s %s %s", msg.Fields['details.note'], msg.Fields['details.msg'], msg.Fields['details.sub'])
+    inject_message(msg)
+    return 0
 end
--- a/examples/heka-lua-bro-notice/heka.toml
+++ b/examples/heka-lua-bro-notice/heka.toml
@ -17,7 +17,7 @@ message_matcher = "FALSE"
 # Finish commenting here

 [ElasticSearchOutput]
-message_matcher = "Type!='heka.all-report'"
+message_matcher = 'Type !~ /^heka\./'
 cluster = "mozdefqa"
 index = "events"
 type_name = "event"