# SOF-ELK® Configuration File
# (C)2023 Lewes Technology Consulting, LLC
#
# This file parses timestamp+KV Kubernetes logs
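filter {
  if [type] == "kubernetes" {
    if ( "k8s_json" in [tags] ) {
      # Structured (JSON) Kubernetes audit events: take the event time from
      # requestReceivedTimestamp. A parse failure keeps the date filter's
      # default _dateparsefailure tag, so unparsed events stay visible.
      date {
        match => [ "[k8s][requestReceivedTimestamp]", "ISO8601" ]
      }
      # Promote the audit fields that have a common SOF-ELK name to the root.
      # mutate applies rename before uppercase, so "method" already exists
      # when it is uppercased.
      # NOTE(review): sourceIPs may be a list rather than a single string in
      # audit events; if so, source_ip is a list too — confirm the mapping.
      mutate {
        rename => {
          "[k8s][sourceIPs]" => "source_ip"
          "[k8s][verb]" => "method"
          "[k8s][requestURI]" => "request"
          "[k8s][userAgent]" => "useragent"
          "[k8s][responseStatus][code]" => "response_code"
        }
        uppercase => [ "method" ]
      }
    } else {
      # Key/value style logs: pull client IP and optional port apart.
      # The address may be wrapped in [] (IPv6 form); the port is optional.
      # NOTE(review): the pattern is unanchored — confirm [k8s][client] only
      # ever holds host[:port] before tightening it.
      if [k8s][client] {
        grok {
          patterns_dir => [ "/usr/local/sof-elk/grok-patterns" ]
          match => {
            "[k8s][client]" => [ "\[?%{IP:client_ip}\]?(?::%{INT:client_port})?" ]
          }
        }
      }
      # Rename remaining desired subfields from the k8s[] array to the root.
      # Anything not renamed stays in k8s.*, so this is mainly helpful for
      # fields that are common across data types.
      mutate {
        rename => {
          "[k8s][accesskeyid]" => "accesskeyid"
          "[k8s][accountid]" => "accountid"
          "[k8s][arn]" => "arn"
          "[k8s][userid]" => "userid"
          "[k8s][username]" => "username"
        }
      }
      # Split "groups" into an array if it exists; an empty "[]" is dropped
      # instead. The value being tested lives under [k8s], so it must be
      # removed there — removing only a root-level "groups" left the empty
      # "[]" in place. The root-level name is retained in case an earlier
      # stage copies the field to the root — TODO confirm and drop if not.
      if [k8s][groups] == "[]" {
        mutate {
          remove_field => [ "[k8s][groups]", "groups" ]
        }
      } else if [k8s][groups] {
        # gsub runs before split within a single mutate, so the surrounding
        # brackets are stripped before the space-separated list is split.
        mutate {
          gsub => [ "[k8s][groups]", "[\[\]]", "" ]
          split => { "[k8s][groups]" => " " }
        }
      }
      # # remove the raw[] array and anything left in it
      # mutate {
      #   remove_field => [ "raw" ]
      # }
    }
  }
}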