diff --git a/etc/filebeat/filebeat.yml b/etc/filebeat/filebeat.yml
index da0be9f..588f224 100644
--- a/etc/filebeat/filebeat.yml
+++ b/etc/filebeat/filebeat.yml
@@ -13,6 +13,7 @@ output.elasticsearch:
   username: "admin"
   password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"
   protocol: "https"
+  pipeline: "filebeat_opengnsys_pipeline"
   ssl.enabled: true
   ssl.verification_mode: full
   ssl.certificate: "/etc/filebeat/ogagent-fb.${SUBDOMAIN}.crt.pem"
diff --git a/etc/opensearch/pipelines.json b/etc/opensearch/pipelines.json
index 9060c22..2e241ed 100644
--- a/etc/opensearch/pipelines.json
+++ b/etc/opensearch/pipelines.json
@@ -590,6 +590,55 @@
         }
       ]
     },
+    "filebeat_opengnsys_pipeline": {
+      "description": "Parsea logs JSON de opengnsys y extrae loggedin/loggedout con sus datos",
+      "processors": [
+        {
+          "json": {
+            "field": "message",
+            "target_field": "parsed_json",
+            "ignore_failure": true
+          }
+        },
+        {
+          "set": {
+            "field": "parsed_json.host",
+            "value": "{{host.hostname}}",
+            "ignore_empty_value": true
+          }
+        },
+        {
+          "set": {
+            "field": "parsed_json.agent",
+            "value": "{{agent.name}}",
+            "ignore_empty_value": true
+          }
+        },
+        {
+          "set": {
+            "field": "parsed_json.ip",
+            "value": "{{host.ip.0}}",
+            "ignore_empty_value": true
+          }
+        },
+        {
+          "grok": {
+            "field": "parsed_json.message",
+            "patterns": [
+              "Requesting using POST %{URIPROTO}://%{IPORHOST}:%{NUMBER}/opengnsys/rest/ogagent/%{WORD:parsed_json.ogagent_action}, data: %{GREEDYDATA:parsed_json.ogagent_data}"
+            ],
+            "ignore_failure": true
+          }
+        },
+        {
+          "json": {
+            "field": "parsed_json.ogagent_data",
+            "target_field": "parsed_json.ogagent_parsed",
+            "ignore_failure": true
+          }
+        }
+      ]
+    },
     "copy-message-pipeline" : {
       "description" : "Pipeline que copia el campo message a message_raw",
       "processors" : [
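Review bot: The new `pipeline:` key ties every index request from this output to an ingest pipeline that, as far as this hunk shows, is only defined in `etc/opensearch/pipelines.json`; if that file is registered after Filebeat starts shipping (or the registration fails), OpenSearch rejects the bulk requests for the missing pipeline and events accumulate in the registry until it exists. That ordering dependency is not visible from the YAML, so a comment next to the key would help the next operator, e.g. `# ingest pipeline id; must already be registered from etc/opensearch/pipelines.json`. The surrounding `output.elasticsearch:` block begins before this hunk.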
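Review bot: The first `json` processor on `message` is allowed to fail silently, but the three `set` processors and the `grok` step that follow run unconditionally, so an event whose `message` is not JSON still ends up with a `parsed_json` object that holds only host/agent/ip and is indistinguishable downstream from a successfully parsed one. Adding `"if": "ctx.parsed_json != null"` to each of those later processors keeps the object's meaning stable, and on the `grok` step `"ignore_missing": true` is the narrower flag for the absent-field case, leaving `ignore_failure` to cover only genuine non-matches. The final `json` step also expands whatever keys the agent-supplied POST body contains into `parsed_json.ogagent_parsed`, so with dynamic mapping an unexpected payload can introduce new fields or type conflicts in the index; if an index template exists, mapping that subobject as non-dynamic is worth considering, though that lives outside this file. Stylistically the new entry writes `"description":` while the neighbouring `copy-message-pipeline` writes `"description" :`; matching the existing spacing keeps the file uniform.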