markuskont · January 19, 2018 14:10
diff --git a/150-syslog-ng-share.conf b/150-syslog-ng-share.conf
 filter f_local_sshd_login_coop { program("sshd") or program("systemd-logind") };
 filter f_local_apache_coop { program("apache") };
 filter f_local_daemon_coop { facility(3) and not program("named") };
 filter f_local_kernel_coop { facility(0) };
 filter f_local_coop { filter(f_local_sshd_login_coop) or filter(f_local_daemon_coop) or filter(f_local_kernel_coop) or filter(f_local_apache_coop) };

 filter f_local_suri_coop { program("suricata") };
 filter f_local_suri_coop_alert { match( "alert" value(".cee.event_type") type("string") ) };

 parser p_cee { json-parser( marker("@cee:") prefix(".cee.")); };

 template t_suri__json {
  template("$(format-json --scope dot-nv-pairs --exclude .cee.http*)\n");
 };
 template t_suri__unstruct {
  template("<9>$DATE $HOST $MSGHDR$FULLHOST,${.cee.timestamp},${.cee.event_type},${.cee.src_ip},${.cee.src_port},${.cee.dest_ip},${.cee.dest_port},${.cee.proto},${.cee.alert.signature},${.cee.alert.signature_id},${.cee.alert.category},${.cee.alert.severity}\n");
 };

 destination d_local_testing { file("/var/log/testing/filtered/${FACILITY}/${PRIORITY}-${YEAR}-${MONTH}-${DAY}"); };
 destination d_local_testing2 {
  file(
    "/var/log/testing/suri_json-${YEAR}-${MONTH}-${DAY}"
    template(t_suri__json)
  );
 };
 destination d_local_testing3 {
  file(
    "/var/log/testing/suri_unstruct-${YEAR}-${MONTH}-${DAY}"
    template(t_suri__unstruct)
  );
 };

 log {
  source(s_src);
  source(s_remote_ietf);
  source(s_remote_tcp);
  filter(f_local_suri_coop);
  parser(p_cee);
  filter(f_local_suri_coop_alert);
  destination(d_local_testing3);
 };

 log {
  source(s_src);
  source(s_remote_ietf);
  source(s_remote_tcp);
  filter(f_local_coop);
  destination(d_local_testing);
 };
	filter f_local_sshd_login_coop { program("sshd") or program("systemd-logind") };
	filter f_local_apache_coop { program("apache") };
	filter f_local_daemon_coop { facility(3) and not program("named") };
	filter f_local_kernel_coop { facility(0) };
	filter f_local_coop { filter(f_local_sshd_login_coop) or filter(f_local_daemon_coop) or filter(f_local_kernel_coop) or filter(f_local_apache_coop) };

	filter f_local_suri_coop { program("suricata") };
	filter f_local_suri_coop_alert { match( "alert" value(".cee.event_type") type("string") ) };

	parser p_cee { json-parser( marker("@cee:") prefix(".cee.")); };

	template t_suri__json {
	template("$(format-json --scope dot-nv-pairs --exclude .cee.http*)\n");
	};
	template t_suri__unstruct {
	template("<9>$DATE $HOST $MSGHDR$FULLHOST,${.cee.timestamp},${.cee.event_type},${.cee.src_ip},${.cee.src_port},${.cee.dest_ip},${.cee.dest_port},${.cee.proto},${.cee.alert.signature},${.cee.alert.signature_id},${.cee.alert.category},${.cee.alert.severity}\n");
	};

	destination d_local_testing { file("/var/log/testing/filtered/${FACILITY}/${PRIORITY}-${YEAR}-${MONTH}-${DAY}"); };
	destination d_local_testing2 {
	file(
	"/var/log/testing/suri_json-${YEAR}-${MONTH}-${DAY}"
	template(t_suri__json)
	);
	};
	destination d_local_testing3 {
	file(
	"/var/log/testing/suri_unstruct-${YEAR}-${MONTH}-${DAY}"
	template(t_suri__unstruct)
	);
	};

	log {
	source(s_src);
	source(s_remote_ietf);
	source(s_remote_tcp);
	filter(f_local_suri_coop);
	parser(p_cee);
	filter(f_local_suri_coop_alert);
	destination(d_local_testing3);
	};

	log {
	source(s_src);
	source(s_remote_ietf);
	source(s_remote_tcp);
	filter(f_local_coop);
	destination(d_local_testing);
	};