import java.util.Locale
import java.util.regex.Matcher
import java.util.regex.Pattern
import org.graylog2.plugin.logmessage.LogMessage
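// Parses Apache access-log lines that arrive on syslog facility local4 and
// promotes their fields into Graylog additional data (_vhost, _client_ip, ...).
// Everything captured here is taken from the request as the client sent it
// (path, referrer, user agent, ...), so consumers of these fields should treat
// them as untrusted text. Patterns are compiled on every matched message; a
// DRL global holding precompiled Patterns would avoid that if throughput
// becomes a concern.
rule "apache_access"
when
    m : LogMessage( facility == "local4" )
then
    // Head of the line: <syslog prefix> apache: <vhost> <client_ip> <ident> <remote_user> [<date>] <rest>.
    // The tail (<rest>) is parsed separately below because long requests made a
    // single regex unreliable.
    Matcher matcher =
        Pattern.compile("^\\S+\\s+apache:\\s+(\\S+)\\s+(\\S+)\\s+\\S+\\s+(\\S+)\\s+\\[(.+)]\\s+(.*)$").matcher(m.getShortMessage());
    if (matcher.find()) {
        m.setFacility("apache");
        // Locale.ROOT: host names and identifiers must lower-case the same way
        // regardless of the JVM's default locale (Turkish dotless-i problem).
        m.addAdditionalData("_vhost", matcher.group(1).toLowerCase(Locale.ROOT));
        m.addAdditionalData("_client_ip", matcher.group(2));
        m.addAdditionalData("_remote_user", matcher.group(3));
        m.addAdditionalData("_request_date", matcher.group(4));
        // Domain heuristic: the last two dot-separated labels of the vhost.
        Matcher domain = Pattern.compile("\\.([^\\.\\s]+\\.[^\\.\\s]+)$").matcher(matcher.group(1));
        if (domain.find()) {
            m.addAdditionalData("_domain", domain.group(1).toLowerCase(Locale.ROOT));
        }
        // Tail: "<method> <request> ..." <status> <size> "<referrer>" "<useragent>".
        Matcher part2 =
            Pattern.compile("\"(\\S+)\\s+(\\S+).*\"\\s+(\\d+)\\s+(\\S+)\\s+\"([^\"]*)\"\\s+\"([^\"]*)\"").matcher(matcher.group(5));
        if (part2.find()) {
            String request = part2.group(2);
            m.addAdditionalData("_method", part2.group(1));
            m.addAdditionalData("_request", request);
            m.addAdditionalData("_http_response_code", part2.group(3));
            m.addAdditionalData("_response_size", part2.group(4));
            m.addAdditionalData("_referrer", part2.group(5));
            m.addAdditionalData("_useragent", part2.group(6));
            // Application-specific query parameters pulled out of the request URL.
            Matcher module = Pattern.compile("module=([^&]+)").matcher(request);
            if (module.find()) {
                m.addAdditionalData("_sugar_module", module.group(1).toLowerCase(Locale.ROOT));
            }
            Matcher entrypoint = Pattern.compile("entryPoint=([^&]+)").matcher(request);
            if (entrypoint.find()) {
                m.addAdditionalData("_sugar_entrypoint", entrypoint.group(1).toLowerCase(Locale.ROOT));
            }
        }
    }
end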
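// Parses Apache error-log lines arriving on syslog facility local5 and, where
// the message names a document-root path, derives _store, _domain and _vhost
// from that path. The free-text error message is client-influenced input.
rule "httpd_error"
when
    m : LogMessage( facility == "local5" )
then
    // <syslog prefix> apache: [<date>] [error] [client <ip>] <message>
    Matcher apache = Pattern.compile("^\\S+\\s+apache:\\s+\\[([^\\]]+)\\]\\s+\\[error\\]\\s+\\[client\\s+(\\S+)\\]\\s+(.*)$").matcher(m.getShortMessage());
    if (apache.find()) {
        m.setFacility("apache_error");
        m.addAdditionalData("_request_date", apache.group(1));
        m.addAdditionalData("_client_ip", apache.group(2));
        String message = apache.group(3);
        // First layout: /mnt/<x>/<storeN>/<domain>/<vhost-label>/ ...
        Matcher matcher = Pattern.compile("\\/mnt\\/[a-zA-Z0-9]+\\/(store\\d+)\\/([a-zA-Z0-9\\.]+)\\/([a-zA-Z0-9]+)\\/").matcher(message);
        if (matcher.find()) {
            m.addAdditionalData("_store", matcher.group(1));
            // Locale.ROOT keeps host names stable under any default JVM locale;
            // the whole vhost is lower-cased so it agrees with the apache_access rule.
            m.addAdditionalData("_domain", matcher.group(2).toLowerCase(Locale.ROOT));
            m.addAdditionalData("_vhost", (matcher.group(3) + '.' + matcher.group(2)).toLowerCase(Locale.ROOT));
        } else {
            // Second layout: /var/www/<x>/<domain>/<vhost-label>/ ...
            matcher = Pattern.compile("\\/var\\/www\\/[a-zA-Z0-9]+\\/([a-zA-Z0-9\\.]+)\\/([a-zA-Z0-9]+)\\/").matcher(message);
            if (matcher.find()) {
                m.addAdditionalData("_domain", matcher.group(1).toLowerCase(Locale.ROOT));
                m.addAdditionalData("_vhost", (matcher.group(2) + '.' + matcher.group(1)).toLowerCase(Locale.ROOT));
            }
        }
    }
end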
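// Parses HAProxy HTTP log lines arriving on syslog facility local2 into
// Graylog additional data. The captured request line (and the optional
// captured-header block used as _vhost) are client-supplied values.
rule "haproxy"
when
    m : LogMessage( facility == "local2" )
then
    // Groups: 1 pid, 2 client ip, 3 date, 4 frontend, 5 backend, 6 server,
    // 7 status, 8 bytes, 9 optional captured headers in {...}, 10 request tail.
    Matcher matcher =
        Pattern.compile("^\\S+\\s+haproxy\\[(\\d+)]:\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+):\\d+\\s+\\[(\\S+)]\\s+(\\S+)\\s+([^/]+)/(\\S+)\\s+-?\\d+/-?\\d+/-?\\d+/-?\\d+/-?\\d+\\s+(\\d+)\\s+(\\d+)\\s+\\S+\\s+\\d+/\\d+/\\d+/\\d+/\\d+\\s+\\d+/\\d+\\s+\\{([^\\}]+)?\\}\\s+(.*)$").matcher(m.getShortMessage());
    if (matcher.find()) {
        m.setFacility("haproxy");
        m.addAdditionalData("_pid", matcher.group(1));
        m.addAdditionalData("_client_ip", matcher.group(2));
        m.addAdditionalData("_request_date", matcher.group(3));
        m.addAdditionalData("_frontend_name", matcher.group(4));
        m.addAdditionalData("_backend_name", matcher.group(5));
        m.addAdditionalData("_server_name", matcher.group(6));
        m.addAdditionalData("_http_response_code", matcher.group(7));
        m.addAdditionalData("_response_size", matcher.group(8));
        // Group 9 is optional ("{}" yields null), hence the explicit check.
        String capturedHeaders = matcher.group(9);
        if (capturedHeaders != null) {
            // Locale.ROOT: host names lower-case identically under any default locale.
            m.addAdditionalData("_vhost", capturedHeaders.toLowerCase(Locale.ROOT));
        }
        // The quoted request is matched separately: long requests can break the regex.
        Matcher request = Pattern.compile("\"([^\"]+)\"").matcher(matcher.group(10));
        if (request.find()) {
            m.addAdditionalData("_request", request.group(1));
        }
    }
end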
//rule "debug"
// when
// m : LogMessage()
// then
// System.out.println("THERE WAS A MATCH FOR MESSAGE " + m.getShortMessage());
// end