TerribleDev/TimberWinR
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more doc

Browse Source
This commit is contained in:
Eric Fontana
2014-07-30 07:49:05 -04:00
parent 6e50ad9a54
commit 7265514b4c
2 changed files with 68 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
Filters.md
View File

@@ -9,22 +9,58 @@ The following filters are provided.
| *[mutate][6]* |Similar to the [logstash mutate][3] filter | *[mutate][6]* |Similar to the [logstash mutate][3] filter
Example Input: Example Input:
```json ```json
{ "Filters": [
"TimberWinR": {
"Inputs": {
"WindowsEvents": [
{ {
"source": "System,Application", "grok": {
"binaryFormat": "PRINT", "condition": "[type] == \"Win32-Eventlog\"",
"resolveSIDS": true "match": [
"Message",
""
],
"remove_field": [
"ComputerName"
]
} }
},
{
"grok": {
"match": [
"message",
"%{SYSLOGLINE}"
],
"add_field": [
"Hello", "from %{logsource}"
]
}
},
{
"date": {
"condition": "[type] == \"Win32-FileLog\"",
"match": [
"timestamp",
"MMM d HH:mm:sss",
"MMM dd HH:mm:ss"
],
"add_field": [
"UtcTimestamp"
],
"convertToUTC": true
}
},
{
"mutate": {
"_comment": "Custom Rules",
"rename": [
"ComputerName", "Host",
"host", "Host",
"message","Message",
"type","Type",
"SID", "Username"
] ]
} }
} }
} ]
``` ```
[1]: http://logstash.net/docs/1.4.2/filters/grok [1]: http://logstash.net/docs/1.4.2/filters/grok
[2]: http://logstash.net/docs/1.4.2/filters/date [2]: http://logstash.net/docs/1.4.2/filters/date
[3]: http://logstash.net/docs/1.4.2/filters/mutate [3]: http://logstash.net/docs/1.4.2/filters/mutate

26
mdocs/GrokFilter.md
View File

@@ -21,7 +21,7 @@ For the above example, your grok filter would look something like this:
%{NUMBER:duration} %{IP:client} %{NUMBER:duration} %{IP:client}
## Mutate Operations ## Grok Operations
The following operations are allowed when mutating a field. The following operations are allowed when mutating a field.
| Operation | Type | Description | Operation | Type | Description
@@ -46,13 +46,7 @@ The pattern for this could be:
``` ```
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
``` ```
And if the message matches, then 5 fields would be added to the event: Given this configuration
1. client=55.3.244.1
2. method=GET
3. request=/index.html
4. bytes=15824
5. duration=0.043
```json ```json
"Filters": [ "Filters": [
{ {
@@ -62,17 +56,25 @@ And if the message matches, then 5 fields would be added to the event:
"%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"
], ],
"add_tag": [ "add_tag": [
"rn_%{Index}", "http_log"
"bar"
], ],
"add_field": [ "add_field": [
"foo_%{logsource}", "verb", "%{method}"
"Hello dude from %{ComputerName}"
] ]
} }
} }
] ]
``` ```
And if the message matches, then 6 fields would be added to the event:
1. client=55.3.244.1
2. method=GET
3. request=/index.html
4. bytes=15824
5. duration=0.043
6. verb=GET
And the following tag will be added
1. tag: { "http_log" }
### condition "C# expression" ### condition "C# expression"
If present, the condition must evaluate to true in order for the remaining operations to be performed. If there is no condition specified If present, the condition must evaluate to true in order for the remaining operations to be performed. If there is no condition specified