From 1bba05a5370d32dc94167ff1ecb603708e2118f7 Mon Sep 17 00:00:00 2001
From: Kameron Kenny <1267885+kkenny@users.noreply.github.com>
Date: Fri, 21 Jun 2024 14:27:38 -0400
Subject: [PATCH] add nginx log config
---
 Dockerfile | 2 +-
 config/syslog-ng.conf.d/nginx.conf | 72 ++++++++++++++++++++++++++++++
 docker-compose.yml | 2 +-
 3 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 config/syslog-ng.conf.d/nginx.conf
diff --git a/Dockerfile b/Dockerfile
index a525020..9eabf60 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM debian:latest
 MAINTAINER Kameron Kenny
-LABEL version="20240621.1.2"
+LABEL version="20240621.2.1"
 LABEL description="Debian Based syslog-ng"
 RUN apt-get update
diff --git a/config/syslog-ng.conf.d/nginx.conf b/config/syslog-ng.conf.d/nginx.conf
new file mode 100644
index 0000000..71afeb5
--- /dev/null
+++ b/config/syslog-ng.conf.d/nginx.conf
@@ -0,0 +1,72 @@
+filter f_nginx { match("nginx" value("PROGRAM")); };
+
+rewrite r_docker_image {
+ subst("^5000/tlp/", "image:", value("MESSAGE"));
+ subst(":(?=(\d*\.\d*\.\d*))", " version:", value("MESSAGE"));
+ subst('(\/)(?=\S*\[)', " container_name:", value("MESSAGE"));
+ subst('((?!=container_name:(\S*))\[(?=\d*))', " pid:", value("MESSAGE"));
+ subst('((?!=pid:(\d*))\]:)', "", value("MESSAGE"));
+ subst('((?!=pid:(\d*))\ )', " datetime:", value("MESSAGE"));
+ subst('((?!=datetime:(\d*-\w*-\d*))\ )', "_", value("MESSAGE"));
+ subst('((?!=datetime:(\d*-\w*-\d*_\d*)):)', ".", value("MESSAGE"));
+ subst('((?!=datetime:(\d*-\w*-\d*_\d*\.\d*)):)', ".", value("MESSAGE"));
+};
+
+parser p_nginx_message {
+ csv-parser(
+ dialect(escape-double-char)
+ flags(strip-whitespace)
+ delimiters(" ")
+ quote-pairs('""[]')
+ columns("docker", "nginx.client.ip", "nginx.ident", "nginx.auth", "nginx.timestamp", "nginx.request", "nginx.response", "nginx.bytes", "nginx.referrer", "nginx.agent")
+ );
+};
+
+rewrite r_docker_header {
+ subst(":", " ", value("docker"));
+ subst("\/", " ", value("docker"));
+ subst('\[', " ", value("docker"));
+ subst('\]', " ", value("docker"));
+};
+
+parser p_docker_header {
+ csv-parser(
+ template("${docker}")
+ flags(strip-whitespace)
+ delimiters(" ")
+ columns("docker.image.name", "docker.container.name", "docker.container.pid")
+ );
+};
+
+parser p_nginx_client_ip_geoip2_city {
+ geoip2(
+ "${nginx.client.ip}",
+ prefix( "geoip2.source." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+destination d_nginx_logs {
+ elasticsearch-http(
+ index("nginx-logs")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_nginx_logs")
+ );
+};
+
+log {
+ source(s_network_udp);
+ filter(f_nginx);
+ parser(p_nginx_message);
+ rewrite(r_docker_header);
+ parser(p_docker_header);
+ parser(p_nginx_client_ip_geoip2_city);
+ destination(d_nginx_logs);
+ flags(final);
+};
diff --git a/docker-compose.yml b/docker-compose.yml
index 25ed141..8a9f13e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
 syslog-ng:
 build:
 dockerfile: Dockerfile
- image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240621.1.2
+ image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240621.2.1
 container_name: syslog-ng
 restart: unless-stopped
 networks:
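Review bot: The Elasticsearch credentials in `destination d_nginx_logs` are committed in cleartext (`user("elastic")` together with a literal `password(...)`), and `url(...)` points at plain `http://` on port 9200, so the credentials and every forwarded log line travel unencrypted and the password is now permanently in repository history. Move the secret out of the tracked file — syslog-ng substitutes backtick-quoted environment variables in its configuration, e.g. `` password(`ES_PASSWORD`) `` (variable name illustrative), or include the destination from an untracked file — switch the URL to `https://` with the destination's `tls()` options if the version in use supports them, and rotate the exposed password. Separately, `rewrite r_docker_image` and its nine `subst()` rules are defined but never referenced in the `log { }` path, which only calls `rewrite(r_docker_header)`, so that block is dead configuration and should be wired into the path or removed. The Dockerfile and docker-compose.yml hunks in this patch are version bumps only.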