From 1ecd1f2d8c90c2fd00d05549662371392a9f1bc8 Mon Sep 17 00:00:00 2001 From: Kameron Kenny <1267885+kkenny@users.noreply.github.com> Date: Tue, 18 Jun 2024 20:59:09 -0400 Subject: [PATCH] divide config --- config/syslog-ng.conf | 273 +--------------------------- config/syslog-ng.conf.d/unifi.conf | 275 +++++++++++++++++++++++++++++ 2 files changed, 276 insertions(+), 272 deletions(-) create mode 100644 config/syslog-ng.conf.d/unifi.conf diff --git a/config/syslog-ng.conf b/config/syslog-ng.conf index 1b43cee..6c98c06 100644 --- a/config/syslog-ng.conf +++ b/config/syslog-ng.conf 
@@ -9,185 +9,12 @@ source s_local { internal(); }; source s_network_tcp { syslog(transport(tcp) port(6601)); }; source s_network_udp { syslog(transport(udp) port(5514)); }; -filter f_unifi_suricata { match("suricata" value("PROGRAM")); }; -filter f_unifi_bash_history { match("bash" value("PROGRAM")); }; -filter f_unifi_fw_lan { match("LAN_" value("PID")); }; -filter f_unifi_fw_wan { match("WAN_" value("PID")); }; -filter f_unifi_fw_dnat { match("DNAT_" value("PID")); }; -filter f_unifi_fw_guest { match("GUEST_" value("PID")); }; -filter f_unifi_dnsmasq { match("dnsmasq" value("PID")); }; -filter f_unifi_systemd { match("systemd" value("PID")); }; -filter f_unifi_stahtd { message("stahtd"); }; -filter f_unifi_mcad { message("mcad"); }; -filter f_unifi_hostapd { message("hostapd"); }; -filter f_unifi_wlan { message("wlan:"); }; - -parser p_kv { kv-parser(prefix("kv.")); }; -parser p_suricata_json { json-parser(prefix("suricata.")); }; -parser p_fw_src_ip_geoip2_city { - geoip2( - "${kv.SRC}", - prefix( "geoip2.source." ) - database( "/config/GeoIP/GeoLite2-City.mmdb" ) - ); -}; - -parser p_fw_dst_ip_geoip2_city { - geoip2( - "${kv.DST}", - prefix( "geoip2.destination." ) - database( "/config/GeoIP/GeoLite2-City.mmdb" ) - ); -}; - -parser p_suricata_dest_ip_geoip2_city { - geoip2( - "${suricata.dest_ip}", - prefix( "geoip2.destination." ) - database( "/config/GeoIP/GeoLite2-City.mmdb" ) - ); -}; -parser p_suricata_src_ip_geoip2_city { - geoip2( - "${suricata.src_ip}", - prefix( "geoip2.source." 
) - database( "/config/GeoIP/GeoLite2-City.mmdb" ) - ); -}; destination d_local { file("/var/log/messages"); file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3)); }; -destination d_unifi_fw { file("/var/log/unifi_fw.log"); }; - -destination d_unifi_suricata { - elasticsearch-http( - index("unifi-suricata") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_suricata") - ); -}; - -destination d_unifi_bash_history { - elasticsearch-http( - index("unifi-bash-history") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_bash_history") - ); -}; - -destination d_unifi_firewall { - elasticsearch-http( - index("unifi-firewall") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_firewall") - ); -}; - -destination d_unifi_dnsmasq { - elasticsearch-http( - index("unifi-dnsmasq") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_dnsmasq") - ); -}; - -destination d_unifi_systemd { - elasticsearch-http( - index("unifi-systemd") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - 
template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_systemd") - ); -}; - -destination d_unifi_stahtd { - elasticsearch-http( - index("unifi-stahtd") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_stahtd") - ); -}; - -destination d_unifi_mcad { - elasticsearch-http( - index("unifi-mcad") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_mcad") - ); -}; - -destination d_unifi_hostapd { - elasticsearch-http( - index("unifi-hostapd") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_hostapd") - ); -}; - -destination d_unifi_wlan { - elasticsearch-http( - index("unifi-wlan") - type("") - user("elastic") - password("forty6and2") - url("http://pi501.in.thelinuxpro.net:9200/_bulk") - template("$(format-json --scope rfc5424 --scope dot-nv-pairs - --rekey .* --shift 1 --scope nv-pairs - --exclude DATE @timestamp=${ISODATE})") - persist-name("d_unifi_wlan") - ); -}; - destination d_syslog_ng_es { elasticsearch-http( index("syslog-ng") 
@@ -202,105 +29,6 @@ destination d_syslog_ng_es { ); }; -log { - source(s_network_udp); - filter(f_unifi_suricata); - parser(p_suricata_json); - parser(p_suricata_src_ip_geoip2_city); - parser(p_suricata_dest_ip_geoip2_city); - destination(d_unifi_suricata); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_bash_history); - destination(d_unifi_bash_history); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_fw_lan); - parser(p_kv); - parser(p_fw_src_ip_geoip2_city); - parser(p_fw_dst_ip_geoip2_city); - destination(d_unifi_firewall); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_fw_wan); - parser(p_kv); - parser(p_fw_src_ip_geoip2_city); - parser(p_fw_dst_ip_geoip2_city); - destination(d_unifi_firewall); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_fw_dnat); - parser(p_kv); - parser(p_fw_src_ip_geoip2_city); - parser(p_fw_dst_ip_geoip2_city); - destination(d_unifi_firewall); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_fw_guest); - parser(p_kv); - parser(p_fw_src_ip_geoip2_city); - parser(p_fw_dst_ip_geoip2_city); - destination(d_unifi_firewall); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_dnsmasq); - destination(d_unifi_dnsmasq); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_systemd); - destination(d_unifi_systemd); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_stahtd); - destination(d_unifi_stahtd); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_mcad); - destination(d_unifi_mcad); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_hostapd); - destination(d_unifi_hostapd); - flags(final); -}; - -log { - source(s_network_udp); - filter(f_unifi_wlan); - destination(d_unifi_wlan); - flags(final); -}; - log { source(s_local); source(s_network_tcp); 
@@ -308,3 +36,4 @@ log { destination(d_syslog_ng_es); }; +@include "/config/syslog-ng.conf.d/*.conf" diff --git a/config/syslog-ng.conf.d/unifi.conf b/config/syslog-ng.conf.d/unifi.conf new file mode 100644 index 0000000..51fb23a --- /dev/null +++ b/config/syslog-ng.conf.d/unifi.conf 
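Review bot: Placing `@include "/config/syslog-ng.conf.d/*.conf"` as the last line moves the UniFi log paths from before the generic `log { source(s_local); source(s_network_tcp); … destination(d_syslog_ng_es); }` path to after it, and syslog-ng evaluates log statements in file order with `flags(final)` only suppressing paths that come later. If that generic path also reads `s_network_udp` (its source list runs past this hunk) every UniFi message will now be indexed into `syslog-ng` as well before the final flag takes effect, which the old ordering prevented. Moving the include above that path, e.g. directly after the `source` definitions, restores the previous behaviour: `@include "/config/syslog-ng.conf.d/*.conf"`. Separately, the wildcard makes any `*.conf` dropped into `/config/syslog-ng.conf.d/` part of the running configuration, so if `/config` is a mounted volume (the GeoIP database already lives there) its write permissions now decide who can add sources, destinations and log paths.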
@@ -0,0 +1,275 @@
+filter f_unifi_suricata { match("suricata" value("PROGRAM")); };
+filter f_unifi_bash_history { match("bash" value("PROGRAM")); };
+filter f_unifi_fw_lan { match("LAN_" value("PID")); };
+filter f_unifi_fw_wan { match("WAN_" value("PID")); };
+filter f_unifi_fw_dnat { match("DNAT_" value("PID")); };
+filter f_unifi_fw_guest { match("GUEST_" value("PID")); };
+filter f_unifi_dnsmasq { match("dnsmasq" value("PID")); };
+filter f_unifi_systemd { match("systemd" value("PID")); };
+filter f_unifi_stahtd { message("stahtd"); };
+filter f_unifi_mcad { message("mcad"); };
+filter f_unifi_hostapd { message("hostapd"); };
+filter f_unifi_wlan { message("wlan:"); };
+
+parser p_kv { kv-parser(prefix("kv.")); };
+
+parser p_suricata_json { json-parser(prefix("suricata.")); };
+
+parser p_fw_src_ip_geoip2_city {
+ geoip2(
+ "${kv.SRC}",
+ prefix( "geoip2.source." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+parser p_fw_dst_ip_geoip2_city {
+ geoip2(
+ "${kv.DST}",
+ prefix( "geoip2.destination." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+parser p_suricata_dest_ip_geoip2_city {
+ geoip2(
+ "${suricata.dest_ip}",
+ prefix( "geoip2.destination." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+parser p_suricata_src_ip_geoip2_city {
+ geoip2(
+ "${suricata.src_ip}",
+ prefix( "geoip2.source." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+destination d_unifi_fw { file("/var/log/unifi_fw.log"); };
+
+destination d_unifi_suricata {
+ elasticsearch-http(
+ index("unifi-suricata")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_suricata")
+ );
+};
+
+destination d_unifi_bash_history {
+ elasticsearch-http(
+ index("unifi-bash-history")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_bash_history")
+ );
+};
+
+destination d_unifi_firewall {
+ elasticsearch-http(
+ index("unifi-firewall")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_firewall")
+ );
+};
+
+destination d_unifi_dnsmasq {
+ elasticsearch-http(
+ index("unifi-dnsmasq")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_dnsmasq")
+ );
+};
+
+destination d_unifi_systemd {
+ elasticsearch-http(
+ index("unifi-systemd")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_systemd")
+ );
+};
+
+destination d_unifi_stahtd {
+ elasticsearch-http(
+ index("unifi-stahtd")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_stahtd")
+ );
+};
+
+destination d_unifi_mcad {
+ elasticsearch-http(
+ index("unifi-mcad")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_mcad")
+ );
+};
+
+destination d_unifi_hostapd {
+ elasticsearch-http(
+ index("unifi-hostapd")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_hostapd")
+ );
+};
+
+destination d_unifi_wlan {
+ elasticsearch-http(
+ index("unifi-wlan")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_wlan")
+ );
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_suricata);
+ parser(p_suricata_json);
+ parser(p_suricata_src_ip_geoip2_city);
+ parser(p_suricata_dest_ip_geoip2_city);
+ destination(d_unifi_suricata);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_bash_history);
+ destination(d_unifi_bash_history);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_fw_lan);
+ parser(p_kv);
+ parser(p_fw_src_ip_geoip2_city);
+ parser(p_fw_dst_ip_geoip2_city);
+ destination(d_unifi_firewall);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_fw_wan);
+ parser(p_kv);
+ parser(p_fw_src_ip_geoip2_city);
+ parser(p_fw_dst_ip_geoip2_city);
+ destination(d_unifi_firewall);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_fw_dnat);
+ parser(p_kv);
+ parser(p_fw_src_ip_geoip2_city);
+ parser(p_fw_dst_ip_geoip2_city);
+ destination(d_unifi_firewall);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_fw_guest);
+ parser(p_kv);
+ parser(p_fw_src_ip_geoip2_city);
+ parser(p_fw_dst_ip_geoip2_city);
+ destination(d_unifi_firewall);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_dnsmasq);
+ destination(d_unifi_dnsmasq);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_systemd);
+ destination(d_unifi_systemd);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_stahtd);
+ destination(d_unifi_stahtd);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_mcad);
+ destination(d_unifi_mcad);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_hostapd);
+ destination(d_unifi_hostapd);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_wlan);
+ destination(d_unifi_wlan);
+ flags(final);
+};
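Review bot: Each of the nine `elasticsearch-http()` destinations in the new file embeds `user("elastic") password("forty6and2")` and posts to a plain `http://pi501.in.thelinuxpro.net:9200/_bulk` URL, so the password of the `elastic` account (the built-in superuser in a stock Elasticsearch) is committed to the repository and both it and every shipped event, including the `unifi-bash-history` stream of operators' shell commands, cross the network in cleartext. That password is in git history now regardless of what happens to this file, so it should be rotated, and its replacement kept in a separate file in the include directory with restrictive permissions and outside version control, named so it sorts before `unifi.conf` (wildcard includes are read in alphabetical order) and exposing the values through `@define` rather than nine literal copies. The URL should move to `https://` with `tls(peer-verify(yes) ca-file("…"))` so the server is authenticated before credentials are sent. A `block destination` with `index()` and `persist()` parameters collapses the eight duplicated bodies into one place where these settings are set once; the sketch below shows the shape, with the CA path illustrative.
```syslog-ng
# /config/syslog-ng.conf.d/00-elastic-secrets.conf, mode 0600, not committed:
#   @define es_user     "elastic"
#   @define es_password "<rotated value>"
#   @define es_url      "https://pi501.in.thelinuxpro.net:9200/_bulk"

block destination unifi_es(index("") persist("")) {
    elasticsearch-http(
        index(`index`)
        type("")
        user("`es_user`")
        password("`es_password`")
        url("`es_url`")
        tls(peer-verify(yes) ca-file("/config/certs/es-ca.pem"))
        template("$(format-json --scope rfc5424 --scope dot-nv-pairs
            --rekey .* --shift 1 --scope nv-pairs
            --exclude DATE @timestamp=${ISODATE})")
        persist-name(`persist`)
    );
};

destination d_unifi_suricata { unifi_es(index("unifi-suricata") persist("d_unifi_suricata")); };
# … unchanged: the other eight destinations follow the same one-line pattern; filters, parsers and log paths as before …
```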