From 496e167184f9a9290f59309d781106498f1177cd Mon Sep 17 00:00:00 2001
From: Kameron Kenny <1267885+kkenny@users.noreply.github.com>
Date: Wed, 19 Jun 2024 17:01:28 -0400
Subject: [PATCH] parse docker header

---
 Dockerfile | 2 +-
 config/syslog-ng.conf.d/bind-dns.conf | 35 ++++++++++++---------------
 docker-compose.yml | 12 +--------
 3 files changed, 17 insertions(+), 32 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 89fdbaf..05a7324 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM debian:latest
 MAINTAINER Kameron Kenny
-LABEL version="20240619.1.5"
+LABEL version="20240619.1.6"
 LABEL description="Debian Based syslog-ng"
 RUN apt-get update
diff --git a/config/syslog-ng.conf.d/bind-dns.conf b/config/syslog-ng.conf.d/bind-dns.conf
index ee89763..b3884ed 100644
--- a/config/syslog-ng.conf.d/bind-dns.conf
+++ b/config/syslog-ng.conf.d/bind-dns.conf
@@ -1,5 +1,4 @@
-filter f_bind9_primary { message("bind9-primary"); };
-filter f_bind9_secondary { message("bind9-secondary"); };
+filter f_bind9 { message("bind9"); };
 rewrite r_docker_image {
 subst("^5000/tlp/", "image:", value("MESSAGE"));
@@ -15,17 +14,23 @@ rewrite r_docker_image {
 parser p_bind_message {
 csv-parser(
- prefix("bind9.")
 flags(strip-whitespace) delimiters(" ")
- columns("docker_header", "date", "time", "client.header", "client.object_id", "client.ip_port", "client.request", "query.header", "query.request", "query.class", "query.type", "query.flags")
+ columns("docker_header", "bind9.log.date", "bind9.log.time", "bind9.client.header", "bind9.client.object_id", "bind9.client.ip_port", "bind9.client.request", "bind9.query.header", "bind9.query.request", "bind9.query.class", "bind9.query.type", "bind9.query.flags")
 );
 };
-parser p_bind_kv {
- kv-parser(
- prefix("bind9.")
- value-separator(":")
+rewrite r_docker_header {
+ subst("5000\/tlp\/", "", value("docker_header"));
+ subst("(:|\/|\[|\])", " ", value("docker_header"));
+};
+
+parser p_docker_header {
+ csv-parser(
+ prefix("docker_header")
+ flags(strip-whitespace)
+ delimiters(" ")
+ columns("docker.image.name", "docker.image.version", "docker.container.name", "docker.container.pid")
 );
 };
@@ -55,18 +60,8 @@ log {
 source(s_network_udp);
 filter(f_bind9_primary);
 parser(p_bind_message);
- # rewrite(r_docker_image);
- #parser(p_bind_kv);
- destination(d_bind_logs);
- flags(final);
-};
-
-log {
- source(s_network_udp);
- filter(f_bind9_secondary);
- parser(p_bind_message);
-# rewrite(r_docker_image);
-# parser(p_bind_kv);
+ rewrite(r_docker_header);
+ parser(p_docker_header);
 destination(d_bind_logs);
 flags(final);
 };
diff --git a/docker-compose.yml b/docker-compose.yml
index 0fb1460..ea92975 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
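Review bot: The new `p_docker_header` parser has no `template()` option, so its csv-parser runs over `${MESSAGE}` rather than the `docker_header` column that `p_bind_message` just produced; add `template("${docker_header}")` next to the `prefix(...)` line. In `r_docker_header`, syslog-ng's `subst()` replaces only the first match unless the global flag is set, so a header containing several `:`, `/` or `[` separators will not be split into the four columns the parser expects; the second rule should read `subst("(:|\/|\[|\])", " ", value("docker_header"), flags("global"));`. `prefix("docker_header")` is also prepended verbatim to every column name, producing keys such as `docker_headerdocker.image.name`; `prefix("docker.")` with the remaining column names, or no prefix at all, is presumably what was intended.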
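Review bot: The log path still references `filter(f_bind9_primary);` on the context line just above the new `rewrite(r_docker_header);`, but the first hunk of this file deletes `filter f_bind9_primary` and defines `filter f_bind9` in its place, so syslog-ng will reject the configuration at load time with an undefined-filter reference. Change that line to `filter(f_bind9);`. The `log {` opener of this block sits outside the hunk; the secondary log path is removed entirely, which is consistent only if `message("bind9")` is meant to match messages from both hosts, and that is inferred from the filter text rather than shown here.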
@@ -10,18 +10,8 @@ services:
 syslog-ng:
 build:
 dockerfile: Dockerfile
- image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240619.1.5
+ image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240619.1.6
 container_name: syslog-ng
- #environment:
- #- TZ:America/Indianapolis
- #- PUID=0
- #- PGID=0
- #volumes:
- #- syslog-ng_logs:/var/log
- #ports:
- #- 514:5514/udp
- #- 601:6601/tcp
- #- 6514:6514/tcp
 restart: unless-stopped
 networks:
 infra_dev_net: