From 52aa805f28bac674fa4152a4b871fe2d65ef2a2c Mon Sep 17 00:00:00 2001
From: Kameron Kenny <1267885+kkenny@users.noreply.github.com>
Date: Mon, 17 Jun 2024 12:41:17 -0400
Subject: [PATCH] add fw log for guest and add sending suricata
---
 Dockerfile | 2 +-
 config/syslog-ng.conf | 59 ++++++++++++++++++++++++++++++++++++++++---
 docker-compose.yml | 2 +-
 3 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f7f9f7b..43dc5c3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM lscr.io/linuxserver/syslog-ng:latest
-LABEL version="20240615.1.1"
+LABEL version="20240617.1.1"
 LABEL description="syslog-ng"
 RUN mkdir -p /config
diff --git a/config/syslog-ng.conf b/config/syslog-ng.conf
index d051fb8..e37690f 100644
--- a/config/syslog-ng.conf
+++ b/config/syslog-ng.conf
@@ -9,9 +9,12 @@ source s_local { internal(); };
 source s_network_tcp { syslog(transport(tcp) port(6601)); };
 source s_network_udp { syslog(transport(udp) port(5514)); };
-filter f_unifi_fw_lan { match("LAN" value("PID")); };
-filter f_unifi_fw_wan { match("WAN" value("PID")); };
-filter f_unifi_fw_dnat { match("DNAT" value("PID")); };
+filter f_unifi_suricata { match("suricata" value("PROGRAM")); };
+filter f_unifi_bash_history { match("bash" value("PROGRAM")); };
+filter f_unifi_fw_lan { match("LAN_" value("PID")); };
+filter f_unifi_fw_wan { match("WAN_" value("PID")); };
+filter f_unifi_fw_dnat { match("DNAT_" value("PID")); };
+filter f_unifi_fw_guest { match("GUEST_" value("PID")); };
 filter f_unifi_dnsmasq { match("dnsmasq" value("PID")); };
 filter f_unifi_systemd { match("systemd" value("PID")); };
 filter f_unifi_stahtd { message("stahtd"); };
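Review bot: The rewritten and new `match()` filters are unanchored regular-expression matches (syslog-ng's default `type(pcre)`), so `"LAN_"` still fires on any PID value that merely contains that substring, and `"bash"` on PROGRAM fires on any program name containing "bash" — and because the log paths that use these filters carry `flags(final)`, a false match silently diverts the message away from its intended index. If a prefix is what is meant, anchor it, e.g. `filter f_unifi_fw_lan { match("^LAN_" value("PID")); };`, or use `type(string) flags(prefix)`; the same applies to f_unifi_fw_wan, f_unifi_fw_dnat, f_unifi_fw_guest, f_unifi_suricata and f_unifi_bash_history. A one-line comment above the filter block stating which UniFi field populates PID (the rule-name tag, apparently) would also help the next reader, since matching rule names against a PID macro is not self-explanatory.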
@@ -28,6 +31,34 @@ destination d_local {
 destination d_unifi_fw { file("/var/log/unifi_fw.log"); };
+destination d_unifi_suricata {
+ elasticsearch-http(
+ index("unifi-suricata")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_suricata")
+ );
+};
+
+destination d_unifi_bash_history {
+ elasticsearch-http(
+ index("unifi-bash-history")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_bash_history")
+ );
+};
+
 destination d_unifi_firewall {
 elasticsearch-http(
 index("unifi-firewall")
@@ -140,6 +171,20 @@ destination d_syslog_ng_es {
 );
 };
+log {
+ source(s_network_udp);
+ filter(f_unifi_suricata);
+ destination(d_unifi_suricata);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_bash_history);
+ destination(d_unifi_bash_history);
+ flags(final);
+};
+
 log {
 source(s_network_udp);
 filter(f_unifi_fw_lan);
@@ -164,6 +209,14 @@ log {
 flags(final);
 };
+log {
+ source(s_network_udp);
+ filter(f_unifi_fw_guest);
+ parser(p_kv);
+ destination(d_unifi_firewall);
+ flags(final);
+};
+
 log {
 source(s_network_udp);
 filter(f_unifi_dnsmasq);
diff --git a/docker-compose.yml b/docker-compose.yml
index 37241a6..a678630 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
 syslog-ng:
 build:
 dockerfile: Dockerfile
- image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240615.1.1
+ image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240617.1.1
 container_name: syslog-ng
 environment:
 - PUID=0
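Review bot: Both new elasticsearch-http() destinations commit the Elasticsearch superuser credentials in cleartext — `user("elastic")` / `password("forty6and2")` — and post to a plain `http://` URL, so the password now lives in git history and crosses the network unencrypted on every bulk request, and anyone who can read this config can write to or drop every index, not just the unifi-* ones. Take the secret out of the file: syslog-ng substitutes backtick-quoted names from `@define` or the environment, so the line can become `password("`ES_PASSWORD`")` with the value injected at container start; switch the URL to https with a `tls()` block; and use a dedicated ES user scoped to the unifi-* indices instead of `elastic`. The committed value should be treated as exposed and rotated regardless of how this lands. The `d_unifi_firewall` destination that follows is cut off by the hunk but appears to be built the same way, so the same treatment presumably applies there.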
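Review bot: The new suricata and bash-history log paths in the `@@ -140` hunk have no parser() step, unlike the firewall paths that run `parser(p_kv)`, so the event body reaches Elasticsearch as a single opaque MESSAGE string and the alert fields a detection query would want are not indexed as keys. If the UniFi suricata output is EVE JSON (not visible here), adding a `json-parser()` to that path would fix this; if it is fast.log text, a comment on the path saying so — e.g. `# suricata output is plain text; no structured fields to parse` — would save the next reader the check. A similar comment on the bash-history path noting what the shipped payload contains would be worthwhile, since shell history routinely carries secrets and the index's access policy should be decided with that in mind.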