From 9c22be7c42fce3f35e329e48dd777e56791be901 Mon Sep 17 00:00:00 2001
From: Kameron Kenny <1267885+kkenny@users.noreply.github.com>
Date: Wed, 23 Oct 2024 20:54:33 -0400
Subject: [PATCH] add nas81
---
 config/syslog-ng.conf.d/nas81.conf | 44 ++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 config/syslog-ng.conf.d/nas81.conf
diff --git a/config/syslog-ng.conf.d/nas81.conf b/config/syslog-ng.conf.d/nas81.conf
new file mode 100644
index 0000000..8ce3ed1
--- /dev/null
+++ b/config/syslog-ng.conf.d/nas81.conf
@@ -0,0 +1,44 @@
+filter f_nas81_suricata { match("suricata" value("PROGRAM")); };
+filter f_nas18_host { match("nas81" value("HOST")); };
+parser p_kv { kv-parser(prefix("kv.")); };
+
+parser p_suricata_dest_ip_geoip2_city {
+ geoip2(
+ "${suricata.dest_ip}",
+ prefix( "geoip2.destination." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+parser p_suricata_src_ip_geoip2_city {
+ geoip2(
+ "${suricata.src_ip}",
+ prefix( "geoip2.source." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+destination d_nas81_suricata {
+ elasticsearch-http(
+ index("nas81-suricata")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_nas81_suricata")
+ );
+};
+
+log {
+ source(s_network_udp);
+ filter(f_nas81_host);
+ parser(p_suricata_json);
+ parser(p_suricata_src_ip_geoip2_city);
+ parser(p_suricata_dest_ip_geoip2_city);
+ destination(d_nas81_suricata);
+ flags(final);
+};
+
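Review bot: The Elasticsearch credential in `password("…")` of `destination d_nas81_suricata` is committed in clear text and, combined with `url("http://pi501.in.thelinuxpro.net:9200/_bulk")`, is also sent with HTTP basic auth over plain HTTP on every bulk request; keep the `user()`/`password()` options in an untracked file pulled in with `@include`, change the URL scheme to `https://`, and treat the value that is now in git history as disclosed and rotate it. Separately, the log path references `filter(f_nas81_host)` while this file only defines `filter f_nas18_host { match("nas81" value("HOST")); };`, so unless an `f_nas81_host` exists in another file the configuration will fail to load; renaming the definition to `filter f_nas81_host { match("nas81" value("HOST")); };` fixes the typo. After that, `f_nas81_suricata` and `p_kv` are defined but never used in the log path and could be dropped or wired in deliberately. `s_network_udp` and `p_suricata_json` are referenced but not defined here, so they presumably live in a sibling file under config/syslog-ng.conf.d.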