diff --git a/configmap.tf b/configmap.tf
index 59b5581..24745b6 100644
--- a/configmap.tf
+++ b/configmap.tf
@@ -26,34 +26,60 @@ resource "kubernetes_config_map" "fluent-bit-config" { [INPUT] Name tail - Alias modsec_nginx_ingress_audit_index - Tag cp-ingress-modsec-index-audit.* - Path /var/log/audit/*.log - Parser modsec-audit-log-index + Alias modsec_nginx_ingress_audit + Tag cp-ingress-modsec-audit.* + Path /var/log/audit/**/**/* + Parser docker Refresh_Interval 5 Buffer_Max_Size 5MB Buffer_Chunk_Size 1M - Offset_Key pause_position_modsec-audit-index - DB cp-ingress-modsec-audit-index.db + Offset_Key pause_position_modsec-audit + DB cp-ingress-modsec-audit.db DB.locking true Storage.type filesystem Storage.pause_on_chunks_overlimit True [INPUT] Name tail - Alias modsec_nginx_ingress_audit - Tag cp-ingress-modsec-audit.* - Path /var/log/audit/**/**/* - Parser docker + Alias modsec_nginx_ingress_stdout + Tag cp-ingress-modsec-stdout.* + Path /var/log/containers/*nginx-ingress-modsec-controller*_ingress-controllers_controller-*.log + Parser cri-containerd Refresh_Interval 5 Buffer_Max_Size 5MB Buffer_Chunk_Size 1M - Offset_Key pause_position_modsec-audit - DB cp-ingress-modsec-audit.db + Offset_Key pause_position_modsec_stdout + DB cp-ingress-modsec-stdout.db DB.locking true Storage.type filesystem Storage.pause_on_chunks_overlimit True + [FILTER] + Name grep + Match cp-ingress-modsec-stdout.* + regex log (ModSecurity-nginx|modsecurity|OWASP_CRS|owasp-modsecurity-crs) + + [FILTER] + Name kubernetes + Alias modsec_nginx_ingress_stdout + Match cp-ingress-modsec-stdout.* + Kube_Tag_Prefix cp-ingress-modsec-stdout.var.log.containers. 
+ Kube_URL https://kubernetes.default.svc:443 + Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token + K8S-Logging.Parser On + K8S-Logging.Exclude On + Keep_Log On + Merge_Log On + Merge_Log_Key log_processed + Buffer_Size 1MB + + [FILTER] + Name lua + Match cp-ingress-modsec-stdout.* + script /fluent-bit/scripts/cb_extract_tag_value.lua + call cb_extract_tag_value + [FILTER] Name lua Match cp-ingress-modsec-audit.* @@ -89,17 +115,19 @@ resource "kubernetes_config_map" "fluent-bit-config" { EOT "custom_parsers.conf" = <<-EOT - [PARSER] - Name modsec-audit-log-index - Format regex - Regex ^(?[^ ]+) (?[^ ]+) (?.*)$ - Time_Key time - Time_Format %d/%m/%Y:T%H:%M:%S.%z [PARSER] Name initial-json Format json Time_Key time Time_Keep On + # CRI-containerd Parser + [PARSER] + # https://rubular.com/r/DjPmoX5HnQMesk + Name cri-containerd + Format regex + Regex ^(?
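Review bot: The new grep filter on `cp-ingress-modsec-stdout.*` keeps a line only if its `log` field contains `ModSecurity-nginx`, `modsecurity`, `OWASP_CRS` or `owasp-modsecurity-crs`, and because the grep regex is case-sensitive the engine's own `ModSecurity: Access denied` / `ModSecurity: Warning` prefix matches none of them, so an alert survives only if the message happens to carry a CRS tag such as `OWASP_CRS`. Events from rules outside the CRS (and, depending on the CRS version, possibly the final blocking-evaluation message) may lack that tag and would be dropped before they reach the kubernetes filter; adding the prefix as an alternative, `regex log (ModSecurity|modsecurity|OWASP_CRS|owasp-modsecurity-crs)`, makes the selection independent of rule tagging. Separately, `K8S-Logging.Exclude On` lets a `fluentbit.io/exclude` pod annotation on the ingress controller silently switch off this WAF alert stream, which is an unusual opt-out to allow for a security log; consider `K8S-Logging.Exclude Off` unless that is intended. The enclosing `kubernetes_config_map` resource and its heredoc start outside the hunk.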