From 54dfc0c63715af15a41a05f64a444d7e2ac2b2f7 Mon Sep 17 00:00:00 2001
From: Jaskaran Sarkaria
Date: Thu, 21 Dec 2023 09:01:08 +0000
Subject: [PATCH] =?UTF-8?q?chore:=20=F0=9F=A4=96=20move=20all=20modsec=20l?=
 =?UTF-8?q?ogging=20here=20(#71)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* chore: 🤖 move all modsec logging here
---
 configmap.tf | 64 ++++++++++++++++++++++++++++-----------
 templates/values.yaml.tpl | 27 ++++++++++++++++-
 2 files changed, 72 insertions(+), 19 deletions(-)
diff --git a/configmap.tf b/configmap.tf
index 59b5581..24745b6 100644
--- a/configmap.tf
+++ b/configmap.tf
@@ -26,34 +26,60 @@ resource "kubernetes_config_map" "fluent-bit-config" {
 [INPUT]
 Name tail
- Alias modsec_nginx_ingress_audit_index
- Tag cp-ingress-modsec-index-audit.*
- Path /var/log/audit/*.log
- Parser modsec-audit-log-index
+ Alias modsec_nginx_ingress_audit
+ Tag cp-ingress-modsec-audit.*
+ Path /var/log/audit/**/**/*
+ Parser docker
 Refresh_Interval 5
 Buffer_Max_Size 5MB
 Buffer_Chunk_Size 1M
- Offset_Key pause_position_modsec-audit-index
- DB cp-ingress-modsec-audit-index.db
+ Offset_Key pause_position_modsec-audit
+ DB cp-ingress-modsec-audit.db
 DB.locking true
 Storage.type filesystem
 Storage.pause_on_chunks_overlimit True
 [INPUT]
 Name tail
- Alias modsec_nginx_ingress_audit
- Tag cp-ingress-modsec-audit.*
- Path /var/log/audit/**/**/*
- Parser docker
+ Alias modsec_nginx_ingress_stdout
+ Tag cp-ingress-modsec-stdout.*
+ Path /var/log/containers/*nginx-ingress-modsec-controller*_ingress-controllers_controller-*.log
+ Parser cri-containerd
 Refresh_Interval 5
 Buffer_Max_Size 5MB
 Buffer_Chunk_Size 1M
- Offset_Key pause_position_modsec-audit
- DB cp-ingress-modsec-audit.db
+ Offset_Key pause_position_modsec_stdout
+ DB cp-ingress-modsec-stdout.db
 DB.locking true
 Storage.type filesystem
 Storage.pause_on_chunks_overlimit True
+ [FILTER]
+ Name grep
+ Match cp-ingress-modsec-stdout.*
+ regex log (ModSecurity-nginx|modsecurity|OWASP_CRS|owasp-modsecurity-crs)
+
+ [FILTER]
+ Name kubernetes
+ Alias modsec_nginx_ingress_stdout
+ Match cp-ingress-modsec-stdout.*
+ Kube_Tag_Prefix cp-ingress-modsec-stdout.var.log.containers.
+ Kube_URL https://kubernetes.default.svc:443
+ Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token
+ K8S-Logging.Parser On
+ K8S-Logging.Exclude On
+ Keep_Log On
+ Merge_Log On
+ Merge_Log_Key log_processed
+ Buffer_Size 1MB
+
+ [FILTER]
+ Name lua
+ Match cp-ingress-modsec-stdout.*
+ script /fluent-bit/scripts/cb_extract_tag_value.lua
+ call cb_extract_tag_value
+
 [FILTER]
 Name lua
 Match cp-ingress-modsec-audit.*
@@ -89,17 +115,19 @@ resource "kubernetes_config_map" "fluent-bit-config" {
 EOT
 "custom_parsers.conf" = <<-EOT
- [PARSER]
- Name modsec-audit-log-index
- Format regex
- Regex ^(?[^ ]+) (?[^ ]+) (?.*)$
- Time_Key time
- Time_Format %d/%m/%Y:T%H:%M:%S.%z
 [PARSER]
 Name initial-json
 Format json
 Time_Key time
 Time_Keep On
+ # CRI-containerd Parser
+ [PARSER]
+ # https://rubular.com/r/DjPmoX5HnQMesk
+ Name cri-containerd
+ Format regex
+ Regex ^(?
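Review bot: `K8S-Logging.Exclude On` on the new kubernetes filter lets a `fluentbit.io/exclude` pod annotation drop every record from the WAF stdout stream, and `K8S-Logging.Parser On` lets a `fluentbit.io/parser` annotation replace the `cri-containerd` parser; since the tail Path already pins the source to the controller pods, a security log stream should not be switchable from the pod spec, so set `K8S-Logging.Parser Off` and `K8S-Logging.Exclude Off`. The grep filter's alternation is case-sensitive, so a controller line such as `ModSecurity: Access denied ...` that carries neither a CRS file path nor the `OWASP_CRS` tag matches none of the four tokens and is dropped; adding the mixed-case token, `regex log (ModSecurity|modsecurity|OWASP_CRS|owasp-modsecurity-crs)`, keeps those lines. CRI splits container lines above its size limit into partial records, and a grep on `log` applied before any reassembly would keep only the fragment that contains a keyword, so it is worth confirming whether the longest ModSecurity alert lines seen here fit in one record. The enclosing `fluent-bit-config` resource and its heredoc start and end outside this hunk.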