chore: 🤖 move all modsec logging here #71

Merged
merged 2 commits into from
Dec 21, 2023
64 changes: 46 additions & 18 deletions configmap.tf
Expand Up @@ -26,34 +26,60 @@ resource "kubernetes_config_map" "fluent-bit-config" {

[INPUT]
Name tail
Alias modsec_nginx_ingress_audit_index
Tag cp-ingress-modsec-index-audit.*
Path /var/log/audit/*.log
Parser modsec-audit-log-index
Alias modsec_nginx_ingress_audit
Tag cp-ingress-modsec-audit.*
Path /var/log/audit/**/**/*
Parser docker
Refresh_Interval 5
Buffer_Max_Size 5MB
Buffer_Chunk_Size 1M
Offset_Key pause_position_modsec-audit-index
DB cp-ingress-modsec-audit-index.db
Offset_Key pause_position_modsec-audit
DB cp-ingress-modsec-audit.db
DB.locking true
Storage.type filesystem
Storage.pause_on_chunks_overlimit True

[INPUT]
Name tail
Alias modsec_nginx_ingress_audit
Tag cp-ingress-modsec-audit.*
Path /var/log/audit/**/**/*
Parser docker
Alias modsec_nginx_ingress_stdout
Tag cp-ingress-modsec-stdout.*
Path /var/log/containers/*nginx-ingress-modsec-controller*_ingress-controllers_controller-*.log
Parser cri-containerd
Refresh_Interval 5
Buffer_Max_Size 5MB
Buffer_Chunk_Size 1M
Offset_Key pause_position_modsec-audit
DB cp-ingress-modsec-audit.db
Offset_Key pause_position_modsec_stdout
DB cp-ingress-modsec-stdout.db
DB.locking true
Storage.type filesystem
Storage.pause_on_chunks_overlimit True

[FILTER]
Name grep
Match cp-ingress-modsec-stdout.*
regex log (ModSecurity-nginx|modsecurity|OWASP_CRS|owasp-modsecurity-crs)

[FILTER]
Name kubernetes
Alias modsec_nginx_ingress_stdout
Match cp-ingress-modsec-stdout.*
Kube_Tag_Prefix cp-ingress-modsec-stdout.var.log.containers.
Kube_URL https://kubernetes.default.svc:443
Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token
K8S-Logging.Parser On
K8S-Logging.Exclude On
Keep_Log On
Merge_Log On
Merge_Log_Key log_processed
Buffer_Size 1MB

[FILTER]
Name lua
Match cp-ingress-modsec-stdout.*
script /fluent-bit/scripts/cb_extract_tag_value.lua
call cb_extract_tag_value

[FILTER]
Name lua
Match cp-ingress-modsec-audit.*
Expand Down Expand Up @@ -89,17 +115,19 @@ resource "kubernetes_config_map" "fluent-bit-config" {
EOT

"custom_parsers.conf" = <<-EOT
[PARSER]
Name modsec-audit-log-index
Format regex
Regex ^(?<url>[^ ]+) (?<client_ip>[^ ]+) (?<log>.*)$
Time_Key time
Time_Format %d/%m/%Y:T%H:%M:%S.%z
[PARSER]
Name initial-json
Format json
Time_Key time
Time_Keep On
# CRI-containerd Parser
[PARSER]
# https://rubular.com/r/DjPmoX5HnQMesk
Name cri-containerd
Format regex
Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%L%z

[PARSER]
Name generic-json
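Review bot: The kubernetes filter added at the `Name kubernetes` block authenticates to the API server with the pod's own credentials (`Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token`), so the fluent-bit sidecar now acts under the ingress controller pod's service account and that account must be allowed to read pods; nothing in this PR adds or checks such a binding, so confirm it exists and that the controller's existing rights are not broader than this sidecar should inherit. The grep filter's pattern `regex log (ModSecurity-nginx|modsecurity|OWASP_CRS|owasp-modsecurity-crs)` is case-sensitive and its first alternative requires the `-nginx` suffix, so a line carrying only a bare `ModSecurity:` prefix and none of the other markers would be dropped; if that is not intended, `regex log (?i)(modsecurity|owasp[_-]crs)` is the looser form. The new `Offset_Key pause_position_modsec_stdout` uses an underscore where the sibling input uses `pause_position_modsec-audit`; aligning the two spellings keeps the keys greppable. A comment above the grep filter stating what it is meant to keep, e.g. `# keep only ModSecurity/CRS events from the controller's stdout/stderr`, would help the next reader. The enclosing `resource "kubernetes_config_map"` block and its heredoc begin and end outside this hunk.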
27 changes: 26 additions & 1 deletion templates/values.yaml.tpl
Expand Up @@ -21,6 +21,18 @@ controller:
- name: logrotate-config
configMap:
name: logrotate-config
- hostPath:
path: /var/log
type: ""
name: varlog
- hostPath:
path: /var/lib/docker/containers
type: ""
name: varlibdockercontainers
- hostPath:
path: /etc/machine-id
type: File
name: etcmachineid

extraVolumeMounts:
## Additional volumeMounts to the controller main container.
Expand Down Expand Up @@ -49,7 +61,9 @@ controller:
mountPath: /var/log/audit

extraContainers:
- name: flb-modsec-audit-logs
- name: flb-modsec-logs
securityContext:
runAsGroup: 0
image: fluent/fluent-bit:${fluent_bit_version}
volumeMounts:
- name: fluent-bit-config
Expand All @@ -58,6 +72,14 @@ controller:
mountPath: /fluent-bit/scripts/
- name: logs-volume
mountPath: /var/log/audit/
- mountPath: /var/log/
name: varlog
- mountPath: /var/lib/docker/containers
name: varlibdockercontainers
readOnly: true
- mountPath: /etc/machine-id
name: etcmachineid
readOnly: true
- name: logrotate
securityContext:
runAsGroup: 82
Expand All @@ -74,6 +96,9 @@ controller:
service cron start
sleep infinity
volumeMounts:
- name: logs-volume
mountPath: /var/log/audit/

- name: logrotate-config
mountPath: /home
- name: logs-volume
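Review bot: The `- mountPath: /var/log/` / `name: varlog` mount in the fluent-bit container is the only new host mount without `readOnly: true`, while `varlibdockercontainers` and `etcmachineid` both set it; the tail inputs only read under that path, so add `readOnly: true` to it as well. Mounting the node's `/var/log` (and `/var/lib/docker/containers`) into the sidecar makes node-wide container logs readable from this pod, and the hostPath for `/var/lib/docker/containers` has `type: ""`, which performs no check that the path exists; since the config now parses with `cri-containerd`, that mount looks unnecessary on a containerd node and could be dropped. The hostPath at `/var/log/` also nests the existing `logs-volume` mount at `/var/log/audit/`; confirm the audit path still resolves to `logs-volume` rather than the node's directory. Separately, the logrotate container now lists `logs-volume` twice (the added `/var/log/audit/` entry and the existing `- name: logs-volume` at the end of the last hunk, whose mountPath is outside the hunk); if both target the same path the pod spec will be rejected for a duplicate mountPath. The `controller:` mapping starts and ends outside these hunks.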