Commit dbc82d41 authored by Lucas Charles, committed by Douglas Barbosa Alexandre

Update filebeat config to parse modsec logs as JSON

Adds additional processor for parsing modsec audit logs as JSON from
`modsecurity-log` sidecar

See https://gitlab.com/gitlab-org/gitlab/issues/14707 for more details
parent 98272880
---
title: Parse filebeat modsec logs as JSON
merge_request: 24836
author:
type: changed
...@@ -23,6 +23,29 @@ filebeat: ...@@ -23,6 +23,29 @@ filebeat:
output.elasticsearch: output.elasticsearch:
enabled: true enabled: true
hosts: ["http://elastic-stack-elasticsearch-client:9200"] hosts: ["http://elastic-stack-elasticsearch-client:9200"]
filebeat.prospectors:
- type: log
enabled: true
paths:
- /var/log/*.log
- /var/log/messages
- /var/log/syslog
- type: docker
containers.ids:
- "*"
json.keys_under_root: true
json.ignore_decoding_error: true
processors:
- add_kubernetes_metadata:
- drop_event:
when:
equals:
kubernetes.container.name: "filebeat"
- decode_json_fields:
fields: ["message"]
when:
equals:
kubernetes.container.name: "modsecurity-log"
fluentd: fluentd:
enabled: false enabled: false
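Review bot: The `decode_json_fields` processor at the end of the `processors` list sets no `target`, so the decoded audit object replaces `message` on `modsecurity-log` events instead of landing under a documented field. Consider an explicit `target` (a dedicated key for the modsec audit data, or `""` if root-level fields are really intended), so the Elasticsearch mapping for these events is predictable and fields from the WAF log cannot collide with other event fields. Separately, `json.keys_under_root: true` and `json.ignore_decoding_error: true` on the `type: docker` input apply to every container matched by `"*"`, not only the sidecar, and the second setting stops decode failures from being logged. For an audit log source it would be safer to keep decode errors visible, or to add a comment explaining why both the input-level `json.*` options and the processor are needed.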
......