Initial import

widhalmt · widhalmt · commit 3fe291ddfadc · 2024-07-09T12:32:21.000+02:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: monthly
diff --git a/.github/workflows/logstash.yml b/.github/workflows/logstash.yml
@@ -0,0 +1,40 @@
+---
+name: Logstash Syntax
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+  merge_group:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: true
+      max-parallel: 2
+      matrix:
+        release:
+          - 7
+          - 8
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install gpg
+          wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
+          echo "deb https://artifacts.elastic.co/packages/${{ matrix.release }}.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-${{ matrix.release }}.x.list
+          sudo apt-get update
+          sudo apt-get install logstash
+          mkdir -p /tmp/logstash/data /tmp/logstash/logs
+
+      - name: Test with Logstash
+        run: |
+          /usr/share/logstash/bin/logstash  --path.settings /etc/logstash/ --path.config '*conf' --path.data /tmp/logstash/data --path.logs /tmp/logstash/logs --config.test_and_exit
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+input.conf
+output.conf
diff --git a/README.md b/README.md
@@ -1,2 +1,26 @@
 # iptables-logstash-pipeline
-Logstash pipeline to parse iptables logs
+Ready made code to parse logs from iptables
+
+## Input and Output ##
+
+This pipeline does not provide inputs or outputs so you can configure whatever you need. Files named `input.conf` and `output.conf` will not interfere with updates via git, so name your files accordingly.
+
+Here are examples how your files could look if you want to use a local Redis instance.
+
+```
+input {
+  redis {
+    host => localhost
+    key => "iptables"
+    data_type => list
+  }
+}
+
+output {
+  redis {
+    key => "forwarder"
+    data_type => list
+    host => localhost
+  }
+}
+```
diff --git a/filter-10-iptables.conf b/filter-10-iptables.conf
@@ -0,0 +1,12 @@
+filter {
+
+  kv {
+    target => "iptables"
+  }
+
+  grok {
+    match => ["message","^%{DATA:[iptables][prefix]} IN="]
+    tag_on_failure => ["_grokparsefailure","iptables_failed"]
+  }
+
+}
