Merge pull request #3 from NETWAYS/github-pipelines

Add GitHub pipelines
Modify SELinux filter

Author: afeefghannam89

.github/dependabot.yml

@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: monthly

.github/workflows/logstash.yml

@@ -0,0 +1,32 @@
+---
+name: Logstash Syntax
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+  merge_group:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install gpg
+          wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
+          echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
+          sudo apt-get update
+          sudo apt-get install logstash
+          mkdir -p /tmp/logstash/data /tmp/logstash/logs
+
+      - name: Test with Logstash
+        run: |
+          /usr/share/logstash/bin/logstash  --path.settings /etc/logstash/ --path.config '*conf' --path.data /tmp/logstash/data --path.logs /tmp/logstash/logs --config.test_and_exit

README.md

@@ -1,2 +1,28 @@
 # logstash-pipelines-selinux
-Logstash pipelines for SELinux logs,  This Repository is in development process.
+Logstash pipelines for SELinux logs.
+
+[![CI](https://github.com/netways/selinux-logstash-pipeline/workflows/Logstash%20Syntax/badge.svg?event=push)](https://github.com/netways/selinux-logstash-pipeline/actions?query=workflow%3A%22Logstash+Syntax%22)
+
+## Input and Output ##
+
+This pipeline does not provide inputs or outputs so you can configure whatever you need. Files named `input.conf` and `output.conf` will not interfere with updates via git, so name your files accordingly.
+
+Here are examples how your files could look if you want to use a local Redis instance.
+
+```
+input {
+  redis {
+    host => localhost
+    key => "selinux"
+    data_type => list
+  }
+}
+
+output {
+  redis {
+    key => "forwarder"
+    data_type => list
+    host => localhost
+  }
+}
+```

filter-10-selinux.conf

@@ -2,7 +2,10 @@ filter {
   grok {
     add_tag => "selinux"
     tag_on_failure => "selinux_failure"
-    match => [ "message", ": avc:%{SPACE}%{SPACE}%{DATA:[selinux][avc]}  \{ %{WORD:[selinux][action]} \} for  pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
-       }
+    id => "selinux"
+    match => [ "message", "avc:%{SPACE}%{DATA:[selinux][avc]}  \{ %{WORD:[selinux][action]} \} for  pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
+    add_field => {
+      "[selinux][eventtype]" => "selinux_avc"
+    }
+  }
 }
-