CSV log processing support with fluentbit integration

Author: codeyourweb

.gitignore

@@ -14,6 +14,7 @@
 /data/log_ingest_data/evtx/*
 /data/log_ingest_data/auditd/*
 /data/log_ingest_data/json/*
+/data/log_ingest_data/csv/*
 /data/mysql_data/*
 /data/yara_triage_data/*
 /docs/graphs/*.bkp

config/docker-config/Dockerfile.fluentbit

@@ -3,10 +3,12 @@ FROM ubuntu:24.04
 RUN mkdir -p fluent-bit /fluent-bit/etc /fluent-bit/scripts /fluent-bit/logs /fluent-bit/database
 WORKDIR /fluent-bit
 COPY config/docker-config/fluentbit-evtx-dump.sh /fluent-bit/scripts/fluentbit-evtx-dump.sh
-RUN chmod +x /fluent-bit/scripts/fluentbit-evtx-dump.sh
+COPY config/docker-config/fluentbit-csv-dump.sh /fluent-bit/scripts/fluentbit-csv-dump.sh
+RUN chmod +x /fluent-bit/scripts/fluentbit-evtx-dump.sh && \
+    chmod +x /fluent-bit/scripts/fluentbit-csv-dump.sh
 
 RUN apt update && \
-    apt install -y curl ca-certificates dpkg gnupg dpkg-dev && \
+    apt install -y curl ca-certificates dpkg gnupg dpkg-dev python3 && \
     curl -L -o /tmp/fluentbit.key https://packages.fluentbit.io/fluentbit.key && \
     gpg --dearmor < /tmp/fluentbit.key > /usr/share/keyrings/fluentbit-keyring.gpg && \
     rm /tmp/fluentbit.key && \

config/docker-config/fluentbit-csv-dump.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+
+CSV_DIR="/fluent-bit/logs/csv"
+JSON_DIR="/fluent-bit/logs/csv"
+PROCESSED_DIR="/fluent-bit/logs/csv/processed"
+
+mkdir -p "$PROCESSED_DIR" "$JSON_DIR"
+find "$CSV_DIR" -maxdepth 1 -name "*.csv" -print0 | while IFS= read -r -d $'\0' csv_file; do
+    filename=$(basename "$csv_file" .csv)
+    jsonl_file="${JSON_DIR}/${filename}.jsonl"
+    echo "Converting $csv_file to $jsonl_file..."
+    
+    if [ ! -s "$csv_file" ]; then
+        echo "Warning: $csv_file is empty, skipping..."
+        continue
+    fi
+    
+    first_line=$(head -1 "$csv_file")
+    if echo "$first_line" | grep -q ","; then
+        sep=","
+    elif echo "$first_line" | grep -q ";"; then
+        sep=";"
+    elif echo "$first_line" | grep -q $'\t'; then
+        sep=$'\t'
+    elif echo "$first_line" | grep -q "|"; then
+        sep="|"
+    else
+        sep=","
+    fi
+    
+    echo "Using separator: '$sep'"
+    
+    if echo "$first_line" | grep -q "[a-zA-Z]"; then
+        echo "CSV file has headers, using column names"
+        python3 -c "
+import csv
+import json
+import sys
+
+try:
+    with open('$csv_file', 'r', encoding='utf-8') as f:
+        sample = f.read(1024)
+        f.seek(0)
+        sniffer = csv.Sniffer()
+        dialect = sniffer.sniff(sample, delimiters=',$sep')
+        
+        reader = csv.DictReader(f, dialect=dialect)
+        with open('$jsonl_file', 'w', encoding='utf-8') as out_f:
+            for row in reader:
+                json.dump(row, out_f, ensure_ascii=False)
+                out_f.write('\n')
+    print('Conversion successful with Python CSV parser')
+except Exception as e:
+    print(f'Python conversion failed: {e}', file=sys.stderr)
+    sys.exit(1)
+"
+    else
+        echo "CSV file without headers, using column_0, column_1, etc."
+        python3 -c "
+import csv
+import json
+import sys
+
+try:
+    with open('$csv_file', 'r', encoding='utf-8') as f:
+        sample = f.read(1024)
+        f.seek(0)
+        sniffer = csv.Sniffer()
+        dialect = sniffer.sniff(sample, delimiters=',$sep')
+        
+        reader = csv.reader(f, dialect=dialect)
+        with open('$jsonl_file', 'w', encoding='utf-8') as out_f:
+            for row in reader:
+                row_dict = {f'column_{i}': value for i, value in enumerate(row)}
+                json.dump(row_dict, out_f, ensure_ascii=False)
+                out_f.write('\n')
+    print('Conversion successful with Python CSV parser (no headers)')
+except Exception as e:
+    print(f'Python conversion failed: {e}', file=sys.stderr)
+    sys.exit(1)
+"
+    fi
+    
+    if [ $? -eq 0 ]; then
+        echo "Conversion successful. Moving original..."
+        mv "$csv_file" "$PROCESSED_DIR/"
+    else
+        echo "Error occurred during csv to json conversion for $csv_file." >&2
+    fi
+done

config/fluentbit_server/fluent-bit.conf

@@ -13,4 +13,5 @@
 @include /fluent-bit/etc/logs-evtx.conf
 @include /fluent-bit/etc/logs-auditd.conf
 @include /fluent-bit/etc/logs-json.conf
+@include /fluent-bit/etc/logs-csv.conf
 @include /fluent-bit/etc/logs-http.conf

config/fluentbit_server/logs-csv.conf

@@ -0,0 +1,46 @@
+[INPUT]
+    Name          exec
+    Tag           csv.converter.run
+    Interval_Sec  30
+    Interval_NSec 0
+    Buf_Size      128mb
+    Command       /fluent-bit/scripts/fluentbit-csv-dump.sh
+    Oneshot       false
+    Threaded      true
+
+[INPUT]
+    Name         tail
+    Path         /fluent-bit/logs/csv/*.jsonl
+    Tag          csv.logs
+    DB           /fluent-bit/database/csv_jsonl_db.db
+    Parser       json_parser
+    Read_from_Head true
+    Buffer_Chunk_Size 1M
+    Buffer_Max_Size 5M
+    Path_Key      source_file
+
+
+[FILTER]
+    Name         lua
+    Match        csv.logs
+    Script       /fluent-bit/etc/add_timestamp.lua
+    Call         add_timestamp
+
+[OUTPUT]
+    Name         es
+    Match        csv.logs
+    Host         sentinel-kit-db-elasticsearch-es01
+    Port         9200
+    Buffer_Size   5M
+    Logstash_Format     On
+    Logstash_Prefix     ingest-csv
+    Logstash_DateFormat %Y.%m.%d
+    Type         _doc
+    Time_Key     @timestamp
+    Replace_Dots On
+    Suppress_Type_Name On
+    Retry_Limit  False
+    TLS           On
+    TLS.Verify    Off
+    HTTP_User     elastic
+    HTTP_Passwd   ${ELASTIC_PASSWORD}