
Commit e035faf

authored
Fix Teleport log pipeline Grok parser rules containing newlines (#19721)
1 parent df2fa2a commit e035faf

1 file changed

+3
-12
lines changed

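--- a/teleport/assets/logs/teleport.yaml
+++ b/teleport/assets/logs/teleport.yaml
@@ -154,30 +154,21 @@ pipeline:
 user_kind:1 events/emitter.go:288
 grok:
 supportRules: >-
-_log_prefix
-%{date("yyyy-MM-dd'T'HH:mm:ssZZ"):date}\s+%{word:log.level}\s+(\[%{notSpace:teleport.component}\])?\s+%{notSpace}
-
+_log_prefix %{date("yyyy-MM-dd'T'HH:mm:ssZZ"):date}\s+%{word:log.level}\s+(\[%{notSpace:teleport.component}\])?\s+%{notSpace}
 
 _log_common_attr %{_log_prefix}\s+(addr.local:%{ipOrHost:network.client.ip}:%{port:network.client.port}\s+)?(addr.remote:%{ipOrHost:network.destination.ip}:%{port:network.destination.port}\s+)?+cluster_name:%{notSpace:teleport.cluster_name}\s+code:%{notSpace:teleport.code}\s+ei:%{notSpace:teleport.eid}
 matchRules: >-
-parse_audit_user_login
-%{_log_common_attr}\s+event:%{notSpace:teleport.event_type}\s+method:%{notSpace:teleport.method}\s+mfa_device_name:%{notSpace:teleport.mfa_device_name}\s+mfa_device_type:%{notSpace:teleport.mfa_device_type}\s+mfa_device_uuid:%{notSpace:teleport.mfa_device_uuid}\s+required_private_key_policy:%{notSpace:teleport.required_private_key_policy}\s+success:%{notSpace:teleport.success}\s+time:%{notSpace:teleport.time}\s+uid:%{notSpace:teleport.uid}\s+user:%{notSpace:teleport.user}\s+user_agent:%{regex("[a-zA-Z/0-9.
-(;_),]+"):http.useragent}\s%{notSpace}
+parse_audit_user_login %{_log_common_attr}\s+event:%{notSpace:teleport.event_type}\s+method:%{notSpace:teleport.method}\s+mfa_device_name:%{notSpace:teleport.mfa_device_name}\s+mfa_device_type:%{notSpace:teleport.mfa_device_type}\s+mfa_device_uuid:%{notSpace:teleport.mfa_device_uuid}\s+required_private_key_policy:%{notSpace:teleport.required_private_key_policy}\s+success:%{notSpace:teleport.success}\s+time:%{notSpace:teleport.time}\s+uid:%{notSpace:teleport.uid}\s+user:%{notSpace:teleport.user}\s+user_agent:%{regex("[a-zA-Z/0-9. (;_),]+"):http.useragent}\s%{notSpace}
 
 parse_audit_session_start %{_log_common_attr}\s+event:%{notSpace:teleport.event_type}\s+initial_command:%{notSpace:teleport.initial_command}\s+login:%{notSpace:teleport.login}\s+namespace:%{notSpace:teleport.namespace}\s+private_key_policy:%{notSpace:teleport.private_key_policy}\s+proto:%{notSpace:teleport.proto}\s+server_addr:%{notSpace:teleport.server_addr}\s+server_hostname:%{notSpace:network.host.name}\s+server_id:%{notSpace:teleport.server_id}\s+session_recording:%{notSpace:teleport.session_recording}\s+sid:%{notSpace:teleport.sid}\s+size:%{notSpace:teleport.size}\s+time:%{notSpace:teleport.time}\s+uid:%{notSpace:teleport.uid}\s+user:%{notSpace:teleport.user}\s+user_kind:%{notSpace:teleport.user_kind}\s+%{regex("[^:]*"):log.file}:%{number:log.line_number}.*
 
-
 parse_audit_session_leave %{_log_common_attr}\s+event:%{notSpace:teleport.event_type}\s+login:%{notSpace:teleport.login}\s+namespace:%{notSpace:teleport.namespace}\s+private_key_policy:%{notSpace:teleport.private_key_policy}\s+server_addr:%{notSpace:teleport.server_addr}\s+%{data::keyvalue(":","a-zA-Z-_.<>")}\s+%{regex("[^:]*"):log.file}:%{number:log.line_number}.*
 
-
 parse_audot_session_end %{_log_common_attr}\s+enhanced_recording:%{notSpace:teleport.enhanced_recording}\s+event:%{notSpace:teleport.event_type}\s+interactive:%{notSpace:teleport.interactive}\s+login:%{notSpace:teleport.login}\s+namespace:%{notSpace:teleport.namespace}\s+participants:%{notSpace:teleport.participants}\s+private_key_policy:%{notSpace:teleport.private_key_policy}\s+proto:%{notSpace:teleport.proto}\s+server_addr:%{notSpace:teleport.server_addr}\s+server_hostname:%{notSpace:network.host.name}\s+server_id:%{notSpace:teleport.server_id}\s+session_recording:%{notSpace:teleport.session_recording}\s+session_start:%{notSpace:teleport.session_start}\s+session_stop:%{notSpace:teleport.session_stop}\s+sid:%{notSpace:teleport.sid}\s+time:%{notSpace:teleport.time}\s+uid:%{notSpace:teleport.uid}\s+user:%{notSpace:teleport.user}\s+user_kind:%{notSpace:teleport.user_kind}\s+%{regex("[^:]*"):log.file}:%{number:log.line_number}.*
 
-
 parse_audit_session_data %{_log_common_attr}\s+event:%{notSpace:teleport.event_type}\s+login:%{notSpace:teleport.login}\s+namespace:%{notSpace:teleport.namespace}\s+private_key_policy:%{notSpace:teleport.private_key_policy}\s+rx:%{notSpace:teleport.bytes_read}\s+server_hostname:%{notSpace:network.host.name}\s+server_id:%{notSpace:teleport.server_id}\s+sid:%{notSpace:teleport.sid}\s+time:%{notSpace:teleport.time}\s+tx:%{notSpace:network.bytes_written}\s+uid:%{notSpace:teleport.uid}\s+user:%{notSpace:teleport.user}\s+user_kind:%{notSpace:teleport.user_kind}\s+%{regex("[^:]*"):log.file}:%{number:log.line_number}.*
 
-
-parse_user_login %{_log_common_attr}\s+error:%{regex("[\\[]*.*\\]"):teleport.event_error}\s+event:%{notSpace:teleport.event_type}\s+method:%{notSpace:teleport.method}\s+success:%{notSpace:teleport.success}\s+time:%{notSpace:teleport.time}\s+uid:%{notSpace:teleport.uid}\s+user:%{notSpace:teleport.user}\s+user_agent:%{regex("[a-zA-Z/0-9.
-(;_),]+"):http.useragent}\s%{notSpace}
+parse_user_login %{_log_common_attr}\s+error:%{regex("[\\[]*.*\\]"):teleport.event_error}\s+event:%{notSpace:teleport.event_type}\s+method:%{notSpace:teleport.method}\s+success:%{notSpace:teleport.success}\s+time:%{notSpace:teleport.time}\s+uid:%{notSpace:teleport.uid}\s+user:%{notSpace:teleport.user}\s+user_agent:%{regex("[a-zA-Z/0-9. (;_),]+"):http.useragent}\s%{notSpace}
 
 parse_common_prefix %{_log_prefix}.*
 - type: user-agent-parser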
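Review bot: The `user_agent` capture in the new `parse_audit_user_login` and `parse_user_login` rules is restricted to `[a-zA-Z/0-9. (;_),]+`, so any login line whose user agent contains a character outside that class (a `-`, `:`, `+` or `@`, which real browser and client strings commonly carry, e.g. `rv:109.0`) will fail the whole rule and fall through to the catch-all `parse_common_prefix`, silently dropping `teleport.user`, `teleport.success` and the `teleport.mfa_*` attributes that a login-monitoring detection would key on. Since the trailing `\s%{notSpace}` already anchors on the `file:line` suffix, a less restrictive capture such as `user_agent:%{regex("[^\\n]+?"):http.useragent}\s%{notSpace}$` (or at least adding `:+@-` to the class) would be safer; I would confirm against the pipeline's sample logs and add a login sample with a Firefox-style agent to the test fixtures. The pre-existing rule name `parse_audot_session_end` on the new side also looks like a typo for `parse_audit_session_end`. The enclosing `pipeline:` definition begins before this hunk.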
