Verified commit 57503a2e, authored by Lucas Charles, committed by Douglas Barbosa Alexandre

Update filebeat config to parse modsec logs as JSON

Adds additional processor for parsing modsec audit logs as JSON from
`modsecurity-log` sidecar

See #14707 for more details
parent 7b6b11a6
Pipeline #118045925 failed
---
title: Parse filebeat modsec logs as JSON
merge_request: 24836
author:
type: changed
......@@ -23,6 +23,29 @@ filebeat:
output.elasticsearch:
enabled: true
hosts: ["http://elastic-stack-elasticsearch-client:9200"]
filebeat.prospectors:
- type: log
enabled: true
paths:
- /var/log/*.log
- /var/log/messages
- /var/log/syslog
- type: docker
containers.ids:
- "*"
json.keys_under_root: true
json.ignore_decoding_error: true
processors:
- add_kubernetes_metadata:
- drop_event:
when:
equals:
kubernetes.container.name: "filebeat"
- decode_json_fields:
fields: ["message"]
when:
equals:
kubernetes.container.name: "modsecurity-log"
fluentd:
enabled: false
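Review bot: the `decode_json_fields` processor at the end of `processors` sets no `target`, so for `modsecurity-log` events the decoded object replaces the `message` string, while events from every other container matched by `containers.ids: "*"` still ship `message` as text. Both shapes go to the same `output.elasticsearch` host, and a field that is an object in some documents and text in others can cause mapping conflicts and rejected documents, which for WAF audit logs means silently missing events. Consider writing the decoded fields under a dedicated key with an explicit `target`, and setting `max_depth` and `overwrite_keys` deliberately rather than relying on the defaults. It would also help to document why `json.keys_under_root: true` on the docker prospector and this processor are both needed for the sidecar output.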
......