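# Filebeat configuration that ships the Nextcloud audit log (one JSON object
# per line) into Elasticsearch.  Each record is decoded into `json.*`, the
# audit text ends up in `message`, and a processor chain classifies it into
# `nextcloud.event` / `nextcloud.data`.
#
# 'ip' is the author's placeholder for the Elasticsearch / Kibana address.

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/www/html/data/audit.log
    # Decoding errors are recorded in `error.message` instead of being
    # dropped silently.  `json.keys_under_root` is left at its default, so
    # the decoded object stays under `json.*` (the processors below rely on
    # `json.time`, `json.url`, `json.message`, `json.userAgent`).
    json.add_error_key: true
    json.message_key: message

# ILM is disabled on purpose: a custom, date-suffixed index name is used
# below, and ILM would otherwise take over the index naming.
setup.ilm.enabled: false

# A custom index name requires a matching template name/pattern.
setup.template.name: 'nextcloud-audit'
setup.template.pattern: 'nextcloud-audit-*'
setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: 'http://ip:5601'

# The flattened `output.elasticsearch.index` key and the nested
# `output.elasticsearch` mapping were previously split; both resolve to the
# same settings, so they are kept together here.
output.elasticsearch:
  enabled: true
  hosts:
    - 'ip:9200'
  index: 'nextcloud-audit-%{[agent.version]}-%{+yyyy.MM.dd}'
  # With only the settings above, audit data leaves this host unencrypted
  # and unauthenticated.  Enable TLS and credentials before using this
  # outside a trusted network; read secrets from the environment rather
  # than storing them in this file.
  # protocol: 'https'
  # ssl.certificate_authorities: ['<path-to-ca-bundle>']
  # username: '${ES_USERNAME}'
  # password: '${ES_PASSWORD}'

processors:
  # Use the timestamp written by Nextcloud rather than the ingest time.
  - timestamp:
      field: json.time
      layouts:
        - '2006-01-02T15:04:05-07:00'

  # Map the decoded fields onto ECS names.  `ignore_missing` already covers
  # events without `json.userAgent`, so no `when: has_fields` guard is
  # needed (such a guard would also block the url/message renames for those
  # events).  `fail_on_error: false` lets the remaining renames go through
  # if one is rejected, e.g. because `message` is already populated via
  # `json.message_key`.
  - rename:
      fields:
        - from: json.url
          to: url.path
        - from: json.message
          to: message
        - from: json.userAgent
          to: user_agent.original
      ignore_missing: true
      fail_on_error: false

  # Classification chain.  Order matters: share messages carry
  # "(Share ID: n)" and would also match the generic "event: data" pattern
  # in the `else` branch, so they are handled first.  Share-ID messages that
  # match none of the four patterns receive no `nextcloud.*` fields.
  - if:
      regexp:
        message: '(.*?)\(Share ID: (\d*?)\)'
    then:
      - if:
          regexp:
            message: 'The folder(.*?)has been shared(.*?)\(Share ID: (\d*?)\)'
        then:
          - dissect:
              tokenizer: 'The folder %{nextcloud.data}'
              field: message
              target_prefix: ''
              fail_on_error: true
          - add_fields:
              target: nextcloud
              fields:
                event: 'Folder shared'
        else:
          - if:
              regexp:
                message: 'The folder(.*?)has been unshared(.*?)\(Share ID: (\d*?)\)'
            then:
              - dissect:
                  tokenizer: 'The folder %{nextcloud.data}'
                  field: message
                  target_prefix: ''
                  fail_on_error: true
              - add_fields:
                  target: nextcloud
                  fields:
                    event: 'Folder unshared'
            else:
              - if:
                  regexp:
                    message: 'The file(.*?)has been shared(.*?)\(Share ID: (\d*?)\)'
                then:
                  - dissect:
                      tokenizer: 'The file %{nextcloud.data}'
                      field: message
                      target_prefix: ''
                      fail_on_error: true
                  - add_fields:
                      target: nextcloud
                      fields:
                        event: 'File shared'
                else:
                  - if:
                      regexp:
                        message: 'The file(.*?)has been unshared(.*?)\(Share ID: (\d*?)\)'
                    then:
                      - dissect:
                          tokenizer: 'The file %{nextcloud.data}'
                          field: message
                          target_prefix: ''
                          fail_on_error: true
                      - add_fields:
                          target: nextcloud
                          fields:
                            event: 'File unshared'
    else:
      # Generic "event: data" messages (e.g. login events).
      - if:
          regexp:
            message: '(.*?): (.*?)'
        then:
          - dissect:
              tokenizer: '%{nextcloud.event}: %{nextcloud.data}'
              field: message
              target_prefix: ''
              fail_on_error: true
        else:
          - if:
              contains:
                message: 'Logout occurred'
            then:
              - copy_fields:
                  fields:
                    - from: message
                      to: nextcloud.event
                  fail_on_error: false
                  ignore_missing: true
            else:
              # NOTE(review): the regexp accepts any text between "folder"
              # and "has been accessed", but the tokenizer below requires the
              # literal "with the "; a message without it keeps only the
              # `add_fields` result — confirm against real audit lines.
              - if:
                  regexp:
                    message: '^The shared folder (.*?) has been accessed.$'
                then:
                  - add_fields:
                      target: nextcloud
                      fields:
                        event: 'shared folder has been accessed'
                  - dissect:
                      tokenizer: 'The shared folder with the %{nextcloud.data} has been accessed.'
                      field: message
                      target_prefix: ''
                      fail_on_error: true
                else:
                  - if:
                      contains:
                        message: 'The permissions of the shared folder '
                    then:
                      - add_fields:
                          target: nextcloud
                          fields:
                            event: 'Permission shared Folder changed'
                      - dissect:
                          tokenizer: 'The permissions of the shared folder %{nextcloud.data}'
                          field: message
                          target_prefix: ''
                          fail_on_error: true
                    else:
                      - if:
                          contains:
                            message: 'The shared file with the token '
                        then:
                          - add_fields:
                              target: nextcloud
                              fields:
                                event: 'Shared File accessed'
                          - dissect:
                              tokenizer: 'The shared file with the %{nextcloud.data}'
                              field: message
                              target_prefix: ''
                              fail_on_error: true
                        else:
                          # Anything not matched above is indexed unchanged.
                          - if:
                              contains:
                                message: 'Email address changed '
                            then:
                              - dissect:
                                  tokenizer: '%{nextcloud.event} for %{nextcloud.data}'
                                  field: message
                                  target_prefix: ''
                                  fail_on_error: true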