##########################################
# Define inputs in this file
# Since these are system-specific, this is also the place to define what kind of system we are working with - the values propagate to the ECS observer.* fields
# NOTE(review): "localhost" is a placeholder. Set it to the sensor's real hostname on every deployment, otherwise events from different sensors are indistinguishable on observer.hostname and host-keyed detections are blind.
@SET observer_hostname=localhost
# NTA stands for network traffic analysis - a more generic term than IDS
@SET observer_type=nta
# Use bro for Bro 2.6+ or zeek for Zeek 3.0+
@SET observer_product=bro
# Keep this in sync with the version actually installed - it is metadata only, nothing in this file validates it
@SET observer_version=2.6.3
# Labels
@SET labels_pipeline=zeerbit-ecs
# Suggested values: production, qa, lab etc
@SET labels_env=default
# NOTE(review): ${FBIT_PATH}, used by every [INPUT] below for the tail DB, is NOT set in this file. It must be exported in the environment of the fluent-bit process (e.g. its service unit); an unset variable presumably expands to empty, which would leave the DB path as just "/tail.db" - verify before first start.
# NOTE(review): all inputs share one ${FBIT_PATH}/tail.db holding file offsets. Keep it on persistent storage writable only by the fluent-bit user: losing it replays logs, and anyone who can edit it can make the pipeline skip or replay events.
# NOTE(review): no input sets Mem_Buf_Limit. If the output stalls, tail buffers records in memory without a bound, so a burst (e.g. a DNS or connection flood) can OOM the forwarder - consider Mem_Buf_Limit and/or filesystem storage per input.
# NOTE(review): with no DB entry yet, tail starts at the end of each file (Read_from_Head is not set); set it if the existing spool contents should be ingested on first start - confirm against the tail docs for the deployed version.
# IMPORTANT! Make sure to point to an actual Zeek spool directory, not to a symlink. Fluent-bit tail DB doesn't work properly with symlinks, which results in duplicates.
@SET zeeklogdir=/usr/local/zeek/spool/zeek
# conn.log: one record per connection, usually the highest-volume Zeek log - the Mem_Buf_Limit caveat matters most here
[INPUT]
Name tail
Tag ${observer_product}.conn
Path ${zeeklogdir}/conn.log
# Offset/inode state so a restart resumes where it left off instead of re-reading or skipping
DB ${FBIT_PATH}/tail.db
# Refresh_Interval: how often (seconds) tail rescans Path for new or rotated files.
# Leave it at the plugin default unless rotated files are picked up too late;
# the former "Read interval (sec) Default: 1" note here described a different setting.
#Refresh_Interval 5
# Alternative when Zeek runs https://github.com/corelight/json-streaming-logs: swap this block in for the one above.
# Keep exactly one of the two active - tailing both conn.log and json_streaming_conn.log ingests every connection twice.
#[INPUT]
# Name tail
# Tag ${observer_product}.conn.json
# Path ${zeeklogdir}/json_streaming_conn.log
# DB ${FBIT_PATH}/tail.db
# Refresh_Interval: rescan interval (seconds) for the watched file list, plugin default if omitted
#Refresh_Interval 5
# dhcp.log: DHCP leases - useful for mapping IPs to hosts/MACs in later enrichment
[INPUT]
Name tail
Tag ${observer_product}.dhcp
Path ${zeeklogdir}/dhcp.log
# Shared offset DB; same file as the other inputs
DB ${FBIT_PATH}/tail.db
# Refresh_Interval: seconds between rescans of Path for new or rotated files (not a read interval).
# Uncomment only to override the plugin default.
#Refresh_Interval 5
# Alternative when Zeek runs https://github.com/corelight/json-streaming-logs: use this block instead of (not in addition to) the one above.
#[INPUT]
# Name tail
# Tag ${observer_product}.dhcp.json
# Path ${zeeklogdir}/json_streaming_dhcp.log
# DB ${FBIT_PATH}/tail.db
# Refresh_Interval: rescan interval (seconds) for the watched file list
#Refresh_Interval 5
# dns.log: DNS queries and answers. Volume can spike sharply under a DNS flood or tunnelling, so bound buffering on this input
[INPUT]
Name tail
Tag ${observer_product}.dns
Path ${zeeklogdir}/dns.log
# Shared offset DB; same file as the other inputs
DB ${FBIT_PATH}/tail.db
# Refresh_Interval: seconds between rescans of Path for new or rotated files (not a read interval).
# Uncomment only to override the plugin default.
#Refresh_Interval 5
# Alternative when Zeek runs https://github.com/corelight/json-streaming-logs: use this block instead of (not in addition to) the one above.
#[INPUT]
# Name tail
# Tag ${observer_product}.dns.json
# Path ${zeeklogdir}/json_streaming_dns.log
# DB ${FBIT_PATH}/tail.db
# Refresh_Interval: rescan interval (seconds) for the watched file list
#Refresh_Interval 5
# ssl.log: TLS/SSL handshake metadata (SNI, certificates, versions, ciphers)
[INPUT]
Name tail
Tag ${observer_product}.ssl
Path ${zeeklogdir}/ssl.log
# Shared offset DB; same file as the other inputs
DB ${FBIT_PATH}/tail.db
# Refresh_Interval: seconds between rescans of Path for new or rotated files (not a read interval).
# Uncomment only to override the plugin default.
#Refresh_Interval 5
# Alternative when Zeek runs https://github.com/corelight/json-streaming-logs: use this block instead of (not in addition to) the one above.
#[INPUT]
# Name tail
# Tag ${observer_product}.ssl.json
# Path ${zeeklogdir}/json_streaming_ssl.log
# DB ${FBIT_PATH}/tail.db
# Refresh_Interval: rescan interval (seconds) for the watched file list
#Refresh_Interval 5
# http.log: request/response metadata. URIs, user agents and hostnames can carry PII or credentials - treat the downstream index accordingly.
# Attacker-controlled long URIs are a real risk here: consider Skip_Long_Lines so one oversize line cannot stop the tail of this file (verify the semantics for the deployed version).
[INPUT]
Name tail
Tag ${observer_product}.http
Path ${zeeklogdir}/http.log
# Shared offset DB; same file as the other inputs
DB ${FBIT_PATH}/tail.db
# Refresh_Interval: seconds between rescans of Path for new or rotated files (not a read interval).
# Uncomment only to override the plugin default.
#Refresh_Interval 5
# Alternative when Zeek runs https://github.com/corelight/json-streaming-logs: use this block instead of (not in addition to) the one above.
#[INPUT]
# Name tail
# Tag ${observer_product}.http.json
# Path ${zeeklogdir}/json_streaming_http.log
# DB ${FBIT_PATH}/tail.db
# Refresh_Interval: rescan interval (seconds) for the watched file list
#Refresh_Interval 5
# zeer_hosts.log: not a stock Zeek log - presumably written by this project's own Zeek script. Confirm that script is loaded on the sensor, otherwise tail waits for a file that never appears.
# No JSON-streaming variant is provided for this log, unlike the inputs above.
[INPUT]
Name tail
Tag ${observer_product}.zeer_hosts
Path ${zeeklogdir}/zeer_hosts.log
# Shared offset DB; same file as the other inputs
DB ${FBIT_PATH}/tail.db
# Refresh_Interval: seconds between rescans of Path for new or rotated files (not a read interval).
# Uncomment only to override the plugin default.
#Refresh_Interval 5