HTTP status code change to INT instead of POSINT

outflanknl · Jul 17, 2020 · 1e96e65 · 1e96e65
1 parent 9da4918
commit 1e96e65
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/elkserver/logstash/conf.d/20-redir-haproxy.conf b/elkserver/logstash/conf.d/20-redir-haproxy.conf
@@ -78,12 +78,12 @@ filter {
     if "xforwardedfor:-" in [message] {
       # Lines without X-Forwarded-For identified with "xforwardedfor:-"
       grok {
-        match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:redirtraffic.timestamp} frontend:(?<redir.frontendname>([^/]*))/(([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceip}:%{POSINT:redirtraffic.sourceport} xforwardedfor:- headers:\{\|(?<redirtraffic.headersall>([^\}]*))} statuscode:%{POSINT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
+        match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:redirtraffic.timestamp} frontend:(?<redir.frontendname>([^/]*))/(([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceip}:%{POSINT:redirtraffic.sourceport} xforwardedfor:- headers:\{\|(?<redirtraffic.headersall>([^\}]*))} statuscode:%{INT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
       }
     } else if "request:" in [message] {
     # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good 
       grok {
-        match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:redirtraffic.timestamp} frontend:(?<redir.frontendname>([^/]*))/(([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceipcdn}:%{POSINT:redirtraffic.sourceportcdn} xforwardedfor:%{IPORHOST:redirtraffic.sourceip} headers:\{\|(?<redirtraffic.headersall>([^\}]*))} statuscode:%{POSINT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
+        match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:redirtraffic.timestamp} frontend:(?<redir.frontendname>([^/]*))/(([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceipcdn}:%{POSINT:redirtraffic.sourceportcdn} xforwardedfor:%{IPORHOST:redirtraffic.sourceip} headers:\{\|(?<redirtraffic.headersall>([^\}]*))} statuscode:%{INT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
         add_tag => [ "redirtrafficxforwardedfor" ]
       }
     } else {

diff --git a/elkserver/logstash/conf.d/30-redir-apache.conf b/elkserver/logstash/conf.d/30-redir-apache.conf
@@ -30,12 +30,12 @@ filter {
     if "xforwardedfor:-" in [message] {
       # Lines without X-Forwarded-For identified with "xforwardedfor:-"
       grok {
-        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceip}:%{POSINT:redirtraffic.sourceport} xforwardedfor:- headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{POSINT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
+        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceip}:%{POSINT:redirtraffic.sourceport} xforwardedfor:- headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{INT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
       }
     } else if "request:" in [message] {
     # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good 
       grok {
-        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceipcdn}:%{POSINT:redirtraffic.sourceportcdn} xforwardedfor:%{IPORHOST:redirtraffic.sourceip} headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{POSINT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
+        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceipcdn}:%{POSINT:redirtraffic.sourceportcdn} xforwardedfor:%{IPORHOST:redirtraffic.sourceip} headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{INT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
         add_tag => [ "redirtrafficxforwardedfor" ]
       }
     } else {

diff --git a/elkserver/logstash/conf.d/40-redir-nginx.conf b/elkserver/logstash/conf.d/40-redir-nginx.conf
@@ -30,12 +30,12 @@ filter {
     if "xforwardedfor:-" in [message] {
       # Lines without X-Forwarded-For identified with "xforwardedfor:-"
       grok {
-        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceip}:%{POSINT:redirtraffic.sourceport} xforwardedfor:- headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{POSINT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
+        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceip}:%{POSINT:redirtraffic.sourceport} xforwardedfor:- headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{INT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
       }
     } else if "request:" in [message] {
     # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good 
       grok {
-        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceipcdn}:%{POSINT:redirtraffic.sourceportcdn} xforwardedfor:%{IPORHOST:redirtraffic.sourceip} headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{POSINT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
+        match => { "messagenosyslog" => [ "frontend:(?<redir.frontendname>([^/]*))/%{IPORHOST:redir.frontendip}:%{POSINT:redir.frontendport} backend:%{NOTSPACE:redir.backendname} client:%{IPORHOST:redirtraffic.sourceipcdn}:%{POSINT:redirtraffic.sourceportcdn} xforwardedfor:%{IPORHOST:redirtraffic.sourceip} headers:\{(?<redirtraffic.headersall>([^\}]*))} statuscode:%{INT:redirtraffic.httpstatus} request:%{GREEDYDATA:redirtraffic.httprequest}" ] }
         add_tag => [ "redirtrafficxforwardedfor" ]
       }
     } else {