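[SERVICE]
    # Flush
    # =====
    # Interval in seconds between flushes of buffered records to the outputs.
    Flush        5

    # Daemon
    # ======
    # Off keeps Fluent Bit in the foreground; On would detach it into the
    # background.
    Daemon       Off

    # Log_Level
    # =========
    # Verbosity of the service's own log, one of:
    #
    # - error
    # - warning
    # - info
    # - debug
    # - trace
    #
    # The default is 'info' (which includes 'error' and 'warning').
    # 'debug' is used here because this is the test config; it is chatty,
    # so do not carry it into a production config unless the Log_File
    # destination is sized and access-controlled for that volume.
    Log_Level    debug

    # Service log destination, taken from the FBIT_LOG variable.
    # NOTE(review): an unset variable presumably expands to an empty value;
    # confirm how the running version treats an empty Log_File.
    Log_File     ${FBIT_LOG}

    # Parsers_File
    # ============
    # Optional 'Parsers' configuration file. The path is relative and is
    # presumably resolved against this file's directory - verify against
    # the deployment layout.
    Parsers_File parsers.conf

    # Plugins_File
    # ============
    # External plugin shared objects to load. Anything listed there runs
    # inside the Fluent Bit process with its privileges, so plugins.conf
    # and the objects it names should be writable only by trusted users.
    Plugins_File plugins.conf

    # HTTP Server
    # ===========
    # Built-in HTTP server for metrics and runtime information. It is Off
    # here. The server carries no authentication of its own, so if it is
    # ever turned On prefer HTTP_Listen 127.0.0.1 (or a dedicated
    # management address) over 0.0.0.0, which binds every interface.
    HTTP_Server  Off
    HTTP_Listen  0.0.0.0
    HTTP_Port    2020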
##########################################
# Define inputs FOR TESTING in this file
# The inputs here are system-specific, so this is also where we describe
# the system we are working with; these values propagate to the ECS
# observer.* fields. Each @SET variable is referenced later as ${name}.
@SET observer_hostname=testhost
# NTA stands for network traffic analysis - a more generic term than IDS
@SET observer_type=nta
# Use bro for Bro 2.6+ or zeek for Zeek 3.+
# (this value is also the Tag/Match prefix used by the [INPUT] and
# [OUTPUT] sections further down)
@SET observer_product=bro
@SET observer_version=2.6.3
# Labels
@SET labels_pipeline=zeerbit-ecs
@SET labels_env=development
# Disabled test inputs follow. To enable one, uncomment its [INPUT] header
# together with its keys (indented under the header). The "Interval Sec"
# headings in these blocks look to have been carried over from another
# plugin's example; they do not match the tail plugin's Refresh_Interval key.
#[INPUT]
# Name tail
# Tag ${observer_product}.conn
# Path /usr/local/etc/fluent-bit/test/conn.log
# Interval Sec
# ====
# Read interval (sec) Default: 1
#Refresh_Interval 5
# Using https://github.com/corelight/json-streaming-logs for JSON logging
#[INPUT]
# Name tail
# Tag ${observer_product}.conn.json
# Path /usr/local/etc/fluent-bit/test/json_streaming_conn.log
#[INPUT]
# Name tail
# Tag ${observer_product}.dhcp
# Path /usr/local/etc/fluent-bit/test/dhcp.log
# Interval Sec
# ====
# Read interval (sec) Default: 1
#Refresh_Interval 5
# Using https://github.com/corelight/json-streaming-logs for JSON logging
#[INPUT]
# Name tail
# Tag ${observer_product}.dhcp.json
# Path /usr/local/etc/fluent-bit/test/json_streaming_dhcp.log
#[INPUT]
# Name tail
# Tag ${observer_product}.dns
# Path /usr/local/etc/fluent-bit/test/dns.log
# Interval Sec
# ====
# Read interval (sec) Default: 1
#Refresh_Interval 5
# Using https://github.com/corelight/json-streaming-logs for JSON logging
#[INPUT]
# Name tail
# Tag ${observer_product}.dns.json
# Path /usr/local/etc/fluent-bit/test/json_streaming_dns.log
#[INPUT]
# Name tail
# Tag ${observer_product}.ssl
# Path /usr/local/etc/fluent-bit/test/ssl.log
# Interval Sec
# ====
# Read interval (sec) Default: 1
#Refresh_Interval 5
# Using https://github.com/corelight/json-streaming-logs for JSON logging
#[INPUT]
# Name tail
# Tag ${observer_product}.ssl.json
# Path /usr/local/etc/fluent-bit/test/json_streaming_ssl.log
#[INPUT]
# Name tail
# Tag ${observer_product}.http
# Path /usr/local/etc/fluent-bit/test/http.log
# Interval Sec
# ====
# Read interval (sec) Default: 1
#Refresh_Interval 5
# Using https://github.com/corelight/json-streaming-logs for JSON logging
#[INPUT]
# Name tail
# Tag ${observer_product}.http.json
# Path /usr/local/etc/fluent-bit/test/json_streaming_http.log
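[INPUT]
    Name             tail
    # The tag prefix comes from @SET observer_product, so the included
    # filters and the [OUTPUT] Match pattern below pick these records up.
    Tag              ${observer_product}.zeer_hosts
    # Test fixture to tail; it must be readable by the user Fluent Bit
    # runs as.
    Path             /usr/local/etc/fluent-bit/test/zeer_hosts.log
    # Refresh_Interval
    # ================
    # Seconds between refreshes of the list of files matched by Path
    # (tail plugin default: 60). The previous heading ("Interval Sec",
    # "Read interval (sec) Default: 1") described a different plugin's key.
    #Refresh_Interval 5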
# Pull in the filter chain. The path is relative and is presumably
# resolved against this file's directory - verify against the deployment
# layout. The included file is processed with the same trust as this one,
# so its permissions should be guarded the same way.
@INCLUDE fluent-bit-filters.conf
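[OUTPUT]
    Name  stdout
    # Print only records whose tag starts with the observer_product value
    # set above; records tagged differently will not appear in this output.
    Match ${observer_product}.*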