add pixiu nginx

Author: wpoely86

files/pixiu

@@ -1,3 +1,5 @@
 PIXIU_BASH \s*%{IPORHOST:syslog_hostname} \[%{PROG:program}\]: \[%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{USERNAME} %{GREEDYDATA:command}\] return code=\[%{INT:return_code:int}\], execute (success|failed) by \[%{USERNAME:username}\(uid=%{INT:uid:int}\)\] from \[%{DATA:terminal} \(%{IPORHOST:source_ip}\)\]
 
 PIXIU_APACHE \[%{HTTPDATE:timestamp}\] %{IPORHOST:clientip} %{HTTPDUSER:auth} %{WORD:verb} %{NOTSPACE:request} %{GREEDYDATA:other}
+
+PIXIU_NGINX \s*%{IPORHOST:syslog_hostname} %{SYSLOGPROG} %{IPORHOST:clientip} - %{HTTPDUSER:auth}\s+\[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response:int} %{GREEDYDATA:other}

tests/data/pixiu

@@ -18,13 +18,17 @@ data = [
 #                      '"$log_x_auth_token" "$log_x_csrf_token" "$log_cookie_x_auth_token" "$x_real_ip" '
 #                      '"$log_content_type" "$log_http_accept_language" "$log_http_accept" "$log_http_accept_encoding" ';
 
-#    {
-#        "raw": '<174>Oct 17 12:50:42 HKSTO03-Node1 nginx 127.0.0.1 - -  [17/Oct/2022:12:50:42 +0200] "GET /dsware/service/cluster/storagepool/query*** HTTP/1.1" 200 "0.062" 924 "-" "Apache-HttpClient/5.1 (Java/1.8.0_322)" "-" 127.0.0.1:9527 200 "0.064" "********" "********" "********" "127.0.0.1" "application/json;charset=UTF-8" "-" "-" "gzip, x-gzip, deflate"',
-#        "expected": {
-#            "@source_host": "HKSTO03-Node1",
-#            "program": "nginx",
-#        },
-#    },
+    {
+        "raw": '<174>Oct 17 12:50:42 HKSTO03-Node1 nginx 127.0.0.1 - -  [17/Oct/2022:12:50:42 +0200] "GET /dsware/service/cluster/storagepool/query*** HTTP/1.1" 200 "0.062" 924 "-" "Apache-HttpClient/5.1 (Java/1.8.0_322)" "-" 127.0.0.1:9527 200 "0.064" "********" "********" "********" "127.0.0.1" "application/json;charset=UTF-8" "-" "-" "gzip, x-gzip, deflate"',
+        "expected": {
+            "@source_host": "HKSTO03-Node1",
+            "program": "nginx",
+            "clientip": "127.0.0.1",
+            "verb": "GET",
+            "request": "/dsware/service/cluster/storagepool/query***",
+            "response": 200,
+        },
+    },
     {
         "raw": "<174>Oct 17 13:05:07 C4STO01-Node2 [/bin/bash]: [2022-10-17 13:05:07 root cat httpd.conf] return code=[0], execute success by [root(uid=0)] from [pts/0 (172.18.124.57)]",
         "expected": {

tests/logstash_7.6.2.conf

@@ -16,7 +16,7 @@ filter {
 
         match => {
             # RSYSLOGCUSTOM always last (and no PREFIX)!
-            "message" => ["%{RSYSLOGCUSTOMHEADER}%{PIXIU_BASH}", "%{RSYSLOGPREFIX}%{PIXIU_APACHE}", "%{RSYSLOGPREFIX}%{SU_MSG}", "%{RSYSLOGPREFIX}%{SUDO_MSG}", "%{RSYSLOGPREFIX}%{REFRAME_MSG}", "%{RSYSLOGPREFIX}%{BASH_MSG}", "%{RSYSLOGPREFIX}%{FAIL2BAN_MSG}", "%{RSYSLOGPREFIX}%{SINGULARITY_MSG}", "%{RSYSLOGPREFIX}%{DHCPD_MSG}", "%{RSYSLOGPREFIX}%{SSH_MSG}", "%{RSYSLOGPREFIX}%{MODULECMD_MSG}", "%{RSYSLOGPREFIX}%{LMOD_MSG}", "%{RSYSLOGPREFIX}%{NFS_MSG}", "%{RSYSLOGPREFIX}%{CEPH_MSG}", "%{RSYSLOGPREFIX}%{OPENNEBULA_MSG}", "%{RSYSLOGPREFIX}%{JUBE_MSG}", "%{RSYSLOGPREFIX}%{SHOREWALL_MSG}", "%{RSYSLOGPREFIX}%{KEYVALUE_MSG}", "%{RSYSLOGPREFIX}%{QUATTOR_MSG}", "%{RSYSLOGPREFIX}%{SNOOPY_MSG}", "%{RSYSLOGCUSTOM}"]
+            "message" => ["%{RSYSLOGCUSTOMHEADER}%{PIXIU_BASH}", "%{RSYSLOGCUSTOMHEADER}%{PIXIU_NGINX}", "%{RSYSLOGPREFIX}%{PIXIU_APACHE}", "%{RSYSLOGPREFIX}%{SU_MSG}", "%{RSYSLOGPREFIX}%{SUDO_MSG}", "%{RSYSLOGPREFIX}%{REFRAME_MSG}", "%{RSYSLOGPREFIX}%{BASH_MSG}", "%{RSYSLOGPREFIX}%{FAIL2BAN_MSG}", "%{RSYSLOGPREFIX}%{SINGULARITY_MSG}", "%{RSYSLOGPREFIX}%{DHCPD_MSG}", "%{RSYSLOGPREFIX}%{SSH_MSG}", "%{RSYSLOGPREFIX}%{MODULECMD_MSG}", "%{RSYSLOGPREFIX}%{LMOD_MSG}", "%{RSYSLOGPREFIX}%{NFS_MSG}", "%{RSYSLOGPREFIX}%{CEPH_MSG}", "%{RSYSLOGPREFIX}%{OPENNEBULA_MSG}", "%{RSYSLOGPREFIX}%{JUBE_MSG}", "%{RSYSLOGPREFIX}%{SHOREWALL_MSG}", "%{RSYSLOGPREFIX}%{KEYVALUE_MSG}", "%{RSYSLOGPREFIX}%{QUATTOR_MSG}", "%{RSYSLOGPREFIX}%{SNOOPY_MSG}", "%{RSYSLOGCUSTOM}"]
         }
     }