add mtail role
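--- a/roles/mtail/files/rules/nginx.mtail
+++ b/roles/mtail/files/rules/nginx.mtail
@@ -0,0 +1,29 @@
+getfilename() !~ /nginx\/.*\.log$/ {
+stop
+}
+
+counter nginx_http_requests_total by vhost, method, code
+counter nginx_http_response_size_bytes_total by vhost, method, code
+
+histogram nginx_http_response_time_seconds buckets 0.0, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0, 10.0, 25.0, 50.0 by vhost, method, code
+
+/^/ +
+/(?P<vhost>[0-9A-Za-z\.\-:]+) / +
+/(?P<remote_addr>\S+) / +
+/- / +
+/(?P<remote_user>\S+) / +
+/\[(?P<time_local>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} (\+|-)\d{4})\] / +
+/"(?P<request_method>[A-Z]+) (?P<request_uri>\S+) (?P<http_version>HTTP\/[0-9\.]+)" / +
+/(?P<status>\d{3}) / +
+/(?P<bytes_sent>\d+) / +
+/(?P<request_time>\d+\.\d+) / +
+/"(?P<http_referer>\S+)" / +
+/"(?P<http_user_agent>[[:print:]]+)" / +
+/"(?P<http_x_forwarded_for>\S+)"/ +
+/$/ {
+nginx_http_requests_total[$vhost][$request_method][$status]++
+
+nginx_http_response_size_bytes_total[$vhost][$request_method][$status] += $bytes_sent
+
+nginx_http_response_time_seconds[$vhost][$request_method][$status] = $request_time
+}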
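Review bot: The `vhost` and `request_method` captures are used directly as label values on all three metrics, and both can be chosen by the client if the first field of the access log is nginx's `$host` (the log_format is not part of this commit, so that is inferred). Every new Host header or method token then creates a new time series in mtail and Prometheus, so label cardinality, and with it memory use, is unbounded. Logging `$server_name` in that field, or bounding the values in the pattern, e.g. `(?P<request_method>GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)`, keeps the label set finite. Lines that do not match the pattern (malformed request lines, a quote inside the user agent) are dropped silently, so a suggested `otherwise { nginx_unparsed_lines_total++ }` branch with its own `counter` declaration would make those visible.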
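--- a/roles/mtail/files/rules/syslog.mtail
+++ b/roles/mtail/files/rules/syslog.mtail
@@ -0,0 +1,32 @@
+getfilename() !~ /^\/var\/log\/syslog\// {
+stop
+}
+
+def syslog {
+/(?P<date>(?P<legacy_date>\w+\s+\d+\s+\d+:\d+:\d+)|(?P<rfc3339_date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+[+-]\d{2}:\d{2}))/ +
+/\s+(?:\w+@)?(?P<hostname>[\w\.-]+)\s+(?P<application>[\w\.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<message>.*)/ {
+# If the legacy_date regexp matched, try this format.
+len($legacy_date) > 0 {
+strptime($legacy_date, "Jan _2 15:04:05")
+}
+# If the RFC3339 style matched, parse it this way.
+len($rfc3339_date) > 0 {
+strptime($rfc3339_date, "2006-01-02T15:04:05-07:00")
+}
+# Call into the decorated block
+next
+}
+}
+
+counter syslog_loglines_total by application
+counter ssh_invalid_user
+
+@syslog {
+syslog_loglines_total[$application]++
+$application == "sshd" {
+$message =~ /^Invalid user/ {
+ssh_invalid_user++
+}
+}
+}
+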
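Review bot: The `$application == "sshd"` test will miss "Invalid user" lines on hosts running OpenSSH 9.8 or later, where the per-connection process logs under the tag `sshd-session`, so `ssh_invalid_user` would silently stay at zero there; `$application =~ /^sshd(-session)?$/ {` covers both tags. The counter also has no `hostname` dimension although `$hostname` is captured, so if the files under /var/log/syslog/ aggregate several hosts (inferred from the path filter) the metric cannot show which host is being probed. Separately, `syslog_loglines_total by application` takes its label from the syslog tag, which whoever writes the log line chooses, so its cardinality is unbounded.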