NAME

eris::role::context - Role for implementing a log context

VERSION

version 0.006

ATTRIBUTES

field

The field in the log document to check against the matcher when deciding whether this context should parse a log. This defaults to the 'program' field, and the default matcher is the context object's name method, used as an equality check.

This means eris::log::context::sshd will match any log with the 'program' key set to 'sshd'.

The rules for parsing are:

*

Reserved for use with matcher also set to '*', which forces the context to be evaluated for every document.

sub _build_field   { '*' }
sub _build_matcher { '*' }

Will run the contextualizer for every document.

_exists_

Instead of applying the matcher to a value, the matcher is checked against the keys (field names) of the document.

Say we wanted to run a reverse DNS check on every IP field; we could use:

sub _build_field   { '_exists_' }
sub _build_matcher { qr/_ip$/ }

Note the qr//: a bare /_ip$/ in the builder would match against $_ and return a boolean rather than a regex.

Exists supports the following matchers:

String

Simple string match against the key

Regex

Apply the regex to the key

ArrayRef

Checks if the key is contained in the array

String

The string is taken as the name of a field in the document. That key's value is checked against the matcher. Using a string as the field name supports the following matchers.

String

Check if the value at the key named by field equals the (lowercased) matcher string, for example:

sub _build_field   { 'program' }
sub _build_matcher { 'sshd' }

This context will call contextualize_message on documents with a field 'program' which has the value 'sshd'.

Regex

Checks the value in the field against the regex.

sub _build_field   { 'program' }
sub _build_matcher { qr/^postfix/ }

This context will call contextualize_message on documents with a field 'program' matching the regex '^postfix'.

ArrayRef

Checks whether the value in the field equals any of the values in the array.

sub _build_field   { 'program' }
sub _build_matcher { [qw(snort suricata)] }

This context will call contextualize_message on documents with a field 'program' that is either 'snort' or 'suricata'.

CodeRef

Passes the value at the field into the code reference and uses its return value as the match result.

sub _build_field   { 'src_ip' }
sub _build_matcher { \&check_bad_ips }

This context will call check_bad_ips() with the value of the 'src_ip' field for every document that has one, and will call contextualize_message on the document if the subroutine returns true.

matcher

May be a String, Regex, ArrayRef, or CodeRef. See the documentation on field for the supported combinations and how to use them.
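The field/matcher rules above, re-implemented as a stand-alone script and run over a few constructed documents. This is an added example, not eris's own code: the real role performs this selection internally, and check_bad_ips() here is a hypothetical stand-in for the subroutine named in the text. It uses only core Perl.

```perl
#!/usr/bin/env perl
# Added example: stand-alone re-implementation of the documented
# field/matcher selection rules. Not part of eris.
use strict;
use warnings;

# Does the (field, matcher) pair select this document (a hashref)?
sub selects {
    my ($field, $matcher, $doc) = @_;

    # '*' / '*': evaluate the context for every document
    return 1 if $field eq '*' && !ref($matcher) && $matcher eq '*';

    # '_exists_': apply the matcher to the KEY names, not to a value
    if ($field eq '_exists_') {
        for my $key (keys %$doc) {
            return 1 if match_key($matcher, $key);
        }
        return 0;
    }

    # Plain string: field names a key whose VALUE is checked against matcher
    return 0 unless exists $doc->{$field};
    return match_value($matcher, $doc->{$field});
}

# Matchers supported with '_exists_': String, Regex, ArrayRef
sub match_key {
    my ($matcher, $key) = @_;
    my $type = ref $matcher;
    return $matcher eq $key ? 1 : 0                          if !$type;
    return $key =~ $matcher ? 1 : 0                          if $type eq 'Regexp';
    return scalar(grep { $_ eq $key } @$matcher) ? 1 : 0     if $type eq 'ARRAY';
    die "matcher type '$type' is not supported with '_exists_'\n";
}

# Matchers supported with a field name: String, Regex, ArrayRef, CodeRef
sub match_value {
    my ($matcher, $value) = @_;
    my $type = ref $matcher;
    # String: the documented rule lowercases the matcher string; the value is
    # lowercased here as well (an assumption) so 'Sshd' still selects 'sshd'
    return lc($matcher) eq lc($value) ? 1 : 0                if !$type;
    return $value =~ $matcher ? 1 : 0                        if $type eq 'Regexp';
    return scalar(grep { $_ eq $value } @$matcher) ? 1 : 0   if $type eq 'ARRAY';
    return $matcher->($value) ? 1 : 0                        if $type eq 'CODE';
    die "unsupported matcher type '$type'\n";
}

# Constructed sample documents (not real logs)
my @docs = (
    { program => 'sshd',          src_ip => '10.0.0.5',    message => 'Failed password for root' },
    { program => 'postfix/smtpd', src_ip => '192.0.2.10',  message => 'connect from unknown' },
    { program => 'snort',         dst_ip => '203.0.113.7', message => 'alert' },
    { program => 'cron',          message => 'session opened' },
);

# Hypothetical stand-in for the check_bad_ips() named in the text
my %bad_ip = map { $_ => 1 } qw(192.0.2.10);
sub check_bad_ips { exists $bad_ip{ $_[0] } }

# Each documented combination as name => [ field, matcher ]
my %contexts = (
    everything => [ '*',        '*'                  ],
    sshd       => [ 'program',  'sshd'               ],
    postfix    => [ 'program',  qr/^postfix/         ],
    ids        => [ 'program',  [qw(snort suricata)] ],
    badip      => [ 'src_ip',   \&check_bad_ips      ],
    has_ip     => [ '_exists_', qr/_ip$/             ],
);

# Print which contexts would be evaluated for each document
for my $doc (@docs) {
    my @hit = sort grep { selects(@{ $contexts{$_} }, $doc) } keys %contexts;
    printf "%-14s => %s\n", $doc->{program}, join(', ', @hit);
}
```

Running it shows why '_exists_' is the right choice for enrichment such as reverse DNS: the has_ip context fires on both src_ip and dst_ip without having to enumerate field names, while the cron document, which carries no IP field, is only picked up by the '*' context.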

INTERFACE

contextualize_message

This method is called every time a log matches this context. It receives an eris::log object. Call eris::log->add_context with the name of the context to add the parsed data to the log's context.

sample_message

This is used in sampling and the test suite.

Return an array of log messages you expect this context to handle.

This is helpful when developing or testing a new context; run:

eris-context.pl --sample <name_of_context>

To use those messages to see what the contextualizer is doing.
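A hypothetical context, eris::log::context::example_sshd, showing both interface methods together with the field/matcher builders. This is an added example and not part of eris; the sshd message formats and the parsing are constructed for illustration. The only eris::log API assumed is a raw method returning the original line and add_context taking the context name and a hashref, and a small stand-in log object is defined so the script runs without eris installed. In a real context the package would be a Moo class consuming the role (shown as a comment), and name would be supplied by the role rather than defined here.

```perl
#!/usr/bin/env perl
# Added example: a hypothetical context plus a stand-in log object.
# Not part of eris; API assumptions are noted inline.
use strict;
use warnings;

package eris::log::context::example_sshd;
# Real contexts consume the role here (assumption about the class system):
#   use Moo; with 'eris::role::context';
sub _build_field   { 'program' }
sub _build_matcher { 'sshd' }

# The role normally provides name; defined here so the example runs stand-alone
sub name { 'example_sshd' }

# Messages this context expects; used by eris-context.pl --sample and the tests.
# All three lines are constructed, not captured from a real host.
sub sample_message {
    return (
        'Failed password for invalid user admin from 10.0.0.5 port 2222 ssh2',
        'Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2: RSA SHA256:abc',
        'Connection closed by 198.51.100.7 port 4444 [preauth]',
    );
}

# Turn the raw message into a context hash; empty if the line is not understood
sub parse {
    my ($self, $str) = @_;
    my %ctxt;
    if ($str =~ /^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)/) {
        %ctxt = (
            action   => lc($1),
            method   => $2,
            user     => $3,
            src_ip   => $4,
            src_port => $5,
            status   => ($1 eq 'Accepted' ? 'success' : 'failure'),
        );
        $ctxt{invalid_user} = 1 if $str =~ /invalid user/;
    }
    elsif ($str =~ /^Connection closed by (\S+) port (\d+)/) {
        %ctxt = ( action => 'closed', src_ip => $1, src_port => $2 );
    }
    return \%ctxt;
}

# Called by the contextualizer for every log this context matches.
# Assumes $log->raw returns the message and add_context takes (name, hashref).
sub contextualize_message {
    my ($self, $log) = @_;
    my $ctxt = $self->parse($log->raw);
    $log->add_context($self->name, $ctxt) if keys %$ctxt;
}

# Constructed stand-in for eris::log with just the two methods used above
package FakeLog {
    sub new         { my ($class, $raw) = @_; bless { raw => $raw, context => {} }, $class }
    sub raw         { $_[0]{raw} }
    sub add_context { my ($self, $name, $data) = @_; $self->{context}{$name} = $data }
    sub context     { $_[0]{context} }
}

package main;

# Feed the sample messages through the context, as eris-context.pl --sample would
my $ctx = bless {}, 'eris::log::context::example_sshd';
for my $msg ($ctx->sample_message) {
    my $log = FakeLog->new($msg);
    $ctx->contextualize_message($log);
    my $c = $log->context->{ $ctx->name } || {};
    print "$msg\n  => ", join(' ', map { "$_=$c->{$_}" } sort keys %$c), "\n";
}
```

Keeping the parsing in its own method (parse) and having contextualize_message only glue it to the log object is what makes sample_message useful: the same messages drive both the command line sampler and a unit test, and a message that the regexes do not understand simply adds no context instead of half-populating one.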

SEE ALSO

eris::log::contexts, eris::log::contextualizer, eris::role::plugin, eris::log::context::sshd, eris::log::context::snort

AUTHOR

Brad Lhotsky <brad@divisionbyzero.net>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2015 by Brad Lhotsky.

This is free software, licensed under:

The (three-clause) BSD License