NAME
eris::role::context - Role for implementing a log context
VERSION
version 0.006
ATTRIBUTES
field
The field in the log document that the matcher is applied to in order to
select a log for parsing. This defaults to the 'program' field and uses the
context object's name method as the default equality check.
This means eris::log::context::sshd
will match any log with the 'program' key set to 'sshd'.
The rules for parsing are:

*
    Reserved for use with matcher also set to '*', which forces the
    context to be evaluated for every document:

        sub _build_field   { '*' }
        sub _build_matcher { '*' }

    This will run the contextualizer for every document.

_exists_
    Instead of applying the matcher to a value, it is checked against the
    document's keys. Say we wanted to run a reverse DNS check on every IP
    field; we could write:

        sub _build_field   { '_exists_' }
        sub _build_matcher { qr/_ip$/ }

    (The pattern must be built with qr// so the builder returns a compiled
    regex; a bare /_ip$/ would return the result of matching against $_
    instead.)

    _exists_ supports the following matchers:

    String
        Simple string match against the key.

    Regex
        Apply the regex to the key.

    ArrayRef
        Checks whether the key is contained in the array.

String
    The string is taken as the name of a field in the document. That key's
    value is checked against the matcher. Using a string as the field name
    supports the following matchers:

    String
        Check whether the lowercase string equals the value at the key
        designated by field, e.g.

            sub _build_field   { 'program' }
            sub _build_matcher { 'sshd' }

        This context will call contextualize_message on documents whose
        'program' field has the value 'sshd'.

    Regex
        Checks the value in the field against the regex.

            sub _build_field   { 'program' }
            sub _build_matcher { qr/^postfix/ }

        This context will call contextualize_message on documents whose
        'program' field matches the regex '^postfix'.

    ArrayRef
        Checks the value in the field against every value in the array.

            sub _build_field   { 'program' }
            sub _build_matcher { [qw(snort suricata)] }

        This context will call contextualize_message on documents whose
        'program' field is either 'snort' or 'suricata'.

    CodeRef
        Calls the code reference with the value at the field and checks its
        return value.

            sub _build_field   { 'src_ip' }
            sub _build_matcher { \&check_bad_ips }

        This context will call check_bad_ips() with the value of the
        'src_ip' field on every document that has one, and call
        contextualize_message on the document if the subroutine returns
        true.

matcher
    May be a String, Regex, ArrayRef, or CodeRef. See the documentation on
    field for the valid combinations and how to use them.
INTERFACE
contextualize_message
This method will be called every time a log matches this context. It
receives an eris::log object. Call eris::log->add_context with the name of
the context to add to the log context.
sample_message
This is used in sampling and the test suite.
Return an array of the log messages you expect the context to handle.
This is helpful when developing or testing new elements; call:

    eris-context.pl --sample <name_of_context>

to run those messages through the contextualizer and see what it does.
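The following standalone Perl script is an added illustration, not code from
eris itself. It reimplements the field/matcher dispatch rules documented under
field ('*', '_exists_', and String/Regex/ArrayRef/CodeRef matchers against a
named field) and runs a set of context definitions shaped like the
contextualize_message interface above over a handful of documents. The
document layout (a hash of parsed fields), the add_context stand-in, the
check_bad_ips blocklist, and the sample log lines are all constructed for the
example and are not eris's own API or data.

```perl
#!/usr/bin/env perl
# Standalone reimplementation of the field/matcher rules documented above.
# Hypothetical stand-in for eris; not eris's own code or API.
use strict;
use warnings;

# Constructed sample documents (hashes of already-parsed fields).
my @docs = (
    { program => 'sshd',
      message => 'Accepted password for alice from 203.0.113.7 port 51022 ssh2',
      src_ip  => '203.0.113.7' },
    { program => 'postfix/smtpd',
      message => 'connect from unknown[198.51.100.4]',
      src_ip  => '198.51.100.4' },
    { program => 'snort', message => 'alert: ET SCAN Potential SSH Scan' },
    { program => 'cron',  message => 'session opened for user root' },
);

# Constructed blocklist backing the CodeRef matcher example.
my %BAD_IPS = map { $_ => 1 } qw(198.51.100.4);
sub check_bad_ips { my ($ip) = @_; return exists $BAD_IPS{$ip} }

# Apply one matcher (String, Regex, ArrayRef, CodeRef) to a single value.
# The doc says the lowercase string is compared; lowercasing the value as
# well (case-insensitive match) is an assumption of this example.
sub value_matches {
    my ($matcher, $value) = @_;
    return 0 unless defined $value;
    my $type = ref $matcher;
    return lc($matcher) eq lc($value) ? 1 : 0                 if !$type;
    return $value =~ $matcher ? 1 : 0                         if $type eq 'Regexp';
    return (grep { lc($_) eq lc($value) } @$matcher) ? 1 : 0  if $type eq 'ARRAY';
    return $matcher->($value) ? 1 : 0                         if $type eq 'CODE';
    die "unsupported matcher type: $type";
}

# Decide whether a context with the given field/matcher applies to a doc.
sub context_applies {
    my ($field, $matcher, $doc) = @_;
    return 1 if $field eq '*';                  # '*'/'*': every document
    if ($field eq '_exists_') {                 # match against the keys
        die "CodeRef is not a documented matcher for _exists_"
            if ref $matcher eq 'CODE';
        return (grep { value_matches($matcher, $_) } keys %$doc) ? 1 : 0;
    }
    return exists $doc->{$field} ? value_matches($matcher, $doc->{$field}) : 0;
}

# Hypothetical stand-in for eris::log->add_context: stash named context
# data on the document under a 'context' key.
sub add_context { my ($doc, $name, $data) = @_; $doc->{context}{$name} = $data }

# Contexts in the shape the role describes: a field, a matcher and an
# optional contextualize_message body. Only sshd extracts fields here.
my %contexts = (
    sshd => {
        field => 'program', matcher => 'sshd',
        contextualize_message => sub {
            my ($doc) = @_;
            if ($doc->{message} =~ /^(Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)/) {
                add_context($doc, 'sshd', { status => lc($1), method => $2,
                                            user => $3, src_ip => $4, src_port => $5 });
            }
        },
    },
    postfix => { field => 'program',  matcher => qr/^postfix/ },
    ids     => { field => 'program',  matcher => [qw(snort suricata)] },
    bad_ip  => { field => 'src_ip',   matcher => \&check_bad_ips },
    rdns    => { field => '_exists_', matcher => qr/_ip$/ },
    all     => { field => '*',        matcher => '*' },
);

# Run every context over every document and report which ones fired.
for my $doc (@docs) {
    my @fired;
    for my $name (sort keys %contexts) {
        my $ctx = $contexts{$name};
        next unless context_applies($ctx->{field}, $ctx->{matcher}, $doc);
        push @fired, $name;
        $ctx->{contextualize_message}->($doc) if $ctx->{contextualize_message};
    }
    printf "%-14s fired: %s\n", $doc->{program}, join(',', @fired);
    if (my $sshd = $doc->{context}{sshd}) {
        print "  sshd context: ",
              join(' ', map { "$_=$sshd->{$_}" } sort keys %$sshd), "\n";
    }
}
```

Each context is checked with its own field/matcher pair before its
contextualize_message body runs, which is the ordering the role implies:
the cheap field/matcher test is what keeps an expensive body (a reverse DNS
lookup, a blocklist hit) from running on every document. Note that an
'_exists_' context with a CodeRef matcher is rejected here because the
documentation above lists only String, Regex and ArrayRef for that mode.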
SEE ALSO
eris::log::contexts, eris::log::contextualizer, eris::role::plugin, eris::log::context::sshd, eris::log::context::snort
AUTHOR
Brad Lhotsky <brad@divisionbyzero.net>
COPYRIGHT AND LICENSE
This software is Copyright (c) 2015 by Brad Lhotsky.
This is free software, licensed under:
The (three-clause) BSD License