From 6dfe0cc797f0b65a377b2090a12aa948ec07a79a Mon Sep 17 00:00:00 2001
From: kuiperda <44123852+kuiperda@users.noreply.github.com>
Date: Thu, 5 Oct 2023 16:24:26 -0400
Subject: [PATCH 1/5] Add route for vcenter json parsing
---
 plugins/vmware_vcenter.yaml | 45 +++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/plugins/vmware_vcenter.yaml b/plugins/vmware_vcenter.yaml
index 267d6963..613169cb 100644
--- a/plugins/vmware_vcenter.yaml
+++ b/plugins/vmware_vcenter.yaml
@@ -84,6 +84,8 @@ pipeline:
 - id: prefix_router
 type: router
 routes:
+ - expr: '$record matches "^{*"'
+ output: gcve_json_parser
 - expr: '$record matches "^\\d* "'
 output: pre_parser
 default: vcenter_parser
@@ -106,3 +108,46 @@ pipeline:
 type: syslog_parser
 protocol: rfc5424
 output: {{ .output }}
+
+ - id: gcve_json_parser
+ type: json_parser
+ parse_from: $record
+ severity:
+ parse_from: '$record["@fields.severity"]'
+ timestamp:
+ layout: "2006-01-02T15:04:05.000000-07:00"
+ layout_type: gotime
+ parse_from: '@timestamp'
+ output: gcve_restructure
+
+ - id: gcve_restructure
+ type: restructure
+ ops:
+ - move:
+ from: '$record["@version"]'
+ to: "$record.version"
+ - move:
+ from: '$record["@fields.host"]'
+ to: '$record.host'
+ - move:
+ from: '$record["@fields.facility"]'
+ to: '$record.facility'
+ - move:
+ from: '$record["@fields.procid"]'
+ to: '$record.procid'
+ - move:
+ from: '$record["@fields.privatecloud_id"]'
+ to: '$record.privatecloud_id'
+ - move:
+ from: '$record["@fields.privatecloud_name"]'
+ to: '$record.privatecloud_name'
+ - move:
+ from: '$record["@fields.alias"]'
+ to: '$record.alias'
+ - move:
+ from: '$record["@fields.company_name"]'
+ to: '$record.company_name'
+ - move:
+ from: '$record["@fields.region_id"]'
+ to: '$record.region_id'
+ output: {{.output}}
\ No newline at end of file
From 97c6eae564fb3ec042d96d1ba91799ec8934e616 Mon Sep 17 00:00:00 2001
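Review bot: The new route expression `'$record matches "^{*"'` in the first hunk most likely matches every record rather than only JSON ones: as far as Go/RE2 regexp syntax goes, a `{` that does not open a valid `{n,m}` repeat is a literal, so `{*` means "zero or more braces" and the `^` anchor alone is satisfied by any string. Since the route is inserted ahead of the existing `^\\d* ` route, syslog-prefixed lines and the `vcenter_parser` default would be diverted to `gcve_json_parser`, assuming routes are tried in order as the existing first-match layout implies. Change it to `- expr: '$record matches "^\\{"'` (or `"^\\s*\\{"` if leading whitespace can occur) so only records that begin with an opening brace reach the JSON parser; a quick test with a plain syslog line through the router would confirm the fix.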
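Review bot: The gotime layout `"2006-01-02T15:04:05.000000-07:00"` in the new `timestamp` block of the second hunk accepts only one exact shape of the source timestamp: in Go's time.Parse a `.000000` field requires exactly six fractional digits and `-07:00` requires a numeric offset, so a record with fewer digits or a `Z` suffix would fail timestamp parsing rather than degrade gracefully. If the emitter is not known to be fixed-width, `layout: "2006-01-02T15:04:05.999999999Z07:00"` accepts a variable fraction and either offset form; patch 3 touches this same block and the same point applies there. Neither new operator sets `on_error`, so what happens to a routed record that is not valid JSON depends on the parser default; stating it explicitly (`on_error: send` or `drop`) makes the failure mode visible to whoever maintains this. Minor style: `output: {{.output}}` and `to: "$record.version"` differ from the `{{ .output }}` and single-quoted forms used on the surrounding lines. The syslog_parser operator at the top of the hunk starts outside it.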
From: kuiperda <44123852+kuiperda@users.noreply.github.com>
Date: Fri, 6 Oct 2023 09:22:30 -0400
Subject: [PATCH 2/5] Add newline
---
 plugins/vmware_vcenter.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/vmware_vcenter.yaml b/plugins/vmware_vcenter.yaml
index 613169cb..cddd3aac 100644
--- a/plugins/vmware_vcenter.yaml
+++ b/plugins/vmware_vcenter.yaml
@@ -150,4 +150,5 @@ pipeline:
 - move:
 from: '$record["@fields.region_id"]'
 to: '$record.region_id'
- output: {{.output}}
\ No newline at end of file
+ output: {{.output}}
+
\ No newline at end of file
From 75aafcb0b8327302337e7aa6d5daed2c329a9cd6 Mon Sep 17 00:00:00 2001
From: kuiperda <44123852+kuiperda@users.noreply.github.com>
Date: Mon, 9 Oct 2023 15:08:17 -0400
Subject: [PATCH 3/5] Fix timestamp parse_from
---
 plugins/vmware_vcenter.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/vmware_vcenter.yaml b/plugins/vmware_vcenter.yaml
index cddd3aac..68930f07 100644
--- a/plugins/vmware_vcenter.yaml
+++ b/plugins/vmware_vcenter.yaml
@@ -117,7 +117,7 @@ pipeline:
 timestamp:
 layout: "2006-01-02T15:04:05.000000-07:00"
 layout_type: gotime
- parse_from: '@timestamp'
+ parse_from: '$record["@timestamp"]'
 output: gcve_restructure
 - id: gcve_restructure
From 96c23842b9cc0504b1f84f6987e48fad202c38c0 Mon Sep 17 00:00:00 2001
From: kuiperda <44123852+kuiperda@users.noreply.github.com>
Date: Mon, 9 Oct 2023 15:17:02 -0400
Subject: [PATCH 4/5] Bump version
---
 plugins/vmware_vcenter.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/vmware_vcenter.yaml b/plugins/vmware_vcenter.yaml
index 68930f07..c20ff878 100644
--- a/plugins/vmware_vcenter.yaml
+++ b/plugins/vmware_vcenter.yaml
@@ -1,5 +1,5 @@
 # Plugin Info
-version: 0.0.9
+version: 0.0.10
 title: VMware vCenter
 description: Log parser for VMware vCenter
 min_stanza_version: 0.13.16
From d501206095865ed6b7df9ce65042c4940800c15a Mon Sep 17 00:00:00 2001
From: kuiperda <44123852+kuiperda@users.noreply.github.com>
Date: Mon, 9 Oct 2023 15:17:59 -0400
Subject: [PATCH 5/5] Bump version properly
---
 plugins/vmware_vcenter.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/vmware_vcenter.yaml b/plugins/vmware_vcenter.yaml
index c20ff878..efb26f5c 100644
--- a/plugins/vmware_vcenter.yaml
+++ b/plugins/vmware_vcenter.yaml
@@ -1,5 +1,5 @@
 # Plugin Info
-version: 0.0.10
+version: 1.0.0
 title: VMware vCenter
 description: Log parser for VMware vCenter
 min_stanza_version: 0.13.16