File: //opt/microsoft/omsagent/plugin/filter_syslog_security.rb
# frozen_string_literal: true
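module Fluent
  # Fluentd filter that turns syslog records tagged for security
  # (e.g. oms.security.local4.warn) into the wrapper shape the OMS output
  # expects: { 'DataType' => ..., 'IPName' => 'Security', 'DataItems' => [event] }.
  # Records whose ident does not map to a known data type are dropped (nil).
  class SyslogSecurityEventsFilter < Filter
    Fluent::Plugin.register_filter('filter_syslog_security', self)

    # Interval in seconds to refresh the host -> IP cache.
    config_param :ip_cache_refresh_interval, :integer, :default => 300

    def initialize
      super
      # Required here (not at file level) so the helpers load only when
      # Fluentd actually instantiates the plugin.
      require_relative 'omslog'
      require_relative 'oms_common'
      require_relative 'security_lib'
    end

    # @param conf [Fluent::Config::Element] plugin configuration section
    def configure(conf)
      super
      @ip_cache = OMS::IPcache.new @ip_cache_refresh_interval
    end

    def start
      super
    end

    def shutdown
      super
    end

    # @param tag [String] Fluentd tag, expected as oms.security.<facility>.<severity>
    # @param time [Integer] event time as passed by Fluentd 0.12 (epoch seconds)
    # @param record [Hash] parsed syslog record; reads 'ident', 'message' and 'host'
    # @return [Hash, nil] wrapper holding a single DataItem, or nil when the
    #   ident cannot be associated with a blob (data type)
    def filter(tag, time, record)
      # Map the ident string to a known identifier and then to the ODS data
      # type (blob); only records that belong to a blob are forwarded.
      ident = OMS::Security.get_ident(record['ident'])
      data_type = OMS::Security.get_data_type(ident)
      return nil if data_type.nil?

      # Facility and Severity are the last two tag components. Negative
      # indexes yield nil for a tag with fewer than two components instead of
      # wrapping around to the wrong segment as tags[tags.size - 2] would.
      tags = tag.split('.')
      new_record = {
        'ident' => ident,
        # Time.now is the only way to get subsecond precision in version 0.12,
        # so Timestamp may be slightly later than the ingestion time.
        'Timestamp' => OMS::Common::fast_utc_to_iso8601_format(Time.now.utc),
        'EventTime' => OMS::Common::fast_utc_to_iso8601_format(Time.at(time).utc),
        'Message' => "#{ident}: #{record['message']}",
        'Facility' => tags[-2],
        'Severity' => tags[-1],
        'Host' => record['host']
      }

      # The host name is taken from the syslog record itself (i.e. from the
      # sender); it is used only as a cache key and echoed into the warning.
      host_ip = @ip_cache.get_ip(record['host'])
      if host_ip.nil?
        OMS::Log.warn_once("Failed to get the IP for #{record['host']}.")
      else
        new_record['HostIP'] = host_ip
      end

      {
        'DataType' => data_type,
        'IPName' => 'Security',
        'DataItems' => [new_record]
      }
    end
  end
end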