| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 |
- {
- "input": [
- {
- "type": "hdfs_audit",
- "rowtype": "audit",
- "is_enabled": "true",
- "add_fields": {
- "logType": "HDFSAudit",
- "enforcer": "hadoop-acl",
- "repoType": "1",
- "repo": "hdfs"
- },
- "path": "/root/test-logs/hdfs-audit/hdfs-audit.log"
- }
- ],
- "filter": [
- {
- "filter":"grok",
- "conditions":{
- "fields":{
- "type":[
- "hdfs_audit"
- ]
- }
- },
- "log4j_format":"%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n",
- "multiline_pattern":"^(%{TIMESTAMP_ISO8601:evtTime})",
- "message_pattern":"(?m)^%{TIMESTAMP_ISO8601:evtTime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}:%{SPACE}%{GREEDYDATA:log_message}",
- "post_map_values":{
- "evtTime":{
- "map_date":{
- "target_date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
- }
- }
- }
- },
- {
- "filter":"keyvalue",
- "sort_order":1,
- "conditions":{
- "fields":{
- "type":[
- "hdfs_audit"
- ]
- }
- },
- "source_field":"log_message",
- "value_split":"=",
- "field_split":"\t",
- "post_map_values":{
- "src":{
- "map_fieldname":{
- "new_fieldname":"resource"
- }
- },
- "ip":{
- "map_fieldname":{
- "new_fieldname":"cliIP"
- }
- },
- "allowed":[
- {
- "map_fieldvalue":{
- "pre_value":"true",
- "post_value":"1"
- }
- },
- {
- "map_fieldvalue":{
- "pre_value":"false",
- "post_value":"0"
- }
- },
- {
- "map_fieldname":{
- "new_fieldname":"result"
- }
- }
- ],
- "cmd":{
- "map_fieldname":{
- "new_fieldname":"action"
- }
- },
- "proto":{
- "map_fieldname":{
- "new_fieldname":"cliType"
- }
- },
- "callerContext":{
- "map_fieldname":{
- "new_fieldname":"req_caller_id"
- }
- }
- }
- },
- {
- "filter":"grok",
- "sort_order":2,
- "source_field":"ugi",
- "remove_source_field":"false",
- "conditions":{
- "fields":{
- "type":[
- "hdfs_audit"
- ]
- }
- },
- "message_pattern":"%{USERNAME:p_user}.+auth:%{USERNAME:p_authType}.+via %{USERNAME:k_user}.+auth:%{USERNAME:k_authType}|%{USERNAME:user}.+auth:%{USERNAME:authType}|%{USERNAME:x_user}",
- "post_map_values":{
- "user":{
- "map_fieldname":{
- "new_fieldname":"reqUser"
- }
- },
- "x_user":{
- "map_fieldname":{
- "new_fieldname":"reqUser"
- }
- },
- "p_user":{
- "map_fieldname":{
- "new_fieldname":"reqUser"
- }
- },
- "k_user":{
- "map_fieldname":{
- "new_fieldname":"proxyUsers"
- }
- },
- "p_authType":{
- "map_fieldname":{
- "new_fieldname":"authType"
- }
- },
- "k_authType":{
- "map_fieldname":{
- "new_fieldname":"proxyAuthType"
- }
- }
- }
- }
- ]
- }
|
