eris::role::context - Role for implementing a log context
version 0.007
The field in the log's context to use with the matcher when selecting a log for parsing. This defaults to the 'program' field and uses the context object's name method as the default equality check.
This means eris::log::context::sshd will match any log with the 'program' key set to 'sshd'.
The rules for parsing are:

Field set to '*': reserved for use with matcher also set to '*', which forces the context to be evaluated for every document.

    sub _build_field   { '*' }
    sub _build_matcher { '*' }

This will run the contextualizer for every document.
Field set to '_exists_': instead of applying the matcher to a value, it is checked against each key of the document. Say we wanted to run a reverse DNS check on every IP field, we could use:

    sub _build_field   { '_exists_' }
    sub _build_matcher { qr/_ip$/ }

With '_exists_', the following matchers are supported:

    String    - simple string match against the key
    Regex     - the regex is applied to the key
    ArrayRef  - checks if the key is contained in the array
Any other string is taken as the name of a field in the document; the value at that key is checked against the matcher. A field name supports the following matchers.

String: checks if the lowercased string matches the value at the key named by field, i.e.

    sub _build_field   { 'program' }
    sub _build_matcher { 'sshd' }

This context will call contextualize_message on documents whose 'program' field has the value 'sshd'.

Regex: checks the value in the field against the regex.

    sub _build_field   { 'program' }
    sub _build_matcher { qr/^postfix/ }

This context will call contextualize_message on documents whose 'program' field matches the regex '^postfix'. Note the qr//: a bare /^postfix/ inside the builder would match against $_ and return that result rather than a compiled regex.

ArrayRef: checks whether the value in the field equals any of the values in the array.

    sub _build_field   { 'program' }
    sub _build_matcher { [qw(snort suricata)] }

This context will call contextualize_message on documents whose 'program' field is either 'snort' or 'suricata'.

CodeRef: calls the code reference with the value at the field and uses its return value as the match result.

    sub _build_field   { 'src_ip' }
    sub _build_matcher { \&check_bad_ips }

This context calls check_bad_ips() with the value of the 'src_ip' field on every document that has one, and calls contextualize_message only when the subroutine returns true.
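To make the selection rules concrete, here is an added stand-alone re-implementation of the field/matcher dispatch described above (the '*' and '_exists_' fields plus String, Regex, ArrayRef and CodeRef matchers), run over a few constructed documents. It is example code written for this page, not eris's own dispatcher; the case-folded String comparison, the exact-match ArrayRef comparison and the check_bad_ips() block list are assumptions chosen to illustrate the rules.

```perl
#!/usr/bin/env perl
# Added example for this page: a stand-alone re-implementation of the
# field/matcher selection rules. Not eris's own code.
use strict;
use warnings;

# Apply a matcher to one value (or, for '_exists_', one key). Dispatch is
# on the matcher's type: CodeRef, Regex, ArrayRef or plain String.
sub value_matches {
    my ($matcher, $value) = @_;
    my $type = ref $matcher;

    if ($type eq 'CODE') {
        return $matcher->($value) ? 1 : 0;
    }
    if ($type eq 'Regexp') {
        return $value =~ $matcher ? 1 : 0;
    }
    if ($type eq 'ARRAY') {
        my $hits = grep { $_ eq $value } @$matcher;   # exact match (assumption)
        return $hits ? 1 : 0;
    }
    # Plain string: case-folded comparison (assumption made here).
    return lc($matcher) eq lc($value) ? 1 : 0;
}

# Does a context configured with ($field, $matcher) select $doc?
# $doc is a hashref of parsed fields, as a log's context would be.
sub context_matches {
    my ($field, $matcher, $doc) = @_;

    # '*' is reserved: the context runs for every document.
    return 1 if $field eq '*';

    # '_exists_' applies the matcher to the document's KEYS, not values.
    if ($field eq '_exists_') {
        my $hits = grep { value_matches($matcher, $_) } keys %$doc;
        return $hits ? 1 : 0;
    }

    # Any other string names a field; match against that field's value.
    return 0 unless exists $doc->{$field};
    return value_matches($matcher, $doc->{$field});
}

# Hypothetical stand-in for check_bad_ips(): a constructed block list,
# not a real threat feed.
my %bad_ips = ('203.0.113.9' => 1);
sub check_bad_ips { exists $bad_ips{ $_[0] } }

# Constructed sample documents (not captured from a real system).
my @docs = (
    { program => 'sshd',          message => 'Accepted publickey for deploy', src_ip => '203.0.113.9' },
    { program => 'postfix/smtpd', message => 'connect from unknown[198.51.100.7]' },
    { program => 'suricata',      message => 'ET SCAN Potential SSH Scan',    src_ip => '198.51.100.7' },
    { program => 'cron',          message => 'session opened for user root' },
);

# The contexts from the field documentation, as [label, field, matcher].
my @contexts = (
    [ 'sshd_string',   'program',  'sshd'               ],
    [ 'postfix_regex', 'program',  qr/^postfix/         ],
    [ 'ids_arrayref',  'program',  [qw(snort suricata)] ],
    [ 'bad_ip_code',   'src_ip',   \&check_bad_ips      ],
    [ 'ip_exists',     '_exists_', qr/_ip$/             ],
    [ 'everything',    '*',        '*'                  ],
);

# Report which contexts would be evaluated for each document.
for my $doc (@docs) {
    my @selected = map  { $_->[0] }
                   grep { context_matches($_->[1], $_->[2], $doc) } @contexts;
    printf "%-14s -> %s\n", $doc->{program}, join(', ', @selected);
}
```

The regex matchers are built with qr// so that `ref $matcher` is 'Regexp'; a builder that returned a bare /.../ would hand back the result of matching $_, which is why the builders above use qr//. Note also that the CodeRef matcher is only consulted for documents that actually carry the field, so check_bad_ips() never sees an undefined value.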
The matcher may be a String, Regex, ArrayRef, or CodeRef. See the documentation on field above for the supported combinations and how to use them.
This method is called every time a log matches this context. It receives an eris::log object. Call eris::log->add_context with the name of the context to add to the log's context.
This method is used in sampling and the test suite. It returns an array of the log messages you expect this context to handle. This is helpful when developing or testing new contexts; run:

    eris-context.pl --sample <name_of_context>

to feed those messages through and see what the contextualizer is doing.
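Putting the pieces together, the following is an added example of a complete context package built on this role. It was written for this page and is not part of the eris distribution. Based on the description above it assumes that the role is consumed with Moose, that $log->context is the hashref of parsed fields with the message text under 'message', and that $log->add_context takes the context name and a hashref of data; check those against the eris::log documentation before relying on them. The sshd messages in sample_messages are constructed.

```perl
package eris::log::context::example_sshd_auth;
# Added example for this page, not part of the eris distribution.
# Assumed (check against eris::log): $log->context is the hashref of
# parsed fields with the message text under 'message', and
# $log->add_context($name, \%data) attaches %data under $name.
use Moose;
with qw(eris::role::context);

# Select documents whose 'program' field is 'sshd' (String matcher).
sub _build_field   { 'program' }
sub _build_matcher { 'sshd' }

# Called for every log this context selects. Extract the outcome, user
# and source address of an authentication attempt from the message.
#
# The username is attacker-supplied, so the user capture is greedy (.+)
# and the pattern is anchored at both ends: the LAST "from <ip> port <n>"
# before the optional "ssh2..." tail is the one sshd wrote, and a
# username crafted to contain "from 10.0.0.1 port 1" cannot displace it.
sub contextualize_message {
    my ($self, $log) = @_;
    my $msg = $log->context->{message};
    return unless defined $msg;

    my %ctxt;
    if ($msg =~ /^(Accepted|Failed) (\S+) for (?:invalid user )?(.+) from (\S+) port (\d+)(?: ssh2.*)?$/) {
        %ctxt = (
            sshd_action => lc $1,     # accepted | failed
            sshd_method => $2,        # publickey, password, ...
            sshd_user   => $3,
            src_ip      => $4,
            src_port    => $5,
        );
    }
    elsif ($msg =~ /^Invalid user (.+) from (\S+)(?: port (\d+))?$/) {
        %ctxt = (sshd_action => 'invalid_user', sshd_user => $1, src_ip => $2);
        $ctxt{src_port} = $3 if defined $3;
    }

    # Only attach context when something was actually parsed.
    $log->add_context($self->name => \%ctxt) if %ctxt;
    return;
}

# Constructed sshd messages (not captured from a real host), used by
# `eris-context.pl --sample` and the test suite. The second one carries
# a username crafted to look like a connection tail.
sub sample_messages {
    return (
        'Accepted publickey for deploy from 203.0.113.9 port 51432 ssh2: ED25519 SHA256:Zm9v',
        'Failed password for invalid user admin from 10.0.0.1 port 1 ssh2 from 198.51.100.7 port 40222 ssh2',
        'Invalid user admin from 198.51.100.7 port 40222',
    );
}

__PACKAGE__->meta->make_immutable;
1;
```

Run it with `eris-context.pl --sample example_sshd_auth` (the name is this example's, not an existing context). Naming the extracted address `src_ip` is deliberate: it lets a later '_exists_' context with a `qr/_ip$/` matcher, such as the reverse DNS example above, pick the field up without knowing which context produced it.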
See also: eris::log::contexts, eris::log::contextualizer, eris::role::plugin, eris::log::context::sshd, eris::log::context::snort
Brad Lhotsky <brad@divisionbyzero.net>
This software is Copyright (c) 2015 by Brad Lhotsky.
This is free software, licensed under:
The (three-clause) BSD License