-
Notifications
You must be signed in to change notification settings - Fork 0
/
example-draff.yaml
161 lines (147 loc) · 7.52 KB
/
example-draff.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# ===========================================================================
# General configuration
# ===========================================================================
# Where to find the daily newline-delimited JSON dumpfiles.
# `%s` is a placeholder for the date (e.g. `20221012`).
# logfile: /var/log/logstash/dump-%s.ndjson
logfile: example-log.ndjson
# When using the `--email` flag:
email_to:
- administrator@example.com
email_subject: Server Log Summary
# Optionally include links from the email to your Kibana instance:
kibana_base_url: https://elk.local
# In your Kibana instance, go to /app/management/kibana/dataViews,
# and click on the Data View corresponding to your Logstash messages.
# Copy the UUID from the URL.
elasticsearch_data_view_id: 00000000-0000-0000-0000-000000000000
# A [PHP datetime format string](https://www.php.net/manual/en/datetime.format.php#refsect1-datetime.format-parameters)
# for the index corresponding to a particular event.
# Use backslash to escape literal characters.
# For example, `\e\l\k-Ymd` would map an event that occurred on 2022-10-12 to Elasticsearch index `elk-20221012`.
elasticsearch_index_date_format: '\e\l\k-Ymd'
# ===========================================================================
# Rewrites
# ===========================================================================
# Rewrites are regular expressions that alter values in particular fields.
# They're applied prior to aggregation,
# so you can use them to deduplicate similar/redundant messages.
rewrites:
url.path: # The name of the field to alter.
# The key is a regular expression of text to match in the specified field;
# the value is what to replace the matched text with.
# Example: hide UUIDs.
'\b[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\b': '<deduped>'
# ===========================================================================
# Annotations
# ===========================================================================
# Annotations are regular expressions that add links to matched text.
# You can use this to reference issues you've reported but haven't fixed yet,
# as a reminder to refrain from filing duplicate reports.
annotations:
# The key is a regular expression of text to match in any field;
# the value is what the matching text should link to.
# Example: in log messages about 404 errors, add a reminder about the issue I created for adding a favicon.
'/favicon.ico': 'https://example.com/issue-tracker/todo/47925-add-a-favicon'
# ===========================================================================
# Summaries
# ===========================================================================
# Each summary is a section in the output email;
# it matches (selects) certain log messages,
# then formats them into a table (or multiple tables).
# Summaries are processed in the same order that they appear here.
summaries:
# Example: summarize HTTP 404 errors:
🕷 HTTP 404 not found: # This is the display name of this summary block.
# The description is shown between the title and the first chart.
# Potentially useful for suggesting next steps to take based on the chart data.
description: If there are many requests for the same path, consider adding a redirect.
select:
# `select` is an array of hashes.
# The outer array is ORred;
# the inner hash is ANDed.
# The hash key is the field to filter on;
# the hash value is a regular expression to apply to the field's value.
# Example: match log messages that either have Drupal Watchdog Type `page not found`, OR (came from Apache access logs AND have HTTP response code 404).
- drupal.type: ^page not found$
- event.dataset: ^apache.access$
http.response.status_code: ^404$
charts:
# `charts` take the log messages selected above
# and format them into tables.
# Each chart in a summary operates on the same set of messages,
# allowing you to aggregate the data in different ways.
# Example: show which target URLs are returning 404 errors:
Grouped by target URL: # This is the display name of this summary block's chart.
group_by:
- server.domain
- url.path
show_fields:
- server.domain
- url.path
- user_agent.name # This field isn't part of the group_by, so its column is labeled "(poly)" to indicate that each table cell in this column shows just a single representative value, but there may be other values not shown.
# Example: show which clients are making requests that result in 404 errors:
Grouped by client IP:
group_by: client.ip
show_fields:
- client.ip
- client.domain
- server.domain
- url.path
# Draff automatically converts the `select` query into a link to Kibana Discover. If the automatically-generated query is inadequate, you can optionally override it:
kibana_query: 'drupal.type:"page not found" OR (event.dataset:apache.access AND http.response.status_code:404)'
# Example: summarize IMAP logins:
📬 IMAP Login:
description: If there are many failed attempts from a single IP, consider blocking that IP.
select:
- log.syslog.identifier: ^dovecot$
process.name: ^imap-login$
event.action: ^Login$
charts:
Grouped by user + IP:
count: 1000 # By default, draff shows the top 5 groups with the most occurrences. You can pick a higher number to see more groups.
group_by:
- client.user.name
- client.ip
show_fields:
- client.user.name
- client.ip
- client.domain
🕷 HTTP 5xx server error:
concern: true # This causes the summary block to be highlighted in yellow, indicating that any messages here are potentially concerning.
description: Fix these.
select:
- event.dataset: ^apache.access$
http.response.status_code: ^5
charts:
Grouped by URL + status:
group_by:
- server.domain
- url.path
- http.response.status_code
show_fields:
- server.domain
- url.path
- http.response.status_code
- client.domain
# This last summary is a catch-all.
# It doesn't have a `select`,
# so it collects all events that weren't already processed by preceding summaries.
ℹ️ Other:
description: 'Goal: either fix, or weed out (in the Logstash filter configuration), or categorize (above) these log messages, to keep this section empty.'
charts:
Grouped by message:
group_by: message
sort_by: host.name ascending
show_fields:
- host.name
- event.dataset
- message
Top leftover sources:
group_by: event.dataset
show_fields:
- event.dataset
Top leftover hosts:
group_by: host.name
show_fields:
- host.name