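###########################
###### INPUT FILES ########
###########################
# Kernel/netfilter log lines are tailed from a plain file (inotify, no polling)
# and turned into one JSON object per line in /var/log/plop.log.
module(load="imfile" mode="inotify")

###########################
###### JSON TEMPLATE ######
###########################
# option.json="on" makes rsyslog JSON-escape every property() value, so a
# crafted --log-prefix, interface name or flag text cannot break out of its
# quoted string. The constant() fragments are emitted verbatim and are what
# keeps the object well-formed: keep them plain JSON, never put a property
# value into a constant().
#
# Every field is extracted from $msg with an ERE; regex.nomatchmode="BLANK"
# yields "" (not the whole message) when a field is absent, e.g. no SPT/DPT
# on ICMP, no IN= interface on locally generated (OUTPUT chain) packets.
template(name="json_iptables" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")
    property(name="hostname")
    constant(value="\",\"severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"syslog-tag\":\"")
    property(name="syslogtag")

    # Everything from the "LOG..." log-prefix up to the IN= field (trailing
    # space included, as in the original extraction).
    constant(value="\",\"LOG_LABEL\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="^(LOG.*)IN=.*$")

    # Interface names may contain '-', '.', '_', '@' and upper case
    # (br-xxxx, eth0.100, veth1@if2); the old [a-z0-9]+ class truncated them.
    constant(value="\",\"IN\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="IN=([^ ]*)")

    # Accept IPv4 dotted quads and IPv6 hex/colon addresses (ip6tables lines).
    constant(value="\",\"SRC\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="SRC=([0-9a-fA-F:.]+)")
    constant(value="\",\"DST\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="DST=([0-9a-fA-F:.]+)")

    constant(value="\",\"LEN\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="LEN=([0-9]+)")

    # TOS/PREC/RES are printed as 0x hex; the old class [0-9a-hx] was not hex
    # (g, h are not hex digits) and missed upper-case digits.
    constant(value="\",\"TOS\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="TOS=(0x[0-9a-fA-F]+)")
    constant(value="\",\"PREC\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="PREC=(0x[0-9a-fA-F]+)")

    constant(value="\",\"TTL\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="TTL=([0-9]+)")
    constant(value="\",\"SPT\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="SPT=([0-9]+)")
    constant(value="\",\"DPT\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="DPT=([0-9]+)")
    constant(value="\",\"WINDOW\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="WINDOW=([0-9]+)")
    constant(value="\",\"RES\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="RES=(0x[0-9a-fA-F]+)")

    # TCP flag names sit between RES= and URGP=. The old pattern only matched
    # when RES was exactly 0x00 and URGP exactly 0, blanking FLAGS otherwise;
    # any RES/URGP value is accepted now (the result for the old case is the
    # same).
    constant(value="\",\"FLAGS\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="RES=0x[0-9a-fA-F]+ (.*) URGP=")

    # Urgent pointer is a 16-bit value, not just 0/1.
    constant(value="\",\"URGP\":\"")
    property(name="msg" regex.type="ERE" regex.submatch="1"
             regex.nomatchmode="BLANK" regex.expression="URGP=([0-9]+)")
    constant(value="\"}\n")
}

#################################
###### OUTPUT TO LOGHOSTS #######
#################################
# Dedicated ruleset: only messages delivered by the imfile input below ever
# reach this action. The previous `if $syslogtag == '...'` rule in the default
# ruleset would also have routed any locally generated message (e.g. via
# /dev/log) that merely claimed the same tag into plop.log. The ruleset must
# be defined before the input that binds to it.
#
# NOTE(review): omfile creates the file with its default mode (0644 unless
# overridden elsewhere in the config); firewall hit records with SRC/DST are
# world-readable then. Consider fileCreateMode="0640" once it is confirmed
# which account ships /var/log/plop.log to the loghosts.
ruleset(name="iptables_json") {
    action(type="omfile" file="/var/log/plop.log" template="json_iptables")
    stop
}

input(
    type="imfile"
    File="/var/log/iptables.log"
    Tag="pf_plop/env_prod/profile_iptables/svcid_iptables/app/reset.json"
    Severity="info"
    ruleset="iptables_json"
)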