input { stdin { type => "ezpaarse" } } filter { # mutate { # gsub => [ "message" , '"', "" ] # } csv { separator => ";" columns => [ "date","shib_uid","platform","platform_name","publisher_name","rtype","mime","print_identifier","online_identifier","title_id","doi","publication_title","unitid","domain","year","institution","datetime","doi-publication-title","doi-publication-date-year","doi-publisher","doi-type","doi-ISSN","doi-subject","doi-license-content-version","doi-license-URL","geoip-country","geoip-latitude","geoip-longitude","host","ezproxy-groups","url","status","size","Referer","user-agent","Cookie","ezproxy-session" ] } if [shib_uid] == "login" { mutate { add_field => { "not_user" => "%{shib_uid}" } } } else { date { match => [ "datetime", "ISO8601" ] } grok { match => { "shib_uid" => "(?:.*@%{NOTSPACE:domain_uid}.*|.*)"} } anonymize { algorithm => "SHA1" fields => [ "shib_uid" ] key => "agimus-ng" } #mutate { # lowercase => [ "shib_uid" ] # split => { "shib_uid" => "@" } # add_field => { # "uid" => "%{[shib_uid][0]}@%{[shib_uid][1]}" # "domain_uid" => "%{[shib_uid][1]}" # } # remove_field => [ "%{[shib_uid]}", "%{shib_uid}" ] #} grok { match => { "Cookie" => "(?:.*AGIMUS=%{NOTSPACE:agimus}.*|.*)"} } if [agimus] { mutate { gsub => [ "agimus", ";", "" ] } elasticsearch { hosts => ["localhost"] query => "_type:trace AND _id:%{agimus}" sort => "" fields => { "ldap_uid"=>"uid" } } if [uid] { elasticsearch { hosts => ["localhost"] query => "_type:ldap AND _id:%{uid}" sort => "" fields => { __VOS_ATTRIBUTS_HASHES__ } remove_field => [ "agimus" ] add_field => { "query_done" => "true" } } anonymize { algorithm => "SHA1" fields => [ "uid" ] key => "PASSWORD" } if [query_done] { mutate { lowercase => [ "supannEntiteAffectationPrincipale", "supannEtuDiplome", "supannEtuCursusAnnee", "supannEtuSecteurDisciplinaire", "supannEtuRegimeInscription", "supannEtablissement" ] remove_field => [ "query_done"] } if [eduPersonPrimaryAffiliation] { translate { field => "eduPersonPrimaryAffiliation" dictionary_path => "/opt/logstash-translate-dictionnary/eduPersonPrimaryAffiliation.yaml" destination => "eduPersonPrimaryAffiliationHR" fallback => "%{eduPersonPrimaryAffiliation}" } } else { mutate { add_field => { "eduPersonPrimaryAffiliationHR" => "INCONNU" } } } # if [supannEntiteAffectationPrincipale] { # translate { # field => "supannEntiteAffectationPrincipale" # dictionary_path => "/opt/logstash-translate-dictionnary/supannEntiteAffectationPrincipale.yaml" # destination => "supannEntiteAffectationPrincipaleHR" # fallback => "%{supannEntiteAffectationPrincipale}" # } # } else { # mutate { # add_field => { # "supannEntiteAffectationPrincipaleHR" => "INCONNU" # } # } # } # if [supannEtuDiplome] { # translate { # field => "supannEtuDiplome" # dictionary_path => "/opt/logstash-translate-dictionnary/supannEtuDiplome.yaml" # destination => "supannEtuDiplomeHR" # fallback => "%{supannEtuDiplome}" # } # } else { # mutate { # add_field => { # "supannEtuDiplomeHR" => "INCONNU" # } # } # } # if [supannEtuCursusAnnee] { # translate { # field => "supannEtuCursusAnnee" # dictionary_path => "/opt/logstash-translate-dictionnary/supannEtuCursusAnnee.yaml" # destination => "supannEtuCursusAnneeHR" # fallback => "%{supannEtuCursusAnnee}" # } # } else { # mutate { # add_field => { # "supannEtuCursusAnneeHR" => "INCONNU" # } # } # } # if [supannEtuSecteurDisciplinaire] { # translate { # field => "supannEtuSecteurDisciplinaire" # dictionary_path => "/opt/logstash-translate-dictionnary/supannEtuSecteurDisciplinaire.yaml" # destination => "supannEtuSecteurDisciplinaireHR" # fallback => "%{supannEtuSecteurDisciplinaire}" # } # } else { # mutate { # add_field => { # "supannEtuSecteurDisciplinaireHR" => "INCONNU" # } # } # } # if [supannEtuRegimeInscription] { # translate { # field => "supannEtuRegimeInscription" # dictionary_path => "/opt/logstash-translate-dictionnary/supannEtuRegimeInscription.yaml" # destination => "supannEtuRegimeInscriptionHR" # fallback => "%{supannEtuRegimeInscription}" # } # } else { # mutate { # add_field => { # "supannEtuRegimeInscriptionHR" => "INCONNU" # } # } # } # if [supannEtablissement] { # translate { # field => "supannEtablissement" # dictionary_path => "/opt/logstash-translate-dictionnary/supannEtablissement.yaml" # destination => "supannEtablissementHR" # fallback => "%{supannEtablissement}" # } # } else { # mutate { # add_field => { # "supannEtablissementHR" => "INCONNU" # } # } # } } else { mutate { add_field => { "no_ldap" => "%{uid}" } } } } } else { } mutate { # convert => { "[geoip][location]" => "float" } convert => { "size" => "string" } #"size" => "integer" convert => { "status" => "string" } #"status" => "integer" #convert => { "datetime" => "string" } #"datetime" => "date" rename => { "datetime" => "timedate" } remove_field => [ "column33" , "column34" , "column35" , "column36" , "column37" , "date" , "doi-publication-title","doi-publication-date-year","doi-publisher","doi-type","doi-ISSN","doi-subject","doi-license-content-version","doi-license-URL","geoip-latitude" , "geoip-longitude" , "geoip-country", "user" ] } } } output { # if "_grokparsefailure" not in [tags] { # if [not_user] { # No thing todo # } else if [no_ldap] { # stdout { # codec => line { format => "Pas de LDAP pour [%{no_ldap}]" } # } # } else { if [not_user] { } else { # stdout { # codec => rubydebug # } elasticsearch { hosts => "localhost" document_type => "ezpaarse" #index => "logstash-test" } } # } # } else { # stdout { # codec => line { # format => "probleme analyse grok pour %{message}" # } # } # } }