# sshguard pipeline for Fluent Bit (classic config; rendered from an Ansible template).
# Goal: ship sshguard attack / block / unblock events for public and internal
# brute-force sources, enriched with GeoIP data, to OpenSearch.
# Filters apply top-down to every record tagged "sshguard". Fluent Bit treats
# entry keys case-insensitively; lowercase is used throughout this file.

# Source: the sshguard unit's journal stream, tagged "sshguard" for the filters below.
[INPUT]
    name            systemd
    systemd_filter  _SYSTEMD_UNIT=sshguard.service
    read_from_tail  on
    tag             sshguard

# Parser filters:     https://docs.fluentbit.io/manual/pipeline/filters/parser
# Parser definitions: https://docs.fluentbit.io/manual/pipeline/parsers/regular-expression
# The sshguard_* parsers live in the parsers file. When one matches MESSAGE it
# emits src_ip (or src_ip_range); preserve_key keeps MESSAGE itself and
# reserve_data keeps the remaining journal fields on the record.

# attack events -> src_ip
[FILTER]
    name          parser
    match         sshguard
    key_name      MESSAGE
    parser        sshguard_attack
    preserve_key  true
    reserve_data  true

# block-by-range events -> src_ip_range
# Disabled together with the matching src_ip_range rename further down.
#[FILTER]
#    name          parser
#    match         sshguard
#    key_name      MESSAGE
#    parser        sshguard_block_range
#    preserve_key  true
#    reserve_data  true

# block events -> src_ip
[FILTER]
    name          parser
    match         sshguard
    key_name      MESSAGE
    parser        sshguard_block
    preserve_key  true
    reserve_data  true

# unblock events -> src_ip
[FILTER]
    name          parser
    match         sshguard
    key_name      MESSAGE
    parser        sshguard_unblock
    preserve_key  true
    reserve_data  true

# Modify filter: https://docs.fluentbit.io/manual/pipeline/filters/modify
# Only records whose src_ip holds a dotted-quad are renamed to source_ip, the
# field name shared with the other VPN/sensor pipelines; anything else keeps
# src_ip and therefore gets no GeoIP lookup below.
# NOTE(review): the pattern is unanchored, so text around a dotted-quad would
# still pass; tighten to ^...$ once the parsers' src_ip captures are confirmed
# to be bare addresses.
[FILTER]
    name       modify
    match      sshguard
    condition  key_value_matches src_ip [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    rename     src_ip source_ip

# same normalisation for src_ip_range (disabled with the range parser above)
#[FILTER]
#    name       modify
#    match      sshguard
#    condition  key_value_matches src_ip_range [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+
#    rename     src_ip_range source_ip_range

# GeoIP enrichment of the peer's public address.
# City/country names are taken from the Russian name set; latitude/longitude
# are emitted as nest_* keys so the nest filter below can fold them into one
# source_location object. Lookup failures are only logged at error level.
[FILTER]
    name        geoip2
    match       sshguard
    database    /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key  source_ip
    record      source_city_name source_ip %{city.names.ru}
    record      source_country_name source_ip %{country.names.ru}
    record      nest_lat source_ip %{location.latitude}
    record      nest_lon source_ip %{location.longitude}
    log_level   error

# fold nest_lat / nest_lon (lat is emitted first) into source_location.{lat,lon}
[FILTER]
    name           nest
    match          sshguard
    operation      nest
    wildcard       nest_*
    remove_prefix  nest_
    nest_under     source_location

# Destination side: the sensor host sits in the Chisinau data-center, so its
# location is fixed rather than looked up (https://www.iplocation.net/ip-lookup).
# The add rules only set a key when it is absent; nest_lat/nest_lon are free
# again here because the previous nest filter moved the source values away.
[FILTER]
    name   modify
    match  sshguard
    # byte counters are a placeholder: 1/10 of a MB, just enough to draw a Map Line
    add    source_bytes 100000
    add    destination_bytes 100000
    add    destination_name {{ansible_hostname}}
    #add    destination_ip ...
    add    nest_lat 47.0060
    add    nest_lon 28.8567
    add    destination_city_name Chisinau
    add    destination_country_name Moldova

# fold the fixed nest_lat / nest_lon into destination_location.{lat,lon}
[FILTER]
    name           nest
    match          sshguard
    operation      nest
    wildcard       nest_*
    remove_prefix  nest_
    nest_under     destination_location

# identify the emitting Fluent Bit instance
[FILTER]
    name   modify
    match  sshguard
    add    sensor flb@{{ansible_hostname}}

# local file sink, handy for debugging the pipeline
#[OUTPUT]
#    name   file
#    match  sshguard
#    path   /var/log
#    file   fluent-bit.log

# OpenSearch sink. TLS with certificate verification is on, so the endpoint's
# chain must validate. http_user/http_passwd are rendered from Ansible vars,
# so the rendered file carries the credential; keep it owner-readable only.
# trace_error surfaces indexing rejections in the Fluent Bit log.
[OUTPUT]
    name                opensearch
    match               sshguard
    host                {{log_host}}
    port                {{log_port}}
    tls                 on
    tls.verify          on
    index               audithack-brutes
    http_user           {{log_http_user}}
    http_passwd         {{log_http_passwd}}
    suppress_type_name  on
    #replace_dots        on
    trace_error         on