# Trace WireGuard connected peers: tail the peer dump, normalise field names to
# the layout shared with the other VPN engines, enrich with GeoIP, and ship the
# records to OpenSearch.
#
# Filter sections are applied in the order written. Both Nest sections consume
# the nest_* keys added by the section just before them, so that order matters.

[INPUT]
    Name    tail
    Tag     peers
    Path    /var/log/wireguard-peers.json
    Parser  json_no_time
    # NOTE(review): no DB property is set, so read offsets are not persisted
    # across restarts -- confirm whether gaps/duplicates after a restart are
    # acceptable for this audit feed.

# Peer public address -> common source_ip field. The regex is unanchored, so
# any value that contains a dotted quad satisfies the condition.
[FILTER]
    Name       modify
    Match      peers
    Condition  key_value_matches endpoint_ip [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    Rename     endpoint_ip source_ip

# City-level GeoIP enrichment of the peer's public address (Russian locale
# names). Lookup failures are logged at error level only.
[FILTER]
    Name        geoip2
    Match       peers
    Database    /etc/fluent-bit/GeoLite2-City.mmdb
    Lookup_key  source_ip
    Record      source_city_name    source_ip %{city.names.ru}
    Record      source_country_name source_ip %{country.names.ru}
    Record      nest_lat            source_ip %{location.latitude}
    Record      nest_lon            source_ip %{location.longitude}
    Log_Level   error

# Fold nest_lat/nest_lon into source_location.{lat,lon}.
[FILTER]
    Name           nest
    Match          peers
    Operation      nest
    Wildcard       nest_*
    Remove_prefix  nest_
    Nest_under     source_location

# Peer tunnel address -> common client_ip field.
[FILTER]
    Name       modify
    Match      peers
    Condition  key_value_matches allowed_ip [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    Rename     allowed_ip client_ip

# Custom GeoIP-style lookup of the peer's internal address against a local
# database; only the name field is taken.
[FILTER]
    Name        geoip2
    Match       peers
    Database    /etc/fluent-bit/ke.mmdb
    Lookup_key  client_ip
    Record      source_name client_ip %{name}
    Log_Level   error

# Destination side: common byte counters plus fixed location data for the
# Moscow data-centre that this sensor runs in.
[FILTER]
    Name    modify
    Match   peers
    # transfer_rx/transfer_tx -> the tx/rx names shared with the other engines
    Rename  transfer_rx source_bytes
    Rename  transfer_tx destination_bytes
    Add     destination_name {{ansible_hostname}}
    #Add    destination_ip ...
    Add     nest_lat 55.7386
    Add     nest_lon 37.6068
    Add     destination_city_name Москва
    Add     destination_country_name Россия

# Fold the hard-coded nest_lat/nest_lon into destination_location.{lat,lon}.
[FILTER]
    Name           nest
    Match          peers
    Operation      nest
    Wildcard       nest_*
    Remove_prefix  nest_
    Nest_under     destination_location

# Tag every record with the emitting sensor.
[FILTER]
    Name   modify
    Match  peers
    Add    sensor flb@{{ansible_hostname}}

# Local file sink, kept for debugging.
#[OUTPUT]
#    Name   file
#    Match  peers
#    Path   /var/log
#    File   fluent-bit.log

# TLS with certificate verification stays on; the rendered file carries the
# OpenSearch password in clear, so keep its permissions restricted to the
# fluent-bit user.
[OUTPUT]
    Name                opensearch
    Match               peers
    Index               audithack-peers
    Host                {{log_host}}
    Port                {{log_port}}
    tls                 on
    tls.verify          on
    HTTP_User           {{log_http_user}}
    HTTP_Passwd         {{log_http_passwd}}
    Suppress_Type_Name  on
    #Replace_Dots       on
    Trace_Error         on