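# CONFIGURED BY ANSIBLE
# Fluent Bit (classic format) pipeline for haproxy logs, rendered from a Jinja
# template: {{ ... }} and {% ... %} are expanded by Ansible before deployment.
# The parsers referenced below (json_no_time, split_request, strip_querystr,
# obfus_secrets) and the script flb_haproxy.lua are defined outside this file.
# Booleans are written as on/off throughout (Fluent Bit also accepts true/false).
# NOTE(review): the input below tags records "haproxy", while most filters and
# both outputs match "source.cnx" / "source.ops"; the retagging that produces
# those tags is not in this file - confirm it is present in an included file.

# grab haproxy logs from systemd
[INPUT]
    name systemd
    systemd_filter _SYSTEMD_UNIT=haproxy.service
    read_from_tail on
# journald field names arrive lowercased and without leading underscores,
# so MESSAGE becomes "message" (the filters below rely on that name)
    lowercase on
    strip_underscores on
    threaded on
    tag haproxy
    alias haproxy

# keep only the systemd message field
[FILTER]
    name record_modifier
    match haproxy
    whitelist_key message

# connection logs: keep records whose message mentions client_ip
[FILTER]
    name grep
    match source.cnx
    regex message client_ip

# maintenance logs: everything that does not mention client_ip
[FILTER]
    name grep
    match source.ops
    exclude message client_ip

# parse the JSON message; on failure the non-JSON message field remains
# and is cleaned up right after
[FILTER]
    name parser
    match source.cnx
    key_name message
    parser json_no_time

# this is imperfect as we are dropping failed parsing
# and there's quite a lot esp. with systemd (trailing crap after the json)
# keep only records where client_ip exists, i.e. the JSON parse succeeded
[FILTER]
    name grep
    match source.cnx
    regex client_ip .*

# provides method path http_version
[FILTER]
    name parser
    match source.cnx
    key_name http_request
    parser split_request
    reserve_data on

# provides page
[FILTER]
    name parser
    match source.cnx
    key_name path
    parser strip_querystr
    reserve_data on
    preserve_key on

# obfuscate tokens passwords codes
# provides path_first and eventually path_second
# NOTE(review): only what the obfus_secrets parser matches is masked; anything
# it misses is shipped in clear - review that parser whenever URL schemes change
[FILTER]
    name parser
    match source.cnx
    key_name path
    parser obfus_secrets
    reserve_data on

# concatenate path_first (and path_second when there is) back to path
# https://docs.fluentbit.io/manual/pipeline/filters/lua
[FILTER]
    name lua
    match source.cnx
    script flb_haproxy.lua
    call concat_path

# casual/enriched geoip for public network source
# names are taken from the Russian locale of the database (names.ru)
# log_level error silences per-record lookup failures (e.g. private addresses)
[FILTER]
    name geoip2
    match source.cnx
    database /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key client_ip
    record source_city_name client_ip %{city.names.ru}
    record source_country_name client_ip %{country.names.ru}
    record nest_lat client_ip %{location.latitude}
    record nest_lon client_ip %{location.longitude}
    log_level error

# geospatial field name without a dot
# nest_lat / nest_lon become source_location.lat / source_location.lon
[FILTER]
    name nest
    match source.cnx
    operation nest
    wildcard nest_*
    remove_prefix nest_
    nest_under source_location

[FILTER]
    name modify
    match source.cnx
# @timestamp is enough for logs - remove haproxy timestamp
    remove request_date
# clean-up obfuscation artifacts
    remove path_first
    remove path_second

# tag every record with the emitting sensor (env + host)
[FILTER]
    name modify
    match source.*
    add sensor haproxy-{{env}}@{{inventory_hostname_short}}

# local file sink, kept disabled; presumably for debugging the pipeline
#[OUTPUT]
#    name file
#    match source.cnx
#    #match source.ops
#    path /var/log
#    file fluent-bit.log

# connection logs
# NOTE(review): http_user/http_passwd are rendered into this file in clear
# text - keep the rendered file readable by the fluent-bit user only and
# source the value from a vaulted variable. tls.verify off would disable
# server certificate checks; keep {{ssl_verify}} on outside test setups.
[OUTPUT]
    name opensearch
    match source.cnx
    host {{log_host}}
    port {{log_port}}
    tls on
    tls.verify {{ssl_verify}}
    http_user {{log_http_user}}
    http_passwd {{log_http_passwd}}
    index haproxy-{{env}}
    suppress_type_name on
# NOTE(review): replace_dots left disabled - reason not recorded; confirm before removing
    #replace_dots on
    trace_error on
{% if heavy_load is defined %}
# {{inventory_hostname_short}} is heavy load
    buffer_size 50M
{% endif %}
    compress gzip

# maintenance logs (same credentials and TLS caveats as above)
[OUTPUT]
    name opensearch
    match source.ops
    host {{log_host}}
    port {{log_port}}
    tls on
    tls.verify {{ssl_verify}}
    http_user {{log_http_user}}
    http_passwd {{log_http_passwd}}
    index audithack-haproxy
    suppress_type_name on
    #replace_dots on
    trace_error on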