# CONFIGURED BY ANSIBLE # # trace netbird agent connected peers # [INPUT] name tail path /var/log/netbird-peers.json tag peers parser json_no_time [FILTER] name nest match peers operation lift nested_under iceCandidateEndpoint # provides remote_ip [FILTER] name parser match peers key_name remote parser strip_port preserve_key true reserve_data true # check/sanitize parsed ip before geoip evaluation and use common source_ip field across various vpn engines # https://docs.fluentbit.io/manual/pipeline/filters/modify [FILTER] name modify match peers condition key_value_matches remote_ip [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ rename remote_ip source_ip # casual/enriched geoip data for peer's public ip [FILTER] name geoip2 match peers database /etc/fluent-bit/GeoLite2-City.mmdb lookup_key source_ip record source_city_name source_ip %{city.names.ru} record source_country_name source_ip %{country.names.ru} record nest_lat source_ip %{location.latitude} record nest_lon source_ip %{location.longitude} log_level error [FILTER] name nest match peers operation nest wildcard nest_* remove_prefix nest_ nest_under source_location # use common client ip_field across various vpn engines [FILTER] name modify match peers condition key_value_matches netbirdIp [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ rename netbirdIp client_ip # custom geoip data for peer's internal ip [FILTER] name geoip2 match peers database /etc/fluent-bit/ke.mmdb lookup_key client_ip record source_name client_ip %{name} log_level error [FILTER] name modify match peers # use common tx/rx field across various vpn engines rename transferReceived source_bytes rename transferSent destination_bytes add destination_name {{inventory_hostname}} # hard-coded variables in ansible inventory add destination_country_name {{country}} add destination_city_name {{city}} add nest_lat {{lat}} add nest_lon {{lon}} [FILTER] name nest match peers operation nest wildcard nest_* remove_prefix nest_ nest_under destination_location [FILTER] name modify match peers add sensor peers@{{inventory_hostname}} #[OUTPUT] # name file # match peers # path /var/log # file fluent-bit.log [OUTPUT] name opensearch match peers host {{log_host}} port {{log_port}} tls on tls.verify on index audithack-peers http_user {{log_http_user}} http_passwd {{log_http_passwd}} suppress_type_name on #replace_dots on trace_error on