# CONFIGURED BY ANSIBLE
# parse public network scans from SMA
#
# Fluent Bit pipeline: tail the SMA masscan result files, enrich each record
# (target/range from the file name, sensor identity), then ship to the log
# backend selected by the Ansible variable `log_output`.
# Anything between {{ }} / {% %} is rendered by Ansible before Fluent Bit
# reads this file; the rendered copy contains the backend credentials below,
# so its on-disk permissions matter (confirm the mode set by the Ansible task).

[INPUT]
    name tail
    path /var/log/sma/mass.*.jsonfix
    # record the absolute source path under key `filename`; the lua filter
    # below reads it and the modify filter drops it afterwards
    path_key filename
    # parser is defined in the parsers file, not in this template
    parser json_masscan
    tag sma
    alias sma
    #read_from_head true
    skip_empty_lines on

# 1000 ops/s in average over 1 minute
# (rate limiting is currently disabled; leaving it off means a burst of scan
# results is forwarded unthrottled to the backend)
#[FILTER]
#    name throttle
#    match sma.*
#    rate 1000
#    window 60
#    interval 1s
#    print_status true

# extract target and range from filename (absolute file path)
# flb_sma.lua is deployed alongside this file; `add_fields` is the function
# invoked per record (not visible here)
[FILTER]
    name lua
    match sma
    script flb_sma.lua
    call add_fields

[FILTER]
    name modify
    match sma
    # clean-up filename
    # the absolute path is no longer needed once the lua filter has used it
    remove filename
    # identify the originating sensor host in every record
    add sensor sma@{{inventory_hostname}}

# local file output, kept for debugging only
#[OUTPUT]
#    name file
#    match sma
#    path /var/log
#    file fluent-bit.log

[OUTPUT]
{% if log_output == 'vlogs' %}
    # VictoriaLogs JSON-line ingestion endpoint
    # NOTE(review): this branch sets neither `tls` nor HTTP credentials, so
    # records travel in clear and unauthenticated to {{log_host}} — confirm
    # that endpoint is local / on a trusted network
    name http
    match sma
    host {{log_host}}
    port {{log_port}}
    uri /insert/jsonline?_stream_fields=stream&_msg_field=sensor&_time_field=date
    # &debug=1
    format json_lines
    json_date_format iso8601
{% else %}
    # OpenSearch output
    name opensearch
    match sma
    host {{log_host}}
    port {{log_port}}
    tls on
    # `ssl_verify` false disables server certificate validation; keep it on
    # outside lab deployments
    tls.verify {{ssl_verify}}
    index audithack-scan-public
    # credentials are rendered into this file at deploy time
    http_user {{log_http_user}}
    http_passwd {{log_http_passwd}}
    # presumably required for OpenSearch / ES >= 7 (no `_type`); verify against
    # the backend version
    suppress_type_name on
    #replace_dots on
    # log details of requests the backend rejects (aids troubleshooting; the
    # traced payload may contain scan data)
    trace_error on
    buffer_size 50MB
    compress gzip
{% endif %}