# CONFIGURED BY ANSIBLE
#
# suricata eve logs
#
# this is a VPN gateway hence "flowfix" to skip 53/udp 53/tcp signatures
#
# Fluent Bit classic-format pipeline, rendered from a Jinja2 template:
# tail the Suricata EVE JSON log, enrich each event with subnet / host
# names from local MMDB files, drop the redundant timestamp, ship to
# OpenSearch.
#
# NOTE(review): the [INPUT] below tags records "eve" while every [FILTER]
# and [OUTPUT] in this file matches "source.flowfix". Nothing in this file
# retags eve -> source.flowfix, so presumably the "flowfix" step (e.g. a
# rewrite_tag filter) lives in another included config - confirm, because
# otherwise events from this input are neither enriched nor shipped.
#
# Jinja2 statement tags ({% ... %}) are kept in column 0 so that, with
# Ansible's default trim_blocks, they render to nothing and every key keeps
# one consistent indentation level, which the Fluent Bit classic parser
# expects.

[INPUT]
    name tail
    # the log path can be overridden with the Ansible variable "eve"
{% if eve is defined %}
    path {{eve}}
{% else %}
    path /var/log/suricata/eve.json
{% endif %}
    tag eve
    alias suricata
    # "json_no_time" is not a built-in parser; it must be defined in the
    # parsers file referenced from the [SERVICE] section (outside this file)
    parser json_no_time
    # NOTE(review): no "db" key, so the read offset is not persisted across
    # restarts; events written while Fluent Bit was down are not replayed.
    # Consider "db <state-file path>" if the detection pipeline must not
    # have gaps.

# easy-peasy src subnet name
[FILTER]
    name geoip2
    match source.flowfix
    # custom MMDB keyed by subnet (not a vendor GeoIP database)
    database /etc/fluent-bit/ke-subnets.mmdb
    lookup_key src_ip
    # record <new key> <lookup key> <field from the MMDB entry>
    record source_subnet src_ip %{name}
    # log level for this filter instance only
    log_level error

# easy-peasy dest subnet name
[FILTER]
    name geoip2
    match source.flowfix
    # same subnet MMDB, applied to the destination address
    database /etc/fluent-bit/ke-subnets.mmdb
    lookup_key dest_ip
    record destination_subnet dest_ip %{name}
    log_level error

# custom mmdb for vpn src (client ip & internal host)
[FILTER]
    name geoip2
    match source.flowfix
    # host-level MMDB: resolves VPN client / internal host names
    database /etc/fluent-bit/ke.mmdb
    lookup_key src_ip
    record source_name src_ip %{name}
    log_level error

# custom mmdb for vpn dest (client ip & internal host)
[FILTER]
    name geoip2
    match source.flowfix
    # same host-level MMDB, applied to the destination address
    database /etc/fluent-bit/ke.mmdb
    lookup_key dest_ip
    record destination_name dest_ip %{name}
    log_level error

# @timestamp is enough for logs
[FILTER]
    name modify
    match source.flowfix
    # drop Suricata's own "timestamp" field; the output adds @timestamp
    remove timestamp
    # tag every event with the sensor that produced it
    add sensor suricata@{{inventory_hostname}}

# local file sink kept for troubleshooting; enable by uncommenting
#[OUTPUT]
#    name file
#    match source.flowfix
#    path /var/log
#    file fluent-bit.log

[OUTPUT]
    name opensearch
    match source.flowfix
    host {{log_host}}
    port {{log_port}}
    # TLS with certificate verification. No tls.ca_file is given, so the
    # issuer of the OpenSearch certificate must be in the system trust store.
    tls on
    tls.verify on
    # basic-auth credentials are rendered into this file in clear text:
    # keep log_http_passwd in Ansible Vault and deploy the rendered file
    # with a restrictive owner/mode (readable by the fluent-bit user only)
    http_user {{log_http_user}}
    http_passwd {{log_http_passwd}}
    index suricata-infra
    # omit the mapping type from bulk requests (OpenSearch has no types)
    suppress_type_name on
    # left disabled: would rewrite "." in field names to "_"
    #replace_dots on
    # on a rejected bulk request this prints the request, i.e. the event
    # payload itself, into Fluent Bit's own log. Useful while diagnosing,
    # but it copies Suricata data into the local log; consider disabling
    # once the pipeline is stable.
    trace_error on