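#
# spot public and internal brutes
#
# Fluent Bit classic config, rendered by Ansible: {{...}} tokens are filled in
# at deploy time. Sections are [KIND] headers followed by indented `key value`
# lines; `#` starts a full-line comment.
#
# Pipeline for the `sshguard` tag: tail the auth log -> keep only sshguard
# lines -> parse attack/block/unblock messages -> normalise src_ip into
# source_ip -> geoip-enrich the source -> add static destination fields
# -> ship to opensearch.

[INPUT]
    name tail
    path /var/log/{{auth_log_file}}
    parser syslog_no_time
    tag sshguard
    # NOTE(review): no `db` is set, so tail offsets are not persisted across
    # fluent-bit restarts and events logged during a restart may be skipped
    # or re-read - confirm that is acceptable for this detection feed.

# keep only sshguard logs - the rest goes either to audithack-auth (when auth.log) --or-- nowhere (when messages)
[FILTER]
    name grep
    match sshguard
    regex ident ^sshguard$

# https://docs.fluentbit.io/manual/pipeline/filters/parser
# https://docs.fluentbit.io/manual/pipeline/parsers/regular-expression
# provides src_ip on detected attacks
# (the sshguard_* parsers live in the parsers file, not here)
[FILTER]
    name parser
    match sshguard
    key_name message
    parser sshguard_attack
    preserve_key true
    reserve_data true

## provides src_ip_range on blocks
#[FILTER]
#    name parser
#    match sshguard
#    key_name message
#    parser sshguard_block_range
#    preserve_key true
#    reserve_data true

# provides src_ip on blocks
[FILTER]
    name parser
    match sshguard
    key_name message
    parser sshguard_block
    preserve_key true
    reserve_data true

# provides src_ip on unblocks
[FILTER]
    name parser
    match sshguard
    key_name message
    parser sshguard_unblock
    preserve_key true
    reserve_data true

# check/sanitize parsed ip before geoip evaluation and use common source_ip field across various vpn engines
# https://docs.fluentbit.io/manual/pipeline/filters/modify
# key_value_matches is a regex search, not a full match, so the pattern is
# anchored with ^...$: a src_ip carrying extra characters around the address
# is left as src_ip and never reaches the geoip lookup. Octet ranges (0-255)
# are not validated here.
[FILTER]
    name modify
    match sshguard
    condition key_value_matches src_ip ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
    rename src_ip source_ip

#[FILTER]
#    name modify
#    match sshguard
#    condition key_value_matches src_ip_range [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+
#    rename src_ip_range source_ip_range

# casual/enriched geoip data for peer's public ip
# log_level error presumably quiets lookups that have no record (e.g. the
# internal/private sources this feed also covers) - confirm.
[FILTER]
    name geoip2
    match sshguard
    database /etc/fluent-bit/GeoLite2-City.mmdb
    lookup_key source_ip
    record source_city_name source_ip %{city.names.ru}
    record source_country_name source_ip %{country.names.ru}
    record nest_lat source_ip %{location.latitude}
    record nest_lon source_ip %{location.longitude}
    log_level error

# catch lat lon (lat comes first)
# nest_* produced by geoip2 above -> source_location.{lat,lon}
[FILTER]
    name nest
    match sshguard
    operation nest
    wildcard nest_*
    remove_prefix nest_
    nest_under source_location

# static destination-side fields describing this sensor
[FILTER]
    name modify
    match sshguard
    # assume 1/10 of a MB just to get a map line
    add source_bytes 100000
    add destination_bytes 100000
    add destination_name {{inventory_hostname}}
    # hard-coded variables in ansible inventory
    add destination_country_name {{country}}
    add destination_city_name {{city}}
    add nest_lat {{lat}}
    add nest_lon {{lon}}

# nest_* added just above -> destination_location.{lat,lon}
# (must run after the source_location nest, which already consumed the geoip nest_* keys)
[FILTER]
    name nest
    match sshguard
    operation nest
    wildcard nest_*
    remove_prefix nest_
    nest_under destination_location

[FILTER]
    name modify
    match sshguard
    # @timestamp is enough for logs
    remove time
    add sensor sshguard@{{inventory_hostname}}

#[OUTPUT]
#    name file
#    match sshguard
#    path /var/log
#    file fluent-bit.log

# tls.verify on: the server certificate is checked against the system CA store
# (no tls.ca_file given). The rendered file carries http_passwd in cleartext,
# so keep it readable by the fluent-bit user only.
[OUTPUT]
    name opensearch
    match sshguard
    host {{log_host}}
    port {{log_port}}
    tls on
    tls.verify on
    index audithack-brutes
    http_user {{log_http_user}}
    http_passwd {{log_http_passwd}}
    suppress_type_name on
    #replace_dots on
    trace_error on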