Open LaurenceJJones opened 1 year ago
My idea was to have a single parser for "express" or "javascript", then we can use filters to provide context to groks.
```yaml
name: crowdsecurity/javascript
filter: evt.Parsed.program startsWith 'javascript'
# ...
nodes:
  - filter: evt.Parsed.program endsWith 'morgan'
    grok:
      # ...
  - filter: evt.Parsed.program endsWith 'winston'
    grok:
      # ...
statics:
  # ... normalise statics from all parsers
```
Then acquis:

```yaml
filenames:
  - /var/log/nodejs.log
labels:
  type: javascript-winston
```
In most "cases" a user will use a reverse proxy for nodejs applications. However, a user may just bind nodejs to 80,443. In this case we may want to support some loggers provided to the nodejs ecosystem:

- Winston was my, and many others', go-to express logger. It supports JSON as well as text, so both must be covered to have a successful parser.
- Morgan: I used to use this before Winston.
We should normalise the `Parsed` and `Meta` attributes from all nodes so it works with http-base scenarios. We must make it clear if they have a reverse proxy they do not also need to set this up.
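
The routing and normalisation proposed in this issue, sketched in Python as an added example (not CrowdSec's parser code and not written by the issue author). Assumptions: the Morgan node targets Morgan's predefined `combined` format, the Winston node handles JSON output with hypothetical field names (`ip`, `method`, `url`, `status`, `userAgent`), and the `Meta` keys are illustrative names for the shared layout.

```python
import json
import re

# Morgan's predefined "combined" format follows the Apache combined log layout.
MORGAN_COMBINED = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"')

def parse_morgan(line):
    m = MORGAN_COMBINED.match(line)
    return m.groupdict() if m else None

def parse_winston(line):
    # Winston JSON output; the HTTP field names are an assumption, since the
    # application decides what it logs. Text output would need its own node.
    try:
        doc = json.loads(line)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not {"ip", "method", "url", "status"} <= doc.keys():
        return None
    return {"remote_addr": str(doc["ip"]), "verb": str(doc["method"]),
            "request": str(doc["url"]), "status": str(doc["status"]),
            "http_user_agent": str(doc.get("userAgent", ""))}

# Child nodes, selected the same way as the `endsWith` filters in the issue.
NODES = (("morgan", parse_morgan), ("winston", parse_winston))

def parse(program, line):
    """Return {'Parsed': ..., 'Meta': ...}, or None if no node matches."""
    if not program.startswith("javascript"):
        return None
    node = next((fn for suffix, fn in NODES if program.endswith(suffix)), None)
    parsed = node(line) if node else None
    if parsed is None:
        return None
    # Shared "statics": one Meta layout regardless of which logger produced the line.
    meta = {"log_type": "http_access-log", "source_ip": parsed["remote_addr"],
            "http_verb": parsed["verb"], "http_path": parsed["request"],
            "http_status": parsed["status"],
            "http_user_agent": parsed["http_user_agent"]}
    return {"Parsed": parsed, "Meta": meta}

# Constructed sample lines (documentation IP ranges), not real traffic.
MORGAN_LINE = ('203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
               '"GET /admin/login HTTP/1.1" 401 42 "-" "curl/8.0.1"')
WINSTON_LINE = ('{"level":"info","message":"request","ip":"198.51.100.23",'
                '"method":"POST","url":"/api/login","status":403,"userAgent":"Mozilla/5.0"}')
```

Both sample lines produce a `Meta` dictionary with the same keys, which is what lets one set of HTTP scenarios consume events from either logger.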