crowdsecurity / hub

Main repository for crowdsec scenarios/parsers
https://hub.crowdsec.net

Javascript logger support #768

Open LaurenceJJones opened 1 year ago

LaurenceJJones commented 1 year ago

In most "cases" a user will use a reverse proxy for nodejs applications. However, a user may just bind nodejs to 80,443; in this case we may want to support some loggers provided to the nodejs ecosystem:

Winston was my, and many others', go-to Express logger. It supports JSON as well as text, so both must be covered to have a successful parser.

Morgan: I used to use this before Winston.

We should normalise the Parsed and Meta attributes from all nodes so it works with http-base scenarios.

We must make it clear that if they have a reverse proxy they do not also need to set this up.

LaurenceJJones commented 1 year ago

My idea was to have a single parser for "express" or "javascript", then we can use filters to provide context to groks.

```yaml
name: crowdsecurity/javascript
filter: evt.Parsed.program startsWith 'javascript'
...
nodes:
  - filter: evt.Parsed.program endsWith 'morgan'
    grok:
     ...
  - filter: evt.Parsed.program endsWith 'winston'
    grok:
     ...
statics:
 .... normalise statics from all parsers
```

Then acquis

```yaml
filenames:
  - /var/log/nodejs.log
labels:
  type: javascript-winston
```
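
Added example, not part of the issue or of the hub's code: a sketch of the dispatch-and-normalise idea above, covering only Morgan's predefined `combined` format and Winston's JSON output (Winston's text output is not covered). The Winston key names, the normalised key names and both sample lines are assumptions constructed for illustration.

```javascript
// Added example. Sample lines are constructed; normalised key names are assumptions.
// Morgan's predefined "combined" format follows the Apache combined layout.
const MORGAN_COMBINED =
  /^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) HTTP\/([\d.]+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseMorgan(line) {
  const m = MORGAN_COMBINED.exec(line);
  if (!m) return null;
  return { source_ip: m[1], http_verb: m[4], http_path: m[5],
           http_status: m[7], http_user_agent: m[10] };
}

// Winston's JSON format has no fixed HTTP schema: ip, method, url, status and
// userAgent are hypothetical keys an application might log.
function parseWinstonJson(line) {
  let o;
  try { o = JSON.parse(line); } catch (e) { return null; }
  if (o === null || typeof o !== 'object') return null;
  if (['ip', 'method', 'url', 'status'].some((k) => o[k] === undefined)) return null;
  return { source_ip: String(o.ip), http_verb: String(o.method), http_path: String(o.url),
           http_status: String(o.status), http_user_agent: String(o.userAgent || '') };
}

// Mirrors the proposed filters: startsWith 'javascript', then endsWith per logger.
function normalise(program, line) {
  if (!program.startsWith('javascript')) return null;
  let fields = null;
  if (program.endsWith('morgan')) fields = parseMorgan(line);
  else if (program.endsWith('winston')) fields = parseWinstonJson(line);
  if (!fields) return null; // unparsed lines yield no event fields
  return { log_type: 'http_access-log', service: 'http', ...fields };
}

const MORGAN_SAMPLE =
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0.1"';
const WINSTON_SAMPLE =
  '{"level":"info","message":"request","ip":"203.0.113.7","method":"GET",' +
  '"url":"/wp-login.php","status":404,"userAgent":"curl/8.0.1"}';

console.log(normalise('javascript-morgan', MORGAN_SAMPLE));
console.log(normalise('javascript-winston', WINSTON_SAMPLE));
```

Both sample lines produce the same field set, which is the property the shared `statics` block is meant to give scenarios regardless of which logger wrote the line.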