Datadog has presented its full set of rules, starting from the examples I reported to them by ticket/feedback. I'll try to run some tests in order to change my set and optimize my solution.
These are their actual rules on the Grok Parser "Parsing Stunnel Proxy logs":
Parsing rules
stunnel.service.connected_remote_server_from %{_date_stunnel} LOG%{_log_status}\[%{_session_id}\]\: Service \[%{_service_name}\] connected remote server from %{_local_ip}\:%{_local_port}
stunnel.service.accepted_connection_from %{_date_stunnel} LOG%{_log_status}\[%{_session_id}\]\: Service \[%{_service_name}\] accepted connection from %{_client_ip}\:%{_client_port}
stunnel.certificate.accepted %{_date_stunnel} LOG%{_log_status}\[%{_session_id}\]\: Certificate accepted at depth\=%{_cert_depth}\: %{_cert_info}
stunnel.connection.closed_reset %{_date_stunnel} LOG%{_log_status}\[%{_session_id}\]\: Connection (closed|reset)\: %{_byte_sent_to_ssl} byte\(s\) sent to SSL\, %{_byte_sent_to_socket} byte\(s\) sent to socket
stunnel.s_connect %{_date_stunnel} LOG%{_log_status}\[%{_session_id}\]\: (s_connect|transfer)\: (connect|connected|connecting|s_poll_wait) %{_backend_ip}\:%{_backend_port}(\: %{_error_message})?
stunnel.fallback %{_date_stunnel} LOG%{_log_status}\[%{_session_id}\]\: %{_error_message}
Helper rules
Final considerations
As we can see, stunnel.log_status is now replaced with level, so the Status Remapper has to be fixed up with the new variable name. The Date Remapper has no differences because the variable date is untouched except for the TZ information.
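An offline harness for testing changes to the Parsing rules above, as an added example in Python (not Datadog's Grok engine and not the author's code). The helper patterns, the attribute names other than level and date, the whole-line first-match-wins model, the sample lines and the function names parse and fallback_only are assumptions of the example.

```python
import re

# ASSUMPTION: the helper rules are not shown on this page, so these regexes
# stand in for %{_date_stunnel}, %{_log_status}, %{_session_id} and the rest.
PREFIX = (r"(?P<date>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
          r"LOG(?P<level>\d)\[(?P<session_id>[^\]]+)\]: ")
SERVICE = r"Service \[(?P<service_name>[^\]]+)\] "

def endpoint(kind):  # <kind>_ip:<kind>_port, IPv4 only in this sketch
    return r"(?P<%s_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<%s_port>\d+)" % (kind, kind)

# Same order as the Parsing rules above; the first rule that matches wins.
RULES = [(name, re.compile(PREFIX + body)) for name, body in [
    ("stunnel.service.connected_remote_server_from",
     SERVICE + "connected remote server from " + endpoint("local")),
    ("stunnel.service.accepted_connection_from",
     SERVICE + "accepted connection from " + endpoint("client")),
    ("stunnel.certificate.accepted",
     r"Certificate accepted at depth=(?P<cert_depth>\d+): (?P<cert_info>.*)"),
    ("stunnel.connection.closed_reset",
     r"Connection (?:closed|reset): (?P<byte_sent_to_ssl>\d+) byte\(s\) sent to SSL, "
     r"(?P<byte_sent_to_socket>\d+) byte\(s\) sent to socket"),
    ("stunnel.s_connect",
     r"(?:s_connect|transfer): (?:connect|connected|connecting|s_poll_wait) "
     + endpoint("backend") + r"(?:: (?P<error_message>.*))?"),
    ("stunnel.fallback", r"(?P<error_message>.*)"),
]]

def parse(line):
    """Return (rule_name, attributes) for the first rule covering the whole line."""
    for name, rx in RULES:
        m = rx.fullmatch(line)
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v is not None}
    return None, {}

def fallback_only(lines):  # lines only stunnel.fallback caught: rule candidates
    return [l for l in lines if parse(l)[0] == "stunnel.fallback"]

# Constructed sample lines (not real traffic). The last one differs from the
# closed_reset rule by one word, so only the fallback rule catches it.
SAMPLE = [
    "2024.05.01 10:00:00 LOG5[7]: Service [imaps] accepted connection from 192.0.2.10:51234",
    "2024.05.01 10:00:00 LOG3[8]: s_connect: connect 198.51.100.5:143: Connection refused (111)",
    "2024.05.01 10:00:01 LOG6[7]: Connection closed: 120 byte(s) sent to SSL, 300 byte(s) sent to socket",
    "2024.05.01 10:00:02 LOG6[9]: Connection closed: 120 byte(s) sent to TLS, 300 byte(s) sent to socket",
]
if __name__ == "__main__":
    print(*map(parse, SAMPLE), "fallback only: %r" % fallback_only(SAMPLE), sep="\n")
```

Lines returned by fallback_only still parse, but they carry only error_message, so byte counters and endpoints are missing from those events until a specific rule covers them.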