
package parser
import (
"time"
"github.com/antonmedv/expr/vm"
"github.com/crowdsecurity/grokky"
)
// ExtraField describes one "static" assignment, as carried by
// GrokPattern.Statics: a destination (one of the target fields below)
// and a source (a literal Value, an ExpValue expression, or an
// enrichment Method). Used mostly for statics.
type ExtraField struct {
	// TargetByName addresses the destination by name (Struct.Field etc.).
	TargetByName string `yaml:"target,omitempty"`
	// Parsed names the destination key when the target field is in the Event map.
	Parsed string `yaml:"parsed,omitempty"`
	// Meta names the destination key when the target field is in the Meta map.
	Meta string `yaml:"meta,omitempty"`
	// Enriched names the destination key when the target field is in the Enriched map.
	Enriched string `yaml:"enriched,omitempty"`
	// Value is a static literal used as the source.
	Value string `yaml:"value,omitempty"`
	// ExpValue is the source given as an expression (expr language) instead of
	// a literal; presumably compiled into RunTimeValue by the loader — confirm.
	ExpValue string `yaml:"expression,omitempty"`
	// RunTimeValue is the compiled form of ExpValue. It is excluded from JSON
	// (`json:"-"`) but carries no yaml tag.
	// NOTE(review): DataCapture tags its compiled programs `yaml:"-"`; confirm
	// whether this field should be excluded from YAML (un)marshalling as well.
	RunTimeValue *vm.Program `json:"-"` //the actual compiled filter
	// Method names an enrichment method used as the source.
	Method string `yaml:"method,omitempty"`
}
// GrokPattern is the YAML-configured description of one grok/regexp step:
// which field it reads (TargetField), which pattern it applies (RegexpName
// or RegexpValue), an optional expression whose output replaces the input
// (ExpValue), and the statics to set when the pattern matches.
type GrokPattern struct {
	// TargetField is the field to which the regexp is going to apply.
	TargetField string `yaml:"apply_on,omitempty"`
	// RegexpName refers to a grok/regexp by name (loaded from patterns/*).
	RegexpName string `yaml:"name,omitempty"`
	// RegexpValue is a proper grok pattern given inline.
	RegexpValue string `yaml:"pattern,omitempty"`
	// RunTimeRegexp is the runtime form of RegexpName / RegexpValue. Excluded
	// from JSON (`json:"-"`); no yaml tag.
	RunTimeRegexp grokky.Pattern `json:"-"` //the actual regexp
	// ExpValue is an expression whose output is going to be the source for
	// the regexp (instead of TargetField's raw content).
	ExpValue string `yaml:"expression,omitempty"`
	// RunTimeValue is the compiled form of ExpValue. Excluded from JSON
	// (`json:"-"`) but carries no yaml tag.
	// NOTE(review): DataCapture tags its compiled programs `yaml:"-"`; confirm
	// whether this field should be excluded from YAML (un)marshalling as well.
	RunTimeValue *vm.Program `json:"-"` //the actual compiled filter
	// Statics are the ExtraField assignments applied if the pattern is successful.
	Statics []ExtraField `yaml:"statics,omitempty"`
}
// DataCapture is the YAML-configured description of a capture map: a named
// map whose key and value are computed by expressions, with a TTL, a size
// bound and a strategy. The string fields are the configured form; the
// `yaml:"-"` fields are presumably filled in by the loader — confirm.
type DataCapture struct {
	// Name identifies the capture map.
	Name string `yaml:"name,omitempty"`
	// Key is the key expression as written in the configuration.
	Key string `yaml:"key,omitempty"`
	// KeyExpression is the compiled form of Key; never read from YAML.
	KeyExpression *vm.Program `yaml:"-"`
	// Value is the value expression as written in the configuration.
	Value string `yaml:"value,omitempty"`
	// ValueExpression is the compiled form of Value; never read from YAML.
	ValueExpression *vm.Program `yaml:"-"`
	// TTL is the time-to-live as written in the configuration.
	TTL string `yaml:"ttl,omitempty"`
	// TTLVal is presumably TTL parsed as a time.Duration — TODO confirm against
	// the loader; never read from YAML.
	TTLVal time.Duration `yaml:"-"`
	// MaxMapSize bounds the map (YAML key "size"); semantics of 0 not visible here.
	MaxMapSize int `yaml:"size,omitempty"`
	// Strategy selects the capture strategy; accepted values are defined elsewhere.
	Strategy string `yaml:"strategy,omitempty"`
}