###############################################################################
# Fluent-bit
###############################################################################
{ config, lib, pkgs, ... }:
{
# Elasticsearch endpoint and credentials for the es output. Each secret keeps
# the sops-nix defaults (root-owned, 0400) and is only ever dereferenced via
# config.sops.placeholder when the fluent-bit.conf template is rendered.
sops.secrets = lib.genAttrs [ "elastic_password" "es_host" "elastic_user" ] (_: { });
# Lua script to parse Tailscale SSH sessions from login _CMDLINE
environment.etc."fluent-bit/tailscale-parse.lua".text = ''
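--- Tag a journal record that originates from a Tailscale SSH login.
-- Fluent Bit Lua filter callback (see the `[FILTER] name lua` section that
-- calls it). It inspects the journal `_CMDLINE` field for a `-h <ip>` argument
-- and, when the address lies in the Tailscale/CGNAT range 100.64.0.0/10,
-- annotates the record with the source address and an event type.
-- The previous pattern accepted any 100.x.x.x address; 100.0.0.0/10 outside the
-- CGNAT block is ordinary public IPv4 and must not be labelled as Tailscale.
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number record timestamp, returned unchanged
-- @param record table journal fields keyed by field name
-- @return 1, timestamp, record -- 1 tells Fluent Bit to keep the (modified) record
function parse_tailscale(tag, timestamp, record)
  local cmdline = record["_CMDLINE"]
  if cmdline then
    -- Outer capture is the full dotted quad, inner capture its second octet.
    local ip, second = string.match(cmdline, "-h%s+(100%.(%d+)%.%d+%.%d+)")
    if ip then
      -- 100.64.0.0/10 <=> second octet in 64..127
      local octet = tonumber(second)
      if octet and octet >= 64 and octet <= 127 then
        record["tailscale_src_ip"] = ip
        record["tailscale_ssh"] = true
        record["event_type"] = "tailscale_login"
      end
    end
  end
  return 1, timestamp, record
end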
'';
environment.etc."fluent-bit/fail2ban-parse.lua".text = ''
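--- Extract jail, action and source address from a fail2ban journal line.
-- Fluent Bit Lua filter callback for the `dailydriver.fail2ban` systemd input.
-- Expected message shape: "[<jail>] <Action> <ipv4>" (e.g. "[sshd] Ban 192.0.2.10");
-- when only the "[<jail>]" prefix is recognisable, just the jail is recorded.
-- The journal exposes the text as `MESSAGE`; the sibling tailscale filter reads
-- `_CMDLINE` in the same upper-case form, so `MESSAGE` is tried first and the
-- lower-case `message` is kept as a fallback in case the input lower-cases
-- field names (Fluent Bit's systemd input has such an option — confirm).
-- NOTE: the address class `[%d%.]+` only matches IPv4; IPv6 bans fall back to
-- the jail-only branch.
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number record timestamp, returned unchanged
-- @param record table journal fields keyed by field name
-- @return 1, timestamp, record -- 1 tells Fluent Bit to keep the (modified) record
function parse_fail2ban(tag, timestamp, record)
  local msg = record["MESSAGE"] or record["message"] or ""
  local jail, action, ip = string.match(msg, "%[([^%]]+)%]%s+(%w+)%s+([%d%.]+)")
  if jail then
    record["jail"] = jail
    record["action"] = action
    record["src_ip"] = ip
  else
    -- Multi-word actions ("Restore Ban") or non-IPv4 addresses miss the full
    -- pattern; still surface the jail name so the event can be grouped.
    local jail_only = string.match(msg, "%[([^%]]+)%]")
    if jail_only then
      record["jail"] = jail_only
    end
  end
  return 1, timestamp, record
end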
'';
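# The rendered config embeds the Elasticsearch user and password, so the file
# must not be world-readable (it was 0444). It is restricted to root plus a
# dedicated group that the fluent-bit unit joins through SupplementaryGroups;
# this works whether the unit runs as root or as an unprivileged/dynamic user.
users.groups."fluent-bit" = { };
sops.templates."fluent-bit.conf" = {
  # NOTE(review): the es output below talks plain HTTP to port 9200, so
  # http_user/http_passwd cross the wire unencrypted unless es_host is loopback
  # or an already-encrypted link. Fluent Bit's es output accepts `tls On` and
  # `tls.verify On` when the cluster serves HTTPS — confirm the endpoint before
  # enabling them here.
  content = ''
    [SERVICE]
        flush 1
        log_level info
        daemon off
        Parsers_File /etc/fluent-bit/parsers.conf
    [INPUT]
        name systemd
        tag dailydriver.journal
    [INPUT]
        name tail
        path /var/log/*.log
        tag nixos.tail
    [INPUT]
        name systemd
        tag dailydriver.fail2ban
        systemd_filter _SYSTEMD_UNIT=fail2ban.service
        db /var/lib/fluent-bit/fail2ban.db
    [FILTER]
        name modify
        match *
        remove SYSLOG_TIMESTAMP
    [FILTER]
        name lua
        match *.journal
        script /etc/fluent-bit/tailscale-parse.lua
        call parse_tailscale
    [FILTER]
        name lua
        match dailydriver.fail2ban
        script /etc/fluent-bit/fail2ban-parse.lua
        call parse_fail2ban
    [FILTER]
        name record_modifier
        match dailydriver.*
        Record hostname playwashere
        Record source dailydriver
    [OUTPUT]
        name es
        match *
        host ${config.sops.placeholder."es_host"}
        port 9200
        http_user ${config.sops.placeholder."elastic_user"}
        http_passwd ${config.sops.placeholder."elastic_password"}
        logstash_format On
        logstash_prefix dailydriver
        suppress_type_name On
        buffer_size 10MB
  '';
  path = "/run/secrets/fluent-bit.conf";
  # root:fluent-bit, group-readable only: no other local user can read the
  # Elasticsearch credentials out of /run/secrets.
  mode = "0440";
  owner = "root";
  group = "fluent-bit";
};
services.fluent-bit = {
  enable = true;
  # Point the service at the sops-rendered file rather than a store path, so
  # the credentials never land in /nix/store.
  configurationFile = config.sops.templates."fluent-bit.conf".path;
};
systemd.services.fluent-bit = {
  serviceConfig = {
    # "adm" is presumably what lets the tail input read /var/log/*.log — confirm;
    # "fluent-bit" grants read access to the 0440 config template above.
    SupplementaryGroups = [ "adm" "fluent-bit" ];
    # The module's own state directory is overridden to match the
    # /var/lib/fluent-bit/fail2ban.db path used by the systemd input.
    StateDirectory = lib.mkForce "fluent-bit";
    StateDirectoryMode = "0750";
  };
};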
}