Fluentbit

Cedric Hebert edited this page May 17, 2024 · 3 revisions

The demo application comes with a pre-configured Fluent-bit instance and agent. We chose Fluent-bit as it is an open-source, versatile and very popular solution when it comes to log management, meaning it should be relatively easy for you to connect Cloud Active Defense alerts to your preferred solution.

The instance

The instance is a simple container configured in docker-compose.yaml. We expose its default port to ensure connectivity with the agent. The fluentbit container waits for alerts to be sent to it; whenever an alert is received, it is displayed in the console.

The instance is configured with two files that we mount as volumes. Mounting them this way lets Fluent Bit be configured without having to create a dedicated Dockerfile.

fluent-bit.conf

Comes with the following setup:

[SERVICE]

Global properties.

log_level debug:

  • Verbose output, useful for troubleshooting and development. Can be safely turned to info.

parsers_file /fluent-bit/etc/custom_parsers.conf:

  • The file defining how the content should be parsed before being forwarded (or, here, displayed on the local console).

[INPUT]

Where and how logs are collected.

Name forward:

  • The input plugin to use, in this case, forward. This plugin allows Fluent Bit to receive logs from the agent running in the proxy.

Listen 0.0.0.0:

  • Fluent Bit will listen on all its available network interfaces.

Port 24224:

  • The port number on which Fluent Bit will listen for incoming log data (default).

[OUTPUT]

The output destination for the processed logs.

Name stdout:

  • The output plugin to use, in this case, stdout. This plugin outputs the logs to the standard output (console).

Match **:

  • Pattern to match tags from incoming logs. ** matches all tags, meaning all logs will be sent to this output.

[FILTER]

Filter(s) that process logs between input and output stages.

First filter

Name grep:

  • The filter plugin to use, in this case, grep. This plugin filters logs based on regular expressions.

Match *:

  • Specifies which logs to apply this filter to. * means this filter will apply to all logs.

Regex $log['alert'] true:

  • Defines the regular expression to filter logs. This expression will match logs where the alert field within the log object is set to true.
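To make the forward input and this grep filter concrete, here is an added example (not code from the Cloud Active Defense project or this wiki). It builds, without external dependencies, the kind of MessagePack-encoded forward-protocol message an agent sends to port 24224, and emulates how the `Regex $log['alert'] true` rule decides which records survive. The sample records, the tag name `alert.demo`, and the way boolean values are rendered as the text `true`/`false` before the regex is applied are assumptions made for the example; the encoder covers only the value types a log record needs.

```python
"""Added example (not part of the Cloud Active Defense wiki or project code):
a dependency-free emulation of two things the page describes, the
forward-protocol message the agent sends to the Fluent Bit instance on
port 24224, and the grep filter `Regex $log['alert'] true` that keeps only
alert records. The sample records below are constructed for the demo."""
import re
import socket
import struct
from typing import Any


def encode_msgpack(value: Any) -> bytes:
    """Minimal MessagePack encoder for the value types a log record uses:
    None, bool, non-negative int, str, list and dict (no floats/binary)."""
    if value is None:
        return b"\xc0"
    if value is True:          # checked before int: bool is an int subclass
        return b"\xc3"
    if value is False:
        return b"\xc2"
    if isinstance(value, int):
        if 0 <= value < 128:                       # positive fixint
            return struct.pack("B", value)
        if 0 <= value < 2**32:                     # uint32
            return b"\xce" + struct.pack(">I", value)
        if 0 <= value < 2**64:                     # uint64
            return b"\xcf" + struct.pack(">Q", value)
        raise ValueError("negative or oversized ints are not needed here")
    if isinstance(value, str):
        raw = value.encode("utf-8")
        if len(raw) < 32:                          # fixstr
            return struct.pack("B", 0xA0 | len(raw)) + raw
        if len(raw) < 256:                         # str8
            return b"\xd9" + struct.pack("B", len(raw)) + raw
        return b"\xda" + struct.pack(">H", len(raw)) + raw   # str16
    if isinstance(value, list):
        head = (struct.pack("B", 0x90 | len(value)) if len(value) < 16
                else b"\xdc" + struct.pack(">H", len(value)))
        return head + b"".join(encode_msgpack(v) for v in value)
    if isinstance(value, dict):
        head = (struct.pack("B", 0x80 | len(value)) if len(value) < 16
                else b"\xde" + struct.pack(">H", len(value)))
        return head + b"".join(encode_msgpack(k) + encode_msgpack(v)
                               for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")


def build_forward_message(tag: str, timestamp: int, record: dict) -> bytes:
    """Forward protocol 'Message' mode: a 3-element array [tag, time, record].
    An integer UNIX timestamp is accepted by the forward input."""
    return encode_msgpack([tag, timestamp, record])


def send_to_fluent_bit(payload: bytes, host: str = "127.0.0.1", port: int = 24224) -> None:
    """Deliver one encoded message to the forward input (the port exposed in
    the demo's docker-compose.yaml). Not invoked by the tests."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)


# Constructed sample records: only the first carries $log['alert'] == true.
SAMPLE_RECORDS = [
    {"log": {"alert": True, "source": "constructed sample"}},
    {"log": {"alert": False, "source": "constructed sample"}},
    {"log": "plain text line with no alert field"},
]

ALERT_REGEX = re.compile(r"true")   # the regex part of `Regex $log['alert'] true`


def grep_alert_filter(records: list) -> list:
    """Emulates `Name grep / Match * / Regex $log['alert'] true`: the record
    accessor $log['alert'] resolves record["log"]["alert"], the value is
    rendered as text and must match the (unanchored) regex. Records where
    the key is absent are dropped, as grep treats a missing key as no match."""
    kept = []
    for rec in records:
        log = rec.get("log")
        if not isinstance(log, dict) or "alert" not in log:
            continue
        val = log["alert"]
        text = "true" if val is True else "false" if val is False else str(val)
        if ALERT_REGEX.search(text):
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in grep_alert_filter(SAMPLE_RECORDS):
        msg = build_forward_message("alert.demo", 1715904000, rec["log"])
        print(f"{len(msg)} bytes would be sent to the forward input: {msg.hex()}")
```

Because the regex is unanchored, a value such as `"untrue"` would also pass; the demo only ever sets the field to a boolean, so this does not matter there, but it is the kind of detail to check when adapting the filter to your own log pipeline.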

Second filter

Name parser:

  • The filter plugin to use, in this case, parser. This plugin applies a parser to transform log data.

Match *:

  • Specifies which logs to apply this filter to. * means this filter will apply to all logs.

Parser decoy_custom:

  • The name of the parser to apply, as defined in the parsers_file specified earlier. decoy_custom is the name of the parser defined in /fluent-bit/etc/custom_parsers.conf.

Key_Name log:

  • Specifies the key within the log record to apply the parser to. log is the key where the data to be parsed is located.
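Assembling the keys described above gives the following fluent-bit.conf in Fluent Bit's classic configuration syntax. This is an added reading of the page's description, not a copy of the file in the repository: the indentation and the order of the two [FILTER] sections (Fluent Bit applies filters in the order they appear, so grep runs before parser, as the page lists them) are assumptions, and the contents of custom_parsers.conf, which defines decoy_custom, are not shown on this page and so are not reproduced here.

```ini
[SERVICE]
    log_level    debug
    parsers_file /fluent-bit/etc/custom_parsers.conf

[INPUT]
    Name   forward
    Listen 0.0.0.0
    Port   24224

[FILTER]
    Name  grep
    Match *
    Regex $log['alert'] true

[FILTER]
    Name     parser
    Match    *
    Parser   decoy_custom
    Key_Name log

[OUTPUT]
    Name  stdout
    Match **
```

Fluent Bit can validate a configuration without starting the service (`fluent-bit -c fluent-bit.conf --dry-run`), which is a quick check after editing either file. Note that `Listen 0.0.0.0` together with the exposed port accepts unauthenticated records from any host that can reach the container; that is convenient for the demo, but outside of it the port should stay on the internal Docker network or be restricted to the proxy's address.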