From d062559bae5ccb9001586daf6f609e513ff78545 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Fri, 3 May 2019 17:56:46 +0200
Subject: [PATCH] start rules for TlsStream logs

helps with #13
---
 filter-50-pluginchecktask.conf | 2 +-
 filter-50-tlsstream.conf | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 filter-50-tlsstream.conf

diff --git a/filter-50-pluginchecktask.conf b/filter-50-pluginchecktask.conf
index c2138c6..d574779 100644
--- a/filter-50-pluginchecktask.conf
+++ b/filter-50-pluginchecktask.conf
@@ -7,7 +7,7 @@ filter {
 add_tag => "icinga_checkcommandforobject"
 tag_on_failure => ["_grokparsefailure","icinga_checkcommandforobject_failed"]
 add_field => {
- "[icinga][eventtype]" => "icinga_checkcommandforobject"
+ "[icinga][eventtype]" => "checkcommandforobject"
 }
 }
 }
diff --git a/filter-50-tlsstream.conf b/filter-50-tlsstream.conf
new file mode 100644
index 0000000..083694b
--- /dev/null
+++ b/filter-50-tlsstream.conf
@@ -0,0 +1,24 @@
+filter {
+ if [icinga][facility] == "TlsStream" {
+ if [message] =~ /^OpenSSL error:/ {
+ grok {
+ match => ["message","OpenSSL error: error:%{DATA:[icinga][sslerrorcode]}:%{GREEDYDATA:[icinga][sslerrordetails]}"]
+ id => "icinga_opensslerror"
+ add_tag => "icinga_opensslerror"
+ tag_on_failure => ["_grokparsefailure","icinga_opensslerror_failed"]
+ add_field => {
+ "[icinga][eventtype]" => "opensslerror"
+ }
+ }
+ } else if [message] == "TLS stream was disconnected." {
+ mutate {
+ id => "icinga_tlsstreamdisconnected"
+ add_tag => "icinga_tlsstreamdisconnected"
+ add_field => {
+ "[icinga][eventtype]" => "tlsstreamdisconnected"
+ }
+ }
+ }
+ }
+}
+
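Review bot: The grok pattern on the `match` line in filter-50-tlsstream.conf is unanchored, so grok will scan the whole message for the literal prefix on every non-matching line before giving up, even though the enclosing `if [message] =~ /^OpenSSL error:/` already guarantees the prefix is at the start; anchoring it, `match => ["message","^OpenSSL error: error:%{DATA:[icinga][sslerrorcode]}:%{GREEDYDATA:[icinga][sslerrordetails]}"]`, makes the intent explicit and avoids the backtracking. Note that `%{DATA}` is non-greedy, so `[icinga][sslerrorcode]` ends at the first colon after `error:` while everything afterwards lands in `[icinga][sslerrordetails]` as one opaque string; if downstream dashboards are meant to alert on specific handshake failures (e.g. certificate verification errors), a note saying that the details field is the part to filter on would help the next reader. The new file also lacks a header comment stating which Icinga facility it handles and why the two messages are split into separate event types; a one-line comment such as `# TlsStream facility: OpenSSL errors get an sslerrorcode/sslerrordetails pair, plain disconnects only an eventtype` at the top would cover that. The trailing empty `+` line at the end of the hunk adds a blank final line to the file and can be dropped.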