# rsyslog fragment: ship OpenLDAP (slapd) logs through openldap-log-parser and
# forward the resulting JSON records to Graylog.
#
# Pipeline as written here:
#   1. raw slapd syslog lines  -> openldap-log-parser on 127.0.0.1:6514 (plain TCP)
#   2. /var/log/slapd.log.json -> imfile -> mmjsonparse -> Graylog on port 2514 (plain TCP)

module(load="imfile")       # reads /var/log/slapd.log.json (the parser's output file)
module(load="mmjsonparse")  # parses each JSON line of slapd.log.json into $! properties

# Output template: a hand-built JSON object, one key per parser field.
# option.json="on" makes every property() value JSON-escaped; the constant()
# pieces are emitted verbatim, so the keys and the surrounding braces/quotes
# come from the constants below.
# NOTE(review): "facility", "facility_num" and "level" are fixed constants, so every
# record reaches Graylog as local4 / severity 6 (info) regardless of the LDAP
# result code carried in "res_err" — severity-based alerting cannot rely on "level".
template(name="sendJsonToGrayLogTemplate" type="list" option.json="on") {
    constant(value="{ ")
    constant(value="\"facility\":\"local4\", ")
    constant(value="\"facility_num\":\"20\", ")
    constant(value="\"level\":\"6\", ")
    # programname of the message as seen by rsyslog (for the imfile input below this
    # is derived from its Tag, not from slapd itself)
    constant(value="\"type\":\"") property(name="programname") constant(value="\", ")
    # Fields produced by openldap-log-parser; several are renamed on the way out
    # (e.g. $!result_tag -> "res_tag").
    constant(value="\"time\":\"") property(name="$!time") constant(value="\", ")
    constant(value="\"source\":\"") property(name="$!hostname") constant(value="\", ")
    constant(value="\"process\":\"") property(name="$!process") constant(value="\", ")
    # Connection identity
    constant(value="\"client_ip\":\"") property(name="$!client_ip") constant(value="\", ")
    constant(value="\"client_port\":\"") property(name="$!client_port") constant(value="\", ")
    constant(value="\"server_ip\":\"") property(name="$!server_ip") constant(value="\", ")
    constant(value="\"server_port\":\"") property(name="$!server_port") constant(value="\", ")
    constant(value="\"bind_dn\":\"") property(name="$!bind_dn") constant(value="\", ")
    constant(value="\"conn_id\":\"") property(name="$!conn_id") constant(value="\", ")
    constant(value="\"conn_fd\":\"") property(name="$!conn_fd") constant(value="\", ")
    constant(value="\"op_id\":\"") property(name="$!op_id") constant(value="\", ")
    constant(value="\"op_type\":\"") property(name="$!op_type") constant(value="\", ")
    # Bind / transport security details
    constant(value="\"bind_method\":\"") property(name="$!bind_method") constant(value="\", ")
    constant(value="\"bind_mech\":\"") property(name="$!bind_mech") constant(value="\", ")
    constant(value="\"bind_ssf\":\"") property(name="$!bind_ssf") constant(value="\", ")
    constant(value="\"ssf\":\"") property(name="$!ssf") constant(value="\", ")
    constant(value="\"starttls\":\"") property(name="$!starttls") constant(value="\", ")
    # Write operations
    constant(value="\"mod_dn\":\"") property(name="$!mod_dn") constant(value="\", ")
    constant(value="\"mod_attr\":\"") property(name="$!mod_attr") constant(value="\", ")
    constant(value="\"add_dn\":\"") property(name="$!add_dn") constant(value="\", ")
    constant(value="\"del_dn\":\"") property(name="$!del_dn") constant(value="\", ")
    constant(value="\"passmod_dn\":\"") property(name="$!passmod_dn") constant(value="\", ")
    # Operation result (renamed from $!result_* to res_*)
    constant(value="\"res_tag\":\"") property(name="$!result_tag") constant(value="\", ")
    constant(value="\"res_oid\":\"") property(name="$!result_oid") constant(value="\", ")
    constant(value="\"res_err\":\"") property(name="$!result_err") constant(value="\", ")
    constant(value="\"res_qtime\":\"") property(name="$!result_qtime") constant(value="\", ")
    constant(value="\"res_etime\":\"") property(name="$!result_etime") constant(value="\", ")
    constant(value="\"res_text\":\"") property(name="$!result_text") constant(value="\", ")
    # Search request and search result
    constant(value="\"search_base\":\"") property(name="$!search_base") constant(value="\", ")
    constant(value="\"search_scope\":\"") property(name="$!search_scope") constant(value="\", ")
    constant(value="\"search_deref\":\"") property(name="$!search_deref") constant(value="\", ")
    constant(value="\"search_filter\":\"") property(name="$!search_filter") constant(value="\", ")
    constant(value="\"search_attr\":\"") property(name="$!search_attr") constant(value="\", ")
    constant(value="\"search_res_tag\":\"") property(name="$!search_res_tag") constant(value="\", ")
    constant(value="\"search_res_err\":\"") property(name="$!search_res_err") constant(value="\", ")
    constant(value="\"search_res_qtime\":\"") property(name="$!search_res_qtime") constant(value="\", ")
    constant(value="\"search_res_etime\":\"") property(name="$!search_res_etime") constant(value="\", ")
    constant(value="\"search_res_nentries\":\"") property(name="$!search_res_nentries") constant(value="\", ")
    constant(value="\"search_res_text\":\"") property(name="$!search_res_text") constant(value="\", ")
    # Free-text message, last key (no trailing comma)
    constant(value="\"message\":\"") property(name="$!message") constant(value="\" ")
    constant(value=" }")
}

# Step 1: hand the raw slapd syslog lines to openldap-log-parser, which runs as a
# local service. This is plain TCP on loopback (no StreamDriver/TLS parameters are
# set here, even though 6514 is the port conventionally used for syslog-over-TLS).
# There is no "stop" after this action, so slapd messages continue through the
# rest of the main ruleset (local file rules defined elsewhere still see them).
if $programname == 'slapd' then action( type="omfwd" Target="127.0.0.1" Port="6514" Protocol="tcp" template="RSYSLOG_FileFormat")

# Step 2: re-read the parser's JSON output file. Binding the input to its own
# ruleset means these lines never pass through the main ruleset (and so never hit
# the $programname == 'slapd' rule above). addMetadata="on" attaches the imfile
# metadata (file name / offset) as properties.
input(type="imfile" File="/var/log/slapd.log.json" Tag="openldap-agg" addMetadata="on" ruleset="remoteAllJsonLog" )

ruleset(name="remoteAllJsonLog") {
    # cookie="" : the whole message is expected to be JSON (no "@cee:"-style prefix).
    # NOTE(review): the result is not checked. mmjsonparse reports the outcome in
    # $parsesuccess; as written, a line that fails to parse is still forwarded
    # through the template with every $! field empty, which looks like a valid
    # record downstream. Consider gating the forward on $parsesuccess == "OK".
    action(type="mmjsonparse" cookie="")
    # NOTE(review): this forward is plain TCP. The records carry bind DNs, client
    # IPs, search bases and filters, i.e. LDAP audit data, in clear text across the
    # network to graylog.example.org. If the collector supports it, the omfwd
    # StreamDriver/StreamDriverMode/StreamDriverAuthMode parameters (gtls) would
    # put this on TLS with server authentication; that needs certificates provisioned
    # on both ends, so it is left as a recommendation here.
    # NOTE(review): no action queue or action.resumeRetryCount is configured; verify
    # against the rsyslog defaults in use whether records are dropped while the
    # collector is unreachable.
    action( type="omfwd" Target="graylog.example.org" Port="2514" Protocol="tcp" template="sendJsonToGrayLogTemplate" )
    # Discard after forwarding so the JSON lines are not also written to local files.
    stop
}