diff --git a/Dockerfile b/Dockerfile
index 62c20fd..9cc6225 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,7 +54,7 @@ FROM gcr.io/distroless/base-debian12 AS runtime
 COPY --from=builder /usr/bin/logcorrelator /usr/bin/logcorrelator
 # Copy example config
-COPY --from=builder /build/config.example.conf /etc/logcorrelator/logcorrelator.conf
+COPY --from=builder /build/config.example.yml /etc/logcorrelator/logcorrelator.yml
 # Create necessary directories in builder stage (distroless has no shell)
 COPY --from=builder /tmp/runtime-root/var /var
@@ -65,7 +65,7 @@ COPY --from=builder /tmp/runtime-root/etc /etc
 # Set entrypoint
 ENTRYPOINT ["/usr/bin/logcorrelator"]
-CMD ["-config", "/etc/logcorrelator/logcorrelator.conf"]
+CMD ["-config", "/etc/logcorrelator/logcorrelator.yml"]
 # =============================================================================
 # RPM build stage - create .rpm package entirely in Docker
@@ -84,7 +84,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 COPY --from=builder /usr/bin/logcorrelator /tmp/pkgroot/usr/bin/logcorrelator
 # Copy config and systemd unit
-COPY --from=builder /build/config.example.conf /tmp/pkgroot/etc/logcorrelator/logcorrelator.conf
+COPY --from=builder /build/config.example.yml /tmp/pkgroot/etc/logcorrelator/logcorrelator.yml
 COPY logcorrelator.service /tmp/pkgroot/etc/systemd/system/logcorrelator.service
 # Create directory structure and set permissions
@@ -106,7 +106,7 @@ RUN fpm -s dir -t rpm \
 --vendor "logcorrelator" \
 -p /tmp/logcorrelator-${VERSION}.rpm \
 usr/bin/logcorrelator \
- etc/logcorrelator/logcorrelator.conf \
+ etc/logcorrelator/logcorrelator.yml \
 etc/systemd/system/logcorrelator.service \
 var/log/logcorrelator \
 var/run/logcorrelator
@@ -147,4 +147,4 @@ RUN go mod download || true
 COPY . .
 # Default command: run with example config
-CMD ["go", "run", "./cmd/logcorrelator", "-config", "config.example.conf"]
+CMD ["go", "run", "./cmd/logcorrelator", "-config", "config.example.yml"]
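Review bot: The runtime stage installs `config.example.yml` as the live `/etc/logcorrelator/logcorrelator.yml`, and that example (per the deleted `.conf` and the README rendering in this same commit) carries a credential-shaped DSN `clickhouse://user:pass@localhost:9000/db`. Every image built from this stage therefore ships a placeholder secret on the exact path the `CMD` loads, which secret scanners will flag, and a container started without a bind mount will use it silently once `clickhouse.enabled` is flipped; the README change in this commit even tells users to mount the example file itself as the live config. Consider `COPY --from=builder /build/config.example.yml /etc/logcorrelator/logcorrelator.example.yml` so a missing real config fails fast at startup, or at minimum drop the `user:pass@` portion from the example DSN. The runtime stage begins at the hunk header and continues past the last line shown.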
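Review bot: `etc/logcorrelator/logcorrelator.yml` is passed to `fpm` as an ordinary payload file in the `-106,7` hunk; unless `--config-files` already appears in the part of the command above the hunk, an `rpm -U` to a newer build will overwrite an operator's edited config, which is where the ClickHouse DSN and its password live, with the shipped example. Adding `--config-files etc/logcorrelator/logcorrelator.yml \` alongside the other options makes fpm emit the file as `%config(noreplace)` so rpm keeps a modified copy in place. Because the file is intended to hold a DSN with credentials, the permission step referenced just before this hunk (`# Create directory structure and set permissions`, not visible here) should also leave it `0640` owned by root and the service group rather than world-readable; worth confirming. The `RUN fpm` command starts above the hunk header.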
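Review bot: The dev stage's new `CMD` runs `go run` straight against `config.example.yml`, so that file's validity decides whether `docker run` starts at all, and the README's YAML rendering of it in this commit declares the top-level `outputs:` mapping twice (once for `file`, once for `clickhouse`). If `config.example.yml` does the same, a strict YAML decoder rejects the file outright and a lenient one keeps only the last `outputs:` block, silently dropping the file output; the actual file is not in this diff, so this needs checking there. Folding both sections under a single `outputs:` key avoids either outcome. The dev stage begins above the hunk header.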
diff --git a/README.md b/README.md
index c9c9d01..1040532 100644
--- a/README.md
+++ b/README.md
@@ -60,18 +60,21 @@ docker run -d \
 --name logcorrelator \
 -v /var/run/logcorrelator:/var/run/logcorrelator \
 -v /var/log/logcorrelator:/var/log/logcorrelator \
- -v ./config.conf:/etc/logcorrelator/logcorrelator.conf \
+ -v ./config.example.yml:/etc/logcorrelator/logcorrelator.yml \
 logcorrelator:latest
 ```
-### Depuis le package RPM (Rocky Linux 8+)
+### Depuis les packages (DEB/RPM)
 ```bash
-# Générer le RPM
+# Générer les packages
 ./build.sh
-# Installer le package
-sudo rpm -ivh dist/logcorrelator-1.0.0.rpm
+# Installer le package DEB (Debian/Ubuntu)
+sudo dpkg -i dist/deb/logcorrelator_1.0.0_amd64.deb
+
+# Installer le package RPM (Rocky Linux 8+)
+sudo rpm -ivh dist/rpm/logcorrelator-1.0.0-1.x86_64.rpm
 # Activer et démarrer le service
 sudo systemctl enable logcorrelator
@@ -88,66 +91,56 @@ sudo systemctl status logcorrelator go build -o logcorrelator ./cmd/logcorrelator # Exécuter -./logcorrelator -config config.example.conf +./logcorrelator -config config.example.yml ``` ## Configuration -La configuration utilise un fichier texte simple avec des directives : +La configuration utilise un fichier YAML : -```bash -# Format: directive value [value...] -# Lignes starting with # sont des commentaires +```yaml +# Service configuration +service: + name: logcorrelator + language: go -service.name logcorrelator -service.language go +# Input sources (at least 2 required) +inputs: + unix_sockets: + - name: apache_source + path: /var/run/logcorrelator/apache.sock + format: json + - name: network_source + path: /var/run/logcorrelator/network.sock + format: json -# Inputs (au moins 2 requis) -input.unix_socket apache_source /var/run/logcorrelator/apache.sock json -input.unix_socket network_source /var/run/logcorrelator/network.sock json +# File output +outputs: + file: + enabled: true + path: /var/log/logcorrelator/correlated.log -# Outputs -output.file.enabled true -output.file.path /var/log/logcorrelator/correlated.log +# ClickHouse output +outputs: + clickhouse: + enabled: false + dsn: clickhouse://user:pass@localhost:9000/db + table: correlated_logs_http_network -output.clickhouse.enabled false -output.clickhouse.dsn clickhouse://user:pass@localhost:9000/db -output.clickhouse.table correlated_logs_http_network -output.clickhouse.batch_size 500 -output.clickhouse.flush_interval_ms 200 - -# Corrélation -correlation.key src_ip,src_port -correlation.time_window.value 1 -correlation.time_window.unit s - -# Politique des orphelins -correlation.orphan_policy.apache_always_emit true -correlation.orphan_policy.network_emit false +# Correlation configuration +correlation: + key: + - src_ip + - src_port + time_window: + value: 1 + unit: s + orphan_policy: + apache_always_emit: true + network_emit: false ``` -### Directives disponibles - -| Directive | 
Description | Défaut | -|-----------|-------------|--------| -| `service.name` | Nom du service | `logcorrelator` | -| `service.language` | Langage | `go` | -| `input.unix_socket` | Socket Unix (name path [format]) | Requis | -| `output.file.enabled` | Activer sortie fichier | `true` | -| `output.file.path` | Chemin fichier | `/var/log/logcorrelator/correlated.log` | -| `output.clickhouse.enabled` | Activer ClickHouse | `false` | -| `output.clickhouse.dsn` | DSN ClickHouse | - | -| `output.clickhouse.table` | Table ClickHouse | - | -| `output.clickhouse.batch_size` | Taille batch | `500` | -| `output.clickhouse.flush_interval_ms` | Intervalle flush | `200` | -| `output.clickhouse.max_buffer_size` | Buffer max | `5000` | -| `output.clickhouse.drop_on_overflow` | Drop si overflow | `true` | -| `output.stdout.enabled` | Sortie stdout (debug) | `false` | -| `correlation.key` | Clés de corrélation | `src_ip,src_port` | -| `correlation.time_window.value` | Valeur fenêtre | `1` | -| `correlation.time_window.unit` | Unité (ms/s/m) | `s` | -| `correlation.orphan_policy.apache_always_emit` | Émettre A seul | `true` | -| `correlation.orphan_policy.network_emit` | Émettre B seul | `false` | +Exemple complet dans `config.example.yml`. ## Format des logs diff --git a/config.example.conf b/config.example.conf deleted file mode 100644 index 2158601..0000000 --- a/config.example.conf +++ /dev/null 
@@ -1,41 +0,0 @@
-# logcorrelator configuration file
-# Format: directive value [value...]
-# Lines starting with # are comments
-
-# Service configuration
-service.name logcorrelator
-service.language go
-
-# Input sources (at least 2 required)
-# Format: input.unix_socket [format]
-input.unix_socket apache_source /var/run/logcorrelator/apache.sock json
-input.unix_socket network_source /var/run/logcorrelator/network.sock json
-
-# File output
-output.file.enabled true
-output.file.path /var/log/logcorrelator/correlated.log
-
-# ClickHouse output
-output.clickhouse.enabled false
-output.clickhouse.dsn clickhouse://user:pass@localhost:9000/db
-output.clickhouse.table correlated_logs_http_network
-output.clickhouse.batch_size 500
-output.clickhouse.flush_interval_ms 200
-output.clickhouse.max_buffer_size 5000
-output.clickhouse.drop_on_overflow true
-output.clickhouse.async_insert true
-output.clickhouse.timeout_ms 1000
-
-# Stdout output (for debugging)
-output.stdout.enabled false
-
-# Correlation configuration
-correlation.key src_ip,src_port
-correlation.time_window.value 1
-correlation.time_window.unit s
-
-# Orphan policy
-# apache_always_emit: always emit A events even without matching B
-# network_emit: emit B events alone (usually false)
-correlation.orphan_policy.apache_always_emit true
-correlation.orphan_policy.network_emit false