From e0d4da5f445ded4f360249dd7b8b01a259ad2c09 Mon Sep 17 00:00:00 2001
From: ThanKarab
Date: Wed, 6 Nov 2024 11:00:27 +0200
Subject: [PATCH] Fix for syslog timestamp pattern
---
 dev/docker-compose.yml | 7 +++++--
 elk_stack/logstash/pipeline/logstash.conf | 8 ++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
index 4a86d12e..5c00882a 100644
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@@ -13,6 +13,7 @@ services:
 interval: 30s
 timeout: 30s
 retries: 3
+
 exareme2_global_rabbitmq:
 image: madgik/exareme2_rabbitmq:${EXAREME2}
 ports:
@@ -193,13 +194,14 @@ services:
 ### LOGGER ###
 LOG_LEVEL: INFO
 LOG_LEVEL_FRAMEWORK: INFO
- ALGORITHM_UPDATE_INTERVAL: 30 # seconds
+ FEDERATION: dementia
 ### Database ###
 PORTAL_DB_URL: jdbc:postgresql://portalbackend_db:5433/portal
 PORTAL_DB_SERVER: portalbackend_db:5433
 PORTAL_DB_USER: portal
 PORTAL_DB_PASSWORD: portalpwd
 ### Exareme2 ###
+ ALGORITHM_UPDATE_INTERVAL: 30 # seconds
 EXAREME2_URL: http://172.17.0.1:5000
 ### Keycloak ###
 AUTHENTICATION: 0
@@ -310,4 +312,5 @@ services:
 # - '8443:8443'
 # depends_on:
 # - keycloak_db
-# restart: unless-stopped
\ No newline at end of file
+# restart: unless-stopped
+
diff --git a/elk_stack/logstash/pipeline/logstash.conf b/elk_stack/logstash/pipeline/logstash.conf
index 3e751944..c61c1c79 100644
--- a/elk_stack/logstash/pipeline/logstash.conf
+++ b/elk_stack/logstash/pipeline/logstash.conf
@@ -4,7 +4,7 @@ input
 port => 5010
 type => syslog
 codec => multiline {
- pattern => "<%{NUMBER}>%{MONTH} %{MONTHDAY} %{TIME} %{DATA}: %{TIMESTAMP_ISO8601} %{GREEDYDATA}"
+ pattern => "<%{NUMBER}>%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{DATA}: %{TIMESTAMP_ISO8601} %{GREEDYDATA}"
 negate => true
 what => "previous"
 }
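Review bot: In the second hunk of dev/docker-compose.yml, the new `FEDERATION: dementia` entry is a fixed literal with no comment, and the commit subject only mentions the syslog pattern. It presumably supplies the `[federation]` token that the grok patterns in logstash.conf capture, so a one-line comment such as `# value written to the [federation] field of every log line` would record why it sits under the LOGGER heading. If other deployments use a different federation, `FEDERATION: ${FEDERATION:-dementia}` would follow the `${EXAREME2}` substitution already used for the image tag. The unchanged context beside it keeps `AUTHENTICATION: 0` and a literal `PORTAL_DB_PASSWORD`, which is worth confining to this dev file. The service definition starts and ends outside the hunk.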
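Review bot: `%{SPACE}` expands to `\s*`, so the new multiline codec pattern in logstash.conf makes the separators between month, day, time and host optional instead of just tolerating the padded single-digit day this fix targets. With `negate => true` and `what => "previous"`, every line that fails this pattern is appended to the prior event, so the pattern decides event boundaries for whatever reaches port 5010 and is worth keeping exact. The stock `%{SYSLOGTIMESTAMP}` pattern (`%{MONTH} +%{MONTHDAY} %{TIME}`) accepts the padded day while still requiring a separator, e.g. `pattern => "<%{NUMBER}>%{SYSLOGTIMESTAMP} %{DATA}: %{TIMESTAMP_ISO8601} %{GREEDYDATA}"`. The same prefix is repeated in the three grok expressions of the next hunk and should change with it. The input plugin's opening lines are outside the hunk, so I cannot see whether `max_lines` or `max_bytes` bound the merged event.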
@@ -20,13 +20,13 @@ filter {
 match => [
 # ----- Match EXAREME2 logs -----
- "message", "<%{NUMBER}>%{MONTH} %{MONTHDAY} %{TIME} %{DATA}: %{TIMESTAMP_ISO8601:log_timestamp} - %{LOGLEVEL:loglevel} - %{DATA:method} - \[%{DATA:federation}\] - \[%{DATA:service}\] - \[%{DATA:node_id}\] - \[%{DATA:request_id}\] - %{GREEDYDATA:log_message}",
+ "message", "<%{NUMBER}>%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{DATA}: %{TIMESTAMP_ISO8601:log_timestamp} - %{LOGLEVEL:loglevel} - %{DATA:method} - \[%{DATA:federation}\] - \[%{DATA:service}\] - \[%{DATA:node_id}\] - \[%{DATA:request_id}\] - %{GREEDYDATA:log_message}",
 # ----- Match PORTAL-BACKEND user generated logs -----
- "message", "<%{NUMBER}>%{MONTH} %{MONTHDAY} %{TIME} %{DATA}: %{TIMESTAMP_ISO8601:log_timestamp} - %{LOGLEVEL:loglevel}%{SPACE}- %{DATA:logger} - \[%{DATA:federation}\] - \[%{DATA:service}\] - User -> %{DATA:user} , Endpoint -> \(%{WORD:http_method}\) %{URIPATH:http_path} , Info -> %{GREEDYDATA:log_message}",
+ "message", "<%{NUMBER}>%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{DATA}: %{TIMESTAMP_ISO8601:log_timestamp} - %{LOGLEVEL:loglevel}%{SPACE}- %{DATA:logger} - \[%{DATA:federation}\] - \[%{DATA:service}\] - User -> %{DATA:user} , Endpoint -> \(%{WORD:http_method}\) %{URIPATH:http_path} , Info -> %{GREEDYDATA:log_message}",
 # ----- Match PORTAL-BACKEND system generated logs -----
- "message", "<%{NUMBER}>%{MONTH} %{MONTHDAY} %{TIME} %{DATA}: %{TIMESTAMP_ISO8601:log_timestamp} - %{LOGLEVEL:loglevel}%{SPACE}- %{DATA:logger} - \[%{DATA:federation}\] - \[%{DATA:service}\] - %{GREEDYDATA:log_message}"
+ "message", "<%{NUMBER}>%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{DATA}: %{TIMESTAMP_ISO8601:log_timestamp} - %{LOGLEVEL:loglevel}%{SPACE}- %{DATA:logger} - \[%{DATA:federation}\] - \[%{DATA:service}\] - %{GREEDYDATA:log_message}"
 ]
 add_tag => [ "parsed" ]
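Review bot: None of the three rewritten grok expressions is anchored, so a message that does not match is retried from every offset, and against each alternative in turn, before grok gives up. The message text comes from whatever is sent to the syslog listener, and each expression chains several lazy `%{DATA}` captures, so prefixing each with `^` (for example `"^<%{NUMBER}>%{MONTH}%{SPACE}%{MONTHDAY}..."`) keeps failed matches cheap. The enclosing grok block begins and ends outside the hunk, so I cannot see whether `timeout_millis` or `tag_on_failure` is set there. Events that miss all three expressions should remain distinguishable downstream from those tagged `parsed`.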