Merge pull request #630 from PratikshaSonawane/GRD-89925

GRD-89925 Fixed the filter for FlexibleServers Azure Postgres - [DO NOT MERGE]

gdp-packages/profile/AzurePostgresOverEventHubProfile/filter/filter.conf

@@ -1,105 +1,74 @@
 filter
-	{	
-		  if [type] == "profile_name"
-		{
-			json 
-				{
-					source => "message"   
-			    }
-            split
-				{
-					field => "records"
-				}
-			mutate  
-				{
-					add_field => {"pre_fix" => "%{[records][properties][prefix]}"}
-					add_field => {"tempmessage" => "%{[records][properties][message]}"}
-					add_field => {"e_level" => "%{[records][properties][errorLevel]}"} 
-					add_field => {"server_instance_name" => "%{[records][LogicalServerName]}"}
-				}
-			grok 
-				{
-					match => { "pre_fix" => "(?<timestamp>[^[A-Z]]*)[A-Z]{3}:(?<client_ip>[^:]*):(?<db_user>[^@]*)@(?<db_name>[^:]*):\[(?<session_id>[^\]]*)\]:(?<app_name>[^:]*):(?<sql_state>[^:]*)"							} 
-				}	
-            if[timestamp] and [e_level]		
-			{
-			if [db_name]
-				{
-					mutate 
-						{
-							replace => { "db_name"=> "%{enrollment_id}:%{server_instance_name}:%{db_name}" }
-						}
-				}
-			mutate
-				{
-					add_field => { "server_hostname" => "%{enrollment_id}_%{server_instance_name}" }
-				}
-
-			if [client_ip]
-				{
-					grok { match => {client_ip => "(?<clientIP>[^(]*)\((?<clientPort>[^)]*)"} }	
-				}
-			if[e_level] == "LOG"
-				{
-					if[tempmessage] =~ "AUDIT"
-					{
-
-						if[tempmessage] =~ "FUNCTION"
-							{
-							grok{
-									match => { "tempmessage" => "(?<audit>[^:]*):(?<session>[^:]*),%{GREEDYDATA:statement};%{GREEDYDATA:state}"}
-								}
-							}
-						else{
-							grok{
-									match => { "tempmessage" => "(?<audit>[^:]*):(?<session>[^:]*),,%{GREEDYDATA:statement},%{GREEDYDATA:state}"}
-								}
-							}
-						if[statement]
-						{
-							mutate	{
-									gsub => ["statement","\"",""]			
-								}
-						}
-					}
-					else{
-					drop {}
-					}
-				}
-			if[e_level] == "ERROR"
-				{
-					if[tempmessage]
-						{
-							mutate 
-							{
-								gsub => ["tempmessage","\"",""]		
-							}
-						}
-				}
-			if[e_level] == "FATAL"
-				{
-					if[tempmessage]
-						{
-							mutate
-							{
-								gsub => ["tempmessage","\"",""]
-							}
-						}
-				}
-			if[pre_fix] =~ "azure_superuser"
-				{
-					drop {}
-				}	
-			else{
-					azure_postgresql_guardium_plugin_filter{}
-				}
-			mutate  {
-						remove_field => ["@version","type","@timestamp","sequence","host", "records","ResourceGroup","resourceId","operationName","SubscriptionId","time","category","properties","pre_fix","db_user","timestamp","db_name","session_id","clientIP","clientPort","statement","sql_state","client_ip","session","server_instance_name","enrollment_id","state","tempmessage","message","e_level","audit","server_hostname","app_name"] 
-					}
-		}
-         else
-			{
-				drop{}
-			}		 
-	}
-	}
+{
+    if [type] == "profile_name" {
+        json {
+        	source => "message"
+        }
+        split {
+            field => "records"
+        }
+        if [records][properties][prefix] {
+            mutate { add_field => {"pre_fix" => "%{[records][properties][prefix]}"}  }
+        }
+        else {
+            mutate { add_field => {"pre_fix" => "%{[records][properties][message]}"} }
+        }
+        mutate {
+        	add_field => {"tempmessage" => "%{[records][properties][message]}"}
+            add_field => {"e_level" => "%{[records][properties][errorLevel]}"}
+        }
+        if [records][LogicalServerName] {
+            mutate  { add_field => {"server_instance_name" => "%{[records][LogicalServerName]}" } }
+        }
+        else {
+            mutate { add_field => {"resource" => "%{[records][resourceId]}"} }
+            grok { match => { "resource" => ".*/%{GREEDYDATA:server_instance_name}" } }
+        }
+        grok { match => { "pre_fix" => "(?<timestamp>[^[A-Z]]*)[A-Z]{3}:(?<client_ip>[^:]*):(?<db_user>[^@]*)@(?<db_name>[^:]*):\[(?<session_id>[^\]]*)\]:(?<app_name>[^:]*):(?<sql_state>[^:]*)" } }
+        if[timestamp] and [e_level] {
+            if [db_name] {
+        	    mutate { replace => { "db_name"=> "%{enrollment_id}:%{server_instance_name}:%{db_name}" } }
+        	}
+        	mutate { add_field => { "server_hostname" => "%{enrollment_id}_%{server_instance_name}" } }
+            if [client_ip] {
+        		grok { match => {client_ip => "(?<clientIP>[^(]*)\((?<clientPort>[^)]*)"} }
+        	}
+        	if[e_level] == "LOG" {
+        	    if[tempmessage] =~ "AUDIT" {
+                    if[tempmessage] =~ "FUNCTION" {
+        			    grok { match => { "tempmessage" => "(?<audit>[^:]*):(?<session>[^:]*),%{GREEDYDATA:statement};%{GREEDYDATA:state}"}}
+        			}
+        			else {
+        			    grok { match => { "tempmessage" => "(?<audit>[^:]*):(?<session>[^:]*),,%{GREEDYDATA:statement},%{GREEDYDATA:state}"}}
+        			}
+        	    }
+        		else{
+        		    drop {}
+        		}
+        	}
+        	if[e_level] == "ERROR" {
+        	    if[tempmessage] {
+        		    mutate { gsub => ["tempmessage","\"",""] }
+        		}
+        	}
+        	if[e_level] == "FATAL" {
+        	    if[tempmessage] {
+        		    mutate { gsub => ["tempmessage","\"",""] }
+        		}
+        	}
+        	if[pre_fix] =~ "azure_superuser" or [db_user] =~ "azuresu" or [statement] == "SELECT 1" or [statement] == "SELECT current_schema(),session_user" or [statement] == "UPDATE public.lsnmover SET id = id+1, update_time=now()" or [statement] =="UPDATE public.lsnmover SET id = id+1, update_time=now();" or [statement] == "SELECT version();"
+        	{
+        	    drop {}
+        	}
+            else{
+        	    azure_postgresql_guardium_plugin_filter{}
+        		mutate { gsub => [ "GuardRecord", "\\u0027", "'" ] }
+        	}
+        	# Remove unnecessary fields
+            prune { whitelist_names => ["GuardRecord"] }
+        }
+        else {
+            drop{}
+        }
+    }
+}