This is a prototype Fluent Bit container using a filter plugin which calls the GreyNoise API to drop, re-route, or enrich records. This specific filter leverages the Fluent Bit Lua script filter.
These instructions will cover usage information and for the docker container
In order to run this container you'll need docker installed.
In order to run make stats you will need jq installed
- Sign-Up for GreyNoise
- Copy
.env_exampleto.env - Copy your GreyNoise API key from the
Accountsection in the top right corner - Replace the
<REPLACE_ME>in.envwith your API key
docker run --env-file .env -it -p 2020:2020 -v $(PWD):/app greynoise/greynoise-fluentbit-lua:latest -c /app/conf/myconfig.confGREYNOISE_API_KEY- GreyNoise API key to use for HTTP requests.GREYNOISE_IP_FIELD- Named field from the Fluent Bit parser to use for IP lookups.GREYNOISE_LUA_LOG_LEVEL- Lua logging level (info/error/warning/debug)GREYNOISE_LUA_CACHE_SIZE- The number of IP records to cache in-memory before overwriting.
/app- Core working directory (mounted from the base repo folder)
The sample data tests are meant to be run from the repo base folder.
This example just generates the same JSON line over and over.
- Copy
.env_exampleto.env - Copy your GreyNoise API key from the
Accountsection in the top right corner - Replace the
<REPLACE_ME>in.envwith your API key - Run
make build - Run
make run
This example watches reads a log file in and watches for new lines.
- Run
make run-tail - Run
make statsin another terminal to see metrics
This is the same as #2 except this leverages rewrite_tag filter to drop records. This config drops invalid IPv4 records, bogon address space, GreyNoise RIOT records, and GreyNoise Noise records.
- Run
make run-rewrite - Run
make statsin another terminal to see metrics (note the drop rates)
- Create a directory for your configs
mkdir conf - Add your Fluent Bit configs and parsers to