---
# Graylog log-management configuration: API endpoint, stream definitions,
# processing pipelines, pipeline rules and pipeline->stream connections.
# Presumably consumed by an Ansible role that pushes these objects through the
# Graylog REST API (vault-backed token, snake_case vars) — confirm against the role.
# Objects are cross-referenced by title: the stream titles below are reused in
# graylog_pipeline_connections, and the pipeline-rule titles are reused in the
# pipeline stages, so a renamed title must be changed in every place.

# Graylog API Configuration
graylog_api_url: "https://logs.debyl.io/api"
# graylog_api_token: defined in vault — a Graylog API token carries the
# permissions of the user it was created for, so a dedicated user limited to
# stream/pipeline management is preferable to a full admin token.

# Default index set for new streams (Default Stream index set)
# NOTE(review): this is an instance-specific MongoDB ObjectId, not a portable
# name; it must be looked up again for any other Graylog deployment.
graylog_default_index_set: "6955a9d3cc3f442e78805871"

# Stream definitions
# Each stream routes messages that satisfy its rules. Rule `type: 1` is
# Graylog's EXACT-match rule type (2 would be a regex match); `inverted: false`
# means the rule matches when the field equals the value. No matching_type
# (AND/OR) is given for the multi-rule streams below, so they rely on the
# role's default — Graylog's own default is AND, i.e. every rule must hold.
# Routing keys off fields such as `source`/`log_type`/`tag` exactly as they
# arrive on the inputs, so stream membership is only as reliable as the
# inputs (shippers, extractors) that populate those fields.
graylog_streams:
  - title: "debyltech-api"
    description: "Lambda API events from debyltech-api service"
    rules:
      - field: "service"
        value: "debyltech-api"
        type: 1 # EXACT match
        inverted: false
  - title: "caddy-access"
    description: "Web traffic access logs from Caddy"
    rules:
      - field: "source"
        value: "caddy"
        type: 1
        inverted: false
      - field: "log_type"
        value: "access"
        type: 1
        inverted: false
  # A Caddy access message for the fulfillr tag also satisfies caddy-access
  # above; Graylog allows a message to be routed into several streams, so
  # both streams receive it (and the GeoIP pipeline is connected to both).
  - title: "caddy-fulfillr"
    description: "Fulfillr-specific web traffic"
    rules:
      - field: "source"
        value: "caddy"
        type: 1
        inverted: false
      - field: "tag"
        value: "caddy.fulfillr"
        type: 1
        inverted: false
  - title: "ssh-security"
    description: "SSH access and security logs"
    rules:
      - field: "source"
        value: "sshd"
        type: 1
        inverted: false
  - title: "container-logs"
    description: "Container stdout/stderr from Podman"
    rules:
      - field: "source"
        value: "podman"
        type: 1
        inverted: false
  - title: "zomboid-connections"
    description: "Zomboid game server connection logs"
    rules:
      - field: "log_type"
        value: "zomboid_connection"
        type: 1
        inverted: false
  - title: "zomboid-ratelimit"
    description: "Zomboid rate-limited connection attempts"
    rules:
      - field: "log_type"
        value: "zomboid_ratelimit"
        type: 1
        inverted: false
  # TODO(review): neither this stream nor ssh-security is connected to the
  # GeoIP pipeline below, so ban/auth events carry no geo attribution; the
  # field holding the offending address in those messages is not visible here.
  - title: "fail2ban-actions"
    description: "Fail2ban ban and unban events"
    rules:
      - field: "source"
        value: "fail2ban"
        type: 1
        inverted: false

# Pipeline definitions
# A pipeline is an ordered list of stages; each stage names the rules (by
# title, defined in graylog_pipeline_rules) it evaluates. The stage `match`
# setting decides whether a message continues to the NEXT stage of the same
# pipeline: "ALL" requires every rule condition to hold, "EITHER" requires at
# least one, and Graylog 5.0+ also offers "PASS" (always continue).
graylog_pipelines:
  # Single stage, so its match setting has no downstream effect.
  - title: "GeoIP Enrichment"
    description: "Add geographic information to access logs"
    stages:
      - stage: 0
        match: "EITHER"
        rules:
          - "geoip_caddy_access"
          - "geoip_zomboid"
  - title: "Debyltech Event Classification"
    description: "Categorize debyltech-api events"
    stages:
      # NOTE(review): with "EITHER" here, a message that matches NONE of the
      # stage-0 classify_* rules does not proceed to stage 1, so
      # classify_default_events (which exists precisely for that case) never
      # fires and event_category is never set to "other". On Graylog 5.0+
      # `match: "PASS"` on this stage lets every message reach stage 1 —
      # confirm the deployed version before changing it.
      - stage: 0
        match: "EITHER"
        rules:
          - "classify_order_events"
          - "classify_review_events"
          - "classify_backinstock_events"
          - "classify_shipping_events"
          - "classify_product_events"
      - stage: 1
        match: "EITHER"
        rules:
          - "classify_default_events"

# Pipeline rule definitions
# `source` is the rule in Graylog's pipeline rule language. The two GeoIP
# rules read a lookup table named "geoip-lookup", which is not defined in this
# file and must already exist (with a MaxMind-style data adapter whose result
# exposes country / city / coordinates) before these rules can be created.
# Entries for private or unroutable addresses are not filtered before the
# lookup; what the adapter returns for them is not visible here.
graylog_pipeline_rules:
  # NOTE(review): request_remote_ip is the address Caddy saw; if Caddy sits
  # behind a reverse proxy or CDN this may be the proxy's address rather than
  # the client's — confirm which header/field the shipper populates.
  - title: "geoip_caddy_access"
    description: "GeoIP lookup for Caddy access logs"
    source: |
      rule "GeoIP for Caddy Access"
      when
        has_field("request_remote_ip")
      then
        let ip = to_string($message.request_remote_ip);
        let geo = lookup("geoip-lookup", ip);
        set_field("geo_country", geo["country"].iso_code);
        set_field("geo_city", geo["city"].names.en);
        set_field("geo_coordinates", geo["coordinates"]);
      end
  # Same enrichment keyed on src_ip; applied to both zomboid-connections and
  # zomboid-ratelimit, so both message types are assumed to carry src_ip.
  - title: "geoip_zomboid"
    description: "GeoIP lookup for Zomboid connection logs"
    source: |
      rule "GeoIP for Zomboid"
      when
        has_field("src_ip")
      then
        let ip = to_string($message.src_ip);
        let geo = lookup("geoip-lookup", ip);
        set_field("geo_country", geo["country"].iso_code);
        set_field("geo_city", geo["city"].names.en);
        set_field("geo_coordinates", geo["coordinates"]);
      end
  # The classify_* rules are a case-sensitive substring test on the `event`
  # field (Graylog's contains() has an optional ignore_case, default false), so
  # any event name containing the token qualifies. An event whose name contains
  # several tokens triggers several rules in the same stage; which set_field
  # value survives depends on rule execution order — do not rely on it.
  - title: "classify_order_events"
    description: "Classify order events"
    source: |
      rule "Classify order events"
      when
        has_field("event") AND contains(to_string($message.event), "order")
      then
        set_field("event_category", "order");
      end
  - title: "classify_review_events"
    description: "Classify review events"
    source: |
      rule "Classify review events"
      when
        has_field("event") AND contains(to_string($message.event), "review")
      then
        set_field("event_category", "review");
      end
  - title: "classify_backinstock_events"
    description: "Classify back-in-stock events"
    source: |
      rule "Classify back-in-stock events"
      when
        has_field("event") AND contains(to_string($message.event), "backinstock")
      then
        set_field("event_category", "backinstock");
      end
  - title: "classify_shipping_events"
    description: "Classify shipping events"
    source: |
      rule "Classify shipping events"
      when
        has_field("event") AND contains(to_string($message.event), "shipping")
      then
        set_field("event_category", "shipping");
      end
  - title: "classify_product_events"
    description: "Classify product events"
    source: |
      rule "Classify product events"
      when
        has_field("event") AND contains(to_string($message.event), "product")
      then
        set_field("event_category", "product");
      end
  # Fallback for stage 1: only meaningful if the message actually reaches
  # stage 1 (see the note on the "Debyltech Event Classification" stages).
  - title: "classify_default_events"
    description: "Default category for unclassified events"
    source: |
      rule "Classify default events"
      when
        has_field("event") AND NOT has_field("event_category")
      then
        set_field("event_category", "other");
      end

# Pipeline to stream connections
# Pipelines and streams are referenced by the exact titles defined above.
graylog_pipeline_connections:
  - pipeline: "GeoIP Enrichment"
    streams:
      - "caddy-access"
      - "caddy-fulfillr"
      - "zomboid-connections"
      - "zomboid-ratelimit"
  - pipeline: "Debyltech Event Classification"
    streams:
      - "debyltech-api"