The Log Engine is a high-performance log analysis and defense subsystem built into NetXFW. It uses Zero-Copy technology to directly process byte streams, supporting everything from simple keyword matching to complex logical expression analysis, capable of real-time threat intelligence extraction from logs and automatic execution of defense actions (such as IP blocking).
Byte Mode is on by default: the engine operates directly on memory bytes, with no string conversion overhead. Field extraction supports key=value pairs, JSON field extraction, and delimiter extraction (see below).

Configure the log_engine section in config.yaml:

```yaml
log_engine:
  enabled: true    # Enable engine
  workers: 4       # Concurrent processing goroutines
  files:           # Log files to monitor
    - "/var/log/nginx/access.log"
    - "/var/log/auth.log"
    - "/var/log/syslog"
  rules: []        # Rule list (see below)
```
Log Engine supports two rule writing methods, simple fields and Expr expressions, which can be mixed based on complexity.

Simple fields are suitable for quickly configuring common matching logic. They use intuitive field names similar to Cloudflare WAF.
Field Description:

| Field | Alias | Description | Logic |
|---|---|---|---|
| contains | and, is, keywords | Must contain all specified content | AND (&&) |
| any_contains | or | Must contain any specified content | OR (\|\|) |
| not_contains | not | Must not contain any specified content | NOT (!) |
| regex | - | Must match regex pattern | AND |
| path | - | Only effective when matching this file path | Filter |
Frequency Control Fields:

| Field | Description | Default |
|---|---|---|
| threshold | Trigger threshold (count) | 0 (single match triggers immediately) |
| interval | Count time window (seconds) | 60 |
Example 1: SSH Brute Force Defense

Rule: In auth.log, if a line contains “Failed password” and does not contain “invalid user”, and this happens 5 times within 60 seconds, then block.

```yaml
- id: "ssh_bruteforce"
  path: "/var/log/auth.log"
  action: "dynblack"
  is:
    - "Failed password"
  not:
    - "invalid user"  # Exclude specific false positives
  threshold: 5
  interval: 60
```

Note that sshd reports attempts against nonexistent accounts as `Failed password for invalid user <name> from <ip> ...`, so the `not` clause above also drops those lines from the count; omit it if password guessing against unknown usernames should count toward the threshold as well.
Example 2: Block Specific User-Agent

Rule: Block requests whose User-Agent contains “Go-http-client”, “python-requests”, or “curl/”.

```yaml
- id: "block_scrapers"
  path: "*.log"
  action: "dynblack"
  or:
    - "Go-http-client"
    - "python-requests"
    - "curl/"
```
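To make the semantics of the field table and of Examples 1 and 2 concrete, here is an added, self-contained Go model of how such a rule can be evaluated over raw log lines: byte-level matching for the AND / OR / NOT fields, and a per-source-IP sliding window for threshold and interval. This is example code written for this page, not NetXFW's implementation; the Rule type, the assumption that the threshold is counted per source IP, the sshd line format used to pull the IP, and the sample log lines are all constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"time"
)

// Rule: one rule's simple-field matchers (names as in the table above) plus its
// frequency control. The evaluation below is this example's own, not NetXFW's.
type Rule struct {
	Contains    [][]byte      // contains / is / and / keywords: all must be present
	AnyContains [][]byte      // any_contains / or: at least one must be present
	NotContains [][]byte      // not_contains / not: none may be present
	Threshold   int           // 0 = act on the first match
	Interval    time.Duration // counting window
}

func anyOf(line []byte, subs [][]byte) bool {
	for _, s := range subs {
		if bytes.Contains(line, s) {
			return true
		}
	}
	return false
}

// Match applies the field logic to a raw line (byte mode: no string conversion).
func (r *Rule) Match(line []byte) bool {
	for _, s := range r.Contains {
		if !bytes.Contains(line, s) {
			return false // AND: every keyword must be present
		}
	}
	// OR: at least one of any_contains (if set); NOT: none of not_contains.
	return (len(r.AnyContains) == 0 || anyOf(line, r.AnyContains)) && !anyOf(line, r.NotContains)
}

// Observe records a match for ip at time now and reports whether the threshold
// was reached inside the interval (assumption: counted per source IP, not globally).
func Observe(r *Rule, hits map[string][]time.Time, ip string, now time.Time) bool {
	if r.Threshold <= 0 {
		return true // threshold 0: a single match triggers immediately
	}
	cutoff := now.Add(-r.Interval)
	kept := []time.Time{now}
	for _, t := range hits[ip] {
		if t.After(cutoff) { // forget hits that fell out of the window
			kept = append(kept, t)
		}
	}
	hits[ip] = kept
	if len(kept) >= r.Threshold {
		hits[ip] = nil // reset so one burst fires the action once
		return true
	}
	return false
}

// sshIP pulls the client address out of an sshd "... from <ip> port ..." line.
var sshIP = regexp.MustCompile(`from (\d{1,3}(?:\.\d{1,3}){3}) port`)

// SSHBruteForceRule is Example 1 expressed as a Rule value.
func SSHBruteForceRule() *Rule {
	return &Rule{
		Contains:    [][]byte{[]byte("Failed password")},
		NotContains: [][]byte{[]byte("invalid user")},
		Threshold:   5,
		Interval:    60 * time.Second,
	}
}

// SampleAuthLog is constructed input, not a real capture; line i is treated as
// arriving at start + i*step so the window logic can be exercised.
var SampleAuthLog = [][]byte{
	[]byte("Jan 10 10:00:00 host sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2"),
	[]byte("Jan 10 10:00:01 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2"),
	[]byte("Jan 10 10:00:02 host sshd[103]: Failed password for root from 203.0.113.7 port 40003 ssh2"),
	[]byte("Jan 10 10:00:03 host sshd[104]: Failed password for root from 203.0.113.7 port 40004 ssh2"),
	[]byte("Jan 10 10:00:04 host sshd[105]: Failed password for bob from 198.51.100.9 port 50002 ssh2"),
	[]byte("Jan 10 10:00:05 host sshd[106]: Failed password for root from 203.0.113.7 port 40005 ssh2"),
	[]byte("Jan 10 10:00:06 host sshd[107]: Failed password for root from 203.0.113.7 port 40006 ssh2"),
}

// Run feeds lines through the rule and returns the IPs whose action fired.
func Run(r *Rule, lines [][]byte, start time.Time, step time.Duration) []string {
	hits := map[string][]time.Time{}
	var fired []string
	for i, line := range lines {
		m := sshIP.FindSubmatch(line)
		if m == nil || !r.Match(line) {
			continue
		}
		if Observe(r, hits, string(m[1]), start.Add(time.Duration(i)*step)) {
			fired = append(fired, string(m[1]))
		}
	}
	return fired
}

func main() {
	fmt.Println("dynblack:", Run(SSHBruteForceRule(), SampleAuthLog, time.Now(), time.Second))
}
```

With the sample lines one second apart, 203.0.113.7 reaches five counted failures (the `invalid user` line is excluded) and the action fires once; 198.51.100.9 has a single failure and is left alone. Spreading the same lines 20 seconds apart keeps every window below the threshold, which is the interval doing its job.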
For complex logic, use the Expr expression language:

Example: Complex SQL Injection Detection

```yaml
- id: "sqli_advanced"
  path: "/var/log/nginx/access.log"
  action: "dynblack"
  expr: |
    contains(line, "SELECT") &&
    (contains(line, "UNION") || contains(line, "DROP")) &&
    !contains(line, "internal-monitor")
  threshold: 3
  interval: 60
```
| Action Value | String Form | Description | Duration |
|---|---|---|---|
| 0 | log | Only log alert | N/A |
| 1 | dynblack | Add to dynamic blacklist | Auto-expire (configurable) |
| 1 | dynblack:1h | Add to dynamic blacklist with duration | Specified duration (e.g., 10m, 1h, 30s) |
| 2 | blacklist / lock / deny | Add to static blacklist | Permanent |

Note: Actions support both numeric form (0/1/2) and string form; the two are equivalent, except that a duration suffix such as dynblack:1h can only be written in the string form.
Extract key=value pairs from logs:

```yaml
- id: "extract_kv"
  path: "/var/log/app.log"
  extract:
    type: "kv"
    fields:
      - "ip"
      - "status"
      - "user"
```

Extract fields from JSON logs:

```yaml
- id: "extract_json"
  path: "/var/log/json.log"
  extract:
    type: "json"
    fields:
      - "remote_addr"
      - "request.method"
      - "response.status"
```

Extract fields by delimiter:

```yaml
- id: "extract_csv"
  path: "/var/log/csv.log"
  extract:
    type: "delimiter"
    delimiter: ","
    fields:
      - { name: "ip", index: 0 }
      - { name: "status", index: 2 }
```
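The three extract types above (kv, json, delimiter) differ mainly in how they handle awkward input: quoted values with spaces or `=` inside, dotted paths into nested JSON, and lines with fewer columns than the configured index. The following added Go example, written for this page and not taken from NetXFW, shows one way to implement all three with those cases handled; the function names, the Extracted map type, and the three sample lines are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Extracted holds the fields pulled from one line. A field that is absent or
// unparsable is simply missing from the map; the line itself is not dropped.
type Extracted map[string]string

// ExtractKV implements extract.type "kv": whitespace-separated key=value
// tokens, with double quotes allowed around values that contain spaces or '='.
func ExtractKV(line []byte, fields []string) Extracted {
	want := map[string]bool{}
	for _, f := range fields {
		want[f] = true
	}
	out, rest := Extracted{}, line
	for {
		eq := bytes.IndexByte(rest, '=')
		if eq < 0 {
			return out
		}
		key := rest[:eq]
		if sp := bytes.LastIndexAny(key, " \t"); sp >= 0 {
			key = key[sp+1:] // ignore tokens before the key (timestamp, host, ...)
		}
		rest = rest[eq+1:]
		var val []byte
		if len(rest) > 0 && rest[0] == '"' {
			end := bytes.IndexByte(rest[1:], '"')
			if end < 0 {
				return out // unterminated quote: stop rather than guess
			}
			val, rest = rest[1:1+end], rest[2+end:]
		} else {
			end := bytes.IndexAny(rest, " \t")
			if end < 0 {
				end = len(rest)
			}
			val, rest = rest[:end], rest[end:]
		}
		if want[string(key)] {
			out[string(key)] = string(val)
		}
	}
}

// ExtractJSON implements extract.type "json": each field is a dotted path
// into the object, e.g. "request.method" reads obj["request"]["method"].
func ExtractJSON(line []byte, fields []string) Extracted {
	out := Extracted{}
	var obj map[string]any
	if err := json.Unmarshal(line, &obj); err != nil {
		return out // not a JSON object: nothing to extract
	}
	for _, f := range fields {
		var cur any = obj
		ok := true
		for _, part := range strings.Split(f, ".") {
			m, isObj := cur.(map[string]any)
			if !isObj {
				ok = false // path descends into a non-object
				break
			}
			if cur, ok = m[part]; !ok {
				break // key missing at this level
			}
		}
		if !ok || cur == nil {
			continue
		}
		if s, isStr := cur.(string); isStr {
			out[f] = s
		} else {
			out[f] = fmt.Sprint(cur) // numbers/bools rendered as text, e.g. 401 -> "401"
		}
	}
	return out
}

// DelimField mirrors the { name, index } items of extract.type "delimiter".
type DelimField struct {
	Name  string
	Index int
}

// ExtractDelimiter splits on delim and picks columns by index; a line that is
// too short yields the missing fields as absent instead of panicking.
func ExtractDelimiter(line []byte, delim string, fields []DelimField) Extracted {
	parts := bytes.Split(line, []byte(delim))
	out := Extracted{}
	for _, f := range fields {
		if f.Index >= 0 && f.Index < len(parts) {
			out[f.Name] = string(bytes.TrimSpace(parts[f.Index]))
		}
	}
	return out
}

// Constructed sample lines for the three extractors; not real captures.
const (
	SampleKVLine   = `2024-01-10T10:00:00Z app ip=203.0.113.7 status=403 user="j doe" msg="a=b"`
	SampleJSONLine = `{"remote_addr":"198.51.100.9","request":{"method":"POST","uri":"/login"},"response":{"status":401}}`
	SampleCSVLine  = `203.0.113.7,GET,500,/admin`
)

func main() {
	fmt.Println(ExtractKV([]byte(SampleKVLine), []string{"ip", "status", "user", "msg"}))
	fmt.Println(ExtractJSON([]byte(SampleJSONLine), []string{"remote_addr", "request.method", "response.status"}))
	fmt.Println(ExtractDelimiter([]byte(SampleCSVLine), ",", []DelimField{{"ip", 0}, {"status", 2}}))
}
```

Only the configured fields are kept, so a line with many key=value pairs does not inflate the result, and a JSON number such as `"status": 401` comes back as the text `401`, which is what a later string comparison in a rule expects.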
Performance tuning: adjust the worker count to the log volume, and tune the read buffer and batching:

```yaml
log_engine:
  workers: 4            # Concurrent processing goroutines
  buffer_size: 4096     # Read buffer size (bytes)
  batch_size: 100       # Process in batches
  batch_timeout: "1s"   # Batch timeout
```
Log Engine exposes Prometheus metrics:

- netxfw_log_lines_processed_total
- netxfw_log_rules_triggered_total
- netxfw_log_blocks_total

Health check endpoint:

```shell
curl http://localhost:11811/api/log-engine/health
```