Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- input {
- tcp {
- port => 5513
- type => paloalto
- }
- }
- ######## PALOALTO FILTER #####################
- filter {
- if [type] == "paloalto" {
- grok {
- patterns_dir => "C:\elk\logstash\vendor\bundle\jruby\1.9\gems\logstash-patterns-core-2.0.5\patterns"
- match => [ "message", "%<%{POSINT}>%{MONTH} %{MONTHDAY} %{TIME} %{GREEDYDATA:palo_message}" ]
- }
- mutate {
- rename => ["palomessage", "message"]
- }
- if [type] == "paloalto" and [message] =~ /TRAFFIC/ {
- csv {
- columns => [ "Domain", "ReceiveTime", "SerialNum #", "Type", "Threat-ContentType", "ConfigVersion", "GenerateTime", "SourceAddress", "DestinationAddress", "NATSourceIP", "NATDestinationIP", "Rule", "SourceUser","DestinationUser","Application","VirtualSystem","SourceZone","DestinationZone","InboundInterface","OutboundInterface","LogAction","TimeLogged","SessionID","RepeatCount","SourcePort","DestinationPort","NATSourcePort","NATDestinationPort","Flags","IPprotocol","Action","Bytes","BytesSent","BytesReceived","Packets","StartTime","ElapsedTimeInSec)","Category","Padding","seqno","actionflags","SourceCountry","DestinationCountry","cpadding","pkts_sent","pkts_received", "session_end_reason"
- ]
- }
- }
- else if [type] == "paloalto" and [message] !~ /TRAFFIC/ {
- csv {
- columns => [ "Domain", "ReceiveTime", "SerialNum", "Type", "Threat-ContentType", "ConfigVersion", "GenerateTime", "SourceAddress", "DestinationAddress", "NATSourceIP", "NATDestinationIP", "Rule", "SourceUser", "DestinationUser", "Application", "VirtualSystem", "SourceZone", "DestinationZone", "InboundInterface", "OutboundInterface", "LogAction", "TimeLogged", "SessionID", "RepeatCount", "SourcePort", "DestinationPort", "NATSourcePort", "NATDestinationPort" , "Flags", "IPprotocol", "Action", "URL", "Threat-ContentName", "Category", "reportid", "Severity", "Direction", "seqno", "actionflags", SourceCountry, "DestinationCountry", "cpadding", "ContentType", "pcap_id", "filedigest", "cloud", "url_idx", "user_agent", "filetype", "xff", "referer", "sender", "subject", "recipient"
- ]
- }
- }
- date {
- timezone => "America/Chicago"
- match => [ "GenerateTime", "YYYY/MM/dd HH:mm:ss" ]
- }
- mutate {
- convert => [ "Bytes", "integer" ]
- convert => [ "BytesReceived", "integer" ]
- convert => [ "BytesSent", "integer" ]
- convert => [ "ElapsedTimeInSec", "integer" ]
- convert => [ "geoip.area_code", "integer" ]
- convert => [ "geoip.dma_code", "integer" ]
- convert => [ "geoip.latitude", "float" ]
- convert => [ "geoip.longitude", "float" ]
- convert => [ "NATDestinationPort", "integer" ]
- convert => [ "NATSourcePort", "integer" ]
- convert => [ "Packets", "integer" ]
- convert => [ "pkts_received", "integer" ]
- convert => [ "pkts_sent", "integer" ]
- convert => [ "seqno", "integer" ]
- gsub => [ "Rule", " ", "_", "Application", "( |-)", "_" ]
- remove_field => [ "message", "raw_message" ]
- }
- ################ GEO LOCATION ######################################
- if [SourceAddress] and [SourceAddress] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
- geoip {
- database => "C:\elk\logstash\GeoLiteCity.dat"
- source => "SourceAddress"
- target => "SourceGeo"
- }
- #Delete 0,0 in SourceGeo.location if equal to 0,0
- if ([SourceGeo.location] and [SourceGeo.location] =~ "0,0") {
- mutate {
- replace => [ "SourceGeo.location", "" ]
- }
- }
- }
- #Geolocate logs that have DestinationAddress and if that DestinationAddress is a non-RFC1918 address
- if [DestinationAddress] and [DestinationAddress] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
- geoip {
- database => "C:\elk\logstash\GeoLiteCity.dat"
- source => "DestinationAddress"
- target => "DestinationGeo"
- }
- #Delete 0,0 in DestinationGeo.location if equal to 0,0
- if ([DestinationGeo.location] and [DestinationGeo.location] =~ "0,0") {
- mutate {
- replace => [ "DestinationAddress.location", "" ]
- }
- }
- }
- #Takes the 5-tuple of source address, source port, destination address, destination port, and protocol and does a SHA1 hash to fingerprint the flow. This is a useful
- #way to be able to do top N terms queries on flows, not just on one field.
- if [SourceAddress] and [DestinationAddress] {
- fingerprint {
- concatenate_sources => true
- method => "SHA1"
- key => "logstash"
- source => [ "SourceAddress", "SourcePort", "DestinationAddress", "DestinationPort", "IPProtocol" ]
- }
- }
- }
- }
- output {
- if [type] == "paloalto" {
- elasticsearch {
- hosts => ["localhost:9200"]
- index => "palo-firewall-%{+YYYY.MM.dd}"
- template => "C:\elk\logstash\elasticsearch-template.json"
- template_overwrite => true
- }
- }
- }
- ################# END OF FILTER ####################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement