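# Logstash filter for kippo (SSH honeypot) logs.
#
# For events of type "kippo": tags them "ssh", splits the log line into a
# timestamp, the bracketed "[service]" header and the remaining message, parses
# the timestamp, and — when the header has the "<service>,<port>,<ip>" shape —
# extracts src_port/src_ip and tags login attempts "credentials". Events whose
# header has no client address are dropped. Any event that ends up with a
# src_ip is enriched with GeoIP city and ASN data.
filter {
  if [type] == "kippo" {
    mutate {
      add_tag => [ "ssh" ]
    }
    # "<timestamp> [<service>] <rest>"; the remainder replaces [message].
    grok {
      match => [ "message", "%{TIMESTAMP_ISO8601:logdate} \[%{DATA:service}\] %{DATA:message}$" ]
      overwrite => [ "message" ]
    }
    date {
      match => [ "logdate", "YYYY-MM-dd HH:mm:ssZ" ]
    }
    # Only headers with three comma-separated parts carry a port and a client
    # address; "-" is treated as "no service" and falls through to the drop.
    if [service] != "-" and [service] =~ /[^,]+,[^,]+,[^,]+/ {
      grok {
        match => [ "service", "%{DATA:service},%{POSINT:src_port},%{IP:src_ip}" ]
        overwrite => [ "service" ]
      }
      if [message] =~ /login attempt \[.*\] (failed|succeeded)/ {
        mutate {
          add_tag => [ "credentials" ]
        }
      }
    } else {
      # drop is a filter plugin in its own right, not a mutate option, so it
      # must be invoked at filter level; nesting it inside mutate is a
      # configuration error and the intended discard never happens.
      drop { }
    }
  }
  if [src_ip] {
    geoip {
      source => "src_ip"
    }
    # Second lookup against the ASN database. Both lookups use the plugin's
    # default target field. NOTE(review): confirm on the deployed Logstash
    # version that the ASN fields are merged into that field rather than
    # replacing the city lookup.
    geoip {
      source => "src_ip"
      database => "/opt/logstash/vendor/geoip/GeoIPASNum.dat"
    }
  }
}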