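  # Content of the file /etc/logstash/conf.d/ossec.log
  # Logstash is on the same machine as OSSEC.
  # Logstash should run with OSSEC group privileges
  # (read access to the alerts log is all this pipeline needs; it never
  # writes under /var/ossec).

  input {
    file {
      type => "OSSEC"
      path => "/var/ossec/logs/alerts/alerts.log"
      # One OSSEC alert spans several lines and the first line starts with
      # "** Alert". Every line that does NOT start with "**" is glued onto
      # the previous event, so the grok patterns below see the whole record.
      codec => multiline {
        pattern => "^\*\*"
        negate => true
        what => "previous"
      }
    }
  }

  filter {
    if [type] == "OSSEC" {
      # Alert header. Two layouts are accepted: "(host) ip->source" for
      # alerts relayed by an agent, and "host->source" for local alerts.
      # Both patterns live in one `match` hash instead of two repeated
      # `match` attributes, so the result does not depend on how the config
      # compiler merges duplicate attributes.
      # A miss here is a real problem: the event keeps its _grokparsefailure
      # tag so unparsed alerts stay visible in the index.
      grok {
        match => {
          "message" => [
            "(?m)\*\* Alert %{DATA}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP} \(%{DATA:reporting_host}\) %{IP:reporting_ip}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}",
            "(?m)\*\* Alert %{DATA}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP} %{DATA:reporting_host}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"
          ]
        }
      }

      # Optional "Src IP / Src Port / Dst IP / Dst Port / User" lines that
      # some rules emit before the payload. Every group is optional and the
      # pattern ends in GREEDYDATA, so it only fails when remaining_message
      # is absent, i.e. when the header grok already failed.
      grok {
        match => {
          "remaining_message" => "(?m)(Src IP: %{IP:src_ip}%{SPACE})?(Src Port: %{NONNEGINT:src_port}%{SPACE})?(Dst IP: %{IP:dst_ip}%{SPACE})?(Dst Port: %{NONNEGINT:dst_port}%{SPACE})?(User: %{USER:user}%{SPACE})?%{GREEDYDATA:real_message}"
        }
      }

      # Best-effort enrichment for a few rule families (yum package
      # changes, syscheck integrity events, arpwatch). Most alerts match
      # none of these, so a miss is expected and must not be reported as a
      # parse failure — hence the empty tag_on_failure.
      grok {
        tag_on_failure => []
        match => {
          "real_message" => [
            "(?m)\S+\syum\S+\sInstalled:\s%{GREEDYDATA:package}",
            "(?m)\S+\syum\S+\sErased:\s%{GREEDYDATA:package}",
            "(?m)\S+\syum\S+\sUpdated:\s%{GREEDYDATA:package}",
            "(?m)Integrity checksum changed for: \'%{PATH:file}\'%{GREEDYDATA}",
            "(?m)File \'%{PATH:file}\' was deleted%{GREEDYDATA}",
            "(?m)\S+\sarpwatch: new station %{IP} %{COMMONMAC:src_mac} %{GREEDYDATA}",
            "(?m)\S+\sarpwatch: bogon %{IP} %{COMMONMAC:src_mac} %{GREEDYDATA}",
            "(?m)\S+\sarpwatch: ethernet mismatch %{IP} %{COMMONMAC:src_mac} %{GREEDYDATA}"
          ]
        }
      }

      mutate {
        # severity is used for numeric range queries downstream.
        # NOTE(review): rule_number, src_port and dst_port are still stored
        # as strings — convert them too if they are ever range-queried.
        convert => [ "severity", "integer" ]
        # "tags" is deliberately kept: it is where the header grok records
        # _grokparsefailure, and dropping it here hid every unparsed alert.
        # The intermediate fields are consumed above and carry no extra
        # information; "path" is always the alerts.log path.
        remove_field => [ "syslog_program", "remaining_message", "path", "real_message" ]
      }

      # GeoIP enrichment only when the rule provided a source address;
      # only the country fields are kept to limit index size.
      if [src_ip] {
        geoip {
          source => "src_ip"
          target => "src_geoip"
          database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
          fields => [ "country_code2", "country_name" ]
        }
      }

      if [dst_ip] {
        geoip {
          source => "dst_ip"
          target => "dst_geoip"
          database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
          fields => [ "country_code2", "country_name" ]
        }
      }
    }
  }

  output {
    if [type] == "OSSEC" {
      elasticsearch {
        # flush_size => 1 ships every alert in its own bulk request. That is
        # fine for OSSEC alert volume; raise it if indexing rate becomes an
        # issue.
        flush_size => 1
        # NOTE(review): "transport" joins the Elasticsearch cluster as a
        # node over the node-to-node port; in this Logstash/Elasticsearch
        # generation that path carries no authentication or TLS of its own
        # unless the cluster adds it — confirm the cluster is reachable only
        # from trusted hosts. Address and cluster name are redacted here.
        protocol => "transport"
        host => "xxx.xxx.xxx.xxx"
        cluster => "xxxxx"
        # Daily indices so old alerts can be aged out per day.
        index => "logstash-ossec-%{+YYYY.MM.dd}"
      }
    }
  }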