ElPengwino

Logstash Config 4-24-18

Apr 24th, 2018
  input {
    # One file input per log source. Every input keeps its own sincedb so
    # read offsets never mix, tags the events with the node, the source name
    # and the parser to apply (log_format, consumed by the filter section),
    # and reads each file from the beginning on first discovery.

    file {
      id => "file_input_img-pdsimage-http"
      path => "/report_service/logs/final/img/img-pdsimage-http/*access_*.log"
      sincedb_path => "/report_service/logstash/sincedb/img/img-pdsimage-http.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-pdsimage-http"
        "log_format" => "apache_combined"
      }
    }

    file {
      id => "file_input_img-pdsimage-ftp"
      path => "/report_service/logs/final/img/img-pdsimage-ftp/xferlog*"
      sincedb_path => "/report_service/logstash/sincedb/img/img-pdsimage-ftp.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-pdsimage-ftp"
        "log_format" => "ftp"
      }
    }

    file {
      id => "file_input_img-ida-http"
      path => "/report_service/logs/final/img/img-ida-http/*access_*.log"
      sincedb_path => "/report_service/logstash/sincedb/img/img-ida-http.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-ida-http"
        "log_format" => "apache_combined"
      }
    }

    file {
      id => "file_input_img-ida-ftp"
      path => "/report_service/logs/final/img/img-ida-ftp/xferlog*"
      sincedb_path => "/report_service/logstash/sincedb/img/img-ida-ftp.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-ida-ftp"
        "log_format" => "ftp"
      }
    }

    file {
      id => "file_input_img-pdsmaps-http"
      path => "/report_service/logs/final/img/img-pdsmaps-http/*access_*.log"
      sincedb_path => "/report_service/logstash/sincedb/img/img-pdsmaps-http.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-pdsmaps-http"
        "log_format" => "apache_combined"
      }
    }

    file {
      id => "file_input_img-planetary-http"
      path => "/report_service/logs/final/img/img-planetary-http/*access_*.log"
      sincedb_path => "/report_service/logstash/sincedb/img/img-planetary-http.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-planetary-http"
        "log_format" => "apache_combined"
      }
    }

    # The pdsimg hosts rotate their logs under a different naming scheme.
    file {
      id => "file_input_img-pdsimg1-http"
      path => "/report_service/logs/final/img/img-pdsimg1-http/access_log.*-*-*.txt"
      sincedb_path => "/report_service/logstash/sincedb/img/img-pdsimg1-http.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-pdsimg1-http"
        "log_format" => "apache_combined"
      }
    }

    file {
      id => "file_input_img-pdsimg2-http"
      path => "/report_service/logs/final/img/img-pdsimg2-http/access_log.*-*-*.txt"
      sincedb_path => "/report_service/logstash/sincedb/img/img-pdsimg2-http.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-pdsimg2-http"
        "log_format" => "apache_combined"
      }
    }

    # pdsimg3 lines lack the auth field of the combined format, so they get
    # the custom HTTPD_MISSINGAUTH pattern in the filter section.
    file {
      id => "file_input_img-pdsimg3-http"
      path => "/report_service/logs/final/img/img-pdsimg3-http/access_log.*-*-*.txt"
      sincedb_path => "/report_service/logstash/sincedb/img/img-pdsimg3-http.sincedb"
      start_position => "beginning"
      ignore_older => 0
      add_field => {
        "node" => "img"
        "log_source" => "img-pdsimg3-http"
        "log_format" => "missing_auth"
      }
    }
  }

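  filter {

    # At this point @timestamp is the ingest time. Keep a copy in index_time so
    # ingestion lag can be measured; the date filter further down replaces
    # @timestamp with the time of the logged request.
    mutate {
      add_field => { "index_time" => "%{@timestamp}" }
    }

    # Parse the request line. The sources are converted to Apache combined
    # format upstream, but not uniformly, so each log_format (set by the file
    # inputs) gets its own pattern. A grok miss leaves the default
    # _grokparsefailure tag on the event; the guards below use the presence of
    # any tag to skip enrichment of unparsed events.
    if [log_format] == "apache_combined" {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
        id => "grok_filter_parse_apache_combinded"
      }
      useragent {
        source => "agent"
        id => "useragent_filter_parse_apache_combinded"
      }
    } else if [log_format] == "missing_auth" {
      grok {
        patterns_dir => [ "./patterns" ]
        match => { "message" => "%{HTTPD_MISSINGAUTH}" }
        id => "grok_filter_parse_missing_auth"
      }
      useragent {
        source => "agent"
        id => "useragent_filter_parse_missing_auth"
      }
    } else if [log_format] == "ftp" {
      # FTP transfer logs carry no user agent, so the adapted pattern is used
      # and crawler detection falls back to the ident field.
      grok {
        patterns_dir => [ "./patterns" ]
        match => { "message" => "%{HTTPD_ADAPTEDLOG}" }
        id => "grok_filter_parse_httpd_adaptedlog"
      }
      # Mark known crawlers; tag_on_failure is emptied so a non-match does not
      # taint the event with a failure tag.
      grok {
        patterns_dir => ["./patterns"]
        match => { "ident" => "%{BOTS}" }
        add_field => { "device" => "Spider" }
        tag_on_failure => []
        id => "grok_filter_ftp_spiders"
      }
    }

    # Geolocate the client, but only for events that parsed cleanly (no tags).
    if ![tags] {
      geoip { source => "clientip" }
    }

    # Reverse-resolve raw client IPs to a hostname. The tag name is misleading:
    # "_clientip_lookup_failure" is added when %{IP} *matches*, i.e. when
    # clientdomain is still a bare address and therefore needs the reverse
    # lookup; the dns filter removes the tag once it has run.
    # Caveat: every unresolved client IP is sent as a PTR query to the public
    # resolvers listed in nameserver, which discloses the full client IP set to
    # a third party and makes ingest throughput depend on external DNS. Point
    # nameserver at an internal resolver if either matters for this data.
    if ![tags] {
      mutate {
        add_field => { "clientdomain" => "%{clientip}" }
      }
      grok {
        match => { "clientdomain" => "%{IP}" }
        add_tag => [ "_clientip_lookup_failure" ]
        tag_on_failure => []
        id => "grok_filter_raw_ip_check"
      }
      if "_clientip_lookup_failure" in [tags] {
        dns {
          action => "replace"
          reverse => [ "clientdomain" ]
          nameserver => [ "8.8.8.8", "8.8.4.4" ]
          remove_tag => [ "_clientip_lookup_failure" ]
          # Small caches bound memory; failures are retried after 60 s.
          hit_cache_size => 1000
          failed_cache_size => 1000
          failed_cache_ttl => 60
        }
      }
    }

    # Second crawler check, on the resolved hostname, for events the
    # user-agent/ident checks did not already classify. The temporary
    # _its_a_bot tag is removed again so it never reaches the output guard.
    if [device] != "Spider" and [clientdomain]{
      grok {
        patterns_dir => ["./patterns"]
        match => { "clientdomain" => "%{BOTS}" }
        tag_on_failure => []
        add_tag => ["_its_a_bot"]
        id => "grok_filter_domain_spiders"
      }
      if "_its_a_bot" in [tags]{
        mutate {
          update => { "device" => "Spider" }
          remove_tag => [ "_its_a_bot" ]
        }
      }
    }

    # Extract the client's top level domain from the resolved hostname.
    tld {
      source => "clientdomain"
    }

    # Parse the request time that grok extracted into "timestamp" and write it
    # to @timestamp (the date filter's default target), replacing the ingest
    # time that was saved in index_time above.
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }

    # Hash the raw line into a stable document id so re-reading a file updates
    # the existing document instead of duplicating it.
    # Caveats: MURMUR3 here is a 32-bit hash, so distinct lines can collide and
    # silently overwrite each other once the corpus is large, and identical
    # lines from different log_source values map to the same id. If either
    # matters, hash a longer digest over log_source plus message - but note
    # that changing the id scheme makes everything already indexed re-ingest
    # as new documents.
    fingerprint {
      source => "message"
      target => "[@metadata][fingerprint]"
      method => "MURMUR3"
    }

    # Drop an empty tags field so that "no tags" reliably means "clean event"
    # for the output section.
    if [tags] == [] {
      mutate {
        remove_field => ["tags"]
      }
    }

  }
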
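  output {
    if [tags] {
      # An event still carrying tags failed parsing or enrichment: dump it in
      # full so the failure can be investigated. This includes the raw message
      # and client address, so stdout should not go anywhere less protected
      # than the logs themselves.
      stdout { codec => "rubydebug" }
    } else {
      # Clean events only echo their source file path as a throughput
      # indicator (the line codec prints %{path}, not a dot).
      stdout { codec => line { format => "%{path}" } }
    }
    # Every event, tagged or not, is indexed; failures stay visible in the
    # index through their tags field.
    # Plain HTTP to a local node with no credentials is only acceptable while
    # Elasticsearch is bound to loopback; a remote or shared cluster needs the
    # ssl and user/password options set here.
    elasticsearch {
      hosts => [ "localhost:9200" ]
      index => "report"
      # Id from the fingerprint filter: re-ingested lines overwrite rather
      # than duplicate.
      document_id => "%{[@metadata][fingerprint]}"
    }
  }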