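# Logstash filter stage for events of [type] "syslog".
#
# Pipeline shape:
#   1. classify  - cheap substring probes on the raw [message] add device tags;
#   2. parse     - exactly ONE parser branch runs, chosen from those tags;
#   3. correlate - FortiGate flow events get a fingerprint of their flow tuple.
#
# Fixes relative to the previous revision of this file:
#   - the closing brace of the "src-traffic-ritm" block had been commented out
#     ("#}"), so the braces no longer balanced and every non-FortiGate parser
#     branch ended up nested inside the FortiGate branch;
#   - `["SourceGeo.location"] => "geo_point"` inside mutate {} is not a valid
#     plugin option and fails config parsing; geo_point is an Elasticsearch
#     mapping and belongs in the index template;
#   - the per-device parsers are now one if / else-if chain, so a FortiGate
#     event no longer falls through to the generic syslog grok after its
#     [message] has been removed (which tagged every FortiGate event
#     _grokparsefailure);
#   - %{SYSLOG5424PRI} stores the PRI in "syslog5424_pri", not "syslog_pri",
#     so syslog_pri {} was always using its default priority for FortiGate;
#   - the "0,0" geo cleanup tested [src_ip.location] / [dst_ip.location],
#     which nothing writes, and the IPS branch blanked
#     "DestinationAddress.location" instead of the DestinationGeo target;
#   - `remove_field => [ "%{vpn_device}" ]` (and "%{ips_device}") removed a
#     field NAMED after the device value, not the field itself;
#   - the raw ASA payload is no longer deleted when its grok fails, so an
#     unparsed line keeps its evidence;
#   - loopback is matched as 127/8 instead of the single address 127.0.0.1,
#     and the single-digit-day syslog form "MMM  d" (two spaces) is accepted
#     by the date filters.
filter {
  if [type] == "syslog" {

    # ---- 1. classify -------------------------------------------------------
    # These probes test the whole payload and are not mutually exclusive. Any
    # value the sender controls (a URL, a username, a free-text msg=) that
    # contains "VPN", "SOC", "IPS" or "printer" adds that tag too and can
    # steer the event into the wrong parser below. Keying on the syslog host
    # or program name would be harder to spoof; left as-is pending a look at
    # the real feeds.
    if "devname" in [message] {
      mutate { add_tag => [ "COUPEFEU", "FORTIGATE" ] }
    }
    if "%ASA-" in [message] {
      mutate { add_tag => [ "Firewall", "ASA" ] }
    }
    if "VPN" in [message] {
      mutate { add_tag => [ "VPN" ] }
    }
    if "SOC" in [message] {
      # informational only: no parser branch keys on this tag
      mutate { add_tag => [ "SOC" ] }
    }
    if "IPS" in [message] {
      mutate { add_tag => [ "IPS" ] }
    }
    if "printer" in [message] {
      mutate { add_tag => [ "hp-printers" ] }
    }

    # ---- 2. parse: one branch per device family ----------------------------
    # When an event carries several of the tags above, the first branch wins.

    # FortiGate: "<PRI>timestamp host key=value key=value ..."
    if "FORTIGATE" in [tags] {
      grok {
        match        => [ "message", "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:kv}" ]
        # header consumed; only the kv remainder is kept (applied on match only)
        remove_field => [ "message", "syslog_timestamp" ]
      }
      syslog_pri {
        # SYSLOG5424PRI names its capture "syslog5424_pri"
        syslog_pri_field_name => "syslog5424_pri"
      }
      kv {
        source       => "kv"
        # "type" would overwrite the event's own [type], the routing key at
        # the top of this filter; "subtype" is dropped alongside it
        exclude_keys => [ "type", "subtype" ]
        field_split  => " "
        value_split  => "="
        # NOTE(review): keys come straight from the payload. An unquoted value
        # the remote side influences (url=, msg=) can inject or duplicate keys
        # such as srcip=; an include_keys allow-list of the FortiOS fields
        # actually used below would close that off.
      }
      date {
        # NOTE(review): nothing above produces "logtimestamp"; it must come
        # out of the kv stage. When absent, @timestamp stays at receive time.
        match        => [ "logtimestamp", "ISO8601" ]
        locale       => "en"
        timezone     => "America/Montreal"
        remove_field => [ "logtimestamp" ]
      }
      mutate {
        # kv yields strings; make the counters numeric so they aggregate
        convert => [ "rcvdbyte", "integer" ]
        convert => [ "countdlp", "integer" ]
        convert => [ "countweb", "integer" ]
        convert => [ "countav", "integer" ]
        convert => [ "countemail", "integer" ]
        convert => [ "countips", "integer" ]
        convert => [ "duration", "integer" ]
        convert => [ "sentpkt", "integer" ]
        convert => [ "rcvdpkt", "integer" ]
        convert => [ "sentbyte", "integer" ]
        convert => [ "shaperdroprcvdbyte", "integer" ]
        convert => [ "shaperdropsentbyte", "integer" ]
        convert => [ "filesize", "integer" ]
        convert => [ "count", "integer" ]
        convert => [ "total", "integer" ]
        convert => [ "totalsession", "integer" ]
        convert => [ "bandwidth", "integer" ]
      }

      # Source side. "Internal" means loopback, RFC1918 or link-local; anything
      # else (including CGNAT 100.64/10, multicast and IPv6) is geolocated and
      # tagged traffic-wan. Internal sources get the RITM tag, which routes
      # them to a second index downstream.
      if [srcip] {
        if [srcip] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            # legacy GeoIP v1 .dat database; geoip plugin 4.x+ reads only .mmdb
            database => "/etc/logstash/GeoLiteCity.dat"
            source   => "srcip"
            target   => "SourceGeo"
            add_tag  => [ "traffic-wan" ]
          }
        } else {
          mutate { add_tag => [ "src-traffic-ritm" ] }
        }
      }
      # Destination side, same rule.
      if [dstip] {
        if [dstip] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            database => "/etc/logstash/GeoLiteCity.dat"
            source   => "dstip"
            target   => "DestinationGeo"
            add_tag  => [ "traffic-wan" ]
          }
        } else {
          mutate { add_tag => [ "dst-traffic-ritm" ] }
        }
      }
    }

    # Cisco ASA: "timestamp host %ASA-<sev>-<id>: ..."
    else if "Firewall" in [tags] {
      grok {
        # strip "timestamp host " and keep the rest as cisco_message
        match     => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:cisco_message}" ]
        add_field => [ "received_at", "%{syslog_timestamp}" ]
      }
      # No PRI is captured in this branch (nor in the ones below): unless the
      # input plugin already set syslog_pri, the filter falls back to its
      # default priority, so syslog_severity here is not meaningful.
      syslog_pri { }
      date {
        match    => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM  d yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "MMM dd yyyy HH:mm:ss" ]
        # NOTE(review): the FortiGate branch uses America/Montreal; a second
        # zone here (and in the VPN/IPS/generic branches) looks like a
        # copy/paste leftover. A ~15h offset wrecks incident timelines;
        # confirm against the ASA's clock.
        timezone => "Australia/Melbourne"
      }
      # parse the ASA message body with the stock CISCOFW patterns
      grok {
        match => [
          "cisco_message", "%{CISCOFW106001}",
          "cisco_message", "%{CISCOFW106006_106007_106010}",
          "cisco_message", "%{CISCOFW106014}",
          "cisco_message", "%{CISCOFW106015}",
          "cisco_message", "%{CISCOFW106021}",
          "cisco_message", "%{CISCOFW106023}",
          "cisco_message", "%{CISCOFW106100}",
          "cisco_message", "%{CISCOFW110002}",
          "cisco_message", "%{CISCOFW302010}",
          "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
          "cisco_message", "%{CISCOFW302020_302021}",
          "cisco_message", "%{CISCOFW305011}",
          "cisco_message", "%{CISCOFW313001_313004_313008}",
          "cisco_message", "%{CISCOFW313005}",
          "cisco_message", "%{CISCOFW402117}",
          "cisco_message", "%{CISCOFW402119}",
          "cisco_message", "%{CISCOFW419001}",
          "cisco_message", "%{CISCOFW419002}",
          "cisco_message", "%{CISCOFW500004}",
          "cisco_message", "%{CISCOFW602303_602304}",
          "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
          "cisco_message", "%{CISCOFW713172}",
          "cisco_message", "%{CISCOFW733100}"
        ]
      }
      # Drop the raw text only once it has been parsed; a line neither grok
      # understood keeps its payload for the analyst.
      if "_grokparsefailure" not in [tags] {
        mutate { remove_field => [ "message", "cisco_message" ] }
      }

      if [src_ip] and [src_ip] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
        geoip {
          database => "/etc/logstash/GeoLiteCity.dat"
          source   => "src_ip"
          target   => "SourceGeo"
        }
        # NOTE(review): the geoip filter normally omits location for an IP it
        # cannot resolve, and location is an array/object rather than the
        # string "0,0" -- confirm this ever matches on this plugin version.
        # The field is removed rather than blanked so a geo_point-mapped
        # field never receives "".
        if [SourceGeo][location] and [SourceGeo][location] =~ "0,0" {
          mutate { remove_field => [ "[SourceGeo][location]" ] }
        }
      }
      if [dst_ip] and [dst_ip] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
        geoip {
          database => "/etc/logstash/GeoLiteCity.dat"
          source   => "dst_ip"
          target   => "DestinationGeo"
        }
        if [DestinationGeo][location] and [DestinationGeo][location] =~ "0,0" {
          mutate { remove_field => [ "[DestinationGeo][location]" ] }
        }
      }
    }

    # VPN access log: "timestamp device program --> passcode --> concentrator
    # --> user --> client --> <word> status"
    else if "VPN" in [tags] {
      grok {
        match => { "message" =>
          "%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{IP:vpn_device}%{SPACE}%{WORD:syslog_program}%{SPACE}\-\-\>%{WORD:passcode}%{SPACE}\-\-\>%{HOSTNAME:vpn_concentrator}%{SPACE}\-\-\>%{USERNAME:username}%{SPACE}\-\-\>%{IP:client_ip}%{SPACE}\-\-\>%{WORD}%{SPACE}%{WORD:status}" }
        # NOTE(review): "passcode" is indexed verbatim. If this is a one-time
        # code or any credential fragment it should be dropped or hashed
        # before it reaches the index.
        add_field    => {
          "received_at"   => "%{@timestamp}"
          "received_from" => "%{vpn_device}"
        }
        # the device address now lives in received_from
        remove_field => [ "vpn_device" ]
      }
      syslog_pri { }
      date {
        match    => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM  d yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "MMM dd yyyy HH:mm:ss" ]
        timezone => "Australia/Melbourne"
      }
      # client_ip is looked up unconditionally (no private-range guard) with
      # the plugin's bundled database, unlike the other branches
      geoip {
        source => "client_ip"
      }
    }

    # IPS alerts. Two shapes: with src/dst IPs, or with two "not applicable"
    # placeholders in their place (the second pattern stores both into one
    # array field).
    else if "IPS" in [tags] {
      grok {
        match => [
          "message", "%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{IP:ips}%{SPACE}%{WORD:syslog_program}:%{SPACE}%{WORD:ips_device}\-\-\>%{USERNAME:attack_name}:%{SPACE}%{GREEDYDATA:attack_type}\-\-\>%{WORD:severity_rating}\-\-\>%{IP:src_ip}\-\-\>%{IP:dst_ip}-\-\>%{WORD:direction}",
          "message", "%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{IP:ips}%{SPACE}%{WORD:syslog_program}:%{SPACE}%{WORD:ips_device}\-\-\>%{USERNAME:attack_name}:%{SPACE}%{GREEDYDATA:attack_type}\-\-\>%{WORD:severity_rating}\-\-\>%{GREEDYDATA:not_applicable}\-\-\>%{GREEDYDATA:not_applicable}-\-\>%{WORD:direction}"
        ]
        add_field    => {
          "received_at"   => "%{@timestamp}"
          "received_from" => "%{ips_device}"
        }
        # the device name now lives in received_from
        remove_field => [ "ips_device" ]
      }
      syslog_pri { }
      date {
        match    => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM  d yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "MMM dd yyyy HH:mm:ss" ]
        timezone => "Australia/Melbourne"
      }
      if [src_ip] and [src_ip] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
        geoip {
          database => "/etc/logstash/GeoLiteCity.dat"
          source   => "src_ip"
          target   => "SourceGeo"
        }
        # same "0,0" caveat as in the ASA branch
        if [SourceGeo][location] and [SourceGeo][location] =~ "0,0" {
          mutate { remove_field => [ "[SourceGeo][location]" ] }
        }
      }
      if [dst_ip] and [dst_ip] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
        geoip {
          database => "/etc/logstash/GeoLiteCity.dat"
          source   => "dst_ip"
          target   => "DestinationGeo"
        }
        if [DestinationGeo][location] and [DestinationGeo][location] =~ "0,0" {
          mutate { remove_field => [ "[DestinationGeo][location]" ] }
        }
      }
    }

    # HP printers: standard syslog header, then a ';'-separated body whose
    # first token is the event text and second the name.
    else if "hp-printers" in [tags] {
      grok {
        match     => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        add_field => [ "received_at", "%{@timestamp}" ]
      }
      syslog_pri { }
      kv {
        source      => "syslog_message"
        # field_split is a SET of single-character delimiters: this splits on
        # ';' and on ' ' alike, not on the two-character string "; "
        field_split => "; "
      }
      # Kept as separate mutate {} blocks on purpose: inside one mutate the
      # rename runs before the split, which would leave nothing to rename.
      mutate { split => { "syslog_message" => ";" } }
      mutate {
        rename       => [
          "[syslog_message][0]", "event",
          "[syslog_message][1]", "name"
        ]
        # remaining tokens are dropped; the kv pass above already took its pairs
        remove_field => "syslog_message"
      }
      if [event] =~ /Security/ {
        # "Security: <detail>"  ->  event_security = "<detail>"
        mutate { split => { "event" => ": " } }
        mutate {
          remove_field => "[event][0]"
          rename       => [ "[event][1]", "event_security" ]
        }
      }
      mutate { remove_field => [ "message" ] }
      # Map the event text to a severity through a per-outcome dictionary;
      # unknown events get the literal "no match" as their severity.
      # NOTE(review): [outcome] presumably comes from the kv pass above --
      # confirm against a sample line.
      if [outcome] == "success" {
        translate {
          field           => "event"
          destination     => "syslog_severity"
          override        => true
          fallback        => "no match"
          dictionary_path => "/etc/logstash/hp_patterns_success.yml"
        }
      } else if [outcome] == "failure" {
        translate {
          field           => "event"
          destination     => "syslog_severity"
          override        => true
          fallback        => "no match"
          dictionary_path => "/etc/logstash/hp_patterns_failure.yml"
        }
      }
      date {
        # no timezone given here: the Logstash host's zone applies, unlike the
        # other branches
        match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
    }

    # Anything else: plain RFC3164-style syslog.
    else {
      grok {
        match     => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        add_field => [ "received_at", "%{syslog_timestamp}" ]
      }
      syslog_pri { }
      date {
        match    => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM  d yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "MMM dd yyyy HH:mm:ss" ]
        timezone => "Australia/Melbourne"
      }
      # sshd error lines: pull the first IP out of the body and geolocate it
      # with the plugin's bundled database.
      # NOTE(review): "err sshd" as a program name looks odd -- %{DATA} can
      # swallow a severity word before "sshd"; check against a sample line.
      if [syslog_program] == "err sshd" {
        grok {
          match => { "syslog_message" => "%{IP:target_ip}" }
        }
        geoip {
          source => "target_ip"
        }
      }
    }

    # ---- 3. correlate ------------------------------------------------------
    # Stable id of the flow (src, dst, dport, proto) for tying FortiGate
    # events of one session together. The key is a public literal, so this is
    # a correlation id, not a tamper-evident MAC. dstport/protocol are not
    # required by the guard; when missing they are simply left out of the
    # concatenation.
    if "FORTIGATE" in [tags] and [srcip] and [dstip] {
      fingerprint {
        concatenate_sources => true
        method              => "SHA1"
        key                 => "logstash"
        source              => [ "srcip", "dstip", "dstport", "protocol" ]
      }
    }
  }
}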