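  filter {
    # Everything below applies only to events the input tagged with type "syslog".
    if [type] == "syslog" {

      # --- Stage 1: classify the event by device family. -----------------------
      # Each check is a plain substring test on the whole raw line, so a line that
      # merely mentions "VPN", "SOC" or "IPS" somewhere is tagged as well.
      # The tags select the parser in stage 2: the FORTIGATE block runs on its own,
      # then the Firewall / VPN / IPS / hp-printers / default chain picks one branch.
      if "devname" in [message] {
        mutate {
          add_tag => [ "COUPEFEU", "FORTIGATE" ]
        }
      }
      if "%ASA-" in [message] {
        mutate {
          add_tag => [ "Firewall", "ASA" ]
        }
      }
      if "VPN" in [message] {
        mutate {
          add_tag => [ "VPN" ]
        }
      }
      if "SOC" in [message] {
        mutate {
          add_tag => [ "SOC" ]
        }
      }
      if "IPS" in [message] {
        mutate {
          add_tag => [ "IPS" ]
        }
      }
      if "printer" in [message] {
        mutate {
          add_tag => [ "hp-printers" ]
        }
      }

      # --- Stage 2a: FortiGate (key=value payload behind the syslog header). ----
      if "FORTIGATE" in [tags] {
        grok {
          match => [ "message", "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:kv}" ]
          # Removed only on a successful match. The event time below comes from the
          # device's own logtimestamp field, not from the syslog header timestamp.
          remove_field => [ "message", "syslog_timestamp" ]
          # remove_field => ["type"]
        }
        # NOTE(review): SYSLOG5424PRI captures the priority as syslog5424_pri,
        # whereas syslog_pri reads the syslog_pri field unless syslog_pri_field_name
        # is set - confirm which field the input actually provides.
        syslog_pri { }

        # Every key=value pair of the payload becomes an event field, so the log
        # line itself chooses the field names. "type" and "subtype" are excluded
        # because a "type" key would overwrite the event type used for routing;
        # no other field the pipeline relies on later is protected here.
        kv {
          source => "kv"
          exclude_keys => [ "type", "subtype" ]
          field_split => " "
          value_split => "="
        }

        # Event time from the device's logtimestamp (ISO 8601, Montreal local time);
        # the field is dropped once it has been parsed.
        date {
          match => [ "logtimestamp", "ISO8601" ]
          locale => "en"
          timezone => "America/Montreal"
          remove_field => [ "logtimestamp" ]
        }

        # kv leaves every value as a string; convert the counters so they can be
        # aggregated numerically.
        mutate {
          convert => [ "rcvdbyte", "integer" ]
          convert => [ "countdlp", "integer" ]
          convert => [ "countweb", "integer" ]
          convert => [ "countav", "integer" ]
          convert => [ "countemail", "integer" ]
          convert => [ "countips", "integer" ]
          convert => [ "duration", "integer" ]
          convert => [ "sentpkt", "integer" ]
          convert => [ "rcvdpkt", "integer" ]
          convert => [ "sentbyte", "integer" ]
          convert => [ "shaperdroprcvdbyte", "integer" ]
          convert => [ "shaperdropsentbyte", "integer" ]
          convert => [ "filesize", "integer" ]
          convert => [ "count", "integer" ]
          convert => [ "total", "integer" ]
          convert => [ "totalsession", "integer" ]
          convert => [ "bandwidth", "integer" ]
          #rename => { "type" => "ftg-type" }
        }

        # Geolocate srcip unless it is RFC1918, loopback or link-local (APIPA).
        # The pattern excludes only 127.0.0.1, not the whole 127/8 range.
        if [srcip] and [srcip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            database => "/etc/logstash/GeoLiteCity.dat"
            source => "srcip"
            target => "SourceGeo"
            add_tag => [ "traffic-wan" ]
          }
        }

        # Tag internal (RITM) source traffic so it can be routed to a second index.
        if [srcip] and [srcip] =~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          mutate {
            add_tag => [ "src-traffic-ritm" ]
            # ["SourceGeo.location"] => "geo_point"
            # The line above is not valid attribute syntax (the config would not
            # load) and mutate has no geo_point conversion: declare
            # SourceGeo.location as geo_point in the Elasticsearch index template.
          }
          # Delete 0,0 in SourceGeo.location if equal to 0,0
          #if ([srcip.location] and [srcip.location] =~ "0,0") {
          #  mutate {
          #    ["SourceGeo.location"] => "geo_point"
          #  }
          #}
        }
        # The brace above must stay uncommented: it closes the srcip block so that
        # the dstip blocks are its siblings and the FORTIGATE branch closes below.
        # Without it the whole parser chain nests inside this branch and the
        # outer "filter {" is never closed.

        # Geolocate dstip unless it is RFC1918, loopback or link-local (APIPA).
        if [dstip] and [dstip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            database => "/etc/logstash/GeoLiteCity.dat"
            source => "dstip"
            target => "DestinationGeo"
            add_tag => [ "traffic-wan" ]
          }
        }

        # Tag internal (RITM) destination traffic for the second index.
        if [dstip] and [dstip] =~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          mutate {
            add_tag => [ "dst-traffic-ritm" ]
            # ["DestinationGeo.location"] => "geo_point"
            # Same as for SourceGeo: not valid here, belongs in the index template.
          }
          # Delete 0,0 in DestinationGeo.location if equal to 0,0
          #if ([dstip.location] and [dstip.location] =~ "0,0") {
          #  mutate {
          #    ["DestinationGeo.location"] => "geo_point"
          #  }
          #}
        }
      }

      # --- Stage 2b: parser chain, one branch per tag. -------------------------
      # An event carrying several of these tags is parsed by the first matching
      # branch only (e.g. "Firewall" wins over "IPS").

      # Cisco ASA
      if "Firewall" in [tags] {
        grok {
          # Strip the syslog timestamp and host; the remainder is the ASA message.
          #patterns_dir => "/opt/logstash/patterns"
          match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:cisco_message}" ]
          add_field => [ "received_at", "%{syslog_timestamp}" ]
        }
        syslog_pri { }
        date {
          match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
          # NOTE(review): the FortiGate branch uses America/Montreal; confirm the
          # zone these devices actually log in.
          timezone => "Australia/Melbourne"
        }

        # Match the ASA message against the bundled CISCOFW message patterns.
        grok {
          # patterns_dir => "/opt/logstash/patterns"
          # break_on_match => false
          match => [
            "cisco_message", "%{CISCOFW106001}",
            "cisco_message", "%{CISCOFW106006_106007_106010}",
            "cisco_message", "%{CISCOFW106014}",
            "cisco_message", "%{CISCOFW106015}",
            "cisco_message", "%{CISCOFW106021}",
            "cisco_message", "%{CISCOFW106023}",
            "cisco_message", "%{CISCOFW106100}",
            "cisco_message", "%{CISCOFW110002}",
            "cisco_message", "%{CISCOFW302010}",
            "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
            "cisco_message", "%{CISCOFW302020_302021}",
            "cisco_message", "%{CISCOFW305011}",
            "cisco_message", "%{CISCOFW313001_313004_313008}",
            "cisco_message", "%{CISCOFW313005}",
            "cisco_message", "%{CISCOFW402117}",
            "cisco_message", "%{CISCOFW402119}",
            "cisco_message", "%{CISCOFW419001}",
            "cisco_message", "%{CISCOFW419002}",
            "cisco_message", "%{CISCOFW500004}",
            "cisco_message", "%{CISCOFW602303_602304}",
            "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
            "cisco_message", "%{CISCOFW713172}",
            "cisco_message", "%{CISCOFW733100}"
          ]
        }
        mutate {
          remove_field => [ "message", "cisco_message" ]
        }

        # Geolocate src_ip unless it is RFC1918, loopback or link-local (APIPA).
        if [src_ip] and [src_ip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            database => "/etc/logstash/GeoLiteCity.dat"
            source => "src_ip"
            target => "SourceGeo"
            # add_tag => [ "geoip" ]
          }
          # Blank a 0,0 location (no coordinates known). The geoip target is
          # SourceGeo, so the coordinates live at [SourceGeo][location]; a dotted
          # name inside a single pair of brackets would address a top-level field
          # literally called "SourceGeo.location", which geoip never creates.
          # NOTE(review): whether the "0,0" regex ever matches depends on how this
          # geoip version stores location (array vs. object); verify on a real event.
          if ([SourceGeo][location] and [SourceGeo][location] =~ "0,0") {
            mutate {
              replace => [ "[SourceGeo][location]", "" ]
            }
          }
        }

        # Geolocate dst_ip unless it is RFC1918, loopback or link-local (APIPA).
        if [dst_ip] and [dst_ip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            database => "/etc/logstash/GeoLiteCity.dat"
            source => "dst_ip"
            target => "DestinationGeo"
            # add_tag => [ "geoip" ]
          }
          # Same 0,0 handling as for SourceGeo above.
          if ([DestinationGeo][location] and [DestinationGeo][location] =~ "0,0") {
            mutate {
              replace => [ "[DestinationGeo][location]", "" ]
            }
          }
        }
      }
      # VPN access log: fields separated by "-->" after the syslog header.
      else if "VPN" in [tags] {
        grok {
          match => { "message" =>
            "%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{IP:vpn_device}%{SPACE}%{WORD:syslog_program}%{SPACE}\-\-\>%{WORD:passcode}%{SPACE}\-\-\>%{HOSTNAME:vpn_concentrator}%{SPACE}\-\-\>%{USERNAME:username}%{SPACE}\-\-\>%{IP:client_ip}%{SPACE}\-\-\>%{WORD}%{SPACE}%{WORD:status}"}
          # NOTE(review): "passcode" is indexed as a searchable field; if it is a
          # credential or one-time token rather than a policy name, drop or hash it.
          add_field => [ "received_at", "%{@timestamp}" ]
          add_field => [ "received_from", "%{vpn_device}" ]
          # add_field runs before remove_field, so received_from keeps the value.
          # A bare field name is required here: "%{vpn_device}" would expand to the
          # device address and try to remove a field of that name instead.
          remove_field => [ "vpn_device" ]
        }
        syslog_pri { }
        date {
          match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
          timezone => "Australia/Melbourne"
        }
        # if "_grokparsefailure" in [tags] {
        #   drop { }
        #}
        # Client address is geolocated unconditionally (no private-range check here).
        geoip {
          source => "client_ip"
        }
      }
      # IPS alerts: two layouts, the second with placeholders instead of addresses.
      else if "IPS" in [tags] {
        grok {
          match => [
            "message", "%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{IP:ips}%{SPACE}%{WORD:syslog_program}:%{SPACE}%{WORD:ips_device}\-\-\>%{USERNAME:attack_name}:%{SPACE}%{GREEDYDATA:attack_type}\-\-\>%{WORD:severity_rating}\-\-\>%{IP:src_ip}\-\-\>%{IP:dst_ip}-\-\>%{WORD:direction}",
            "message", "%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{IP:ips}%{SPACE}%{WORD:syslog_program}:%{SPACE}%{WORD:ips_device}\-\-\>%{USERNAME:attack_name}:%{SPACE}%{GREEDYDATA:attack_type}\-\-\>%{WORD:severity_rating}\-\-\>%{GREEDYDATA:not_applicable}\-\-\>%{GREEDYDATA:not_applicable}-\-\>%{WORD:direction}"
          ]
          add_field => [ "received_at", "%{@timestamp}" ]
          add_field => [ "received_from", "%{ips_device}" ]
          # Bare field name, same reason as in the VPN branch.
          remove_field => [ "ips_device" ]
        }
        #
        syslog_pri { }
        date {
          match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
          timezone => "Australia/Melbourne"
        }
        # Geolocate src_ip unless it is RFC1918, loopback or link-local (APIPA).
        if [src_ip] and [src_ip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            database => "/etc/logstash/GeoLiteCity.dat"
            source => "src_ip"
            target => "SourceGeo"
          }
          # Same 0,0 handling as in the ASA branch (nested field reference).
          if ([SourceGeo][location] and [SourceGeo][location] =~ "0,0") {
            mutate {
              replace => [ "[SourceGeo][location]", "" ]
            }
          }
        }
        # Geolocate dst_ip unless it is RFC1918, loopback or link-local (APIPA).
        if [dst_ip] and [dst_ip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
          geoip {
            database => "/etc/logstash/GeoLiteCity.dat"
            source => "dst_ip"
            target => "DestinationGeo"
          }
          # The replace target is DestinationGeo, matching the condition and the
          # geoip target (it previously named a non-existent DestinationAddress).
          if ([DestinationGeo][location] and [DestinationGeo][location] =~ "0,0") {
            mutate {
              replace => [ "[DestinationGeo][location]", "" ]
            }
          }
        }
      }
      # HP printers: syslog line whose body is "key: value; key: value; ...".
      else if "hp-printers" in [tags] {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => [ "received_at", "%{@timestamp}" ]
          # add_field => [ "received_from", "%{host}" ]
        }
        syslog_pri { }
        # NOTE(review): kv's field_split is a set of single-character delimiters,
        # so "; " splits on ';' and on ' ' alike - confirm that is intended.
        kv {
          source => "syslog_message"
          field_split => "; "
        }
        # The first two ';'-separated segments become event and name; the rest of
        # syslog_message is discarded afterwards.
        mutate {
          split => { "syslog_message" => ";" }
        }
        mutate {
          rename => [
            "[syslog_message][0]", "event",
            "[syslog_message][1]", "name"
          ]
          remove_field => [ "[syslog_message][0]", "syslog_message" ]
        }
        # "Security: <detail>" events keep the detail part as event_security.
        if [event] =~ /Security/ {
          mutate {
            split => { "event" => ": " }
          }
          mutate {
            remove_field => "[event][0]"
            rename => [
              "[event][1]", "event_security"
            ]
          }
        }
        mutate {
          remove_field => [ "message" ]
        }
        # if [syslog_severity] == "Very Low" {
        #   mutate {
        #     replace => { "syslog_severity" => "very_low" }
        #   }
        #}
        # mutate {
        #   lowercase => [ "syslog_severity" ]
        # }
        # Map the event text to a severity through a per-outcome dictionary;
        # override => true replaces whatever syslog_pri put in syslog_severity.
        if [outcome] == "success" {
          translate {
            field => "event"
            destination => "syslog_severity"
            override => true
            fallback => "no match"
            dictionary_path => "/etc/logstash/hp_patterns_success.yml"
          }
        } else if [outcome] == "failure" {
          translate {
            field => "event"
            destination => "syslog_severity"
            override => true
            fallback => "no match"
            dictionary_path => "/etc/logstash/hp_patterns_failure.yml"
          }
        }

        # No timezone is set here, unlike the other branches.
        date {
          match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
      # Anything else: generic syslog line.
      else {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
          }
          add_field => [ "received_at", "%{syslog_timestamp}" ]
          # add_field => [ "received_from", "%{host}" ]
        }
        syslog_pri { }
        date {
          match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
          timezone => "Australia/Melbourne"
        }
        # if "_grokparsefailure" in [tags] {
        #   drop { }
        #}

        # sshd errors: pull an IP out of the message and geolocate it. The grok
        # pattern is unanchored, so the first IP-looking token in the line wins.
        if [syslog_program] == "err sshd" {
          grok {
            match => { "syslog_message" => "%{IP:target_ip}"
            }
          }
          geoip {
            source => "target_ip"
          }
        }
      }

      # Stable flow identifier for FortiGate sessions: keyed SHA1 over the
      # concatenated 4-tuple, written to the plugin's default target field.
      # The key is not a secret here; it only has to be identical on every node
      # so that the same flow always yields the same fingerprint.
      if "FORTIGATE" in [tags] and [srcip] and [dstip] {
        fingerprint {
          concatenate_sources => true
          method => "SHA1"
          key => "logstash"
          source => [ "srcip", "dstip", "dstport", "protocol" ]
        }
      }
    }
  }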