  1. File 1:
  2. 01-inputs.conf
  3.  
  4. #tcp syslog stream via 5140
  5. input {
  6. tcp {
  7. type => "syslog"
  8. port => 5140
  9. }
  10. }
  11. #udp syslogs stream via 5140
  12. input {
  13. udp {
  14. type => "syslog"
  15. port => 5140
  16. }
  17. }
  18.  
  19.  
  20. File 2:
  21. 30-outputs.conf
  22.  
  23. output {
  24. elasticsearch {
  25.  
  26. hosts => localhost
  27.  
  28. index => "logstash-%{+YYYY.MM.dd}" }
  29. # stdout { codec => rubydebug }
  30. }
  31.  
  32. File 3:
  33. 11-pfsense.conf
  34.  
  35. filter {
  36. if "PFSense" in [tags] {
  37. grok {
  38. add_tag => [ "firewall" ]
  39. match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
  40. }
  41. mutate {
  42. gsub => ["datetime"," "," "]
  43. }
  44. date {
  45. match => [ "datetime", "MMM dd HH:mm:ss" ]
  46. timezone => "America/New_York"
  47. }
  48. mutate {
  49. replace => [ "message", "%{msg}" ]
  50. }
  51. mutate {
  52. remove_field => [ "msg", "datetime" ]
  53. }
  54. }
  55. if [prog] =~ /^filterlog$/ {
  56. mutate {
  57. remove_field => [ "msg", "datetime" ]
  58. }
  59. grok {
  60. patterns_dir => "/etc/logstash/conf.d/patterns"
  61. match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
  62. "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv4_SPECIFIC_DATA_ECN}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}" ]
  63. }
  64. mutate {
  65. lowercase => [ 'proto' ]
  66. }
  67. geoip {
  68. add_tag => [ "GeoIP" ]
  69. source => "src_ip"
  70. # Optional GeoIP database
  71.  
  72.  
  73.  
  74.  
  75. # Comment out the below if you do not wise to utilize and omit last three steps dealing with (recommended) suffix
  76. database => "/etc/logstash/GeoLite2-City.mmdb"
  77. }
  78. }
  79. }
  80.  
  81. File 4:
  82. pfsense2-2.grok
  83.  
  84. # GROK match pattern for logstash.conf filter: %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}
  85.  
  86.  
  87. # GROK Custom Patterns (add to patterns directory and reference in GROK filter for pfSense events):
  88.  
  89.  
  90. # GROK Patterns for pfSense 2.3 Logging Format
  91. #
  92. # Created 27 Jan 2015 by J. Pisano (Handles TCP, UDP, and ICMP log entries)
  93. # Edited 14 Feb 2015 by Elijah Paul elijah.paul@gmail.com
  94. # Edited 10 Mar 2015 by Bernd Zeimetz <bernd@bzed.de>
  95. # taken from https://gist.github.com/elijahpaul/f5f32d4e914dcb7fedd2
  96. # - adding PFSENSE_ prefix
  97. # - adding carp patterns
  98. #
  99. # Usage: Use with following GROK match pattern
  100. #
  101. # %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}
  102.  
  103.  
  104. PFSENSE_LOG_DATA (%{INT:rule}),(%{INT:sub_rule}),,(%{INT:tracker}),(%{WORD:iface}),(%{WORD:reason}),(%{WORD:action}),(%{WORD:direction}),(%{INT:ip_ver}),
  105. PFSENSE_IP_SPECIFIC_DATA (%{PFSENSE_IPv4_SPECIFIC_DATA}|%{PFSENSE_IPv6_SPECIFIC_DATA})
  106. PFSENSE_IPv4_SPECIFIC_DATA (%{BASE16NUM:tos}),,(%{INT:ttl}),(%{INT:id}),(%{INT:offset}),(%{WORD:flags}),(%{INT:proto_id}),(%{WORD:proto}),
  107. PFSENSE_IPv4_SPECIFIC_DATA_ECN (%{BASE16NUM:tos}),(%{INT:ecn}),(%{INT:ttl}),(%{INT:id}),(%{INT:offset}),(%{WORD:flags}),(%{INT:proto_id}),(%{WORD:proto}),
  108. PFSENSE_IPv6_SPECIFIC_DATA (%{BASE16NUM:class}),(%{DATA:flow_label}),(%{INT:hop_limit}),(%{WORD:proto}),(%{INT:proto_id}),
  109. PFSENSE_IP_DATA (%{INT:length}),(%{IP:src_ip}),(%{IP:dest_ip}),
  110. PFSENSE_PROTOCOL_DATA (%{PFSENSE_TCP_DATA}|%{PFSENSE_UDP_DATA}|%{PFSENSE_ICMP_DATA}|%{PFSENSE_CARP_DATA})
  111. PFSENSE_TCP_DATA (%{INT:src_port}),(%{INT:dest_port}),(%{INT:data_length}),(%{WORD:tcp_flags}),(%{INT:sequence_number}),(%{INT:ack_number}),(%{INT:tcp_window}),(%{DATA:urg_data}),(%{DATA:tcp_options})
  112. PFSENSE_UDP_DATA (%{INT:src_port}),(%{INT:dest_port}),(%{INT:data_length})
  113. PFSENSE_ICMP_DATA (%{PFSENSE_ICMP_TYPE}%{PFSENSE_ICMP_RESPONSE})
  114. PFSENSE_ICMP_TYPE (?<icmp_type>(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),
  115. PFSENSE_ICMP_RESPONSE (%{PFSENSE_ICMP_ECHO_REQ_REPLY}|%{PFSENSE_ICMP_UNREACHPORT}| %{PFSENSE_ICMP_UNREACHPROTO}|%{PFSENSE_ICMP_UNREACHABLE}|%{PFSENSE_ICMP_NEED_FLAG}|%{PFSENSE_ICMP_TSTAMP}|%{PFSENSE_ICMP_TSTAMP_REPLY})
  116. PFSENSE_ICMP_ECHO_REQ_REPLY (%{INT:icmp_echo_id}),(%{INT:icmp_echo_sequence})
  117. PFSENSE_ICMP_UNREACHPORT (%{IP:icmp_unreachport_dest_ip}),(%{WORD:icmp_unreachport_protocol}),(%{INT:icmp_unreachport_port})
  118. PFSENSE_ICMP_UNREACHPROTO (%{IP:icmp_unreach_dest_ip}),(%{WORD:icmp_unreachproto_protocol})
  119. PFSENSE_ICMP_UNREACHABLE (%{GREEDYDATA:icmp_unreachable})
  120. PFSENSE_ICMP_NEED_FLAG (%{IP:icmp_need_flag_ip}),(%{INT:icmp_need_flag_mtu})
  121. PFSENSE_ICMP_TSTAMP (%{INT:icmp_tstamp_id}),(%{INT:icmp_tstamp_sequence})
  122. PFSENSE_ICMP_TSTAMP_REPLY (%{INT:icmp_tstamp_reply_id}),(%{INT:icmp_tstamp_reply_sequence}),(%{INT:icmp_tstamp_reply_otime}),(%{INT:icmp_tstamp_reply_rtime}),(%{INT:icmp_tstamp_reply_ttime})
  123.  
  124.  
  125. PFSENSE_CARP_DATA (%{WORD:carp_type}),(%{INT:carp_ttl}),(%{INT:carp_vhid}),(%{INT:carp_version}),(%{INT:carp_advbase}),(%{INT:carp_advskew})
  126.  
  127.  
  128. DHCPD (%{DHCPDISCOVER}|%{DHCPOFFER}|%{DHCPREQUEST}|%{DHCPACK}|%{DHCPINFORM}|%{DHCPRELEASE})
  129. DHCPDISCOVER %{WORD:dhcp_action} from %{COMMONMAC:dhcp_client_mac}%{SPACE}(\(%{GREEDYDATA:dhcp_client_hostname}\))? via (?<dhcp_client_vlan>[0-9a-z_]*)(: %{GREEDYDATA:dhcp_load_balance})?
  130. DHCPOFFER %{WORD:dhcp_action} on %{IPV4:dhcp_client_ip} to %{COMMONMAC:dhcp_client_mac}%{SPACE}(\(%{GREEDYDATA:dhcp_client_hostname}\))? via (?<dhcp_client_vlan>[0-9a-z_]*)
  131. DHCPREQUEST %{WORD:dhcp_action} for %{IPV4:dhcp_client_ip}%{SPACE}(\(%{IPV4:dhcp_ip_unknown}\))? from %{COMMONMAC:dhcp_client_mac}%{SPACE}(\(%{GREEDYDATA:dhcp_client_hostname}\))? via (?<dhcp_client_vlan>[0-9a-z_]*)(: %{GREEDYDATA:dhcp_request_message})?
  132. DHCPACK %{WORD:dhcp_action} on %{IPV4:dhcp_client_ip} to %{COMMONMAC:dhcp_client_mac}%{SPACE}(\(%{GREEDYDATA:dhcp_client_hostname}\))? via (?<dhcp_client_vlan>[0-9a-z_]*)
  133. DHCPINFORM %{WORD:dhcp_action} from %{IPV4:dhcp_client_ip} via %(?<dhcp_client_vlan>[0-9a-z_]*)
  134. DHCPRELEASE %{WORD:dhcp_action} of %{IPV4:dhcp_client_ip} from %{COMMONMAC:dhcp_client_mac}%{SPACE}(\(%{GREEDYDATA:dhcp_client_hostname}\))? via