- GNU nano 3.2 /etc/logstash/conf.d/suricata.conf
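# Logstash pipeline for Suricata EVE JSON forwarded by Beats: set @timestamp
# from the Suricata event, derive a short file type for fileinfo events,
# enrich with GeoIP, and index into a local Elasticsearch.
input {
  beats {
    port => 5044
    codec => "json_lines"
    #codec => json
    # NOTE(review): this listener is plaintext. If Beats agents connect over a
    # network rather than loopback, enable TLS on the input, e.g.
    #   ssl => true
    #   ssl_certificate => "<path-to-cert.pem>"   # placeholder, set per host
    #   ssl_key => "<path-to-key.pem>"            # placeholder, set per host
  }
}

filter {
  if [application] == "suricata" {
    # Use the Suricata event's own ISO8601 "timestamp" as @timestamp.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # For fileinfo events, derive [fileinfo][type] from the first
    # comma-separated component of the libmagic description.
    # Uses event.get/event.set: the legacy event['field'] accessor was
    # deprecated in Logstash 5 and is not available in later releases.
    # Guarded so a fileinfo event with no [fileinfo][magic] is left untouched
    # instead of raising inside the ruby filter (which would only tag the
    # event _rubyexception and leave [fileinfo][type] unset anyway).
    ruby {
      code => "if event.get('event_type') == 'fileinfo'; magic = event.get('[fileinfo][magic]'); event.set('[fileinfo][type]', magic.to_s.split(',')[0]) unless magic.nil?; end;"
    }
  }

  # GeoIP enrichment applies to every event, not only Suricata ones.
  # Look up src_ip first; fall back to dest_ip only when the src_ip lookup
  # produced no [geoip][ip] (as kept from the original, the fallback is
  # nested inside the src_ip branch, so events with only a dest_ip are not
  # enriched).
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      # Two add_field entries on the same key build an array. Keep the
      # [longitude, latitude] order: that is the array form Elasticsearch
      # expects for a geo_point.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    # FIX: the original condition was `![geoip.ip]`, which refers to a
    # top-level field literally named "geoip.ip" and so was always true. That
    # made the dest_ip lookup run for every event carrying dest_ip,
    # overwriting the src_ip result and appending a second coordinate pair.
    # Nested fields are referenced as [geoip][ip].
    if ![geoip][ip] {
      if [dest_ip] {
        geoip {
          source => "dest_ip"
          target => "geoip"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

output {
  # Unauthenticated, plaintext connection; acceptable only while
  # Elasticsearch is bound to loopback on this host.
  elasticsearch { hosts => ["localhost:9200"] }
  #stdout { codec => rubydebug }
}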