## Input for rsyslog forwarders (JSON over plain TCP)
# NOTE(review): this listener has no TLS and no client authentication, so any
# host that can reach 192.168.0.2:10514 can inject events. Because the codec
# is json, a sender also controls every field of the event, including "type"
# and "@metadata"; per the Logstash input docs the input's own "type" setting
# does not override a type that is already present on the event, so a forged
# "type" (or "[@metadata][beat]") would steer the event through the other
# filter/output branches in this file and into their indices. Restrict the
# port at the network level to the known rsyslog hosts and/or enable the tcp
# input's TLS options (ssl_enable / ssl_cert / ssl_key / ssl_verify) with
# client certificates -- the certificate paths are deployment-specific and
# are not shown here.
input {
  tcp {
    host => "192.168.0.2"
    port => 10514
    codec => "json"
    type => "rsyslog"
  }
}

## Input for Beats on Windows (Filebeat and Winlogbeat)
# NOTE(review): Beats traffic is accepted in clear text here (no "ssl => true"
# with ssl_certificate/ssl_key, no ssl_verify_mode => "force_peer"), so the
# Windows event logs cross the network unencrypted and any client speaking the
# Beats protocol is accepted. Enabling TLS with client-certificate verification
# on this input (and the matching settings in the shippers) is the usual fix;
# the certificate paths are deployment-specific and not shown here.
# No "type" is set on this input: the output section below routes Beats
# events on [@metadata][beat], i.e. on what the shipper announces.
input {
  beats {
    host => "192.168.0.2"
    port => 5044
    # Decode the shipped "message" as UTF-8 text; the commented-out
    # alternative (ASCII-8BIT is Ruby's binary encoding) would leave the
    # bytes undecoded.
    codec => plain {
        charset => "UTF-8"
    #charset => "ASCII-8BIT"
    }
  }
}

## Input for Filebeat shipping OSSEC (Linux) alerts
# NOTE(review): same exposure as the Windows Beats listener above -- no TLS,
# no client-certificate verification, any Beats client on the network is
# accepted. Unlike the Windows input this one uses the json codec, so each
# shipped line is parsed as a JSON document (a line that is not valid JSON is
# tagged _jsonparsefailure by the codec and kept as a plain message).
# No "type" is set here either; the output section routes on
# [@metadata][beat], so events from ports 5044 and 5045 are distinguished
# only by what the shipper declares, not by the port they arrived on.
input {
  beats {
    host => "192.168.0.2"
    port => 5045
    codec => json {
        charset => "UTF-8"
    #charset => "ASCII-8BIT"
    }
  }
}

  35. ## Input para Logs do Proxy IWSVA - TrendMicro
  36. input {
  37.   syslog {
  38.     type => "proxy_fwd_iwsva"
  39.     port => 8514
  40.   }
  41. }
  42.  
  43. ## Input para Oracle ASH
  44. input {
  45.   jdbc {
  46.     type => "ash_oracle"
  47.     jdbc_validate_connection => true
  48.     jdbc_connection_string => "jdbc:oracle:thin:@yyyy:1521/dbdev02"
  49.     jdbc_user => "xxxx"
  50.     jdbc_password => "xxxx"
  51.     jdbc_driver_library => "/etc/logstash/jdbc/ojdbc8.jar"
  52.     jdbc_driver_class => "Java::oracle.jdbc.driver.OracleDriver"
  53.     statement => "SELECT * FROM dba_audit_trail WHERE extended_timestamp > :sql_last_value"
  54.     last_run_metadata_path => "/mnt/elk_backups/logstash_last_run/logstash-oradb.lastrun"
  55. #    use_column_value => true
  56. #    tracking_column => sessionid
  57.     record_last_run => true
  58.     clean_run => false
  59.     jdbc_paging_enabled => true
  60.     jdbc_page_size => 10000
  61.     sql_log_level => debug
  62.     schedule => "* * * * *"
  63.   }
  64. }
  65.  
  66. ## Filtro para Logs do Proxy IWSVA - TrendMicro
  67. filter {
  68.   if [type] == "proxy_fwd_iwsva" {
  69.     grok {
  70.       match => ["message", "(<([^.]+)>([^.]+)\.xxxxxx\.com\.br: )<(?<timestamp>.+)> \[(?<event_type>.+)\] Access tracking log (?<data_kv>.*)"]
  71.       overwrite => ["timestamp"]
  72.     }
  73.     if ("_grokparsefailure" in [tags]) {
  74.       drop {}
  75.     }
  76.  
  77.     kv {   # Divide os pares de chave-valor da linha
  78.       source => "data_kv"
  79.       field_split => ","
  80.       # TODO - Remover futuramente: workaround para um bug na estrutura kv do log com algumas URLs
  81.       include_keys => ["tk_category", "tk_category_type", "tk_client_ip", "tk_date_field", "tk_domain", "tk_file_name", "tk_mime_content", "tk_operation", "tk_path", "tk_protocol", "tk_server", "tk_server_ip", "tk_size", "tk_uid", "tk_url", "tk_username"]
  82.     }
  83.     date {
  84.       match => ["timestamp", "EEE, dd MMM YYYY HH:mm:ss',BRT'"]
  85.       timezone => ["America/Sao_Paulo"]
  86.     }
  87.     geoip {
  88.       source => "tk_server_ip"
  89.     }
  90.     # Converte para texto o numero da categoria
  91.     translate {
  92.       field => "tk_category"
  93.       destination => "category"
  94.       override => true
  95.       dictionary => [   "1", "Adult/Mature Content",
  96.                         "3", "Pornography",
  97.                         "4", "Sex Education",
  98.                         "5", "Intimate Apparel/Swimsuit",
  99.                         "6", "Nudity",
  100.                         "8", "Alcohol/Tobacco",
  101.                         "9", "Illegal/Questionable",
  102.                         "10", "Tasteless",
  103.                         "11", "Gambling",
  104.                         "14", "Violence/Hate/Racism",
  105.                         "15", "Weapons",
  106.                         "16", "Abortion",
  107.                         "18", "Recreation/Hobbies",
  108.                         "19", "Arts",
  109.                         "20", "Entertainment",
  110.                         "21", "Business/Economy",
  111.                         "22", "Cult/Occult",
  112.                         "23", "Internet Radio and TV",
  113.                         "24", "Internet Telephony",
  114.                         "25", "Illegal Drugs",
  115.                         "26", "Marijuana",
  116.                         "27", "Education",
  117.                         "29", "Cultural Institutions",
  118.                         "30", "Activist Groups",
  119.                         "31", "Financial Services",
  120.                         "32", "Brokerage/Trading",
  121.                         "33", "Games",
  122.                         "34", "Government/Legal",
  123.                         "35", "Military",
  124.                         "36", "Politics",
  125.                         "37", "Health",
  126.                         "38", "Computers/Internet",
  127.                         "39", "Proxy Avoidance",
  128.                         "40", "Search Engines/Portals",
  129.                         "41", "Internet Infrastructure",
  130.                         "42", "Blogs/Web Communications",
  131.                         "43", "Photo Searches",
  132.                         "44", "Alternative Journals",
  133.                         "45", "Job Search/Careers",
  134.                         "46", "News/Media",
  135.                         "47", "Personals/Dating",
  136.                         "48", "Translators / Cached Pages",
  137.                         "49", "Reference",
  138.                         "50", "Social Networking",
  139.                         "51", "Chat/Instant Messaging",
  140.                         "52", "Email",
  141.                         "53", "Newsgroups",
  142.                         "54", "Religion",
  143.                         "55", "Personal Sites",
  144.                         "56", "Personal Network Storage/File Download Server",
  145.                         "57", "Peer-to-peer",
  146.                         "58", "Shopping",
  147.                         "59", "Auctions",
  148.                         "60", "Real Estate",
  149.                         "61", "Society/Lifestyle",
  150.                         "62", "Gay/Lesbian",
  151.                         "63", "Gun Clubs/Hunting",
  152.                         "64", "Restaurants/Food",
  153.                         "65", "Sports",
  154.                         "66", "Travel",
  155.                         "67", "Vehicles",
  156.                         "68", "Humor",
  157.                         "69", "Streaming Media/MP3",
  158.                         "70", "Ringtones/Mobile Phone Downloads",
  159.                         "71", "Software Downloads",
  160.                         "72", "Pay to Surf",
  161.                         "73", "Potentially Malicious Software",
  162.                         "74", "Spyware",
  163.                         "75", "Phishing",
  164.                         "76", "Spam",
  165.                         "77", "Adware",
  166.                         "78", "Malware Accomplice",
  167.                         "79", "Disease Vector",
  168.                         "80", "Cookies",
  169.                         "81", "Dialers",
  170.                         "82", "Hacking",
  171.                         "83", "Joke Program",
  172.                         "84", "Password Cracking",
  173.                         "85", "Remote Access Program",
  174.                         "86", "Made for AdSense",
  175.                         "87", "For Kids",
  176.                         "88", "Web Advertisement",
  177.                         "89", "Web Hosting",
  178.                         "90", "Untested"
  179.                         ]
  180.     }
  181.     mutate {
  182.       convert => ["tk_size", "integer"]
  183.       remove_field => ["host", "priority", "severity", "facility", "facility_label", "severity_label",  "data_kv", "message", "tk_server", "program", "logsource", "event_type" ]
  184.     }
  185.   }
  186.   # Seta o timestamp para o do ASH, não o atual timestamp (do servidor).
  187.   if [type] == "ash_oracle" {
  188.         mutate { convert => [ "extended_timestamp" , "string" ]}
  189.         date { match => ["extended_timestamp", "ISO8601"]}
  190.   }
  191. }
  192.  
  193. ## Output para Elasticsearch nos dois servidores
  194.  
  195. output {
  196.   if [type] == "rsyslog" {
  197.     elasticsearch {
  198.       user => "aaaaa"
  199.       password => "xxxxxx"
  200.       ssl => true
  201.       ssl_certificate_verification => true
  202.       truststore => "/etc/logstash/truststore.jks"
  203.       truststore_password => "aaaaaa"
  204.       manage_template => false
  205.       # template => "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.3.0-java/lib/logstash/outputs/elasticsearch/elasticsearch-template-es2x.json"
  206.       # template_overwrite => false
  207.       hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
  208.       index => "logstash-%{+YYYY.MM.dd}"
  209.     }
  210.   }
  211.   if [type] == "proxy_fwd_iwsva" {
  212.     elasticsearch {
  213.       user => "aaaaa"
  214.       password => "xxxxxx"
  215.       ssl => true
  216.       ssl_certificate_verification => true
  217.       truststore => "/etc/logstash/truststore.jks"
  218.       truststore_password => "aaaaaa"
  219.       manage_template => false
  220.       template_overwrite => false
  221.       index => "logstash-%{[type]}-%{+YYYY.MM.dd}"
  222.       hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
  223.     }
  224.   }
  225.   if [@metadata][beat] == "winlogbeat" or [@metadata][beat] == "filebeat" {    
  226.     elasticsearch {
  227.       user => "aaaaa"
  228.       password => "xxxxxx"
  229.       ssl => true
  230.       ssl_certificate_verification => true
  231.       truststore => "/etc/logstash/truststore.jks"
  232.       truststore_password => "aaaaaa"
  233.       hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
  234.       manage_template => false
  235.       index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  236.       document_type => "%{[@metadata][type]}"
  237.     }
  238.   }
  239.   if [@metadata][beat] == "ossec" {
  240.     elasticsearch {
  241.       user => "aaaaa"
  242.       password => "xxxxxx"
  243.       ssl => true
  244.       ssl_certificate_verification => true
  245.       truststore => "/etc/logstash/truststore.jks"
  246.       truststore_password => "aaaaaa"
  247.       hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
  248.       manage_template => false
  249.       index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  250.       document_type => "%{[@metadata][type]}"
  251.     }
  252.   }
  253.   if [type] == "ash_oracle" {
  254.       elasticsearch {
  255.       user => "aaaaa"
  256.       password => "xxxxxx"
  257.       ssl => true
  258.       ssl_certificate_verification => true
  259.       truststore => "/etc/logstash/truststore.jks"
  260.       truststore_password => "aaaaaa"
  261.       hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
  262.       index => "ash-oracle-%{+YYYY.MM.dd}"
  263. #     stdout { codec => rubydebug }
  264.       }
  265.   }
  266. }