## Input for rsyslog: one JSON document per line over plain TCP
input {
  tcp {
    # Listener is pinned to one interface instead of 0.0.0.0.
    host => "192.168.0.2"
    port => 10514
    # rsyslog is expected to ship pre-formatted JSON; each received line is decoded as one event.
    codec => "json"
    # [type] is what the output section keys on to pick the Elasticsearch index.
    type => "rsyslog"
    # NOTE(review): no ssl_enable/ssl_cert/ssl_key here, so this listener is unauthenticated and
    # the log stream crosses the network in clear text — TLS is worth enabling unless the
    # source segment is trusted; confirm with the rsyslog side before changing.
  }
}
## Input for Windows beats (Filebeat and Winlogbeat)
input {
  beats {
    host => "192.168.0.2"
    port => 5044
    # Beats already frame events; plain codec only fixes the character set.
    codec => plain {
      charset => "UTF-8"
      #charset => "ASCII-8BIT"
    }
    # Events from here are routed in the output section by [@metadata][beat]
    # ("winlogbeat" / "filebeat"); no [type] is assigned on this input.
    # NOTE(review): no ssl / ssl_certificate / ssl_key on this listener, so the beats
    # connection is neither encrypted nor client-authenticated — confirm this is acceptable
    # for the network the Windows hosts sit on.
  }
}
## Input for Filebeat shipping OSSEC alerts from Linux hosts
input {
  beats {
    host => "192.168.0.2"
    port => 5045
    # OSSEC lines are JSON; decode them into fields on arrival.
    codec => json {
      charset => "UTF-8"
      #charset => "ASCII-8BIT"
    }
    # NOTE(review): the output section expects these events to carry
    # [@metadata][beat] == "ossec"; presumably the Filebeat on the OSSEC hosts sets that
    # (Filebeat's output.logstash index setting) — verify, otherwise they fall into the
    # generic "filebeat" branch.
    # NOTE(review): same as the Windows listener — no TLS/client-cert settings shown here.
  }
}
## Input for TrendMicro IWSVA proxy access logs (syslog)
input {
  syslog {
    # [type] selects the IWSVA grok/kv pipeline in the filter section and its output index.
    type => "proxy_fwd_iwsva"
    port => 8514
    # NOTE(review): unlike the tcp/beats inputs above, no host is set, so this listener binds
    # every interface (plugin default 0.0.0.0) — likely unintended given the other inputs pin
    # 192.168.0.2; confirm which interface the proxy sends to before adding host here.
    # The syslog header fields this input adds (priority, severity, facility, *_label,
    # logsource, program) are stripped again by the mutate in the filter section.
  }
}
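## Input for Oracle ASH: polls DBA_AUDIT_TRAIL over JDBC once a minute
input {
  jdbc {
    # [type] selects the timestamp fix-up in the filter section and the ash-oracle index.
    type => "ash_oracle"
    jdbc_validate_connection => true
    jdbc_connection_string => "jdbc:oracle:thin:@yyyy:1521/dbdev02"
    # NOTE(review): DB credentials are inline in the pipeline file; the Logstash keystore
    # (${VAR} references) keeps them out of the config and out of backups of it.
    jdbc_user => "xxxx"
    jdbc_password => "xxxx"
    jdbc_driver_library => "/etc/logstash/jdbc/ojdbc8.jar"
    jdbc_driver_class => "Java::oracle.jdbc.driver.OracleDriver"
    # :sql_last_value is bound as a parameter, not interpolated into the SQL text.
    # ORDER BY is required for correct paging: with jdbc_paging_enabled the statement is
    # split into limit/offset queries, and without a stable order rows can move between
    # pages and be emitted twice or skipped.
    statement => "SELECT * FROM dba_audit_trail WHERE extended_timestamp > :sql_last_value ORDER BY extended_timestamp"
    last_run_metadata_path => "/mnt/elk_backups/logstash_last_run/logstash-oradb.lastrun"
    # use_column_value => true
    # tracking_column => sessionid
    # With record_last_run and use_column_value left off, :sql_last_value is the wall-clock
    # time of the previous run, so audit rows stamped before that time but committed after it
    # (or skew between the DB and this host) are never collected — TODO confirm acceptable,
    # otherwise track extended_timestamp as the column value instead.
    record_last_run => true
    clean_run => false
    jdbc_paging_enabled => true
    jdbc_page_size => 10000
    sql_log_level => debug
    schedule => "* * * * *"
  }
}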
## Filter for TrendMicro IWSVA proxy logs
filter {
  if [type] == "proxy_fwd_iwsva" {
    # The unnamed leading group only consumes the sender prefix ("<...>host.xxxxxx.com.br: ");
    # what is kept is the proxy's own timestamp, the event type and the key=value tail.
    grok {
      match => ["message", "(<([^.]+)>([^.]+)\.xxxxxx\.com\.br: )<(?<timestamp>.+)> \[(?<event_type>.+)\] Access tracking log (?<data_kv>.*)"]
      # Replace any timestamp field the syslog input already set.
      overwrite => ["timestamp"]
    }
    # NOTE(review): lines that do not match the pattern are discarded outright, so a format
    # change on the proxy side makes its traffic disappear silently; counting or routing
    # these to a separate index would keep that visible.
    if ("_grokparsefailure" in [tags]) {
      drop {}
    }
    kv { # Split the line's key=value pairs
      source => "data_kv"
      field_split => ","
      # TODO - Remove later: workaround for a bug in the log's kv structure with some URLs
      # (only the whitelisted keys are extracted).
      include_keys => ["tk_category", "tk_category_type", "tk_client_ip", "tk_date_field", "tk_domain", "tk_file_name", "tk_mime_content", "tk_operation", "tk_path", "tk_protocol", "tk_server", "tk_server_ip", "tk_size", "tk_uid", "tk_url", "tk_username"]
    }
    # @timestamp := the proxy's timestamp; ",BRT" is matched as a literal suffix.
    # NOTE(review): YYYY is the Joda week-year, not the calendar year (yyyy); around
    # 31 Dec / 1 Jan this can resolve to the neighbouring year — verify against real events.
    # The documented form of timezone is a plain string; the one-element array is accepted
    # but unidiomatic.
    date {
      match => ["timestamp", "EEE, dd MMM YYYY HH:mm:ss',BRT'"]
      timezone => ["America/Sao_Paulo"]
    }
    # Geo-locate the destination (server) address, not the client.
    geoip {
      source => "tk_server_ip"
    }
    # Map the numeric category to its text label
    # NOTE(review): the flat "key, value, ..." array form of dictionary is the legacy form;
    # newer translate filter versions expect a hash — check the installed plugin version.
    translate {
      field => "tk_category"
      destination => "category"
      override => true
      dictionary => [ "1", "Adult/Mature Content",
        "3", "Pornography",
        "4", "Sex Education",
        "5", "Intimate Apparel/Swimsuit",
        "6", "Nudity",
        "8", "Alcohol/Tobacco",
        "9", "Illegal/Questionable",
        "10", "Tasteless",
        "11", "Gambling",
        "14", "Violence/Hate/Racism",
        "15", "Weapons",
        "16", "Abortion",
        "18", "Recreation/Hobbies",
        "19", "Arts",
        "20", "Entertainment",
        "21", "Business/Economy",
        "22", "Cult/Occult",
        "23", "Internet Radio and TV",
        "24", "Internet Telephony",
        "25", "Illegal Drugs",
        "26", "Marijuana",
        "27", "Education",
        "29", "Cultural Institutions",
        "30", "Activist Groups",
        "31", "Financial Services",
        "32", "Brokerage/Trading",
        "33", "Games",
        "34", "Government/Legal",
        "35", "Military",
        "36", "Politics",
        "37", "Health",
        "38", "Computers/Internet",
        "39", "Proxy Avoidance",
        "40", "Search Engines/Portals",
        "41", "Internet Infrastructure",
        "42", "Blogs/Web Communications",
        "43", "Photo Searches",
        "44", "Alternative Journals",
        "45", "Job Search/Careers",
        "46", "News/Media",
        "47", "Personals/Dating",
        "48", "Translators / Cached Pages",
        "49", "Reference",
        "50", "Social Networking",
        "51", "Chat/Instant Messaging",
        "52", "Email",
        "53", "Newsgroups",
        "54", "Religion",
        "55", "Personal Sites",
        "56", "Personal Network Storage/File Download Server",
        "57", "Peer-to-peer",
        "58", "Shopping",
        "59", "Auctions",
        "60", "Real Estate",
        "61", "Society/Lifestyle",
        "62", "Gay/Lesbian",
        "63", "Gun Clubs/Hunting",
        "64", "Restaurants/Food",
        "65", "Sports",
        "66", "Travel",
        "67", "Vehicles",
        "68", "Humor",
        "69", "Streaming Media/MP3",
        "70", "Ringtones/Mobile Phone Downloads",
        "71", "Software Downloads",
        "72", "Pay to Surf",
        "73", "Potentially Malicious Software",
        "74", "Spyware",
        "75", "Phishing",
        "76", "Spam",
        "77", "Adware",
        "78", "Malware Accomplice",
        "79", "Disease Vector",
        "80", "Cookies",
        "81", "Dialers",
        "82", "Hacking",
        "83", "Joke Program",
        "84", "Password Cracking",
        "85", "Remote Access Program",
        "86", "Made for AdSense",
        "87", "For Kids",
        "88", "Web Advertisement",
        "89", "Web Hosting",
        "90", "Untested"
      ]
    }
    # Size as a number for aggregations; drop the syslog header fields and the raw line.
    # NOTE(review): removing "message" and "data_kv" means the original log line is not
    # retained in the index — fine for storage, but there is then no raw record to fall
    # back on when the kv/grok parse is questioned; confirm that trade-off is intended.
    mutate {
      convert => ["tk_size", "integer"]
      remove_field => ["host", "priority", "severity", "facility", "facility_label", "severity_label", "data_kv", "message", "tk_server", "program", "logsource", "event_type" ]
    }
  }
  # Set @timestamp to the ASH row's own timestamp, not the current (server) time.
  if [type] == "ash_oracle" {
    # The JDBC input delivers extended_timestamp as a timestamp object; the date filter wants a string.
    mutate { convert => [ "extended_timestamp" , "string" ]}
    date { match => ["extended_timestamp", "ISO8601"]}
  }
}
## Output to Elasticsearch on both nodes, one index family per source
# Every branch is a plain `if` with no `else`: an event that matches none of the
# conditions (e.g. a beat with an unexpected [@metadata][beat]) is not written anywhere.
# NOTE(review): the same user/password is repeated inline in all five branches; the
# Logstash keystore (${VAR} references) would keep them out of this file, and a write-only
# role scoped to the index patterns below would limit what that account can do.
# NOTE(review): %{+YYYY.MM.dd} uses the Joda week-year; on the last/first days of a year the
# index may be named with the neighbouring year — consider yyyy, but check downstream index
# patterns and retention before renaming.
output {
  if [type] == "rsyslog" {
    elasticsearch {
      user => "aaaaa"
      password => "xxxxxx"
      # TLS with certificate verification against the local truststore.
      ssl => true
      ssl_certificate_verification => true
      truststore => "/etc/logstash/truststore.jks"
      truststore_password => "aaaaaa"
      # Mapping is left to the cluster; Logstash does not install a template.
      manage_template => false
      # template => "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.3.0-java/lib/logstash/outputs/elasticsearch/elasticsearch-template-es2x.json"
      # template_overwrite => false
      hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "proxy_fwd_iwsva" {
    elasticsearch {
      user => "aaaaa"
      password => "xxxxxx"
      ssl => true
      ssl_certificate_verification => true
      truststore => "/etc/logstash/truststore.jks"
      truststore_password => "aaaaaa"
      manage_template => false
      # No effect while manage_template is false.
      template_overwrite => false
      index => "logstash-%{[type]}-%{+YYYY.MM.dd}"
      hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
    }
  }
  # Windows beats: index and document type come from the beat's own metadata.
  if [@metadata][beat] == "winlogbeat" or [@metadata][beat] == "filebeat" {
    elasticsearch {
      user => "aaaaa"
      password => "xxxxxx"
      ssl => true
      ssl_certificate_verification => true
      truststore => "/etc/logstash/truststore.jks"
      truststore_password => "aaaaaa"
      hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      # NOTE(review): document_type is tied to the single-type model of older Elasticsearch;
      # confirm the target cluster version still honours it.
      document_type => "%{[@metadata][type]}"
    }
  }
  # OSSEC alerts — presumably the OSSEC Filebeat reports itself as "ossec"; if it does not,
  # those events take the "filebeat" branch above instead. TODO confirm.
  if [@metadata][beat] == "ossec" {
    elasticsearch {
      user => "aaaaa"
      password => "xxxxxx"
      ssl => true
      ssl_certificate_verification => true
      truststore => "/etc/logstash/truststore.jks"
      truststore_password => "aaaaaa"
      hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
  if [type] == "ash_oracle" {
    elasticsearch {
      user => "aaaaa"
      password => "xxxxxx"
      ssl => true
      ssl_certificate_verification => true
      truststore => "/etc/logstash/truststore.jks"
      truststore_password => "aaaaaa"
      hosts => [ "localhost:9200", "ccccc.yuuuuu.com.br:9200" ]
      index => "ash-oracle-%{+YYYY.MM.dd}"
      # The debug output below sits inside the elasticsearch block; if it is ever re-enabled
      # it must be moved out to the output level, next to the elasticsearch plugin.
      # stdout { codec => rubydebug }
    }
  }
}