2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Input section
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								input {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2019-06-03 10:22:07 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Fatt                                 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {                                   
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/fatt/log/fatt.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json     
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Fatt"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }  
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Suricata
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/suricata/log/eve.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Suricata"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# P0f
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/p0f/log/p0f.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "P0f"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-12-05 16:59:08 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Adbhoney
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/adbhoney/log/adbhoney.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Adbhoney"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-04-27 23:10:45 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Ciscoasa
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/ciscoasa/log/ciscoasa.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => plain
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Ciscoasa"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 15:13:58 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# CitrixHoneypot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/citrixhoneypot/logs/server.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "CitrixHoneypot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Conpot
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
									
										
										
										
											2018-03-25 18:35:32 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    path => ["/data/conpot/log/*.json"]
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "ConPot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Cowrie
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/cowrie/log/cowrie.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Cowrie"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Dionaea
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/dionaea/log/dionaea.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Dionaea"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-06-24 13:21:29 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Dicompot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/dicompot/log/dicompot.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Dicompot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-08-25 15:04:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Ddospot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/ddospot/log/*.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Ddospot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-06-17 18:09:59 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# ElasticPot
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
									
										
										
										
											2020-06-17 18:09:59 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    path => ["/data/elasticpot/log/elasticpot.json"]
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "ElasticPot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-08-25 15:04:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Endlessh
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/endlessh/log/endlessh.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => plain
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Endlessh"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-04-16 22:05:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Glutton
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/glutton/log/glutton.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Glutton"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-08-25 15:04:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Hellpot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/hellpot/log/hellpot.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Hellpot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-03-25 18:35:32 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Heralding
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/heralding/log/auth.csv"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Heralding"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-11-19 23:20:13 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Honeypots
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/honeypots/log/*.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Honeypots"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-06-19 22:53:56 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Honeysap
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/honeysap/log/honeysap-external.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Honeysap"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Honeytrap
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/honeytrap/log/attackers.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Honeytrap"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-08-24 21:36:08 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Ipphoney
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/ipphoney/log/ipphoney.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Ipphoney"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-12-16 20:25:40 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Log4pot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/log4pot/log/log4pot.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Log4pot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Mailoney
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/mailoney/log/commands.log"]
							 
						 
					
						
							
								
									
										
										
										
											2020-01-22 12:17:30 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    type => "Mailoney"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-09-10 01:15:21 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Medpot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/medpot/log/medpot.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Medpot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Rdpy
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/rdpy/log/rdpy.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Rdpy"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-08-25 15:04:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Redishoneypot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/redishoneypot/log/redishoneypot.log"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Redishoneypot"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Host NGINX
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    path => ["/data/nginx/log/access.log"]
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "NGINX"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Tanner
							 
						 
					
						
							
								
									
										
										
										
											2018-05-28 21:46:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  file {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    path => ["/data/tanner/log/tanner_report.json"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    codec => json
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    type => "Tanner"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Filter Section
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								filter {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2019-06-03 10:22:07 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Fatt
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Fatt" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "sourceIp" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									"destinationIp" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									"sourcePort" => "src_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									"destinationPort" => "dest_port"
							 
						 
					
						
							
								
									
										
										
										
											2019-06-03 16:13:58 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "gquic" => "fatt_gquic"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "http" => "fatt_http"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "rdp" => "fatt_rdp"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "ssh" => "fatt_ssh"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "tls" => "fatt_tls"
							 
						 
					
						
							
								
									
										
										
										
											2019-06-03 10:22:07 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Suricata
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Suricata" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    translate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      refresh_interval => 86400
							 
						 
					
						
							
								
									
										
										
										
											2022-01-20 10:32:10 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      source => "[alert][signature_id]"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      target => "[alert][cve_id]"
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								      dictionary_path => "/etc/listbot/cve.yaml"
							 
						 
					
						
							
								
									
										
										
										
											2019-02-28 21:00:41 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								#      fallback => "-"
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# P0f
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "P0f" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "yyyy'/'MM'/'dd HH:mm:ss" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "server_port" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "server_ip" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "client_port" => "src_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "client_ip" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-12-05 16:59:08 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Adbhoney
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Adbhoney" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["unixtime"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-04-27 23:10:45 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Ciscoasa
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Ciscoasa" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    kv {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_char_key => " '{}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_char_value => "'{}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      value_split => ":"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      field_split => ","
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2018-05-09 16:43:37 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2018-04-27 23:10:45 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 15:13:58 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# CitrixHoneypot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "CitrixHoneypot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    grok { 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => { 
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 18:04:29 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}", 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									               "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}", 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
										       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}",
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
										       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ] 
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 15:13:58 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      } 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "asctime", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["asctime"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["message"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_port" => "443"
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 18:04:29 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "levelname" => "level"
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 15:13:58 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 18:04:29 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Conpot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "ConPot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2018-09-10 01:15:21 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    mutate { 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => { 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_port" => "dest_port" 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_ip" => "dest_ip" 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      } 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    } 
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Cowrie
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Cowrie" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_port" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_ip" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-09-15 15:58:44 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Ddospot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Ddospot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["time"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-10-28 18:57:55 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    if [path] == "/data/ddospot/log/chargenpot.log" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									  "dest_port" => "19"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    if [path] == "/data/ddospot/log/dnspot.log" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "dest_port" => "53"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    if [path] == "/data/ddospot/log/ntpot.log" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "dest_port" => "123"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    if [path] == "/data/ddospot/log/ssdpot.log" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "dest_port" => "1900"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-09-15 15:58:44 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Dionaea
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Dionaea" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_port" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_ip" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      gsub => [
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "src_ip", "::ffff:", "",
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_ip", "::ffff:", ""
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    if [credentials] {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        add_field => {
							 
						 
					
						
							
								
									
										
										
										
											2018-11-19 11:33:00 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								          "username" => "%{[credentials][username]}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								          "password" => "%{[credentials][password]}"
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        remove_field => "[credentials]"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-06-24 13:21:29 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Dicompot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Dicompot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["time"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
									
										
										
										
											2020-10-27 21:30:33 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "ID" => "id"
							 
						 
					
						
							
								
									
										
										
										
											2020-06-26 23:48:48 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "IP" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "Port" => "src_port"
							 
						 
					
						
							
								
									
										
										
										
											2020-06-24 13:21:29 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "AETitle" => "aetitle"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "Command" => "input"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "Files" => "files"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "Identifier" => "identifier"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "Matches" => "matches"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "Status" => "session"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "Version" => "version"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# ElasticPot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "ElasticPot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2020-06-17 18:09:59 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "content_type" => "http.http_content_type"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_port" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_ip" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "message" => "event_type"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "request" => "request_method"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "user_agent" => "http_user_agent"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									"url" => "http.url"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 16:28:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Endlessh
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Endlessh" {
							 
						 
					
						
							
								
									
										
										
										
											2021-11-02 19:13:28 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }    
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 16:28:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_port" => "22"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-04-16 22:05:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Glutton
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Glutton" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "ts", "UNIX" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["ts"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-10-28 18:57:55 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Hellpot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Hellpot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "time", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["time"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_port" => "80"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
									
										
										
										
											2021-11-02 19:13:28 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "BYTES" => "bytes"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "DURATION" => "duration"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "REMOTE_ADDR" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "URL" => "url"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "USERAGENT" => "http_user_agent"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "message" => "reason"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
									
										
										
										
											2021-10-28 18:57:55 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-03-25 18:35:32 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Heralding
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Heralding" {
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    csv {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"] separator => ","
							 
						 
					
						
							
								
									
										
										
										
											2018-03-25 18:35:32 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-11-19 23:20:13 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Honeypots
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Honeypots" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-06-19 22:53:56 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Honeysap
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Honeysap" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "[data][error_msg]" => "event_type"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "service" => "sensor"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "source_port" => "src_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "source_ip" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "target_port" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "target_ip" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => "event"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => "return_code"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    if [data] {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									remove_field => "[data]"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }    
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Honeytrap
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Honeytrap" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "[attack_connection][local_port]" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "[attack_connection][local_ip]" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "[attack_connection][remote_port]" => "src_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "[attack_connection][remote_ip]" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-08-24 21:36:08 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Ipphoney
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Ipphoney" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
									
										
										
										
											2020-08-25 12:25:59 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
									"query" => "ipp_query"
							 
						 
					
						
							
								
									
										
										
										
											2020-08-24 21:36:08 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "content_type" => "http.http_content_type"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_port" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dst_ip" => "dest_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "request" => "request_method"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "operation" => "data"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "user_agent" => "http_user_agent"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "url" => "http.url"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-12-16 20:25:40 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Log4pot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Log4pot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
									
										
										
										
											2022-01-17 14:50:50 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "request" => "request_uri"
							 
						 
					
						
							
								
									
										
										
										
											2021-12-16 20:25:40 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        "server_port" => "dest_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "port" => "src_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "client" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Mailoney
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Mailoney" {
							 
						 
					
						
							
								
									
										
										
										
											2020-01-22 12:17:30 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 16:28:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      add_field => { "dest_port" => "25" }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-09-10 01:15:21 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Medpot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Medpot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_port" => "2575"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 07:59:14 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
									
										
										
										
											2018-09-10 01:15:21 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Rdpy
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Rdpy" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 16:28:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      add_field => { "dest_port" => "3389" }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-10-27 16:14:52 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Redishoneypot
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "Redishoneypot" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["time"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["timestamp"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 16:28:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      split => { "addr" => ":" }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      add_field => { 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "src_ip" => "%{[addr][0]}" 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "src_port" => "%{[addr][1]}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_port" => "6379"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "dest_ip" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      remove_field => ["addr"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-10-27 16:14:52 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# NGINX
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [type] == "NGINX" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Tanner
							 
						 
					
						
							
								
									
										
										
										
											2018-05-28 21:46:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  if [type] == "Tanner" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    date {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      match => [ "timestamp", "ISO8601" ]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2018-05-29 12:05:07 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      rename => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "[peer][ip]" => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        "[peer][port]" => "src_port"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      }
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 16:28:16 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      add_field => { "dest_port" => "80" }
							 
						 
					
						
							
								
									
										
										
										
											2018-05-29 12:05:07 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2018-05-28 21:46:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Drop if parse fails
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								if "_grokparsefailure" in [tags] { drop {} }
							 
						 
					
						
							
								
									
										
										
										
											2021-09-15 15:58:44 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								if "_jsonparsefailure" in [tags] { drop {} }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2022-01-04 16:16:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Add T-Pot hostname and external IP
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    add_field => {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      "t-pot_ip_ext" => "${MY_EXTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      "t-pot_ip_int" => "${MY_INTIP}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      "t-pot_hostname" => "${MY_HOSTNAME}"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Add geo coordinates / ASN info / IP rep.
							 
						 
					
						
							
								
									
										
										
										
											2022-01-20 10:32:10 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  if [src_ip] {
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    geoip {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      cache_size => 10000
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      source => "src_ip"
							 
						 
					
						
							
								
									
										
										
										
											2022-02-02 22:57:50 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    geoip {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      cache_size => 10000
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      source => "src_ip"
							 
						 
					
						
							
								
									
										
										
										
											2022-02-02 22:57:50 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								    translate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      refresh_interval => 86400
							 
						 
					
						
							
								
									
										
										
										
											2022-01-20 10:32:10 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      source => "src_ip"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      target => "ip_rep"
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								      dictionary_path => "/etc/listbot/iprep.yaml"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2018-06-24 01:24:51 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2022-01-04 16:16:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  if [t-pot_ip_ext]  {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    geoip {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      cache_size => 10000
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      source => "t-pot_ip_ext"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      target => "geoip_ext"
							 
						 
					
						
							
								
									
										
										
										
											2022-02-02 22:57:50 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
							 
						 
					
						
							
								
									
										
										
										
											2022-01-04 16:16:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    geoip {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      cache_size => 10000
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      source => "t-pot_ip_ext"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								      target => "geoip_ext"
							 
						 
					
						
							
								
									
										
										
										
											2022-02-02 22:57:50 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
							 
						 
					
						
							
								
									
										
										
										
											2022-01-04 16:16:27 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-08-28 10:41:11 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  if [dest_port] {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        convert => { "dest_port" => "integer" }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  if [src_port] {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        convert => { "src_port" => "integer" }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2018-08-28 10:41:11 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  if [status] {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        convert => { "status" => "integer" }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2020-10-27 21:30:33 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  if [id] {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        convert => { "id" => "string" }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2021-09-15 15:58:44 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  if [request] {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    mutate {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        convert => { "request" => "string" }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Output section
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								output {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  elasticsearch {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    hosts => ["elasticsearch:9200"]
							 
						 
					
						
							
								
									
										
										
										
											2022-01-14 15:52:08 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    # With templates now being legacy we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
							 
						 
					
						
							
								
									
										
										
										
											2020-06-23 21:40:38 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    index => "logstash-%{+YYYY.MM.dd}"
							 
						 
					
						
							
								
									
										
										
										
											2020-08-24 10:35:46 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    template => "/etc/logstash/tpot_es_template.json"
							 
						 
					
						
							
								
									
										
										
										
											2022-01-14 15:52:08 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    template_overwrite => "true"
							 
						 
					
						
							
								
									
										
										
										
											2022-01-03 18:24:17 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    #document_type => "doc"
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2019-03-19 11:08:23 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  #if [type] == "Suricata" {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #    file {
							 
						 
					
						
							
								
									
										
										
										
											2019-05-08 11:16:48 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  #      file_mode => 0770
							 
						 
					
						
							
								
									
										
										
										
											2019-03-19 11:08:23 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  #      path => "/data/suricata/log/suricata_ews.log"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #}
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  # Debug output
							 
						 
					
						
							
								
									
										
										
										
											2020-01-16 15:13:58 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  #if [type] == "CitrixHoneypot" {
							 
						 
					
						
							
								
									
										
										
										
											2018-05-29 12:06:20 +00:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								  #  stdout {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #    codec => rubydebug
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #}
							 
						 
					
						
							
								
									
										
										
										
											2017-10-13 18:58:14 +00:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								  # Debug output
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #stdout {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #  codec => rubydebug
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								  #}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}