From 1d0aad3b34f31308b27f010381059b393b09041b Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Thu, 16 Jan 2020 18:04:29 +0000
Subject: [PATCH] tweak logstash.conf for citrixhoneypot

---
 docker/elk/logstash/dist/logstash.conf | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index f378424b..bfffb463 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -217,10 +217,10 @@ filter {
   if [type] == "CitrixHoneypot" {
     grok {
       match => {
-        "message" => [ "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{UNIXPATH:filename}",
-                       "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{GREEDYDATA:payload}",
-                       "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg} %{CISCO_REASON:filename.state}: %{GREEDYDATA:payload}",
-                       "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{GREEDYDATA:msg}" ]
+        "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}",
+                       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}",
+                       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}",
+                       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ]
       }
     }
     date {
@@ -231,11 +231,13 @@ filter {
     mutate {
       add_field => {
         "dest_port" => "443"
-
+      }
+      rename => {
+        "levelname" => "level"
       }
     }
   }
-
+
   # Conpot
   if [type] == "ConPot" {
     date {
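Review bot: The third added pattern ends in `%{GREEDYDATA:payload:string:string}`, a doubled type suffix that the other three patterns do not have, so it looks like a copy-paste slip and should read `%{GREEDYDATA:payload:string}`. Grok's documented `%{SYNTAX:SEMANTIC:TYPE}` conversions are `int` and `float`; how an unrecognised `string` (let alone `string:string`) is handled is not visible here, so it is worth confirming in a Logstash test that the captured field is actually named `payload` and not `payload:string`, since later filters and dashboards will key on that name. The same `:string` annotation is applied to every capture in all four patterns, so if it turns out to be ignored it is only noise, but if it is folded into the field name every CitrixHoneypot field is affected. The `filter {` block and the CitrixHoneypot `if` continue outside this hunk.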
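Review bot: The new `rename => { "levelname" => "level" }` in the second hunk will replace any `level` field that already exists on the event, because mutate's rename overwrites the destination rather than failing, and nothing in this hunk guards against that. If the CitrixHoneypot log line can carry both keys, or a later filter also sets `level`, the original value is silently lost; a one-line comment stating the intent, `# honeypot emits Python-style "levelname"; normalise to "level" used by the other types`, would make the assumption explicit for the next editor. The enclosing `if [type] == "CitrixHoneypot"` block begins before this hunk.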