NGINX logs are in /data/nginx/log/

Syslog should be viewed in Cockpit now, storing events of Syslog in ELK
is ineffective

docker/elk/docker-compose.yml

@@ -54,7 +54,6 @@ services:
     image: "dtagdevsec/logstash:1804"
     volumes:
      - /data:/data
-     - /var/log:/data/host/log
      - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
 
 ## Elasticsearch-head service

docker/elk/logstash/dist/logstash.conf

@@ -94,16 +94,9 @@ input {
     type => "Rdpy"
   }
 
-# Host Syslog
-  file {
-    path => ["/data/host/log/auth.log"]
-    codec => plain
-    type => "Syslog"
-  }
-
 # Host NGINX
   file {
-    path => ["/data/host/log/nginx/access.log"]
+    path => ["/data/nginx/log/access.log"]
     codec => json
     type => "NGINX"
   }
@@ -310,79 +303,6 @@ filter {
     }
   }
 
-# Syslog
-  if [type] == "Syslog" {
-      grok {
-        match => {
-          "message" => ["%{SYSLOGPAMSESSION}", "%{CRONLOG}", "%{SYSLOGLINE}"]
-        }
-        overwrite => "message"
-      }
-      date {
-        match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
-        remove_field => ["timestamp"]
-      }
-      date {
-        match => ["timestamp8601", "ISO8601"]
-        remove_field => ["timestamp8601"]
-      }
-      grok {
-        match => { "message" => "Connection closed by %{IP:src_ip}" }
-        add_tag => [ "ssh_connection_closed" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "Received disconnect from %{IP:src_ip}" }
-        add_tag => [ "ssh_connection_disconnect" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "Failed password for invalid user %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" }
-        add_tag => [ "ssh_failed_password" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "Did not receive identification string from %{IP:src_ip}" }
-        add_tag => [ "ssh_no_id" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "User %{USERNAME:username} from %{IP:src_ip} not allowed because not listed in AllowUsers" }
-        add_tag => [ "ssh_user_not_allowed" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "authentication failure; logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}"}
-        add_tag => [ "ssh_auth_failure" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=%{NOTSPACE:tty} ruser= rhost=(?:%{HOSTNAME:remote_host}|\s*)  user=%{USERNAME:user}"}
-        add_tag => [ "ssh_auth_failure" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
-        add_tag => [ "ssh_failed_password" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
-        add_tag => [ "ssh_accepted_password" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "Accepted publickey for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
-        add_tag => [ "ssh_accepted_pubkey" ]
-        tag_on_failure => []
-      }
-      grok {
-        match => { "message" => "Accepted keyboard-interactive/pam for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
-        add_tag => [ "ssh_accepted_interactive" ]
-        tag_on_failure => []
-      }
-  }
-
 # NGINX
   if [type] == "NGINX" {
     date {

docker/elk/logstash/docker-compose.yml

@@ -15,5 +15,4 @@ services:
     image: "dtagdevsec/logstash:1804"
     volumes:
      - /data:/data
-     - /var/log:/data/host/log
      - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf

etc/compose/collector.yml

@@ -143,7 +143,6 @@ services:
     image: "dtagdevsec/logstash:1804"
     volumes:
      - /data:/data
-     - /var/log:/data/host/log
 
 ## Elasticsearch-head service
   head:
@@ -203,4 +202,3 @@ services:
     image: "dtagdevsec/spiderfoot:1804"
     volumes:
      - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
-

etc/compose/experimental.yml

@@ -477,7 +477,6 @@ services:
     image: "dtagdevsec/logstash:1804"
     volumes:
      - /data:/data
-     - /var/log:/data/host/log
 
 ## Elasticsearch-head service
   head:
@@ -537,4 +536,3 @@ services:
     image: "dtagdevsec/spiderfoot:1804"
     volumes:
      - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
-

etc/compose/industrial.yml

@@ -296,7 +296,6 @@ services:
     image: "dtagdevsec/logstash:1804"
     volumes:
      - /data:/data
-     - /var/log:/data/host/log
 
 ## Elasticsearch-head service
   head:

etc/compose/legacy.yml

@@ -262,7 +262,6 @@ services:
     image: "dtagdevsec/logstash:1804"
     volumes:
      - /data:/data
-     - /var/log:/data/host/log
 
 ## Elasticsearch-head service
   head:
@@ -322,4 +321,3 @@ services:
     image: "dtagdevsec/spiderfoot:1804"
     volumes:
      - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
-

etc/compose/standard.yml

@@ -476,7 +476,6 @@ services:
     image: "dtagdevsec/logstash:1804"
     volumes:
      - /data:/data
-     - /var/log:/data/host/log
 
 ## Elasticsearch-head service
   head:
@@ -536,4 +535,3 @@ services:
     image: "dtagdevsec/spiderfoot:1804"
     volumes:
      - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
-