From 602d1cc673b28b848b372555f035ce3d34b3cff2 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Thu, 20 Jan 2022 10:32:10 +0000
Subject: [PATCH] bump Elastic Stack to 7.16.3, change deprecated fields
---
 docker/elk/elasticsearch/Dockerfile | 4 ++--
 docker/elk/kibana/Dockerfile | 2 +-
 docker/elk/logstash/Dockerfile | 4 ++--
 docker/elk/logstash/dist/http_output.conf | 18 +++++++++---------
 docker/elk/logstash/dist/logstash.conf | 18 +++++++++---------
 5 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/docker/elk/elasticsearch/Dockerfile b/docker/elk/elasticsearch/Dockerfile
index f828dcc4..585f5196 100644
--- a/docker/elk/elasticsearch/Dockerfile
+++ b/docker/elk/elasticsearch/Dockerfile
@@ -1,7 +1,7 @@
-FROM alpine:3.14
+FROM alpine:3.15
 # # VARS
-ENV ES_VER=7.16.2 \
+ENV ES_VER=7.16.3 \
 ES_JAVA_HOME=/usr/lib/jvm/java-16-openjdk # Include dist
diff --git a/docker/elk/kibana/Dockerfile b/docker/elk/kibana/Dockerfile
index 7c25612a..1b28ebd6 100644
--- a/docker/elk/kibana/Dockerfile
+++ b/docker/elk/kibana/Dockerfile
@@ -1,7 +1,7 @@
 FROM node:16.13.0-alpine3.14 # # VARS
-ENV KB_VER=7.16.2
+ENV KB_VER=7.16.3
 # # Include dist ADD dist/ /root/dist/
diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile
index 94480f06..3cde66a8 100644
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@@ -1,7 +1,7 @@
-FROM alpine:3.14
+FROM alpine:3.15
 # # VARS
-ENV LS_VER=7.16.2
+ENV LS_VER=7.16.3
 # Include dist ADD dist/ /root/dist/ #
diff --git a/docker/elk/logstash/dist/http_output.conf b/docker/elk/logstash/dist/http_output.conf
index 918ca732..ff58b1c8 100644
--- a/docker/elk/logstash/dist/http_output.conf
+++ b/docker/elk/logstash/dist/http_output.conf
@@ -221,8 +221,8 @@ filter { } translate { refresh_interval => 86400
- field => "[alert][signature_id]"
- destination => "[alert][cve_id]"
+ source => "[alert][signature_id]"
+ target => "[alert][cve_id]"
 dictionary_path => "/etc/listbot/cve.yaml" # fallback => "-" }
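Review bot: `FROM node:16.13.0-alpine3.14` is left untouched in the kibana hunk while the elasticsearch and logstash Dockerfiles in this same commit move to `alpine:3.15`, so the three images now sit on two Alpine releases and the older one is one more base to track for security updates. If one base OS across the stack is the intent, the node tag should move to an alpine3.15 variant in the same commit (which exact tag exists depends on what the node image publishes for 16.x). The pinned Node patch level is also unchanged here, so it is worth checking for a newer 16.x patch tag alongside the Kibana bump. The remainder of each Dockerfile is outside its hunk.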
@@ -657,21 +657,21 @@ if "_jsonparsefailure" in [tags] { drop {} } } # Add geo coordinates / ASN info / IP rep.
- if [src_ip] {
+ if [src_ip] {
 geoip { cache_size => 10000 source => "src_ip"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-City.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-City.mmdb"
 } geoip { cache_size => 10000 source => "src_ip"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-ASN.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-ASN.mmdb"
 } translate { refresh_interval => 86400
- field => "src_ip"
- destination => "ip_rep"
+ source => "src_ip"
+ target => "ip_rep"
 dictionary_path => "/etc/listbot/iprep.yaml" } }
@@ -680,13 +680,13 @@ if "_jsonparsefailure" in [tags] { drop {} } cache_size => 10000 source => "t-pot_ip_ext" target => "geoip_ext"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-City.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-City.mmdb"
 } geoip { cache_size => 10000 source => "t-pot_ip_ext" target => "geoip_ext"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-ASN.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-ASN.mmdb"
 } }
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 8af575c2..3e1e4b5d 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
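Review bot: The `database =>` paths added in this hunk, in the -680 hunk below, and in the two matching hunks of logstash.conf embed the plugin gem version (`logstash-filter-geoip-7.2.9-java`), so every stack bump has to edit eight lines across two files and a missed one most likely fails at pipeline start because the old path no longer exists. The geoip filter uses its bundled GeoLite2-City database when `database` is omitted, and `default_database_type => "ASN"` selects the bundled ASN database, so the four `database` lines could be dropped in favour of that single option on the two ASN blocks and the config would stop tracking the plugin version. One caveat to confirm before doing so: on Logstash 7.14+ an unset `database` also allows the managed-database auto-update, which needs outbound access from the Logstash host, so if the sensor should stay egress-free that needs to be disabled in logstash.yml or the explicit path kept. Both pipeline files carry this filter block verbatim, which is why the same edit appears twice in the commit.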
@@ -221,8 +221,8 @@ filter { } translate { refresh_interval => 86400
- field => "[alert][signature_id]"
- destination => "[alert][cve_id]"
+ source => "[alert][signature_id]"
+ target => "[alert][cve_id]"
 dictionary_path => "/etc/listbot/cve.yaml" # fallback => "-" }
@@ -657,21 +657,21 @@ if "_jsonparsefailure" in [tags] { drop {} } } # Add geo coordinates / ASN info / IP rep.
- if [src_ip] {
+ if [src_ip] {
 geoip { cache_size => 10000 source => "src_ip"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-City.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-City.mmdb"
 } geoip { cache_size => 10000 source => "src_ip"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-ASN.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-ASN.mmdb"
 } translate { refresh_interval => 86400
- field => "src_ip"
- destination => "ip_rep"
+ source => "src_ip"
+ target => "ip_rep"
 dictionary_path => "/etc/listbot/iprep.yaml" } }
@@ -680,13 +680,13 @@ if "_jsonparsefailure" in [tags] { drop {} } cache_size => 10000 source => "t-pot_ip_ext" target => "geoip_ext"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-City.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-City.mmdb"
 } geoip { cache_size => 10000 source => "t-pot_ip_ext" target => "geoip_ext"
- database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-ASN.mmdb"
+ database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.9-java/vendor/GeoLite2-ASN.mmdb"
 } }