diff --git a/docker/elk/logstash/dist/http_output.conf b/docker/elk/logstash/dist/http_output.conf index 7ba380c2..37f23e30 100644 --- a/docker/elk/logstash/dist/http_output.conf +++ b/docker/elk/logstash/dist/http_output.conf @@ -1,12 +1,12 @@ # Input section input { -# Fatt - file { +# Fatt + file { path => ["/data/fatt/log/fatt.log"] - codec => json + codec => json type => "Fatt" - } + } # Suricata file { @@ -279,13 +279,13 @@ filter { # CitrixHoneypot if [type] == "CitrixHoneypot" { - grok { - match => { - "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}", - "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}", + grok { + match => { + "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}", + "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}", "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}", - "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ] - } + "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ] + } } date { match => [ "asctime", "ISO8601" ] @@ -301,18 +301,18 @@ filter { } } } - + # Conpot if [type] == "ConPot" { date { match => [ "timestamp", "ISO8601" ] } - mutate { - rename => { - "dst_port" => "dest_port" - "dst_ip" => "dest_ip" - } - } + mutate { + rename => { + "dst_port" => "dest_port" + "dst_ip" => "dest_ip" + } + } } # Cowrie 
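Review bot: The S3_REQUEST_LINE pattern in the CitrixHoneypot grok list ends with `%{GREEDYDATA:payload:string:string}`, a doubled type suffix where the sibling patterns in the same list write `payload:string`; the hunk at 279 only re-indents the lines around it and leaves that context line as is. Whether grok silently drops the extra `:string` or rejects the pattern at pipeline start depends on how the capture name is split, so I would confirm it, and in either case change the line to `%{GREEDYDATA:payload:string}` so it matches the others. The enclosing `if [type] == "CitrixHoneypot"` block continues past the hunk into the date filter. The same line presumably exists in logstash.conf, which this diff does not touch at that location.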
@@ -439,7 +439,7 @@ filter { # Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24 # Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096 if [type] == "Endlessh" { - grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } } + grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } } date { match => [ "timestamp", "ISO8601" ] remove_field => ["timestamp"] @@ -534,7 +534,7 @@ filter { mutate { remove_field => "[data]" } - } + } } # Honeytrap @@ -578,6 +578,7 @@ filter { } mutate { rename => { + "request" => "request_uri" "server_port" => "dest_port" "port" => "src_port" "client" => "src_ip" @@ -629,8 +630,8 @@ filter { } mutate { split => { "addr" => ":" } - add_field => { - "src_ip" => "%{[addr][0]}" + add_field => { + "src_ip" => "%{[addr][0]}" "src_port" => "%{[addr][1]}" "dest_port" => "6379" "dest_ip" => "${MY_EXTIP}" @@ -644,6 +645,11 @@ filter { date { match => [ "timestamp", "ISO8601" ] } + mutate { + rename => { + "request" => "request_data" + } + } } # Tanner diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf index 48ccce1a..d02095f3 100644 --- a/docker/elk/logstash/dist/logstash.conf +++ b/docker/elk/logstash/dist/logstash.conf 
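Review bot: The new rename lines `"request" => "request_uri"` (hunk at 578) and `"request" => "request_data"` (hunk at 645) give the same source field two different destination names depending on the honeypot section, and nothing in the config says why; the identical hunks in logstash.conf carry the same gap. If the intent is that the two sections emit `request` values of different shapes that cannot share one field mapping in the index, say so next to the rename, e.g. `# "request" is renamed per honeypot so differently shaped values do not land in one field` — otherwise a later cleanup is likely to merge them back. Anything downstream that still reads `request` for these event types (index template, saved searches, visualisations) presumably needs the new names, which this diff does not cover. Both hunks sit inside `mutate` and honeypot blocks that begin outside the hunk.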
@@ -578,6 +578,7 @@ filter { } mutate { rename => { + "request" => "request_uri" "server_port" => "dest_port" "port" => "src_port" "client" => "src_ip" @@ -644,6 +645,11 @@ filter { date { match => [ "timestamp", "ISO8601" ] } + mutate { + rename => { + "request" => "request_data" + } + } } # Tanner