From a396356785e11ebe730f6edb67fc99f031b5f878 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Fri, 19 Jun 2020 22:53:56 +0000
Subject: [PATCH] add honeysap logstash config

---
 docker/elk/logstash/dist/logstash.conf | 36 ++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index c7e251f5..bdddcbbc 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -91,6 +91,13 @@ input {
 type => "Honeypy"
 }
 
+# Honeysap
+ file {
+ path => ["/data/honeysap/log/honeysap-external.log"]
+ codec => json
+ type => "Honeysap"
+ }
+
 # Honeytrap
 file {
 path => ["/data/honeytrap/log/attackers.json"]
@@ -328,7 +335,7 @@ filter {
 }
 }
 
-# Honeypy
+# Honeypy
 if [type] == "Honeypy" {
 date {
 match => [ "timestamp", "ISO8601" ]
@@ -339,6 +346,31 @@ filter {
 }
 }
 
+# Honeysap
+ if [type] == "Honeysap" {
+ date {
+ match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+ remove_field => ["timestamp"]
+ }
+ mutate {
+ rename => {
+ "[data][error_msg]" => "event_type"
+ "service" => "sensor"
+ "source_port" => "src_port"
+ "source_ip" => "src_ip"
+ "target_port" => "dest_port"
+ "target_ip" => "dest_ip"
+ }
+ remove_field => "event"
+ remove_field => "return_code"
+ }
+ if [data] {
+ mutate {
+ remove_field => "[data]"
+ }
+ }
+ }
+
 # Honeytrap
 if [type] == "Honeytrap" {
 date {
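Review bot: A honeysap log line that is not valid JSON is tagged `_jsonparsefailure` by the new `codec => json` input and kept with the raw text in `message`; the only parse-failure drop visible in this patch is the `_grokparsefailure` check in the fourth hunk, so unless the file handles that tag elsewhere, malformed or truncated lines from the honeypot log would reach the output as half-parsed events. Since the log content is attacker-influenced, either extend that drop condition to the json tag or, if keeping such lines for investigation is intended, say so on the new input with `# malformed lines are tagged _jsonparsefailure and keep the raw line in [message]`. The input block otherwise mirrors the Honeytrap input directly below it, which keeps the file consistent.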
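Review bot: The new Honeysap mutate block gives `remove_field` twice (`remove_field => "event"` then `remove_field => "return_code"`); whether both take effect when one plugin option is repeated depends on the Logstash config compiler, and the unambiguous form is a single `remove_field => ["event", "return_code"]`. The date filter sets no `timezone`, so the `yyyy-MM-dd HH:mm:ss.SSSSSS` timestamp is interpreted in the Logstash host's zone, which is only correct if honeysap writes in that same zone (presumably UTC inside the container; worth confirming against an actual log line, since a skew here shifts every event on the timeline). Removing `[data]` wholesale after pulling out `error_msg` discards whatever else honeysap records there; if that is deliberate, a one-line comment such as `# only [data][error_msg] is kept; the rest of [data] is dropped` would spare the next reader a check. This filter block is complete within the hunk.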
@@ -457,7 +489,7 @@ if "_grokparsefailure" in [tags] { drop {} } } # Add T-Pot hostname and external IP - if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" { + if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" { mutate { add_field => { "t-pot_ip_ext" => "${MY_EXTIP}"