From bbf226aeda4aa5f7d4c7bfe920c664e84ce68373 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Mon, 3 Jun 2019 19:57:50 +0000
Subject: [PATCH] remove glastopf

---
 docker/elk/logstash/dist/logstash.conf | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 280540e5..44575a7e 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -64,12 +64,6 @@ input {
     type => "ElasticPot"
   }
 
-# Glastopf
-  file {
-    path => ["/data/glastopf/log/glastopf.log"]
-    type => "Glastopf"
-  }
-
 # Glutton
   file {
     path => ["/data/glutton/log/glutton.log"]
@@ -271,17 +265,6 @@ filter {
     }
   }
 
-# Glastopf
-  if [type] == "Glastopf" {
-    grok {
-      match => [ "message", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{NOTSPACE}%{SPACE}%{IP:src_ip}%{SPACE}%{WORD}%{SPACE}%{URIPROTO:http_method}%{SPACE}%{NOTSPACE:http_uri}%{SPACE}%{NOTSPACE}%{SPACE}%{HOSTNAME}:%{NUMBER:dest_port:integer}" ]
-    }
-    date {
-      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
-      remove_field => ["timestamp"]
-    }
-  }
-
 # Glutton
   if [type] == "Glutton" {
     date {
@@ -434,7 +417,7 @@ if "_grokparsefailure" in [tags] { drop {} }
   }
 
 # Add T-Pot hostname and external IP
-  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glastopf" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
+  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
     mutate {
       add_field => {
         "t-pot_ip_ext" => "${MY_EXTIP}"
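Review bot: The new `if` line still spells out every honeypot type as a long `or` chain, so the list has to be edited by hand whenever an input is added or removed, as this very commit shows, and a missed entry silently leaves events of that type without `t-pot_ip_ext` (and whatever else the `add_field` block sets). Logstash conditionals accept array membership, which makes the set a single list that is easier to keep in step with the `file` inputs above: `if [type] in ["Adbhoney", "Ciscoasa", "ConPot", "Cowrie", "Dionaea", "ElasticPot", "Fatt", "Glutton", "Honeytrap", "Heralding", "Honeypy", "Mailoney", "Medpot", "P0f", "Rdpy", "Suricata", "Tanner"] {`. A one-line comment above it, `# keep this list in sync with the file inputs in the input section`, would make the coupling explicit for the next removal. The `mutate`/`add_field` block and the enclosing `if` are closed outside the hunk.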