finetuning logstash.conf for new honeypots

docker/elk/logstash/dist/logstash.conf

@@ -421,6 +421,23 @@ filter {
     }
   }
 
+# Endlessh
+# Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
+# Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
+  if [type] == "Endlessh" {
+    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:DURATION}%{SPACE}bytes=%{NUMBER:BYTES}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }    
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      add_field => {
+        "dest_port" => "22"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+    }
+  }
+
 # Glutton
   if [type] == "Glutton" {
     date {
@@ -531,9 +548,7 @@ filter {
       match => [ "timestamp", "ISO8601" ]
     }
     mutate {
-      add_field => {
-        "dest_port" => "25"
-      }
+      add_field => { "dest_port" => "25" }
     }
   }
 
@@ -558,9 +573,7 @@ filter {
       remove_field => ["timestamp"]
     }
     mutate {
-      add_field => {
-        "dest_port" => "3389"
-      }
+      add_field => { "dest_port" => "3389" }
     }
   }
 
@@ -571,6 +584,16 @@ filter {
       remove_field => ["time"]
       remove_field => ["timestamp"]
     }
+    mutate {
+      split => { "addr" => ":" }
+      add_field => { 
+        "src_ip" => "%{[addr][0]}" 
+        "src_port" => "%{[addr][1]}"
+        "dest_port" => "6379"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+      remove_field => ["addr"]
+    }
   }
 
 # NGINX
@@ -590,9 +613,7 @@ filter {
         "[peer][ip]" => "src_ip"
         "[peer][port]" => "src_port"
       }
-      add_field => {
-        "dest_port" => "80"
-      }
+      add_field => { "dest_port" => "80" }
     }
   }