add medpot to ELK

2025-07-01 20:42:11 +00:00 · 2018-09-10 01:15:21 +00:00 · 2018-09-10 01:15:21 +00:00 · f0f6981f34
commit f0f6981f34
parent 8b4a233b7a
1 changed files with 31 additions and 6 deletions
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -88,6 +88,13 @@ input {
    type => "Mailoney"
  }

+# Medpot
+  file {
+    path => ["/data/medpot/log/medpot.log"]
+    codec => json
+    type => "Medpot"
+  }
+
 # Rdpy
  file {
    path => ["/data/rdpy/log/rdpy.log"]
@ -170,12 +177,12 @@ filter {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
-    mutate {                                                                                                                                                                                                                                                              
-      rename => {                                                                                                                                                                                                                                                         
-        "dst_port" => "dest_port"                                                                                                                                                                                                                                         
-        "dst_ip" => "dest_ip"                                                                                                                                                                                                                                             
-      }                                                                                                                                                                                                                                                                   
-    }                                                                                                                                                                                                                                                                     
+    mutate { 
+      rename => { 
+        "dst_port" => "dest_port" 
+        "dst_ip" => "dest_ip" 
+      } 
+    } 
  }

 # Cowrie
@ -295,6 +302,24 @@ filter {
    }
  }

+# Medpot
+  if [type] == "Medpot" {
+    mutate {
+      add_field => {
+        "dest_port" => "2575"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+      rename => {
+        "port" => "src_port"
+        "ip" => "src_ip"
+      }
+    }
+    date {
+      match => [ "time", "yyyy.MM.dd HH:mm:ss" ]
+      remove_field => ["time"]
+    }
+  }
+
 # Rdpy
  if [type] == "Rdpy" {
    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }