From f0f6981f342f55735979b35aaa38d0a739a2e488 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Mon, 10 Sep 2018 01:15:21 +0000
Subject: [PATCH] add medpot to ELK

---
 docker/elk/logstash/dist/logstash.conf | 37 +++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 6178f044..38a247ac 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -88,6 +88,13 @@ input {
 type => "Mailoney"
 }
 
+# Medpot
+ file {
+ path => ["/data/medpot/log/medpot.log"]
+ codec => json
+ type => "Medpot"
+ }
+
 # Rdpy
 file {
 path => ["/data/rdpy/log/rdpy.log"]
@@ -170,12 +177,12 @@ filter {
 date {
 match => [ "timestamp", "ISO8601" ]
 }
- mutate {
- rename => {
- "dst_port" => "dest_port"
- "dst_ip" => "dest_ip"
- }
- }
+ mutate {
+ rename => {
+ "dst_port" => "dest_port"
+ "dst_ip" => "dest_ip"
+ }
+ }
 }

 # Cowrie
@@ -295,6 +302,24 @@ filter {
 }
 }
 
+# Medpot
+ if [type] == "Medpot" {
+ mutate {
+ add_field => {
+ "dest_port" => "2575"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ rename => {
+ "port" => "src_port"
+ "ip" => "src_ip"
+ }
+ }
+ date {
+ match => [ "time", "yyyy.MM.dd HH:mm:ss" ]
+ remove_field => ["time"]
+ }
+ }
+
 # Rdpy
 if [type] == "Rdpy" {
 grok {
 match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] }
 }
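Review bot: The `date` filter in the new Medpot block (third hunk) matches `time` against `yyyy.MM.dd HH:mm:ss`, a pattern that carries no zone, so Logstash interprets it in the platform default timezone of the Logstash process rather than the honeypot's; every other type visible in this file parses ISO8601 timestamps that carry their own offset. If medpot logs in UTC, pin it with `timezone => "UTC"` beside the `match` line, otherwise Medpot `@timestamp` values can drift from the other honeypots' by the host offset and skew timeline correlation. Separately, `dest_port` is added as the string `"2575"` while port fields parsed elsewhere here are typed as integers (the Rdpy grok's `%{INT:src_port:integer}`); if dynamic mapping first sees `dest_port` on a Medpot event, the field can land as a string type in that index and surface as a type conflict against indices where it is numeric, so a follow-up `mutate { convert => { "dest_port" => "integer" } }` after the add_field would keep the field consistent. The `${MY_EXTIP}` reference presumably mirrors how other filters in this file set `dest_ip`; if it is new here, note that an unset variable without a `${MY_EXTIP:default}` fallback aborts config loading.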