Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 04:52:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add medpot to ELK

Browse source
This commit is contained in:
t3chn0m4g3 2018-09-10 01:15:21 +00:00
parent 8b4a233b7a
commit f0f6981f34
1 changed files with 31 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
docker/elk/logstash/dist/logstash.conf vendored
View file

@ -88,6 +88,13 @@ input {
type => "Mailoney" type => "Mailoney"
} }
# Medpot
file {
path => ["/data/medpot/log/medpot.log"]
codec => json
type => "Medpot"
}
# Rdpy # Rdpy
file { file {
path => ["/data/rdpy/log/rdpy.log"] path => ["/data/rdpy/log/rdpy.log"]
@ -170,12 +177,12 @@ filter {
date { date {
match => [ "timestamp", "ISO8601" ] match => [ "timestamp", "ISO8601" ]
} }
mutate { mutate {
rename => { rename => {
"dst_port" => "dest_port" "dst_port" => "dest_port"
"dst_ip" => "dest_ip" "dst_ip" => "dest_ip"
} }
} }
} }
# Cowrie # Cowrie
@ -295,6 +302,24 @@ filter {
} }
} }
# Medpot
if [type] == "Medpot" {
mutate {
add_field => {
"dest_port" => "2575"
"dest_ip" => "${MY_EXTIP}"
}
rename => {
"port" => "src_port"
"ip" => "src_ip"
}
}
date {
match => [ "time", "yyyy.MM.dd HH:mm:ss" ]
remove_field => ["time"]
}
}
# Rdpy # Rdpy
if [type] == "Rdpy" { if [type] == "Rdpy" {
grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } } grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }