Created
February 27, 2019 03:07
-
-
Save Budman17r/76df8530aaab5f69bfa1b5fe0f16cf61 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| udp { | |
| type => "syslog" | |
| port => 5515 | |
| } | |
| } | |
| filter { | |
| grok { | |
| match => { "message" => "%{GREEDYDATA:raw_message}" } | |
| } | |
| ##Breaks down the beginning of the message from UDP input | |
| grok { | |
| match => { "message" => "%{SYSLOG5424PRI}(\s+)?%{CISCOTIMESTAMP:timestamp}\s+%{GREEDYDATA:message}" } | |
| overwrite => ["message"] | |
| } | |
| ###Router Section | |
| if [message] =~ "^router" { | |
| ###Remove Router Kernel: | |
| grok { | |
| match => { "message" => "router kernel:\s+%{GREEDYDATA:message}" | |
| } | |
| add_tag => ["unifiRouter"] | |
| overwrite => ["message"] | |
| } | |
| ###Iptables Rules | |
| if [message] =~ "^\[[a-zA-Z]" { | |
| grok { | |
| patterns_dir => [ "/etc/logstash/conf.d/patterns" ] | |
| match => { "message" => "\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}" } | |
| add_tag => [ "unifiIPtables"] | |
| } | |
| dissect { | |
| "mapping" => { | |
| "iptables.ubiquiti.rule_set" => '%{iptables.ubiquiti.input_zone}_%{iptables.ubiquiti.output_zone}' | |
| } | |
| } | |
| geoip { | |
| source => "source.ip" | |
| target => "source.geo" | |
| } | |
| geoip { | |
| source => "destination.ip" | |
| target => "destination.geo" | |
| } | |
| mutate { | |
| gsub => [ | |
| "event.outcome", "A", "allow", | |
| "event.outcome", "D", "deny" | |
| ] | |
| } | |
| } | |
| } | |
| ####Switch Section | |
| if [message] =~ "^\(" { | |
| dissect { | |
| "mapping" => { | |
| "message" => '("%{ubiquiti.switch.model},%{ubiquiti.switch.mac},%{ubiquiti.switch.version}") %{}: %{ubiquiti.switch.prog}: %{msg}' | |
| } | |
| } | |
| mutate { | |
| remove_field => [ "message" ] | |
| } | |
| mutate { | |
| rename => { "msg" => "message" } | |
| } | |
| mutate { | |
| add_tag => ["unifiSwitch"] | |
| } | |
| } | |
| date { | |
| match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"] | |
| remove_field => ["timestamp"] | |
| } | |
| } | |
| output { | |
| elasticsearch { | |
| hosts => ["https://hostname:9200", "https://hostname2:9200", "https://hostname3:9200"] | |
| cacert => "/etc/logstash/certs/chain.pem" | |
| manage_template => false | |
| index => "unifisyslog-%{+xxxx.ww}" | |
| user => "theadminuser" | |
| password => "t0p.s3cr3t" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment