@VAdamec
VAdamec / ossec_logstash.conf
Created January 21, 2014 21:25
Logstash OSSEC parsing
input {
zeromq {
type => 'zmq'
topology => 'pushpull'
address => 'tcp://*:5556'
mode => 'server'
}
}
output {
@VAdamec
VAdamec / ossec_kibana3.dashboard
Created January 21, 2014 21:29
Kibana3 dashboard for OSSEC (using fields from logstash basic parsing)
{
"title": "OSSEC",
"services": {
"query": {
"idQueue": [
0,
1
],
"list": {
"2": {
@VAdamec
VAdamec / ossec_elasticsearch_index
Created January 21, 2014 21:33
Set @fields to not analyzed (to get the full alert description rather than its exploded parts)
curl -XPUT http://localhost:9200/_template/logstash_ossec -d '{
"template" : "*ossec*",
"settings": {
"number_of_shards": 12,
"number_of_replicas": 1
},
"mappings": {
"ossec": {
"_all": {
"enabled": false
@VAdamec
VAdamec / gist:8582165
Created January 23, 2014 16:48
beaver_ossec.conf
[beaver]
transport: redis
redis_url: redis://localhost:6380/0
redis_namespace: logstash:cache:ossec
ssh_key_file: /etc/beaver/id_rsa
ssh_tunnel: beaver@<dc_server_redis>
ssh_tunnel_port: 6380
ssh_remote_host: <dc_server_redis>
ssh_remote_port: 6379
@VAdamec
VAdamec / histogram_query_with_marks
Created February 7, 2014 09:50
Ossec histogram query
curl -XGET 'http://localhost:9200/ossec-logstash-2014.02.07,ossec-logstash-2014.02.06,ossec-logstash-2014.02.05,ossec-logstash-2014.02.04,ossec-logstash-2014.02.03,ossec-logstash-2014.02.02,ossec-logstash-2014.02.01,ossec-logstash-2014.01.31/deploy/_search?pretty' '{
"facets": {
"0": {
"date_histogram": {
"field": "@timestamp",
"interval": "1h"
},
"global": true,
"facet_filter": {
"fquery": {
@VAdamec
VAdamec / s3backup_cloudtrail.sh
Created March 6, 2014 11:41
Amazon CloudTrail
#!/bin/bash
#
# https://github.com/xme/toolbox/blob/master/getawslog.py
#
# */5 * * * * aws ~aws/bin/s3backup_cloudtrail.sh /var/log/aws_backup.log
#
# Run the SIGINT handler (control_c) on interrupt so a partial backup is cleaned up
trap control_c SIGINT
@VAdamec
VAdamec / cloudtrail_logstash.conf
Last active August 29, 2015 13:57
Logstash grok for CloudTrail
#
# Cloudtrail
#
grep {
tags => ["awsaudit"]
add_tag => ["awsauditproc"]
}
grok {
@VAdamec
VAdamec / CloudTrail
Last active August 29, 2015 13:57
CloudTrail Kibana3
{
"title": "CloudTrail",
"services": {
"query": {
"list": {
"0": {
"query": "@message:*UnauthorizedOperation*",
"alias": "",
"color": "#E0752D",
"id": 0,
@VAdamec
VAdamec / freeipa-403-debug.log
Created October 17, 2014 00:19
FreeIPA testing
/etc/nslcd.conf
# Connect to IPA
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=test
bindpw XXXX
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
@VAdamec
VAdamec / logstash.conf
Created December 23, 2014 05:54
Nagios simple log parsing
input {
zeromq {
type => 'zmq'
topology => 'pushpull'
address => 'tcp://*:5556'
mode => 'server'
}
}
output {