
@VGostyuzhov
Last active April 3, 2018 14:21
# Input stage: a Beats listener (e.g. Filebeat) delivering host log lines.
input {
  beats {
    # Events arriving here carry type "beats"; the filter stage routes on
    # the [source] path the shipper sets, not on this type.
    type => "beats"
    port => 5044
  }
}
# Filter stage: parse the two log files this pipeline knows about and tag
# each event so the output stage can route it.
filter {

  # sshd lines from the system auth log. Both grok patterns capture the
  # user/ip/port as reported by sshd; the user field of a failed login is a
  # string chosen by the remote client, so treat it as untrusted text
  # downstream (dashboards, alert templates). Lines matching neither pattern
  # get grok's default _grokparsefailure tag.
  if [source] == "/var/log/secure" {
    grok {
      match => {
        "message" => [
          "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
          "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ip}"
        ]
      }
      # Routing tag read by the output stage; it must match there exactly.
      add_tag => ["ssh"]
    }
  }

  # Apache access log in combined format. HTTPD_COMBINEDLOG yields the
  # clientip field that geoip enriches below.
  if [source] == "/var/log/httpd/access_log" {
    grok {
      match => {
        "message" => ["%{HTTPD_COMBINEDLOG}"]
      }
      add_tag => ["httpd"]
    }
    geoip {
      source => "clientip"
    }
  }
}
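# Output stage: route events to Elasticsearch by the tag the filter stage set.
output {

  # The filter stage tags SSH events with "ssh", not "secure". Matching on
  # "secure" here would never be true, so auth events would silently never
  # reach the security index.
  if "ssh" in [tags] {
    elasticsearch {
      # NOTE(review): hosts without a scheme is plain HTTP and no credentials
      # are configured; fine for an isolated lab, otherwise enable TLS and
      # authentication on the cluster and this output.
      hosts => ["192.168.56.105:9200"]
      manage_template => false
      index => "security"
      # NOTE(review): document_type is tied to mapping types, which newer
      # Elasticsearch versions drop — confirm against the target cluster.
      document_type => "security"
    }
  }

  if "httpd" in [tags] {
    elasticsearch {
      hosts => ["192.168.56.105:9200"]
      # NOTE(review): Logstash's default template targets logstash-* indices;
      # with index => "httpd" it may not apply unless a template is named
      # explicitly — verify in the cluster.
      manage_template => true
      index => "httpd"
      document_type => "httpd"
    }
  }
}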