[2021-01-25T10:24:47,485][WARN ][o.e.h.AbstractHttpServerTransport] [siem-main.XXXXX.local] caught exception while handling client http traffic
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transpo
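---
# Filebeat inputs. As pasted, every line sat at column 0, so `enabled: true`
# after `- type: log` is a top-level key rather than part of the input entry
# (a YAML parse error / mis-nesting); the nesting is restored here.
filebeat.inputs:
  # Local log files on this host.
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      # - c:\programdata\elasticsearch\logs\*
  # Syslog received over UDP. UDP syslog carries no sender authentication
  # and no transport encryption, so any host that can reach node-1:515 can
  # inject events; limit reachability with a host/network firewall.
  # NOTE(review): 514 is the conventional syslog port -- confirm 515 is intended.
  - type: syslog
    protocol.udp:
      host: "node-1:515"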
filebeat.config.modules:
{
"_index": "mikrotik-log-2020.11",
"_type": "_doc",
"_id": "f9yFgnUBAnhF-USAF3ck",
"_version": 1,
"_score": null,
"_source": {
"topic1": "system",
"topic2": "error",
"agent": {
{
"mappings": {
"_doc": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
PUT _watcher/watch/winlogs
{
"metadata": {
"window_period": "15m"
},
"trigger": {
"schedule": {
"interval": "5m"
}
},
{
"_id" : "winlogs_ca23891f-7176-461c-bb9e-3843a634dfc1-2020-09-22T08:56:59.856268Z",
"watch_record" : {
"watch_id" : "winlogs",
"node" : "eXtEY0w5QVeHHEL_ZYk9Cg",
"state" : "executed",
"user" : "elastic",
"status" : {
"state" : {
"active" : true,
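---
# Filebeat inputs and module loading. As pasted, every line sat at column 0,
# so the input options were not nested under their `- type: log` entry and
# the modules keys were not under `filebeat.config.modules` (a YAML parse
# error / mis-nesting); the nesting is restored here.
filebeat.inputs:
  # Local log files on this host.
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      # - c:\programdata\elasticsearch\logs\*
    # NOTE(review): original indentation was lost in the paste; scan_frequency
    # is an input-level option, so it is placed at input level -- confirm.
    scan_frequency: 6s

filebeat.config.modules:
  # ${path.config} is expanded by Filebeat when the config is loaded; to YAML
  # this is a plain string.
  path: ${path.config}/modules.d/*.yml
  # Reload disabled: edits to the module files on disk are not picked up
  # while Filebeat is running.
  reload.enabled: false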
-- Logs begin at Mon 2020-09-07 08:31:42 +0430, end at Wed 2020-09-09 12:37:05 +0430. --
Sep 09 04:13:00 TestSIEM filebeat[26565]: 2020-09-09T04:13:00.270+0430 ERROR [publisher_pipeline_output] pipeline/output.go:181 failed to publish events: temporary bulk send failure
Sep 09 04:13:00 TestSIEM filebeat[26565]: 2020-09-09T04:13:00.270+0430 INFO [publisher_pipeline_output] pipeline/output.go:144 Connecting to backoff(elasticsearch(https://node-1:9200))
Sep 09 04:13:00 TestSIEM filebeat[26565]: 2020-09-09T04:13:00.270+0430 INFO [publisher] pipeline/retry.go:221 retryer: send unwait signal to consumer
Sep 09 04:13:00 TestSIEM filebeat[26565]: 2020-09-09T04:13:00.270+0430 INFO [publisher] pipeline/retry.go:225 done
Sep 09 04:13:00 TestSIEM filebeat[26565]: 2020-09-09T04:13:00.271+0430 INFO [esclientleg] eslegclient/connection.go:306 Attempting to connect to Elasticsearch ve
PUT _watcher/watch/ciscoioswatcher
{
"trigger" : { "schedule" : { "interval" : "5m" }},
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-*" ],
"body" : {
"query" : {
"bool" : {
{
"_index": "cisco-beat-2020.09",
"_type": "_doc",
"_id": "NsrlXXQB5DC9Olmvu0ry",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "FortressSIEM",
"name": "FortressSIEM",