@coolacid
Created April 20, 2015 04:59
Logstash, DNS, GeoIP and CIFv2 augments.
NOTE: The IPs were taken from the CIF DB for testing; these are not actual events.
Logstash startup completed
{
    "message" => "2015-04-19 05:46:59,798 fail2ban.actions: WARNING [asterisk-iptables] Ban 141.101.113.108",
    "@version" => "1",
    "@timestamp" => "2015-04-19T09:46:59.798Z",
    "type" => "fail2ban",
    "host" => "homer",
    "path" => "/srv/Logs/f2b/fail2ban",
    "fail2ban.type" => "actions",
    "message.level" => "WARNING",
    "fail2ban.app" => "asterisk-iptables",
    "fail2ban.action" => "Ban",
    "Net.IP.SRC" => "141.101.113.108",
    "Net.IP.SRC.GEO" => {
        "ip" => "141.101.113.108",
        "country_code2" => "EU",
        "country_code3" => "EU",
        "country_name" => "Europe",
        "continent_code" => "EU",
        "latitude" => 47.0,
        "longitude" => 8.0,
        "location" => [
            [0] 8.0,
            [1] 47.0
        ]
    },
    "CIF.Tags" => [
        [0] "whitelist",
        [1] "rdata"
    ],
    "CIF.Tlp" => "green",
    "CIF.Confidence" => 12.949
}
{
    "message" => "2015-04-19 05:46:59,798 fail2ban.actions: WARNING [asterisk-iptables] Ban 193.189.117.215",
    "@version" => "1",
    "@timestamp" => "2015-04-19T09:46:59.798Z",
    "type" => "fail2ban",
    "host" => "homer",
    "path" => "/srv/Logs/f2b/fail2ban",
    "fail2ban.type" => "actions",
    "message.level" => "WARNING",
    "fail2ban.app" => "asterisk-iptables",
    "fail2ban.action" => "Ban",
    "Net.IP.SRC" => "193.189.117.215",
    "Net.Host.SRC" => "193.189.117.215.host.e-ring.pl",
    "Net.IP.SRC.GEO" => {
        "ip" => "193.189.117.215",
        "country_code2" => "PL",
        "country_code3" => "POL",
        "country_name" => "Poland",
        "continent_code" => "EU",
        "latitude" => 52.0,
        "longitude" => 20.0,
        "timezone" => "Europe/Warsaw",
        "location" => [
            [0] 20.0,
            [1] 52.0
        ]
    },
    "CIF.Tags" => [
        [0] "botnet"
    ],
    "CIF.Tlp" => "amber",
    "CIF.Confidence" => 65
}