Logstash CPU Utilization Config
# Input
# Windows event records arrive as newline-delimited JSON over a plain TCP
# socket. No ssl_enable / certificate options are set, so the transport is
# unencrypted and unauthenticated: any host that can reach port 560 can feed
# arbitrary events into every filter branch below (including the branches that
# shell out or perform DNS lookups on event fields).
# NOTE(review): port 560 is below 1024 and on Linux typically needs a
# privileged bind — confirm how the Logstash service is started.
input {
tcp {
port => 560
type => winevent
codec => json_lines
}
}
################################################################# | |
filter { | |
grok { | |
match => [ "message", "%{DATA:xyz}\t%{DATA:xyz}\ttimezone:%{DATA:xyz}\t%{GREEDYDATA:NZeit}\t %{DATA:PID}\t%{DATA:TID}\t%{DATA:Komponente}\t%{DATA:Event}$" ] | |
tag_on_failure => [] | |
} | |
prune { | |
blacklist_names => [ "<[0-9]{1,3}>ntpdate[[0-9]{1,7}]", "xyz"] | |
} | |
grok | |
{ | |
tag_on_failure => [] | |
match => [ "Message", "timezone:%{DATA:timezone}\n.*$" ] | |
} | |
if [EventID] != 4656 { | |
grok { | |
match => [ "Message", "Accesses\:\t%{DATA:Accesses}\r.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "Message", "Accesses\:.*\).*\t%{DATA:Accesses} \(.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "Message", "Accesses\:\t%{DATA:acc2}\r\n\t\t\t\t%{DATA:Accesses}\r.*$" ] | |
tag_on_failure => [] | |
} | |
} | |
mutate { | |
rename => [ "\tReadData (or ListDirectory)", "ReadData (or ListDirectory)" ] | |
} | |
grok { | |
match => [ "message", ":[0-9][0-9]\t%{DATA:logsource}\t.*$" ] | |
tag_on_failure => [] | |
} | |
grok | |
{ | |
tag_on_failure => [] | |
match => [ "message", "timezone:%{DATA:timezone}\t.*$" ] | |
} | |
grok { | |
match => [ "message", "%{DATA:date}\t[s|S][r|R][v|V].*$" ] | |
tag_on_failure => [] | |
} | |
mutate { | |
rename => ["name","logsource"] | |
} | |
mutate { | |
rename => [ "EventID", "EventCode" ] | |
} | |
mutate { | |
rename => [ "EventType", "Type" ] | |
} | |
mutate { | |
rename => [ "Status", "ErrorCode" ] | |
} | |
grok { | |
match => [ "message", "Import" ] | |
add_tag => "import" | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "logsource", "srv78" ] | |
match => [ "logsource", "srv54" ] | |
add_tag => "prog" | |
tag_on_failure => [] | |
} | |
if "prog" in [tags] { | |
grok { | |
match => ["message", "\:[0-9]{2} %{DATA:schnittstelle} %{DATA:level} %{DATA:log}$"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "Berechtigung %{DATA:permision} .* User %{DATA:user} auf dem Pfad %{DATA:path} wurde.*$"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "Berechtigung %{DATA:permision} .* User %{DATA:user} wurde.*Ordner %{DATA:path} en.*$"] | |
tag_on_failure => [] | |
} | |
} | |
grok { | |
match => [ "message", "dnslog" ] | |
add_tag => "dns" | |
tag_on_failure => [] | |
} | |
if [logsource] == "SRV92" { | |
kv { | |
field_split => ";" | |
trimkey => "\ " | |
value_split => "=" | |
add_tag => ["virus"] | |
} | |
prune { | |
blacklist_names => [".*InsertedAt","[0-9]{4}-[0-9]{1,2}-[0-9]{2,4}:[0-9]{1,2}:[0-9]{1,2}\\tSRV92.*"] | |
add_tag => "prune" | |
} | |
if "virus" in [tags] { | |
mutate { | |
rename => {"ThreatName" => "Name" } | |
} | |
} | |
} | |
if "virus" in [tags] { | |
if [Name] { | |
} | |
else { | |
mutate { | |
add_field => {"Name" => "%{ReportingName}" } | |
} | |
} | |
} | |
if "virus" in [tags] { | |
if [EventType] { | |
} | |
else { | |
mutate { | |
add_field => {"EventType" => "null" } | |
} | |
} | |
} | |
if "dns" in [tags] { | |
grok { | |
match => [ "message", "10.XX.XX.XX" ] | |
add_tag => "drop" | |
tag_on_failure => [] | |
} | |
} | |
if "drop" in [tags] { | |
drop { | |
} | |
} | |
grok { | |
match => [ "message", "Dropped" ] | |
add_tag => "auditerror" | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "message", "IISServer" ] | |
add_tag => "IIS" | |
tag_on_failure => [] | |
} | |
if [SourceModuleType] == "im_msvistalog" { | |
mutate { | |
rename => ["Message","message"] | |
} | |
mutate { | |
rename => ["IpPort","s_port"] | |
} | |
} | |
grok { | |
match => [ "message", "Connect_new"] | |
add_tag => "drop" | |
tag_on_failure => [] | |
} | |
if "IIS" in [tags] { | |
grok { | |
match => [ "message", "%{DATA:date2}\t%{DATA:logsource2}\ttimezone:%{DATA:timezone2}\t%{DATA:src}[ ]%{DATA:method}[ ]%{DATA:uri_steam}[ ]%{DATA:uri_query}[ ]%{DATA:s_port}[ ]%{DATA:username}[ ]%{IPV4:dst}[ ]%{DATA:user_agent}[ ]%{DATA:referer}[ ]%{DATA:status}[ ]%{DATA:substatus}[ ]%{DATA:win32_status}[ ]%{DATA:snd_bytes}[ ]%{DATA:rcv_bytes}\n.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "message", "(IISServer\t::1[ ]|IISServer\t)%{DATA:method}[ ]%{DATA:request}[ ]%{DATA:query}[ ]%{DATA:s_port}[ ]%{DATA:SubjectUserName}[ ]%{DATA:src}[ ]%{DATA:user_agent}[ ]%{DATA:referer}[ ]%{DATA:server_name}[ ]%{DATA:status}[ ]%{DATA:substatus}[ ]%{DATA:win32Status}[ ]%{DATA:snd_bytes}[ ]%{DATA:rcv_bytes}[ ]%{DATA:takentime}$" ] | |
tag_on_failure => [] | |
} | |
mutate { | |
add_tag => ["webserver"] | |
} | |
if [status] == "200" { | |
mutate { | |
add_field => { "status_description" => "OK (200)" } | |
} | |
} | |
if [status] == "201" { | |
mutate { | |
add_field => { "status_description" => "Request successfully created (201)" } | |
} | |
} | |
if [status] == "204" { | |
mutate { | |
add_field => { "status_description" => "No Content in Response (204)" } | |
} | |
} | |
if [status] == "206" { | |
mutate { | |
add_field => { "status_description" => "Partial Content sent (206)" } | |
} | |
} | |
if [status] == "301" { | |
mutate { | |
add_field => { "status_description" => "Moved Permanently (301)" } | |
} | |
} | |
if [status] == "302" { | |
mutate { | |
add_field => { "status_description" => "Found in Location Header Field (302)" } | |
} | |
} | |
if [status] == "304" { | |
mutate { | |
add_field => { "status_description" => "Resource not Modified (304)" } | |
} | |
} | |
if [status] == "400" { | |
mutate { | |
add_field => { "status_description" => "Bad Request (400)" } | |
} | |
} | |
if [status] == "401" { | |
mutate { | |
add_field => { "status_description" => "Unauthorized Request (401)" } | |
} | |
} | |
if [status] == "403" { | |
mutate { | |
add_field => { "status_description" => "Forbidden Request (403)" } | |
} | |
} | |
if [status] == "404" { | |
mutate { | |
add_field => { "status_description" => "Ressource not found (404)" } | |
} | |
} | |
if [status] == "405" { | |
mutate { | |
add_field => { "status_description" => "Method not allowed (405)" } | |
} | |
} | |
if [status] == "408" { | |
mutate { | |
add_field => { "status_description" => "Request Timeout (408)" } | |
} | |
} | |
if [status] == "409" { | |
mutate { | |
add_field => { "status_description" => "Conflict (409)" } | |
} | |
} | |
if [status] == "500" { | |
mutate { | |
add_field => { "status_description" => "Internal Server Error (500)" } | |
} | |
} | |
if [status] == "502" { | |
mutate { | |
add_field => { "status_description" => "Bad Gateway (502)" } | |
} | |
} | |
if [status] == "503" { | |
mutate { | |
add_field => { "status_description" => "Service Unavailable (503)" } | |
} | |
} | |
if [src] == "cs-" { | |
drop { | |
} | |
} | |
useragent { | |
source => "user_agent" | |
target => "useragent" | |
} | |
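# Resolve private-range client addresses in [src] to host names. Enclosing
# scope: the `if "IIS" in [tags]` block, which starts before this span.
# Flow: reverse DNS first, then a NetBIOS lookup as fallback, then one more
# identical round when [src] ended up as "unknown".
if [src] =~ /(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)/ {
  # NOTE(review): "%a" is presumably an unexpanded placeholder emitted by the
  # log producer that must not be looked up — confirm against the source.
  if [src] != "%a" {
    # Reverse DNS (PTR) lookup. Any failure leaves [src] as 'unknown'.
    # This is a synchronous lookup per event, so resolver latency stalls the
    # pipeline worker; the IP itself is not preserved once it is replaced.
    ruby {
      code => "
        require 'resolv'
        ip = event['src']
        begin
          event['src'] = Resolv.getname(ip)
        rescue StandardError
          event['src'] = 'unknown'
        end
      "
      #add_tag => ["netbios"]
    }
    # NOTE(review): Logstash conditionals do not expand %{...} references, so
    # this compares [src] with the literal text "%{srcreplace}"; as written the
    # NetBIOS branch below looks unreachable — confirm the intended trigger.
    if [src] == "%{srcreplace}" {
      mutate {
        remove_field => ["src"]
        remove_tag => ["netbios"]
      }
      # NetBIOS name lookup. nmblookup is spawned with an argument vector
      # instead of a shell command line, so nothing in [src] (which comes from
      # a grok on an unauthenticated event) can be interpreted as shell syntax.
      # The 0.1s budget of the original command is kept via Timeout.
      ruby {
        code => "
          require 'timeout'
          ip = event['src'].to_s
          begin
            output = ''
            IO.popen(['nmblookup', '-A', ip]) do |io|
              begin
                Timeout.timeout(0.1) { output = io.read }
              rescue Timeout::Error
                begin
                  Process.kill('KILL', io.pid)
                rescue Errno::ESRCH
                end
              end
            end
            event['name'] = output
          rescue StandardError
            event['name'] = 'unknown'
          end
        "
      }
    }
    # Extract the active NetBIOS name from the nmblookup output.
    grok {
      match => ["name", "<ACTIVE> \n\t%{DATA:src} .*$"]
      add_tag => "netbios"
      tag_on_failure => []
    }
    # Names from other domains: the original line read `DOMAINT"` (missing
    # opening quote), which does not parse; aligned with the sibling branches.
    if [src] == "DOMAIN" or [src] == "DOMAIN2" {
      mutate {
        remove_field => ["src"]
      }
      grok {
        match => [ "name", "\n\t%{DATA:src} .*$" ]
        add_tag => "netbios"
        tag_on_failure => []
      }
    }
    if [src] == "DOMAIN" or [src] == "DOMAIN2" {
      mutate {
        remove_field => ["src"]
      }
      grok {
        match => [ "name", "1c> - <GROUP> [B|M] <ACTIVE> \n\t%{DATA:src} .*$" ]
        add_tag => "netbios"
        tag_on_failure => []
      }
    }
    # Lower-case resolved NetBIOS names.
    if "netbios" in [tags] {
      mutate {
        lowercase => [ "src" ]
      }
    }
    #if "netbios" not in [tags] {
    #mutate {
    # add_field => {"src" => "unknown" }
    #}
    #}
    # NOTE(review): presumably "set src when the field is absent" — confirm
    # that an absent field is what makes `!~ ".*"` true here.
    if [src] !~ ".*" {
      mutate {
        add_field => {"src" => "unknown" }
      }
    }
  }
  # Second resolution attempt.
  # NOTE(review): at this point [src] holds the literal 'unknown' (the first
  # ruby block replaced the address), so Resolv.getname('unknown') always
  # fails and this round cannot resolve anything — confirm whether the
  # original address should be kept in a separate field for this retry.
  if [src] == "unknown" {
    # Resolve via DNS PTR record.
    ruby {
      code => "
        require 'resolv'
        ip = event['src']
        begin
          event['src'] = Resolv.getname(ip)
        rescue StandardError
          event['src'] = 'unknown'
        end
      "
      #add_tag => ["netbios"]
    }
    # Same literal comparison as above; see the note on the first attempt.
    if [src] == "%{srcreplace}" {
      mutate {
        remove_field => ["src"]
        remove_tag => ["netbios"]
      }
      # Resolve via NetBIOS (argument-vector spawn, 0.2s budget as before).
      ruby {
        code => "
          require 'timeout'
          ip = event['src'].to_s
          begin
            output = ''
            IO.popen(['nmblookup', '-A', ip]) do |io|
              begin
                Timeout.timeout(0.2) { output = io.read }
              rescue Timeout::Error
                begin
                  Process.kill('KILL', io.pid)
                rescue Errno::ESRCH
                end
              end
            end
            event['name'] = output
          rescue StandardError
            event['name'] = 'unknown'
          end
        "
      }
    }
    # Extract the actual name. tag_on_failure is [] like every other grok in
    # this block; the original "" would add an empty-string tag on failure.
    grok {
      match => ["name", "<ACTIVE> \n\t%{DATA:src} .*$"]
      add_tag => "netbios"
      tag_on_failure => []
    }
    # Cover names that come from other domains.
    if [src] == "DOMAIN" or [src] == "DOMAIN2" {
      mutate {
        remove_field => ["src"]
      }
      grok {
        match => [ "name", "\n\t%{DATA:src} .*$" ]
        add_tag => "netbios"
        tag_on_failure => []
      }
    }
    if [src] == "DOMAIN" or [src] == "DOMAIN2" {
      mutate {
        remove_field => ["src"]
      }
      grok {
        match => [ "name", "1c> - <GROUP> [B|M] <ACTIVE> \n\t%{DATA:src} .*$" ]
        add_tag => "netbios"
        tag_on_failure => []
      }
    }
    # Lower-case the name.
    if "netbios" in [tags] {
      mutate {
        lowercase => [ "src" ]
      }
    }
    if [src] !~ ".*" {
      mutate {
        add_field => {"src" => "unknown" }
      }
    }
  }
  # End of second attempt.
}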
} | |
if [Channel] == "Cyberarms" { | |
mutate { | |
add_tag => "cyberarms" | |
} | |
grok { | |
match => ["message", "\n%{DATA:action}:[ ].*address[ ]%{DATA:src}[ ]ex.*$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [Channel] == "Microsoft-Windows-DNSServer/Audit" { | |
mutate { | |
add_tag => "dnsaudit" | |
} | |
mutate { | |
rename => ["Source","src"] | |
rename => ["RDATA","rdata"] | |
rename => ["NAME","name"] | |
rename => ["TTL","ttl"] | |
} | |
grok { | |
match => ["message", "type %{DATA:typ}, name" ] | |
} | |
} | |
if "dns" in [tags] { | |
grok { | |
match => ["message", "timezone%{DATA:dsf}\t%{DATA:dsf}[ ]%{BASE16NUM:thread}[ ]%{WORD:context}[ ]{1,9}%{BASE16NUM:indentifier}[ ]%{WORD:prot}[ ]%{WORD:direction}[ ]%{IPV4:src}[ ]{1,10}%{BASE16NUM:hex}([ ]{1,9}|[ ]%{NOTSPACE:query})[ ]%{NOTSPACE:opcode}[ ]\[%{BASE16NUM:hexflags}([ ]{1,10}|[ ]{2,9}%{WORD:charcodes}[ ]{2,9}|[ ]%{WORD:charcodes}[ ]%{WORD:charcodes}[ ]{1,4})%{WORD:ResponseCode}\][ ]%{WORD:questiontype}[ ]{1,15}%{GREEDYDATA:questionname}$"] | |
tag_on_failure => [] | |
} | |
if [src] { | |
} | |
else { | |
grok { | |
match => ["message", "timezone%{DATA:dsf}\t%{DATA:dsf}[ ]%{DATA:dsf}[ ]%{BASE16NUM:thread}[ ]%{WORD:context}[ ]{1,9}%{BASE16NUM:indentifier}[ ]%{WORD:prot}[ ]%{WORD:direction}[ ]%{IPV4:src}[ ]{1,10}%{BASE16NUM:hex}([ ]{1,9}|[ ]%{NOTSPACE:query})[ ]%{NOTSPACE:opcode}[ ]\[%{BASE16NUM:hexflags}([ ]{1,10}|[ ]{2,9}%{WORD:charcodes}[ ]{2,9}|[ ]%{WORD:charcodes}[ ]%{WORD:charcodes}[ ]{1,4})%{WORD:ResponseCode}\][ ]%{WORD:questiontype}[ ]{1,15}%{GREEDYDATA:questionname}$"] | |
tag_on_failure => [] | |
} | |
} | |
mutate { | |
gsub => [ "questionname", "(?m)\([0-9]{1,3}\)", "." ] | |
} | |
grok { | |
match => [ "questionname", "(\.%{IPV4:TLD}\.|.*\.%{DATA:website}\.%{DATA:TLD}\.$)" ] | |
tag_on_failure => [] | |
} | |
if [website] == "co" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.co.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "com" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.com.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "live" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.live.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "int" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.domain2%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "qq" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.qq.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "gov" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.gov.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "net" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.net.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "org" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.org.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "co" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.(CO|co).%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [website] == "ac" { | |
mutate { | |
remove_field => ["website"] | |
} | |
grok { | |
match => ["questionname" , ".*\.%{DATA:website}.ac.%{DATA:TLD}.$" ] | |
tag_on_failure => [] | |
} | |
} | |
} | |
# EventCode 299 Start | |
if [EventCode] == 299 { | |
grok { | |
match => ["message" , "Instance[ ]ID:[ ]%{DATA:InstanceID}[ ]\r.*$"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message" , "Relying party:[ ]%{GREEDYDATA:RelyingParty}"] | |
tag_on_failure => [] | |
} | |
} | |
# EventCode 299 Ende | |
# EventCoe 364 Start | |
if [EventCode] == 364 { | |
grok { | |
match => ["message" , "Party: \r\n%{DATA:website}[ ]\r.*$"] | |
tag_on_failure => [] | |
} | |
# grok { | |
# match => ["message", "timezone:%{DATA:timezone}\n.*$" ] | |
#} | |
grok { | |
match => ["message", "\n%{DATA:FailureReason} \r.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "domain\\%{DATA:TargetUserName}-.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "MSIS%{DATA:msis}:.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "\\[A-z]{1,20}-%{DATA:ErrorMessage}[ ]{0,15}--->.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["TargetUserName", "has expired" ] | |
add_tag => "bad" | |
} | |
if "bad" in [tags] { | |
mutate { | |
remove_field => ["TargetUserName"] | |
} | |
grok { | |
match => ["message", "domain\\%{DATA:TargetUserName} .*$"] | |
} | |
} | |
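# Extract the MSIS error text for the listed error numbers.
# The original condition was `[msis] == "7042" or "7055" or "3173" or "7065"`:
# Logstash evaluates a bare literal as an always-true operand, so the grok ran
# for every EventCode 364 event. Each value is now compared explicitly.
if [msis] == "7042" or [msis] == "7055" or [msis] == "3173" or [msis] == "7065" {
  grok {
    match => ["message", "MSIS[0-9]{4}.[ ]%{DATA:ErrorMessage}\..*$"]
    tag_on_failure => []
  }
}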
} | |
# EventCode 364 Ende | |
# EventCode 500 Start | |
if [EventCode] == 500 { | |
grok { | |
match => ["message", "Instance[ ]ID:[ ]{1,3}\r\n%{DATA:InstanceID}[ ]\r"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "nameidentifier[ ]\r\n%{DATA:email}[ ]\r\n"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "windowsaccountname[ ]\r\nDOMAIN\\%{DATA:user}[ ].*$"] | |
tag_on_failure => [] | |
} | |
#grok { | |
# match => ["message", "implicitupn[ ]\r\n%{DATA:user}@domain[ ]\r\n"] | |
# tag_on_failure => [] | |
#} | |
grok { | |
match => ["message", "groupsid[ ]\r\n%{DATA:groupsid}[ ]\r\n"] | |
tag_on_failure => [] | |
} | |
} | |
if [EventCode] == 501 { | |
grok { | |
match => ["message", "Instance[ ]ID:[ ]{1,3}\r\n%{DATA:InstanceID}[ ]\r"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "implicitupn[ ]\r\n%{DATA:user}@domain[ ]\r\n"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "groupsid[ ]\r\n%{DATA:groupsid}[ ]\r\n"] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "(forwarded-client-ip[ ]\r\n%{DATA:src}\"$|forwarded-client-ip[ ]\r\n%{DATA:src}[ ]\r\n)"] | |
tag_on_failure => [] | |
} | |
#grok { | |
# match => ["message", "client-user-agent[ ]\r\n%{DATA:useragent}[ ]\r\n"] | |
# tag_on_failure => [] | |
#} | |
} | |
#EventCode 500 Ende | |
#EventCode 1033 Start | |
if [EventCode] == 1033 { | |
grok { | |
match => ["message","Product Name: %{DATA:ProductName}. Product Version.*$"] | |
tag_on_failure => [] | |
} | |
} | |
#EventCode 1102 Start | |
if [EventCode] == 1102 { | |
if "AD FS Auditing" not in [SourceName] { | |
grok { | |
match => ["logsource", "%{DATA:zabbix}.domain.*$"] | |
tag_on_failure => [] | |
} | |
mutate { | |
replace => { "zabbix" => "domain__%{zabbix}" } | |
add_field => { "Zabbixkey" => "ITEM5" } | |
add_field => { "Zabbixvalue" => "1" } | |
} | |
} | |
} | |
#EventCode 1102 Ende | |
#ErrorCode_description anfang | |
if [EventCode] == 4776 or [EventCode] == 4625 { | |
if [ErrorCode] == "0xc000005e" { | |
mutate { | |
add_field => { "ErrorCode_description" => "No_LogonServers_Available" } | |
} | |
} | |
if [ErrorCode] == "0xc000006a" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Wrong_PW" } | |
} | |
} | |
if [ErrorCode] == "0xc000006d" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Bad_Acc_or_PW" } | |
} | |
} | |
if [EventCode] == 4625 { | |
if [ErrorCode] == "0xc000006e" { | |
mutate { | |
add_field => { "ErrorCode_description" => "UnknownAcc_or_BadPW" } | |
} | |
} | |
} | |
if [EventCode] == 4776 { | |
if [ErrorCode] == "0xc000006e" { | |
mutate { | |
add_field => { "ErrorCode_description" => "LogonAttempt_outside_GrantedLogonHours" } | |
} | |
} | |
} | |
if [EventCode] == 4625 { | |
if [ErrorCode] == "0xC000018b" { | |
mutate { | |
add_field => { "ErrorCode_description" => "NO_TRUST_SAM_ACCOUNT" } | |
} | |
} | |
} | |
if [ErrorCode] == "0xc0000022" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Access_Denied" } | |
} | |
} | |
if [ErrorCode] == "0xc0000064" { | |
mutate { | |
add_field => { "ErrorCode_description" => "NonExistent_Acc" } | |
} | |
} | |
if [ErrorCode] == "0xc0000071" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Expired_PW" } | |
} | |
} | |
if [ErrorCode] == "0xc0000072" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Disabled_Acc" } | |
} | |
} | |
if [ErrorCode] == "0xc00000dc" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Invalid_ServerState" } | |
} | |
} | |
if [ErrorCode] == "0xc00000fe" { | |
mutate { | |
add_field => { "ErrorCode_description" => "AuthPackage_unkown" } | |
} | |
} | |
if [ErrorCode] == "0xc0000133" { | |
mutate { | |
add_field => { "ErrorCode_description" => "ClientTime_OutOfSync" } | |
} | |
} | |
if [ErrorCode] == "0xc0000193" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Expired_Acc" } | |
} | |
} | |
if [ErrorCode] == "0xc000015b" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Logon_not_Granted" } | |
} | |
} | |
if [ErrorCode] == "0xc0000224" { | |
mutate { | |
add_field => { "ErrorCode_description" => "PWChange_at_next_Logon" } | |
} | |
} | |
if [ErrorCode] == "0xc0000234" { | |
mutate { | |
add_field => { "ErrorCode_description" => "LockedOut_Acc" } | |
} | |
} | |
if [ErrorCode] == "0xc00002ee" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Cancelled_Request" } | |
} | |
} | |
if [ErrorCode] == "0xc0000371" { | |
mutate { | |
add_field => { "ErrorCode_description" => "RODC_NotCached" } | |
} | |
} | |
if [ErrorCode_description] { | |
} | |
else { | |
if [ErrorCode] { | |
mutate { | |
add_field => { "ErrorCode_description" => "-" } | |
} | |
} | |
} | |
} | |
if [EventCode] == 4768 or [EventCode] == 4771 { | |
if [ErrorCode] == "0x6" { | |
mutate { | |
add_field => { "ErrorCode_description" => "NotInKrbDB(TypoInUserName/?)" } | |
} | |
} | |
if [ErrorCode] == "0x12" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Revoked(Acc_Lockout/Disabled/?)" } | |
} | |
} | |
if [ErrorCode] == "0x17" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Expired_PW" } | |
} | |
} | |
if [ErrorCode] == "0x18" { | |
mutate { | |
add_field => { "ErrorCode_description" => "Wrong_PW" } | |
} | |
} | |
if [ErrorCode] == "0x1d" { | |
mutate { | |
add_field => { "ErrorCode_description" => "KDC-SVC_Unavailable" } | |
} | |
} | |
if [ErrorCode] == "0x25" { | |
mutate { | |
add_field => { "ErrorCode_description" => "ClientTime_OutOfSync" } | |
} | |
} | |
if [ErrorCode_description] { | |
} | |
else { | |
if [ErrorCode] { | |
mutate { | |
add_field => { "ErrorCode_description" => "-" } | |
} | |
} | |
} | |
} | |
#ErrorCode Ende | |
#LogonType description anfang | |
if [EventCode] == 4624 or [EventCode] == 4625 or [EventCode] == 4634 { | |
if [LogonType] == "2" { | |
mutate { | |
add_field => { "LogonType_description" => "Console" } | |
} | |
} | |
if [LogonType] == "3" { | |
mutate { | |
add_field => { "LogonType_description" => "Network" } | |
} | |
} | |
if [LogonType] == "4" { | |
mutate { | |
add_field => { "LogonType_description" => "Batch" } | |
} | |
} | |
if [LogonType] == "5" { | |
mutate { | |
add_field => { "LogonType_description" => "Service" } | |
} | |
} | |
if [LogonType] == "7" { | |
mutate { | |
add_field => { "LogonType_description" => "UnlockWorkstation" } | |
} | |
} | |
if [LogonType] == "8" { | |
mutate { | |
add_field => { "LogonType_description" => "NetworkClearText" } | |
} | |
} | |
if [LogonType] == "9" { | |
mutate { | |
add_field => { "LogonType_description" => "NewCredentials" } | |
} | |
} | |
if [LogonType] == "10" { | |
mutate { | |
add_field => { "LogonType_description" => "Remote(RDS/TS)" } | |
} | |
} | |
if [LogonType] == "11" { | |
mutate { | |
add_field => { "LogonType_description" => "CachedCredentials" } | |
} | |
} | |
if [LogonType_description] { | |
} | |
else { | |
if [LogonType] { | |
mutate { | |
add_field => { "LogonType_description" => "-" } | |
} | |
} | |
} | |
} | |
#LogonType description ende | |
#EventCode 4656 Start | |
if [EventCode] == 4656 { | |
grok { | |
match => [ "message", "Access Reasons:%{DATA:Accesses}Access.*$" ] | |
} | |
mutate { | |
gsub => [ "Accesses", "\\t\\t", "\\t" ] | |
} | |
} | |
#EventCode 4663 Start | |
if [EventCode] == 4663 { | |
grok { | |
match => [ "ObjectName", "\\%{DATA:path1}\\(%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}\\%{DATA:path8}\\%{DATA:path9}\\%{DATA:path10}\\%{DATA:path11}\\%{DATA:path12}\\%{DATA:path13}\\%{DATA:path14}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}\\%{DATA:path8}\\%{DATA:path9}\\%{DATA:path10}\\%{DATA:path11}\\%{DATA:path12}\\%{DATA:path13}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}\\%{DATA:path8}\\%{DATA:path9}\\%{DATA:path10}\\%{DATA:path11}\\%{DATA:path12}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}\\%{DATA:path8}\\%{DATA:path9}\\%{DATA:path10}\\%{DATA:path11}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}\\%{DATA:path8}\\%{DATA:path9}\\%{DATA:path10}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}\\%{DATA:path8}\\%{DATA:path9}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}\\%{DATA:path8}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}\\%{DATA:path7}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}\\%{DATA:path6}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}\\%{DATA:path5}$|%{DATA:path2}\\%{DATA:path3}\\%{DATA:path4}$|%{DATA:path2}\\%{DATA:path3}$|%{DATA:path2}$|$)" ] | |
tag_on_failure => [] | |
} | |
mutate { | |
convert => { "path14" => "string" } | |
} | |
mutate { | |
convert => { "path13" => "string" } | |
} | |
mutate { | |
convert => { "path12" => "string" } | |
} | |
mutate { | |
convert => { "path11" => "string" } | |
} | |
grok { | |
match => [ "logsource", "srvar0033.*" ] | |
match => [ "logsource", "SRVAR0033.*" ] | |
match => [ "logsource", "srvar0032.*" ] | |
match => [ "logsource", "SRVAR0032.*" ] | |
add_tag => "prm" | |
tag_on_failure => [] | |
} | |
if [AccessMask] == "0x1" { | |
mutate { | |
add_field => { "AccessMask_description" => "ReadFile/ListDir" } | |
} | |
} | |
if [AccessMask] == "0x2" { | |
mutate { | |
add_field => { "AccessMask_description" => "WriteFile/AddFile" } | |
} | |
} | |
if [AccessMask] == "0x4" { | |
mutate { | |
add_field => { "AccessMask_description" => "AppendData/CreateDir" } | |
} | |
} | |
if [AccessMask] == "0x8" { | |
mutate { | |
add_field => { "AccessMask_description" => "ReadExtendedAttrib" } | |
} | |
} | |
if [AccessMask] == "0x10" { | |
mutate { | |
add_field => { "AccessMask_description" => "WriteExtendedAttrib" } | |
} | |
} | |
if [AccessMask] == "0x20" { | |
mutate { | |
add_field => { "AccessMask_description" => "ExecuteFile/OpenDir" } | |
} | |
} | |
if [AccessMask] == "0x40" { | |
mutate { | |
add_field => { "AccessMask_description" => "Delete" } | |
} | |
} | |
if [AccessMask] == "0x80" { | |
mutate { | |
add_field => { "AccessMask_description" => "ReadFileAttrib" } | |
} | |
} | |
if [AccessMask] == "0x100" { | |
mutate { | |
add_field => { "AccessMask_description" => "WriteFileAttrib" } | |
} | |
} | |
if [AccessMask] == "0x10000" { | |
mutate { | |
add_field => { "AccessMask_description" => "GrantDeletion" } | |
} | |
} | |
if [AccessMask] == "0x20000" { | |
mutate { | |
add_field => { "AccessMask_description" => "GrantSecDescrRead" } | |
} | |
} | |
if [AccessMask] == "0x40000" { | |
mutate { | |
add_field => { "AccessMask_description" => "GrantDACLWrite" } | |
} | |
} | |
if [AccessMask] == "0x80000" { | |
mutate { | |
add_field => { "AccessMask_description" => "GrantOwnerChange" } | |
} | |
} | |
if [AccessMask] == "0x100000" { | |
mutate { | |
add_field => { "AccessMask_description" => "GrantSynchronisation" } | |
} | |
} | |
} | |
#EventCode 4663 Ende | |
#EventCode 4698 Start | |
if [EventCode] == 4698 { | |
grok { | |
match => ["logsource", "%{DATA:zabbix}.domain.*$"] | |
tag_on_failure => [] | |
} | |
mutate { | |
replace => { "zabbix" => "domain__%{zabbix}" } | |
add_field => { "Zabbixkey" => "ITem" } | |
add_field => { "Zabbixvalue" => "1" } | |
} | |
} | |
#EventCode 4688 | |
if [EventCode] == 4688 { | |
grok { | |
match => ["NewProcessName", ".*\\%{DATA:program}$" ] | |
tag_on_failure => [] | |
} | |
} | |
#EventCode 4688 | |
#EventCode 4698 | |
if [EventCode] == 4698 { | |
grok { | |
match => ["message", "<Command>%{DATA:command}</Command>.*$" ] | |
tag_on_failure => [] | |
} | |
grok { | |
match => ["message", "<Arguments>%{DATA:arguments}</Arguments>.*$" ] | |
tag_on_failure => [] | |
} | |
} | |
#EventCode 4698 | |
#EventCode 4719 Start | |
if [EventCode] == 4719 { | |
grok { | |
match => ["logsource", "%{DATA:zabbix}.domain.*$"] | |
tag_on_failure => [] | |
} | |
mutate { | |
replace => { "zabbix" => "domain__%{zabbix}" } | |
add_field => { "Zabbixkey" => "ITEM2" } | |
add_field => { "Zabbixvalue" => "1" } | |
} | |
} | |
#EventCode 4719 Ende | |
#EventCode 4720 Start | |
if [EventCode] == 4720 { | |
grok { | |
match => [ "TargetUserName", "\$" ] | |
add_tag => "zabbix" | |
tag_on_failure => [] | |
} | |
if "zabbix" in [tags] { | |
grok { | |
match => ["logsource", "%{DATA:zabbix}.domain.*$"] | |
tag_on_failure => [] | |
} | |
mutate { | |
replace => { "zabbix" => "domain__%{zabbix}" } | |
add_field => { "Zabbixkey" => "ITEM3" } | |
add_field => { "Zabbixvalue" => "1" } | |
} | |
} | |
} | |
#EventCode 4720 Ende | |
#EventCode 4778 Start | |
if [EventCode] == 4778 { | |
mutate { | |
rename => { "AccountName" => "TargetUserName" } | |
rename => { "ClientAddress" => "IpAddress" } | |
} | |
} | |
#EventCode 4778 Ende | |
#EventCode 4781 | |
if [EventCode] == 4781 { | |
grok { | |
match => [ "NewTargetUserName", "\$" ] | |
add_tag => "zabbix" | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "OldTargetUserName", "\$" ] | |
add_tag => "zabbixold" | |
tag_on_failure => [] | |
} | |
if "zabbix" in [tags] and "zabbixold" not in [tags] { | |
grok { | |
match => ["logsource", "%{DATA:zabbix}.domain.*$"] | |
tag_on_failure => [] | |
} | |
mutate { | |
replace => { "zabbix" => "domain__%{zabbix}" } | |
add_field => { "Zabbixkey" => "Item4" } | |
add_field => { "Zabbixvalue" => "1" } | |
} | |
} | |
} | |
#EventCode 4781 Ende | |
#EventCode 5136 Start | |
if [EventCode] == 5136 { | |
grok { | |
match => ["message", "Operation:\r\n\tType:\t%{DATA:action}\r.*$"] | |
} | |
} | |
#EventCode 5136 Ende | |
# EventCode 5145 Start | |
if [EventCode] == 5145 { | |
grok { | |
match => ["message", "connect_new.bat"] | |
add_tag => "drop" | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "ShareName", "\\\\.*\\%{GREEDYDATA:Share}" ] | |
tag_on_failure => [] | |
} | |
mutate { | |
add_field => { "ShareFullPath" => "\\%{logsource}\%{Share}\%{RelativeTargetName}" } | |
} | |
grok { | |
match => [ "ShareLocalPath", "\\\?\?\\%{DATA:LocalPath}(\\)?$" ] | |
tag_on_failure => [] | |
} | |
mutate { | |
add_field => { "LocalFullPath" => "%{LocalPath}\%{RelativeTargetName}" } | |
} | |
} | |
# EventCode 5145 Ende | |
# EventCode 5140 Start | |
if [EventCode] == 5140 { | |
grok { | |
match => ["message", "connect_new.bat"] | |
add_tag => "drop" | |
tag_on_failure => [] | |
} | |
grok { | |
match => [ "ShareName", "\\\\.*\\%{GREEDYDATA:Share}" ] | |
tag_on_failure => [] | |
} | |
mutate { | |
add_field => { "ShareFullPath" => "\\%{logsource}\%{Share}" } | |
} | |
} | |
# EventCode 5140 Ende | |
# RDS Authentification Events Start | |
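# RDS authentication events: pull user name and client address out of the
# message text.
# The original condition was `[EventCode] == 200 or 300 or 302 or ...`; only
# the first value was compared and the remaining bare numbers are always-true
# operands, so this branch ran for every event. Each code is now compared.
if [EventCode] == 200 or [EventCode] == 300 or [EventCode] == 302 or [EventCode] == 303 or [EventCode] == 312 or [EventCode] == 313 {
  grok {
    match => ["message", "The user \"DOMAIN\\%{DATA:username}\".*$"]
    tag_on_failure => []
  }
  # [src] captured here feeds the geoip/classification branches further down.
  grok {
    match => ["message", "client computer \"%{DATA:src}(\:[0-9]{0,6}\"|\").*$"]
    tag_on_failure => []
  }
  #grok {
  # match => ["clientaddr", "%{DATA:temp}\:"]
  # tag_on_failure => []
  # }
  #mutate {
  # replace => ["clientaddr", "temp"]
  #}
}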
if [EventCode] == 18453 { | |
mutate { | |
rename => { "UserID" => "TargetUserName" } | |
} | |
} | |
if [EventCode] == 18454 { | |
grok { | |
match => ["message", "user \'%{DATA:TargetUserName}\'.*$" ] | |
tag_on_failure => [] | |
} | |
} | |
if [EventCode] == 18456 { | |
mutate { | |
rename => { "AccountName" => "TargetUserName" } | |
} | |
} | |
# domain ENDE: Weitere Windows IF - Abfragen | |
prune { | |
blacklist_names => [ "date2" , "logsource2" , "timezone2", "acc2", "dsf" ] | |
} | |
if [EventCode] != 4656 { | |
grok { | |
match => [ "message", "Accesses:%{DATA:Accesses}Access.*$" ] | |
tag_on_failure => [] | |
} | |
} | |
#WINEVENT ENDE | |
if [src] == "cs-uri-stem" { | |
mutate { | |
add_tag => "dropped" | |
} | |
} | |
if [src] { | |
if "double" not in [tags] { | |
mutate { | |
add_field => {"src_iptype" => "%{src}" } | |
} | |
grok { | |
match => ["src","%{DATA:src_classA}\..*$"] | |
} | |
grok { | |
match => ["src","%{DATA:src_classB}.[0-9]{1,3}.[0-9]{1,3}$"] | |
} | |
grok { | |
match => ["src","%{DATA:src_classC}.[0-9]{1,3}$"] | |
} | |
} | |
} | |
if [dst] { | |
if "double" not in [tags] { | |
mutate { | |
add_field => {"dst_iptype" => "%{dst}" } | |
} | |
grok { | |
match => ["dst","%{DATA:dst_classA}\..*$"] | |
} | |
grok { | |
match => ["dst","%{DATA:dst_classB}.[0-9]{1,3}.[0-9]{1,3}$"] | |
} | |
grok { | |
match => ["dst","%{DATA:dst_classC}.[0-9]{1,3}$"] | |
} | |
} | |
} | |
if [src] !~ /(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)/ { | |
geoip { | |
source => "src" | |
target => "geoip" | |
database => "/etc/logstash/GeoLiteCity.dat" | |
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] | |
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] | |
} | |
mutate { | |
convert => [ "[geoip][coordinates]", "float" ] | |
} | |
geoip { | |
source => "src" | |
target => "geoip" | |
database => "/etc/logstash/GeoIPASNum.dat" | |
} | |
} | |
if [timezone] == "-5" { | |
date { | |
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "America/Detroit" | |
} | |
date { | |
match => [ "date", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "America/Detroit" | |
} | |
} | |
if [timezone] == "+0" { | |
date { | |
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/London" | |
} | |
date { | |
match => [ "date", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/London" | |
} | |
} | |
if [timezone] == "+1" { | |
date { | |
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/Berlin" | |
} | |
date { | |
match => [ "date", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/Berlin" | |
} | |
} | |
if [timezone] == "+2" { | |
date { | |
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/Bucharest" | |
} | |
date { | |
match => [ "date", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/Bucharest" | |
} | |
} | |
if [timezone] == "+3" { | |
date { | |
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/Moscow" | |
} | |
date { | |
match => [ "date", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Europe/Moscow" | |
} | |
} | |
if [timezone] == "+4" { | |
date { | |
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Asia/Baku" | |
} | |
date { | |
match => [ "date", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Asia/Baku" | |
} | |
} | |
if [timezone] == "+8" { | |
date { | |
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Asia/Shanghai" | |
} | |
date { | |
match => [ "date", "YYYY-MM-dd HH:mm:ss" ] | |
timezone => "Asia/Shanghai" | |
} | |
} | |
mutate { | |
rename => [" attack","attack"] | |
} | |
if "_jsonparsefailure" in [tags] { | |
mutate { | |
remove_tag => ["_jsonparsefailure"] | |
} | |
} | |
ruby { | |
code => "event['unix'] = Time.now.to_i" | |
} | |
} | |
################################################################# | |
# Definieren der Ausgabe(Hier Local da Apache auf dem Server laeuft) | |
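output {
  # NOTE(review): plain HTTP to Elasticsearch with no ssl/user/password
  # options; the events carry Windows security audit data, so this link should
  # be TLS-protected and authenticated. The host value is a placeholder that
  # must be replaced before deployment.
  elasticsearch {
    hosts => "XX.xx.xx.xx:9200"
  }
  # Forward the Zabbix items prepared by the EventCode 1102/4698/4719/4720/4781
  # filter branches. Host, key and value are read from the named event fields.
  if [EventCode] == 4719 or [EventCode] == 1102 or [EventCode] == 4698 or [EventCode] == 4720 or [EventCode] == 4781 {
    zabbix {
      # The original "zabbix_server_" and "zabbix_" names are not options of
      # logstash-output-zabbix and Logstash rejects unknown plugin settings at
      # startup; zabbix_server_host / zabbix_host are the matching options.
      zabbix_server_host => "serverip"
      zabbix_host => "zabbix"
      zabbix_key => "Zabbixkey"
      zabbix_value => "Zabbixvalue"
    }
  }
}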