@gt2847c
Last active February 8, 2023 19:39
Elasticsearch Logstash Cisco Syslog
input {
  # Two listeners on one port: UDP is what IOS devices use by default, TCP for
  # devices configured to ship syslog over a stream. "10.x.x.x" is a placeholder
  # for the collector's listen address. Both inputs carry the same tag so the
  # filter stage does not need to know which transport a line arrived on.
  udp {
    port => 5144
    host => "10.x.x.x"
    tags => [ "network" ]
  }
  tcp {
    port => 5144
    host => "10.x.x.x"
    tags => [ "network" ]
  }
}
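filter {
  # Decode the syslog PRI header once, for every event. (The original ran
  # syslog_pri a second time inside the cisco branch; that pass was redundant.)
  syslog_pri {}

  # Classify the line. A Cisco IOS message carries a %FACILITY-SEVERITY-MNEMONIC:
  # marker. Everything else that reached the network inputs is tagged unknown_log
  # so it stays visible downstream; previously a line that arrived on the inputs
  # but did not look like IOS received neither tag.
  if "network" in [tags] and [message] =~ /%\S+-[0-9]-\S+:/ {
    mutate {
      add_tag   => [ "cisco" ]
      # Read by the elasticsearch output's index => setting.
      add_field => { "[@metadata][target_index]" => "cisco-ios" }
    }
  } else {
    mutate {
      add_tag => [ "unknown_log" ]
    }
  }

  if "cisco" in [tags] {
    # The sending address is the network device that produced the log, not a host
    # in the ECS host.* sense.
    mutate {
      rename => { "[host][ip]" => "[observer][ip]" }
    }

    # Two IOS layouts: with and without the device hostname before the timestamp.
    # CISCOFACILITY and CISCOMNEMONIC are custom patterns loaded from patterns_dir.
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => { "message" => [
        "%{POSINT:[cisco][sequence]}: %{SYSLOGTIMESTAMP:[cisco][timestamp]} %{WORD:tz}: %%{CISCOFACILITY:[cisco][facility]}-%{POSINT:[cisco][severity]}-%{CISCOMNEMONIC:[cisco][mnemonic]}: %{GREEDYDATA:[cisco][message]}",
        "%{POSINT:[cisco][sequence]}: %{DATA:[observer][hostname]}: %{SYSLOGTIMESTAMP:[cisco][timestamp]} %{WORD:tz}: %%{CISCOFACILITY:[cisco][facility]}-%{POSINT:[cisco][severity]}-%{CISCOMNEMONIC:[cisco][mnemonic]}: %{GREEDYDATA:[cisco][message]}"
      ] }
    }

    # IOS timestamps carry no year. The zone token grok captured as tz is handed
    # to the date filter via sprintf. NOTE(review): this only works for zone names
    # the date filter understands (e.g. UTC); if a device logs an abbreviation
    # that does not resolve, expect _dateparsefailure — confirm against your fleet.
    date {
      match => [ "[cisco][timestamp]",
        "MMM dd HH:mm:ss.SSS",
        "MMM dd HH:mm:ss",
        "MMM d HH:mm:ss.SSS",
        "MMM d HH:mm:ss"
      ]
      target   => "@timestamp"
      locale   => "en"
      timezone => "%{tz}"
    }

    # grok captures are strings; make the numeric fields numeric for aggregation.
    mutate {
      convert => {
        "[cisco][sequence]" => "integer"
        "[cisco][severity]" => "integer"
      }
    }

    # --- Authentication events -------------------------------------------------
    # NOTE(review): "localport" in these lines is the port on the device the
    # session landed on; ECS would hold that under [server][port]/[destination][port]
    # rather than [client][port]. Kept as-is because existing searches may use the
    # current field — confirm before renaming.
    if [cisco][mnemonic] =~ /LOGIN_FAILED/ {
      grok {
        match => {"[cisco][message]" => "Login failed \[user: %{DATA:[user][name]}\] \[Source: %{DATA:[client][ip]}\] \[localport: %{POSINT:[client][port]}\]%{GREEDYDATA:remainder}"}
      }
      mutate {
        remove_field => [ "remainder" ]
        convert      => { "[client][port]" => "integer" }
        add_field    => {
          "[event][category]" => "authentication"
          "[event][outcome]"  => "failure"
        }
      }
    }
    if [cisco][mnemonic] =~ /LOGIN_SUCCESS/ {
      grok {
        match => {"[cisco][message]" => "Login Success \[user: %{DATA:[user][name]}\] \[Source: %{DATA:[client][ip]}\] \[localport: %{POSINT:[client][port]}\]%{GREEDYDATA:remainder}"}
      }
      mutate {
        remove_field => [ "remainder" ]
        convert      => { "[client][port]" => "integer" }
        add_field    => {
          "[event][category]" => "authentication"
          "[event][outcome]"  => "success"
        }
      }
    }
    # Session end. Unlike the LOGIN_* branches this sets no event.category /
    # event.outcome; consider adding them if logouts should be searchable alongside
    # logins.
    if [cisco][mnemonic] =~ /LOGOUT/ {
      grok {
        match => {"[cisco][message]" => "User %{DATA:[user][name]} has exited tty session %{POSINT:[cisco][tty]}\(%{DATA:[client][ip]}\)"}
      }
    }

    # --- Configuration changes -------------------------------------------------
    # The command text moves to [cisco][command]; [cisco][message] is dropped here
    # even if grok failed, but in that case the final cleanup below keeps the raw
    # "message" because _grokparsefailure is set, so nothing is lost.
    if [cisco][mnemonic] =~ /CFGLOG_LOGGEDCMD/ {
      grok {
        match => {"[cisco][message]" => "User:%{DATA:[user][name]}\s+logged command:%{GREEDYDATA:[cisco][command]}"}
      }
      mutate {
        remove_field => [ "[cisco][message]" ]
        add_field    => {
          "[event][category]" => "configuration"
          "[event][outcome]"  => "success"
        }
      }
    }
    if [cisco][mnemonic] =~ /CONFIG_I/ {
      mutate {
        add_field => {
          "[event][category]" => "configuration"
          "[event][outcome]"  => "success"
        }
      }
    }

    # --- ACL hits ----------------------------------------------------------------
    # Matches the IPACCESSLOG* family. NOTE(review): the "P" variants append
    # "(port)" to each address; with this pattern the port would end up inside the
    # ip fields and geoip would then fail on them — confirm against a P-variant line.
    if [cisco][mnemonic] =~ /IPACCESSLOG/ {
      grok {
        match => {"[cisco][message]" => "list %{WORD:[cisco][acl]} %{WORD:[cisco][aclresult]} %{WORD:[network][transport]} %{DATA:[source][ip]} -> %{DATA:[destination][ip]}, %{POSINT:[network][packets]} %{GREEDYDATA}"
        }
      }
      # The NP variant prints the IP protocol *number* where the P variant prints
      # the protocol name (the sample document on this page shows "transport": "0"
      # for IPACCESSLOGNP). ECS keeps the number in network.iana_number and reserves
      # network.transport for the lowercase protocol name.
      if [network][transport] =~ /^[0-9]+$/ {
        mutate {
          rename => { "[network][transport]" => "[network][iana_number]" }
        }
      }
      # Enrichment is best-effort: private or unknown addresses only add the
      # failure tag, they do not drop the event.
      geoip {
        ecs_compatibility => "v8"
        source            => "[source][ip]"
        tag_on_failure    => ["_geoip_lookup_failure_src"]
      }
      mutate {
        convert => {
          "[network][packets]" => "integer"
        }
        # Non-ECS extras geoip leaves behind.
        remove_field => [
          "[source][mmdb]"
        ]
      }
    }

    # --- Cleanup -----------------------------------------------------------------
    # Only strip the raw line once it parsed; a failed parse keeps "message" so the
    # original evidence is still indexed. Dropping [event][original] on success is
    # a storage-versus-forensics trade-off: the raw line is then gone from the index.
    # "host" is already unused here because [host][ip] was renamed to [observer][ip].
    if ("_grokparsefailure" not in [tags]) and ("_dateparsefailure" not in [tags]) {
      mutate {
        remove_field => [
          "message",
          "tz",
          "@version",
          "[event][original]",
          "[cisco][timestamp]",
          "host"
        ]
      }
    }
    # NOTE(review): this removes the log.syslog.* fields syslog_pri produced, yet
    # the sample document on this page still contains them — the sample may predate
    # this line; confirm the removal is intended.
    mutate {
      remove_field => [ "log" ]
    }
  }
}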
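output {
  if "cisco" in [tags] {
    # Echoes every parsed event to Logstash's own stdout; useful while tuning grok,
    # but it doubles log volume on a busy collector — remove once the pipeline is trusted.
    stdout {}
    elasticsearch {
      hosts    => ["https://localhost:9200"]
      index    => "%{[@metadata][target_index]}"
      # Credentials are resolved from the Logstash keystore / environment with the
      # ${VAR} syntax rather than stored in this file, which is typically world-
      # readable and checked into gists like this one. ES_USER and ES_PASSWORD are
      # placeholder key names — use whatever names you stored.
      user     => "${ES_USER}"
      password => "${ES_PASSWORD}"
      # TLS to the cluster, pinned to the cluster's own CA.
      ssl      => true
      cacert   => "/etc/logstash/certs/http_ca.crt"
      # Data streams only accept create; the sample document's .ds-cisco-ios-* index
      # shows the target is one.
      action   => "create"
    }
  } else {
    # Anything the filter did not recognise as Cisco. Logstash does not rotate this
    # file — arrange rotation externally.
    file {
      path => "/var/log/ciscologunknowntype.log"
    }
  }
}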
{
"_index": ".ds-cisco-ios-2023.02.08-000001",
"_id": "REDACTED",
"_version": 1,
"_score": 0,
"_source": {
"event": {},
"tags": [
"network",
"cisco"
],
"observer": {
"ip": "REDACTED",
"hostname": "REDACTED"
},
"destination": {
"ip": "REDACTED"
},
"network": {
"transport": "0",
"packets": 1
},
"log": {
"syslog": {
"severity": {
"name": "notice",
"code": 5
},
"facility": {
"name": "user-level",
"code": 1
}
}
},
"@timestamp": "2023-02-08T19:27:55.000Z",
"cisco": {
"facility": "SEC",
"aclresult": "denied",
"mnemonic": "IPACCESSLOGNP",
"sequence": 813,
"message": "REDACTED",
"severity": 6,
"acl": "REDACTED"
},
"source": {
"ip": "REDACTED",
"geo": {
"region_name": "REDACTED",
"region_iso_code": "REDACTED",
"continent_code": "REDACTED",
"city_name": "REDACTED",
"country_iso_code": "REDACTED",
"location": {
"lon": 00.0000,
"lat": 00.0000
},
"country_name": "REDACTED",
"postal_code": "REDACTED",
"timezone": "REDACTED"
}
}
},
"fields": {
"source.geo.continent_code": [
"REDACTED"
],
"cisco.sequence": [
813
],
"tags.keyword": [
"network",
"cisco"
],
"source.geo.location": [
{
"coordinates": [
00.0000,
00.0000
],
"type": "Point"
}
],
"cisco.severity": [
6
],
"log.syslog.facility.name": [
"user-level"
],
"source.geo.region_name": [
"REDACTED"
],
"cisco.mnemonic": [
"IPACCESSLOGNP"
],
"source.geo.country_iso_code": [
"REDACTED"
],
"log.syslog.severity.name": [
"notice"
],
"source.ip": [
"REDACTED"
],
"cisco.message.text": [
"REDACTED"
],
"source.geo.region_iso_code": [
"REDACTED"
],
"source.geo.city_name": [
"REDACTED"
],
"cisco.aclresult": [
"denied"
],
"log.syslog.severity.code": [
5
],
"network.packets": [
1
],
"cisco.message": [
"REDACTED"
],
"observer.hostname": [
"REDACTED"
],
"destination.ip": [
"REDACTED"
],
"tags": [
"network",
"cisco"
],
"network.transport": [
"0"
],
"source.geo.postal_code": [
"REDACTED"
],
"@timestamp": [
"2023-02-08T19:27:55.000Z"
],
"cisco.acl": [
"REDACTED"
],
"source.geo.timezone": [
"REDACTED"
],
"log.syslog.facility.name.keyword": [
"user-level"
],
"cisco.facility": [
"SEC"
],
"source.geo.country_name": [
"REDACTED"
],
"log.syslog.severity.name.keyword": [
"notice"
],
"log.syslog.facility.code": [
1
],
"observer.ip": [
"REDACTED"
]
}
}
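# Custom grok patterns loaded by the pipeline's patterns_dir.
# Facility and mnemonic tokens are runs of upper-case letters, digits and
# underscores (e.g. SEC, IPACCESSLOGNP). A single character class matches the
# same non-empty strings as the original nested form ([A-Z0-9]*[_]{0,1}[A-Z0-9]*)+
# but cannot backtrack explosively when a line does not match — relevant because
# the UDP input accepts lines from any sender.
CISCOFACILITY [A-Z0-9_]+
CISCOMNEMONIC [A-Z0-9_]+
# Full IOS timestamp with optional year and a zone token. Not referenced by the
# pipeline above, which uses SYSLOGTIMESTAMP and captures the zone as tz.
CISCOTIMESTAMPTZ %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME} %{TZ}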