@inliniac
Created March 25, 2014 16:40
Logstash Suricata configs
{
  "network": {
    "servers": [ "x.x.x.x:5043" ],
    "ssl certificate": "./lumberjack.pub",
    "ssl key": "./lumberjack.key",
    "ssl ca": "./lumberjack.pub"
  },
  "files": [
    {
      "paths": [ "/var/log/suricata/eve.json" ],
      "fields": { "type": "suricata" }
    }
  ]
}

input {
  lumberjack {
    # The port to listen on
    port => 5043
    # The paths to your ssl cert and key
    ssl_certificate => "/etc/logstash/pki/lumberjack.pub"
    ssl_key => "/etc/logstash/pki/lumberjack.key"
    # eve.json is one JSON object per line, so decode each event as JSON
    codec => json
  }
}

# geoip part
filter {
  # Only enrich events that carry a source address (e.g. Suricata "stats" records have none)
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/etc/logstash/geoip/GeoLiteCity.dat"
      # Two add_field entries on the same key are merged into an array: [longitude, latitude]
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      # add_field produces strings; Kibana's map needs numeric coordinates
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

output {
  elasticsearch { embedded => true }
}
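As an added example (not part of the gist), the following Python script models what the Logstash pipeline above does to each eve.json line: decode it as JSON, tag it with the forwarder's `type`, and enrich it with a `geoip` hash carrying float `coordinates` only when `src_ip` is present and resolvable. The GeoIP database is replaced by a constructed lookup table (`GEOIP_STUB`, an assumption standing in for GeoLiteCity.dat), and the sample eve.json lines are constructed too; the function names are mine. It is useful for checking, before wiring up Elasticsearch, which Suricata record types will actually get coordinates and how a malformed line is handled.

```python
import json
from typing import Optional

# Constructed stand-in for the GeoLiteCity.dat lookup used by the Logstash geoip
# filter: documentation prefixes (TEST-NET) mapped to made-up (longitude, latitude).
GEOIP_STUB = {
    "203.0.113.": (-122.4194, 37.7749),
    "198.51.100.": (2.3522, 48.8566),
}

# Constructed sample eve.json lines: an alert, a stats record (no src_ip),
# a DNS record from a private address (no GeoIP hit), and a corrupt line.
SAMPLE_EVE = [
    '{"timestamp":"2014-03-25T16:40:00.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"10.0.0.5","alert":{"signature_id":1}}',
    '{"timestamp":"2014-03-25T16:40:01.000000+0000","event_type":"stats","stats":{"uptime":120}}',
    '{"timestamp":"2014-03-25T16:40:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53"}',
    'not json at all',
]


def geoip_lookup(ip: str) -> Optional[dict]:
    """Return a geoip hash as the filter would, or None when the address is
    not in the database (private ranges, unknown prefixes)."""
    for prefix, (lon, lat) in GEOIP_STUB.items():
        if ip.startswith(prefix):
            return {"longitude": lon, "latitude": lat}
    return None


def filter_event(event: dict) -> dict:
    """Mirror of the gist's filter block: if [src_ip] { geoip { ... } mutate { ... } }."""
    src_ip = event.get("src_ip")
    if not src_ip:
        # Records such as Suricata "stats" carry no src_ip and are left untouched
        return event
    geo = geoip_lookup(src_ip)
    if geo is None:
        # On a lookup miss the geoip filter adds no fields at all
        return event
    # The two add_field lines on the same key become a [longitude, latitude] array;
    # mutate/convert then makes both entries floats
    geo["coordinates"] = [float(geo["longitude"]), float(geo["latitude"])]
    event["geoip"] = geo
    return event


def process_eve_lines(lines) -> list:
    """Emulate the lumberjack input with codec => json: one event per line, and the
    forwarder's fields => {"type": "suricata"} attached to every event."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # Logstash keeps the raw line and tags it rather than dropping it
            event = {"message": line, "tags": ["_jsonparsefailure"]}
        event.setdefault("type", "suricata")
        events.append(filter_event(event))
    return events


if __name__ == "__main__":
    for ev in process_eve_lines(SAMPLE_EVE):
        print(ev.get("event_type", "?"), ev.get("geoip", {}).get("coordinates"), ev.get("tags"))
```

Run it as-is to see that only the alert from the public address gets coordinates, the stats and private-address records pass through unchanged, and the corrupt line is tagged `_jsonparsefailure` so it can be found in Kibana instead of silently disappearing.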
cerw commented Feb 13, 2015

How do I combine lumberjack to receive normal logs and also JSON? Thanks
