Skip to content

Instantly share code, notes, and snippets.

@joaociocca
Last active March 18, 2020 02:25
Show Gist options
  • Save joaociocca/d45c68af3e0f7cb78f0be3946a5f3d3e to your computer and use it in GitHub Desktop.
Save joaociocca/d45c68af3e0f7cb78f0be3946a5f3d3e to your computer and use it in GitHub Desktop.
Logstash dictionary for RRAS VPN logs
input {
elasticsearch {
hosts => ["<server>"]
index => "rras_vpn*"
query => '
{
"query":
{ "range" : {
"@timestamp" : {
"gte" : "2018-11-01", "lte" : "now"
}}},
"sort": [ "@timestamp" ]
}
'
docinfo => true
docinfo_fields => {
"_id" => "document_id"
"_index" => "document_index"
}
}
}
filter {
if ![CallingStationID] {
mutate {
gsub => [ "FQUser", "([\\])", "\1\1" ]
}
elasticsearch {
hosts => ["<server>"]
index => "%{[@metadata][document_index]}"
query_template => "config/reindex_lookup.json"
fields => {
"MSRASClientName" => "Source_MSRASClientName"
"FQUser" => "Source_FQUser"
"UserName" => "Source_UserName"
"TunnelClientEndpt" => "Source_TunnelClientEndpt"
"CallingStationID" => "Source_CallingStationID"
"[@metadata][_id]" => "Source_ID"
"message" => "Source_message"
}
}
mutate {
gsub => [ "FQUser", "[\\]([\\])", "\1" ]
}
ruby {
code => '
sourceUser = event.get("Source_UserName");
sourceFQ = event.get("Source_FQUser");
thisFQ = event.get("FQUser");
if thisFQ.nil?
if !sourceFQ.nil?
nome = sourceFQ.downcase;
elsif !sourceUser.nil?
nome = sourceUser.downcase;
end
else
nome = thisFQ.downcase;
end
event.set("LoginCredential", nome);
sourceCalling = event.get("Source_CallingStationID")
sourceEndpt = event.get("Source_TunnelClientEndpt")
if !sourceCalling.nil?
source = sourceCalling.to_s;
elsif !sourceEndpt.nil?
source = sourceEndpt.to_s;
end
event.set("SourceIP", source);
'
}
} else {
ruby {
code => '
thisFQ = event.get("FQUser");
thisUser = event.get("UserName");
if thisFQ.nil?
if !thisUser.nil?
nome = thisUser.downcase;
end
else
nome = thisFQ.downcase;
end
event.set("LoginCredential", nome);
event.set("SourceIP", event.get("CallingStationID"));
'
}
}
mutate {
convert => {
"@version" => "integer"
"AcctAuthentic" => "integer"
"AcctDelayTime" => "integer"
"AcctInputOctets" => "integer"
"AcctInputPackets" => "integer"
"AcctLinkCount" => "integer"
"AcctMultiSsnID" => "integer"
"AcctOutputOctets" => "integer"
"AcctOutputPackets" => "integer"
"AcctSessionID" => "integer"
"AcctSessionTime" => "integer"
"AcctStatusType" => "integer"
"AcctTerminateCause" => "integer"
"AuthenticationType" => "integer"
"EventTimestamp" => "integer"
"FramedProtocol" => "integer"
"IdleTimeout" => "integer"
"MSMPPEEncryptionTypes" => "integer"
"MSMPPEEncryptionPolicy" => "integer"
"MSRASVendor" => "integer"
"NASPort" => "integer"
"NASPortType" => "integer"
"PacketType" => "integer"
"ProviderType" => "integer"
"ReasonCode" => "integer"
"ServiceType" => "integer"
"TunnelMediumType" => "integer"
"TunnelType" => "integer"
}
}
ruby {
code => '
code = event.get("ReasonCode");
packet = event.get("PacketType");
acctype = event.get("AcctStatusType");
time = event.get("AcctSessionTime");
termCause = event.get("AcctTerminateCause");
if ! time.nil?
if time == 0
sessionTime = "Nao disponivel";
elsif time > 3600
sessionTime = (time / 60 / 60).to_s + " horas, " + (time / 60 % 60).to_s + " minutos e " + (time % 60).to_s + " segundos";
elsif time > 60
sessionTime = (time / 60 % 60).to_s + " minutos e " + (time % 60).to_s + " segundos";
else
sessionTime = time.to_s + " segundos";
end
end
case code
when 0
if packet == 1
connectionInfo = "Solicitação de Conexão";
else
if acctype == 1
connectionInfo = "Início de Conexão";
elsif acctype == 2
case termCause
when 1
termCauseDesc = "Solicitação do Usuário";
when 2
termCauseDesc = "Perda de Sinal";
when 3
termCauseDesc = "Perda de Serviço";
when 4
termCauseDesc = "Tempo Limite de Inatividade";
when 5
termCauseDesc = "Tempo Limite da Sessão";
when 6
termCauseDesc = "Reset Administrativo";
when 7
termCauseDesc = "Reboot Administrativo";
when 8
termCauseDesc = "Erro de Porta";
when 9
termCauseDesc = "Erro do NAS";
when 10
termCauseDesc = "Solicitação do NAS";
when 11
termCauseDesc = "Reboot do NAS";
when 12
termCauseDesc = "Porta Desnecessária";
when 13
termCauseDesc = "Porta Preemptada";
when 14
termCauseDesc = "Porta Suspensa";
when 15
termCauseDesc = "Serviço Indisponível";
when 16
termCauseDesc = "Chamada de Retorno";
when 17
termCauseDesc = "Erro do Usário";
when 18
termCauseDesc = "Solciitado pelo Host";
end
connectionInfo = "Fim da Conexão. Causa: " + termCauseDesc + " | Tempo de Sessão: " + sessionTime;
else
connectionInfo = "Início de Conexão com Sucesso";
end
end
when 1
connectionInfo = "REFUSED: INTERNAL_ERROR";
when 2
connectionInfo = "REFUSED: ACCESS_DENIED";
when 3
connectionInfo = "REFUSED: MALFORMED_REQUEST";
when 4
connectionInfo = "REFUSED: GLOBAL_CATALOG_UNAVAILABLE";
when 5
connectionInfo = "REFUSED: DOMAIN_UNAVAILABLE";
when 6
connectionInfo = "REFUSED: SERVER_UNAVAILABLE";
when 7
connectionInfo = "REFUSED: NO_SUCH_DOMAIN";
when 8
connectionInfo = "REFUSED: NO_SUCH_USER";
when 9
connectionInfo = "REFUSED: EXTENSION_DISCARD";
when 16
connectionInfo ="REFUSED: AUTH_FAILURE";
when 17
connectionInfo ="REFUSED: CHANGE_PASSWORD_FAILURE";
when 18
connectionInfo ="REFUSED: UNSUPPORTED_AUTH_TYPE";
when 19
connectionInfo ="REFUSED: NO_CLEARTEXT_PASSWORD";
when 20
connectionInfo ="REFUSED: LM_NOT_ALLOWED";
when 21
connectionInfo ="REFUSED: EXTENSION_REJECT";
when 22
connectionInfo ="REFUSED: EAP_NEGOTIATION_FAILED";
when 23
connectionInfo ="REFUSED: UNEXPECTED_EAP_ERROR";
when 32
connectionInfo ="REFUSED: LOCAL_USERS_ONLY";
when 33
connectionInfo ="REFUSED: PASSWORD_MUST_CHANGE";
when 34
connectionInfo ="REFUSED: ACCOUNT_DISABLED";
when 35
connectionInfo ="REFUSED: ACCOUNT_EXPIRED";
when 36
connectionInfo ="REFUSED: ACCOUNT_LOCKED_OUT";
when 37
connectionInfo ="REFUSED: INVALID_LOGON_HOURS";
when 38
connectionInfo ="REFUSED: ACCOUNT_RESTRICTION";
when 48
connectionInfo ="REFUSED: NO_POLICY_MATCH";
when 49
connectionInfo ="REFUSED: NO_CONNECTION_REQUEST_POLICY_MATCH";
when 64
connectionInfo ="REFUSED: DIALIN_LOCKED_OUT";
when 65
connectionInfo ="REFUSED: DIALIN_DISABLED";
when 66
connectionInfo ="REFUSED: INVALID_AUTH_TYPE";
when 67
connectionInfo ="REFUSED: INVALID_CALLING_STATION";
when 68
connectionInfo ="REFUSED: INVALID_DIALIN_HOURS";
when 69
connectionInfo ="REFUSED: INVALID_CALLED_STATION";
when 70
connectionInfo ="REFUSED: INVALID_PORT_TYPE";
when 71
connectionInfo ="REFUSED: DIALIN_RESTRICTION";
when 72
connectionInfo ="REFUSED: CPW_NOT_ALLOWED";
when 73
connectionInfo ="REFUSED: INVALID_CERT_EKU";
when 80
connectionInfo ="REFUSED: NO_RECORD";
when 96
connectionInfo ="REFUSED: SESSION_TIMEOUT";
when 97
connectionInfo ="REFUSED: UNEXPECTED_REQUEST";
when 112
connectionInfo = "REFUSED: PROXY_REJECT";
when 113
connectionInfo = "REFUSED: PROXY_UNKNOWN_GROUP";
when 114
connectionInfo = "REFUSED: PROXY_UNKNOWN_SERVER";
when 115
connectionInfo = "REFUSED: PROXY_PACKET_TOO_LONG";
when 116
connectionInfo = "REFUSED: PROXY_SEND_ERROR";
when 117
connectionInfo = "REFUSED: PROXY_TIMEOUT";
when 118
connectionInfo = "REFUSED: PROXY_MALFORMED_RESPONSE";
when 256
connectionInfo = "REFUSED: CRYPT_E_REVOKED";
when 257
connectionInfo = "REFUSED: CRYPT_E_NO_REVOCATION_DLL";
when 258
connectionInfo = "REFUSED: CRYPT_E_NO_REVOCATION_CHECK";
when 259
connectionInfo = "REFUSED: CRYPT_E_REVOCATION_OFFLINE";
when 260
connectionInfo = "REFUSED: SEC_E_MESSAGE_ALTERED";
when 261
connectionInfo = "REFUSED: SEC_E_NO_AUTHENTICATING_AUTHORITY";
when 262
connectionInfo = "REFUSED: SEC_E_INCOMPLETE_MESSAGE";
when 263
connectionInfo = "REFUSED: SEC_E_INCOMPLETE_CREDENTIALS";
when 264
connectionInfo = "REFUSED: SEC_E_TIME_SKEW";
when 265
connectionInfo = "REFUSED: SEC_E_UNTRUSTED_ROOT";
when 266
connectionInfo = "REFUSED: SEC_E_ILLEGAL_MESSAGE";
when 267
connectionInfo = "REFUSED: SEC_E_CERT_WRONG_USAGE";
when 268
connectionInfo = "REFUSED: SEC_E_CERT_EXPIRED";
when 269
connectionInfo = "REFUSED: SEC_E_ALGORITHM_MISMATCH";
when 270
connectionInfo = "REFUSED: SEC_E_SMARTCARD_LOGON_REQUIRED";
when 271
connectionInfo = "REFUSED: SEC_E_SHUTDOWN_IN_PROGRESS";
when 272
connectionInfo = "REFUSED: SEC_E_MULTIPLE_ACCOUNTS";
when 273
connectionInfo = "REFUSED: TRUST_E_PROVIDER_UNKNOWN";
when 274
connectionInfo = "REFUSED: TRUST_E_ACTION_UNKNOWN";
when 275
connectionInfo = "REFUSED: TRUST_E_SUBJECT_FORM_UNKNOWN";
when 276
connectionInfo = "REFUSED: TRUST_E_SUBJECT_NOT_TRUSTED";
when 277
connectionInfo = "REFUSED: TRUST_E_NOSIGNATURE";
when 278
connectionInfo = "REFUSED: CERT_E_EXPIRED";
when 279
connectionInfo = "REFUSED: CERT_E_VALIDITYPERIODNESTING";
when 280
connectionInfo = "REFUSED: CERT_E_ROLE";
when 281
connectionInfo = "REFUSED: CERT_E_PATHLENCONST";
when 282
connectionInfo = "REFUSED: CERT_E_CRITICAL";
when 283
connectionInfo = "REFUSED: CERT_E_PURPOSE";
when 284
connectionInfo = "REFUSED: CERT_E_ISSUERCHAINING";
when 285
connectionInfo = "REFUSED: CERT_E_MALFORMED";
when 286
connectionInfo = "REFUSED: CERT_E_UNTRUSTEDROOT";
when 287
connectionInfo = "REFUSED: CERT_E_CHAINING";
when 288
connectionInfo = "REFUSED: TRUST_E_FAIL";
when 289
connectionInfo = "REFUSED: CERT_E_REVOKED";
when 290
connectionInfo = "REFUSED: CERT_E_UNTRUSTEDTESTROOT";
when 291
connectionInfo = "REFUSED: CERT_E_REVOCATION_FAILURE";
when 292
connectionInfo = "REFUSED: CERT_E_CN_NO_MATCH";
when 293
connectionInfo = "REFUSED: CERT_E_WRONG_USAGE";
when 294
connectionInfo = "REFUSED: TRUST_E_EXPLICIT_DISTRUST";
when 295
connectionInfo = "REFUSED: CERT_E_UNTRUSTEDCA";
when 296
connectionInfo = "REFUSED: CERT_E_INVALID_POLICY";
when 297
connectionInfo = "REFUSED: CERT_E_INVALID_NAME";
when 298
connectionInfo = "REFUSED: SEC_E_PKINIT_NAME_MISMATCH";
when 299
connectionInfo = "REFUSED: SEC_E_OUT_OF_SEQUENCE";
when 300
connectionInfo = "REFUSED: SEC_E_NO_CREDENTIALS";
else
connectionInfo = code;
end
event.set("ConnectionInfo", connectionInfo);
'
}
fingerprint {
id => "Duplicate Protection"
source => "message"
target => "[@metadata][fingerprint]"
method => "MURMUR3"
remove_field => ["index"]
}
}
output {
elasticsearch {
hosts => ["<server>"]
index => "vpn_reindex-%{+YYYY.MM}"
document_id => "%{[@metadata][fingerprint]}"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment