
# Parses Bro/Zeek SSH log lines that arrive with type "logstash-bro" and logtype "brossh".
# Two grok passes: the first splits the common Bro header (timestamp, uid, src/dst 4-tuple)
# out of "message" and leaves the remainder in "bro_message"; the second applies the
# SSH-specific pattern to that remainder. Both load patterns from /etc/logstash/patterns.
filter {
if [type] == "logstash-bro" and [logtype] == "brossh" {
# LOG_HEADER (defined in the patterns dir) captures bro_ts, cuid, src_ip/src_port,
# dst_ip/dst_port and puts the rest of the line into bro_message.
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => { "message" => "%{LOG_HEADER}" }
}
# Only parse the SSH columns when the header grok actually produced a remainder. A header
# mismatch leaves bro_message unset and the event carries grok's default _grokparsefailure
# tag; monitor that tag so unparsed authentication events are not dropped silently.
if [bro_message] {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => { "bro_message" => "%{SSH}" }
# NOTE(review): the snippet is truncated here; the closing braces for grok, both ifs and filter are not shown.
### Bro
# Grok patterns for Bro/Zeek tab-separated logs. Columns are split on literal tabs, and each
# column is either a bare "-" (matched, nothing captured) or a typed capture into a named field.
# LOG_HEADER: the leading columns shared by the logs (timestamp, connection uid, src/dst
# IP and port). GREEDYDATA swallows everything after the sixth tab into bro_message so a
# log-specific pattern (e.g. CONN or HTTP below) can be applied in a second pass.
LOG_HEADER %{BASE16FLOAT:bro_ts}\t(-|%{DATA:cuid})\t(-|%{IP:src_ip})\t(-|%{IP:src_port})\t(-|%{IP:dst_ip})\t(-|%{INT:dst_port})\t%{GREEDYDATA:bro_message}
# CONN: the columns following the header (by field names this appears to be conn.log).
# tunnel_parents is GREEDYDATA, so it absorbs whatever follows the last listed tab,
# including any trailing columns not enumerated here — check field output if the log
# format gains columns.
CONN (-|%{DATA:proto})\t(-|%{DATA:service})\t(-|%{BASE16FLOAT:conn_duration})\t(-|%{INT:bytes_sent})\t(-|%{INT:bytes_received})\t(-|%{DATA:conn_state})\t(-|%{DATA:local_orig})\t(-|%{DATA:local_resp})\t(-|%{INT:missing_bytes})\t(-|%{DATA:conn_history})\t(-|%{INT:orig_pkts})\t(-|%{INT:orig_ip_bytes})\t(-|%{INT:resp_pkts})\t(-|%{INT:resp_ip_bytes})\t%{GREEDYDATA:tunnel_parents}
HTTP %{INT:transport_depth}\t(-|%{DATA:http_method})\t(-|%{DATA:domain})\t(-|%{DATA:http_uri})\t(-|%{DATA:referer})\t(-|%{DATA:http_version})\t(-|%{DATA:user_agent})\t(-|%{INT:bytes_sent})\t(-|%{INT:bytes_received})\t(-|%{INT:http_resp_code})\t(-|%{DATA:http_resp_msg})\t(-|%{INT:http_info_code})\t(-|%{DATA:http_info_msg})\t(-|%{DATA:http_tags})\t(-|%{DATA:username})\t(-|%{DATA:http_pwd})\t(-|%{DATA:http_proxied})\t(-|%{DATA:sent_fuids})\t(-|%{DATA:sent_file_name})\t(-|%{DATA:
#
# This is an example configuration for a DPM Disk Node.
#
# You can check the puppet modules 'lcgdm' and 'dmlite' for any additional available options.
# !! Please replace the placeholders for usernames and passwords !!
#
#
# The standard variables are collected here:
#
dpmhead_puppet_manifest
# Credential placeholders for the DPM node; every "**" value must be replaced before the
# manifest is applied (see the header comment).
# NOTE(review): these are plaintext secrets in a manifest. Prefer sourcing them from
# hiera-eyaml or another secret store so real values are never committed to this file.
$token_password = "**"
# The MySQL root password (if MySQL is installed locally); same value as the YAIM variable MYSQL_PASSWORD.
$mysql_root_pass = "**"
# The DPM database user; same value as the YAIM variable DPM_DB_USER.
$db_user = "dpmmgr"
# The DPM database user's password; same value as the YAIM variable DPM_DB_PASSWORD.
$db_pass = "**"
bundle exec veewee kvm build ubuntu14041 --debug --force
warning: ignoring extraneous `ruby-' prefix in version `ruby-1.9.3-p547'
(set by /home/mohammad/newvee/veewee/.ruby-version)
2015-02-02 12:12:43 +0000 - environment - [veewee] Loading configuration...
2015-02-02 12:12:43 +0000 - - [veewee] Initializing veewee config object
2015-02-02 12:12:43 +0000 - - [veewee] No configfile found
2015-02-02 12:12:43 +0000 - environment - [veewee] Environment initialized (#<Veewee::Environment:0x000000037fff50>)
2015-02-02 12:12:43 +0000 - environment - [veewee] - cwd : /home/mohammad/newvee/veewee
2015-02-02 12:12:43 +0000 - environment - [veewee] - veewee_filename : Veeweefile
2015-02-02 12:12:43 +0000 - environment - [veewee] - template_path : ["templates"]