Skip to content

Instantly share code, notes, and snippets.

@kbf09

kbf09/gist:6c1d330edb96a2d4bf4dbc4ab011b397

Created November 19, 2018 21:16
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save kbf09/6c1d330edb96a2d4bf4dbc4ab011b397 to your computer and use it in GitHub Desktop.
Save kbf09/6c1d330edb96a2d4bf4dbc4ab011b397 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
input {
s3 {
"access_key_id" => ""
"secret_access_key" => ""
"bucket" => "birahoneypot"
"interval" => 1440
"sincedb_path" => "/var/lib/logstash/sincedb/ufw.db"
"prefix" => "ufw/ufw.log."
"delete" => true
}
}
filter {
grok {
match => { "message" => "%{DATA:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:ufw_message}" }
}
grok {
patterns_dir => ["/etc/logstash/conf.d"]
patterns_files_glob => "iptables.pat"
match => { "ufw_message" => "\[%{DATA}\] \[UFW %{WORD:action}\] IN=%{DATA:i_int} OUT=%{DATA:o_int} %{GREEDYDATA:data}"}
remove_field => ["ufw_message"]
}
if [i_int] == "eth0" {
grok {
patterns_dir => ["/etc/logstash/conf.d"]
patterns_files_glob => "*.pat"
match => { "data" => "%{IPTABLES}"}
remove_field => ["data"]
}
}
if [o_int] == "eth0" {
grok {
match => {"data" => "SRC=%{IP:src_ip} DST=%{IP:dest_ip} %{GREEDYDATA:tcp_opts} PROTO=%{WORD:protocol} SPT=%{INT:src_port} DPT=%{INT:dst_port} %{GREEDYDATA:tcp_opts}"}
remove_field => ["data"]
}
}
date {
match => ["timestamp" , "ISO8601"]
remove_field => ["timestamp"]
}
geoip {
source => ["src_ip"]
}
mutate {
copy => {"src_ip" => "src_reverse_dns"}
}
dns {
reverse => ["src_reverse_dns"]
action => replace
}
mutate {
remove_field => [ "message", "ufw_message"]
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "honeypot-ufw-%{+YYYY.MM.dd}"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment