install_logstash.sh

#!/bin/bash

set -e

ENDPOINT=

# install java 8
add-apt-repository ppa:openjdk-r/ppa
apt-get update
apt-get install -y openjdk-8-jdk

# add elastic repository
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://packages.elastic.co/logstash/2.3/debian stable main" | tee -a /etc/apt/sources.list

# install logstash
sudo apt-get update && sudo apt-get install -y logstash

# create configuration file
cat <<EOF >/etc/logstash/conf.d/snort-alert.conf
input {
    file {
        path => "/var/log/snort/alert"
        start_position => beginning
        ignore_older => 0
    }
}
filter {
    grok {
        match => { "message" => "%{DATA:timestamp}\s+\[.*?\]\s+\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s+%{DATA:alert}\s+\[.*?\]\s+(\[Classification:\s+%{DATA:classification}\]\s+)?\[Priority:\s+%{INT:priority}\]\s+\{%{DATA:protocol}\}\s+%{IPV4:SrcIp}(:%{INT:SrcPort})?\s+->\s+%{IPV4:DstIp}(:%{INT:DstPort})?"}
    }
    geoip {
        source => "[SrcIp]"
        target => "SrcGeo"
    }
    geoip {
        source => "[DstIp]"
        target => "DstGeo"
    }
    mutate {
        convert => [ "SrcPort", "integer" ]
        convert => [ "DstPort", "integer" ]
    }
}
output {
    elasticsearch {
        hosts => "http://${ENDPOINT}:80/"
        index => "snort-alert"
    }
    stdout {}
}
EOF

service logstash start