Example Logstash configuration file. Tested using Logstash 7.4.0 with Filebeat as input and Elasticsearch. Thanks to Amir Haris Ahmad, Localhost Sdn Bhd # for allowing me to use their test servers on Digital Ocean # and to his team for sharing their experience and views. # For me to test brute-force attack logs to…
### Thanks to Amir Haris Ahmad, Localhost Sdn Bhd
### for allowing me to use their test servers on Digital Ocean
### and to his team for sharing their experience and views.
###
### For me to test brute-force attack logs sent to syslog with fail2ban
###
### The server was set up with fail2ban and SSH opened on port 22.
### SSH does not allow the password module; only digital certificates are accepted.
###
### Filebeat was used to collect the logs.
### Harisfazillah Jamel - 13102019 (13 Oct 2019)
### ---- Logstash ---- #####
## Start Of LOGSTASH Input
input {
  ## Pull already-indexed Filebeat events back out of Elasticsearch at minute 1
  ## of every 4th hour, keeping only authentication failures; the "siem" tag
  ## marks them for the filter and output below.
  elasticsearch {
    hosts => "localhost"
    schedule => "1 */4 * * *"
    ## user => "xxxxxx"
    ## password => "xxxxxx"
    tags => "siem"
    index => "filebeat-*"
    query => '{
      "query": {
        "query_string": { "query": "event.type:authentication_failure" }
      },
      "sort": [
        { "@timestamp": { "order": "asc" } }
      ]
    }'
  }
}
## End Of LOGSTASH Input
### Start Of LOGSTASH Filter
filter {
  ### process_time: put this at the beginning of the filter
  ### to record processing time. Make sure you copy the end script too.
  ruby {
    code => "event.set('[@metadata][task_start]', Time.now.to_f)"
  }

  ## For all indices to have a field called ip.
  ## Guarded on [source][ip]: without the guard a missing source.ip leaves the
  ## literal string "%{[source][ip]}" in [ip], which then gets fingerprinted
  ## and is rejected by the template's "ip" mapping.
  if [source][ip] {
    mutate {
      add_field => { "ip" => "%{[source][ip]}" }
    }
  }

  ## One fingerprint per source IP; used as document_id in the output.
  if [ip] and "siem" in [tags] {
    fingerprint {
      source => "ip"
      target => "iocipfingerprint"
      method => "MURMUR3"
      add_tag => [ "siemip" ]
    }
  }

  ## start of blueliv check
  ## More info https://github.com/Blueliv/elk-config-examples
  if [ip] {
    elasticsearch {
      hosts => ["localhost:9200"]
      user => "xxxxxxx"
      password => "xxxxxx"
      index => "crimeservers*"
      query => "ip:%{ip}"
      fields => {
        "type" => "blueliv_type"
        "firstSeenAt" => "blueliv_firstSeenAt"
        "lastSeenAt" => "blueliv_lastSeenAt"
        "url" => "blueliv_url"
      }
      result_size => 1
      enable_sort => false
      add_tag => [ "blueliv" ]
    }
  }
  ## end of blueliv check

  ### start of listbot check
  ### https://gist.github.com/linuxmalaysia/5910941698f851947ed4aa2d9e44cf49
  ### change dictionary_path to your own path
  if [ip] and ![ip_rep] {
    translate {
      refresh_interval => 86400
      field => "ip"
      destination => "ip_rep"
      dictionary_path => "/etc/logstash/tools/listbot/iprep.yaml"
      add_tag => [ "listbot" ]
    }
  }
  ### end of listbot check

  ### process_time: this goes at the end of the whole IOC filter
  ruby {
    code => "event.set('[@metadata][task_end]', Time.now.to_f)"
  }
  ruby {
    code => "event.set('process_time', (event.get('[@metadata][task_end]') - event.get('[@metadata][task_start]')))"
  }
  ### End of process_time
}
### end of LOGSTASH filter
### Start of LOGSTASH output
output {
  ## Only write events that actually carry a fingerprint; otherwise the
  ## unresolved "%{iocipfingerprint}" placeholder becomes the document_id and
  ## every such event overwrites the same document.
  if "siem" in [tags] and [iocipfingerprint] {
    elasticsearch {
      id => "server1-output"
      hosts => ["localhost:9200"]
      ## document_id is the MURMUR3 fingerprint of the IP, so the index holds
      ## one document per source IP and a later event overwrites the earlier one.
      document_id => "%{iocipfingerprint}"
      sniffing => true
      index => "authentications-v1"
      user => "xxxxxx"
      password => "xxxxxx"
    }
  }
  ## end if
}
### end of LOGSTASH output
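As an added example that is not part of the gist, the following Python models the filter and output stages above offline, so the enrichment and the document_id behaviour can be checked without a Logstash instance. It reimplements MurmurHash3 x86 32-bit with seed 0, which is what the fingerprint filter's MURMUR3 method computes; that the integers match Logstash's output for your version is an assumption to confirm against one real event. The Blueliv lookup against the crimeservers index is left out because it needs a live cluster. The iprep.yaml entry (format assumed to be ip -> reputation string) and the Filebeat-style events are constructed with documentation addresses.

```python
# Added example (not the gist's own code): offline model of the filter and
# output stages. IPREP format and the sample events are constructed/assumed.
import copy
import time


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, the algorithm behind fingerprint method MURMUR3."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    mask = 0xFFFFFFFF
    h = seed & mask
    n = len(data)
    nblocks = n // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask         # rotl32(k, 15)
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask         # rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[4 * nblocks:]                      # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= n                                         # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


# Constructed stand-in for /etc/logstash/tools/listbot/iprep.yaml
# (assumed format: ip -> reputation string).
IPREP = {
    "198.51.100.23": "known brute-force source",
}


def enrich(event: dict) -> dict:
    """Apply the filter block to one event and return the enriched copy."""
    ev = copy.deepcopy(event)
    start = time.perf_counter()                    # ruby: [@metadata][task_start]
    tags = ev.setdefault("tags", [])
    src_ip = ev.get("source", {}).get("ip")
    if src_ip:                                     # guarded mutate add_field
        ev["ip"] = src_ip
    if ev.get("ip") and "siem" in tags:            # fingerprint { method => MURMUR3 }
        ev["iocipfingerprint"] = murmur3_32(ev["ip"].encode())
        tags.append("siemip")
    if ev.get("ip") and "ip_rep" not in ev:        # translate dictionary lookup
        rep = IPREP.get(ev["ip"])
        if rep is not None:                        # add_tag only fires on a hit
            ev["ip_rep"] = rep
            tags.append("listbot")
    ev["process_time"] = time.perf_counter() - start   # ruby: task_end - task_start
    return ev


def document_id(event: dict) -> str:
    """What output document_id => "%{iocipfingerprint}" resolves to: an
    unresolved sprintf reference stays literal in Logstash."""
    return str(event.get("iocipfingerprint", "%{iocipfingerprint}"))


# Constructed Filebeat-style authentication_failure events (tag added by the input).
SAMPLE_EVENTS = [
    {"@timestamp": "2019-10-13T08:00:01Z", "event": {"type": "authentication_failure"},
     "source": {"ip": "198.51.100.23"}, "tags": ["siem"]},
    {"@timestamp": "2019-10-13T08:00:07Z", "event": {"type": "authentication_failure"},
     "source": {"ip": "198.51.100.23"}, "tags": ["siem"]},
    {"@timestamp": "2019-10-13T08:01:00Z", "event": {"type": "authentication_failure"},
     "source": {"ip": "203.0.113.9"}, "tags": ["siem"]},
    {"@timestamp": "2019-10-13T08:02:00Z", "event": {"type": "authentication_failure"},
     "tags": ["siem"]},                            # no source.ip at all
]


def run(events=SAMPLE_EVENTS) -> list:
    return [enrich(e) for e in events]


if __name__ == "__main__":
    for ev in run():
        print(document_id(ev), ev.get("ip"), ev.get("ip_rep"), ev["tags"])
```

Running it shows the two consequences worth knowing before relying on this index for investigation: the first two events share a document_id, so the second failed login from 198.51.100.23 overwrites the first and the index records one document per attacking IP rather than one per attempt (include @timestamp or the message in the fingerprint source if every attempt must be kept), and the event without source.ip gets no fingerprint at all, so its document_id would be the literal placeholder unless the output is conditioned on the field existing.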
### Start of Template
### https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html
##### Template to be loaded
##### Name the file authentications-template.json and use this curl command
# curl -uxxxxxx:XXXXXX -sS -i --insecure -XPUT "localhost:9200/_template/authentications" -H 'Content-Type: application/json' -d @authentications-template.json
###
{
  "index_patterns": ["authentications-*"],
  "order": 0,
  "version": 1,
  "settings": {
    "index": {
      "number_of_shards": "1",
      "refresh_interval": "5s"
    }
  },
  "mappings": {
    "dynamic_templates": [
      {
        "message_field": {
          "path_match": "message",
          "mapping": {
            "norms": false,
            "type": "text"
          },
          "match_mapping_type": "string"
        }
      },
      {
        "string_fields": {
          "mapping": {
            "norms": false,
            "type": "text",
            "fields": {
              "keyword": {
                "ignore_above": 256,
                "type": "keyword"
              }
            }
          },
          "match_mapping_type": "string",
          "match": "*"
        }
      }
    ],
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "suricata.eve.timestamp": {
        "type": "date"
      },
      "geoip": {
        "dynamic": true,
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
      },
      "location": {
        "type": "geo_point"
      },
      "source.ip": {
        "type": "ip"
      },
      "ip": {
        "type": "ip"
      },
      "@version": {
        "type": "keyword"
      }
    }
  },
  "aliases": { }
}
#### End of template
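An added pre-deployment check, not part of the gist: before loading the template with the curl command above, confirm that it parses, that one of its index_patterns covers the index the output writes to, and that the fields mapped as type "ip" hold real addresses, since Elasticsearch rejects a document whose "ip" field contains something like an unresolved "%{[source][ip]}" placeholder and the event is lost. TEMPLATE_JSON is a trimmed copy of the template above keeping only what the check reads; the sample documents are constructed.

```python
# Added example (not the gist's own code): sanity checks on the index template.
# TEMPLATE_JSON is a trimmed copy of the gist's template; the documents are constructed.
import fnmatch
import ipaddress
import json

TEMPLATE_JSON = """
{
  "index_patterns": ["authentications-*"],
  "mappings": {
    "properties": {
      "@timestamp": {"type": "date"},
      "source.ip":  {"type": "ip"},
      "ip":         {"type": "ip"},
      "@version":   {"type": "keyword"}
    }
  }
}
"""

OUTPUT_INDEX = "authentications-v1"   # index => "authentications-v1" in the output block


def load_template(text: str = TEMPLATE_JSON) -> dict:
    """Parse the template; json.loads fails loudly on the stray comma or quote
    that would otherwise make the PUT come back with a 400."""
    return json.loads(text)


def template_covers_index(template: dict, index_name: str) -> bool:
    """True if one of index_patterns matches index_name. Elasticsearch uses * as
    its only wildcard, so fnmatch is an adequate stand-in for patterns like these."""
    patterns = template["index_patterns"]
    if isinstance(patterns, str):          # a bare string is accepted as well
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(index_name, p) for p in patterns)


def _lookup(doc: dict, dotted: str):
    """Fetch a field given either a flat "source.ip" key or nested source -> ip."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def mapping_problems(template: dict, doc: dict) -> list:
    """Fields mapped as type "ip" whose value Elasticsearch would reject."""
    problems = []
    for field, spec in template["mappings"]["properties"].items():
        if spec.get("type") != "ip":
            continue
        value = _lookup(doc, field)
        if value is None:                  # absent fields are simply not indexed
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{field}={value!r} is not a valid IP address")
    return problems


# Constructed documents: one well-formed, one carrying the unresolved
# placeholder that an unguarded add_field produces when source.ip is missing.
GOOD_DOC = {"@timestamp": "2019-10-13T08:00:01Z", "source": {"ip": "198.51.100.23"},
            "ip": "198.51.100.23", "iocipfingerprint": 1234567890}
BAD_DOC = {"@timestamp": "2019-10-13T08:02:00Z", "ip": "%{[source][ip]}"}

if __name__ == "__main__":
    tpl = load_template()
    print("template covers", OUTPUT_INDEX, template_covers_index(tpl, OUTPUT_INDEX))
    for doc in (GOOD_DOC, BAD_DOC):
        print(mapping_problems(tpl, doc) or "ok")
```

Run this against a handful of documents pulled from the authentications-v1 index after the first scheduled run; an empty problem list for every document and a True for the pattern check mean the template and the pipeline agree.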