Example logstash configuration file. Tested using Logstash 7.4.0 and Filebeat as input and Elasticsearch. Terima Kasih Kepada Amir Haris Ahmad, Localhost Sdn Bhd # kerana izinkan saya gunakan servers ujian mereka di Digital Ocean # dan team beliau dengan berkongsi pengalaman dan pandangan mereka. # Untuk saya menguji bruteforce attack log kepada…
### Terima Kasih Kepada Amir Haris Ahmad, Localhost Sdn Bhd | |
### kerana izinkan saya gunakan servers ujian mereka di Digital Ocean | |
### dan team beliau dengan berkongsi pengalaman dan pandangan mereka. | |
### | |
### Untuk saya menguji bruteforce attack log kepada syslog dengan fail2ban | |
### | |
### Server telah dipasang dengan fail2ban dan SSH dibuka dengan port 22. | |
### SSH tidak membenarkan module password dan hanya digital cert. | |
### | |
### Filebeat telah digunakan untuk mengumpulkan log. | |
### Harisfazillah Jamel - 13102019 (13 Oct 2019) | |
### ---- Logstash ---- ##### | |
## Start Of LOGSTASH Input | |
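input {
  ## Pull Filebeat authentication-failure events back out of the local
  ## cluster on a cron schedule (minute 1 of every 4th hour).
  ## The query has no time bound, so every run re-reads the whole history.
  ## That is tolerable only because the output keys documents by IP, so a
  ## re-run upserts rather than duplicates; add an "@timestamp" range
  ## (e.g. "gte": "now-4h") once the filebeat-* indices grow.
  elasticsearch {
    hosts => "localhost"
    schedule => "1 */4 * * *"
    ## The filter and output stages authenticate to this same cluster, so the
    ## input must too or it fails with 401. Credentials are read from the
    ## Logstash keystore (falls back to environment variables), never written
    ## into this file:  bin/logstash-keystore add ES_USER ES_PASSWORD
    user => "${ES_USER}"
    password => "${ES_PASSWORD}"
    ## "siem" marks every event from this input; the output stage keys on it.
    tags => "siem"
    index => "filebeat-*"
    query => '{
      "query" : {
        "query_string": { "query": "event.type:authentication_failure" }},
      "sort": [
        { "@timestamp": {"order":"asc"}}
      ]
    }'
  }
}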
## End Of LOGSTASH Input | |
### Start Of LOGSTASH Filter | |
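filter {
  ### process_time: stamp the start of the enrichment chain.
  ### The matching task_end / process_time block must stay at the very end
  ### of this filter so the measurement covers every lookup below.
  ruby {
    code => "event.set('[@metadata][task_start]', Time.now.to_f)"
  }

  ## Promote [source][ip] to a top-level "ip" field for the lookups below.
  ## Guarded on purpose: an unguarded add_field on an event without
  ## [source][ip] leaves the literal string "%{[source][ip]}" in "ip", which
  ## then passes every "if [ip]" check, gets fingerprinted, is interpolated
  ## into the Blueliv query and is finally rejected by the "ip"-typed
  ## mapping of the output index. The regex additionally limits the value to
  ## address characters, because "ip" is spliced into a query_string below.
  if [source][ip] and [source][ip] =~ /^[0-9A-Fa-f.:]+$/ {
    mutate {
      add_field => { "ip" => "%{[source][ip]}" }
    }
  }

  ## Stable per-IP key; the output uses it as document_id so the index holds
  ## one IOC document per attacking IP. SHA256 replaces MURMUR3: the
  ## fingerprint filter's MURMUR3 is a 32-bit hash, so once the index holds
  ## tens of thousands of distinct IPs two of them will share a key and one
  ## attacker's record silently overwrites the other's. Changing the method
  ## changes the ids, so reindex or start a fresh authentications-* index.
  ## Events that reach here without "ip" get no fingerprint and no "siemip" tag.
  if [ip] and "siem" in [tags] {
    fingerprint {
      source => "ip"
      target => "iocipfingerprint"
      method => "SHA256"
      add_tag => [ "siemip" ]
    }
  }

  ## Blueliv crime-server lookup against a locally mirrored "crimeservers*"
  ## index. More info: https://github.com/Blueliv/elk-config-examples
  if [ip] {
    elasticsearch {
      hosts => ["localhost:9200"]
      ## Same keystore entries as the input/output stages.
      user => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index => "crimeservers*"
      ## %{ip} is string-interpolated into a query_string query; this is
      ## only safe because "ip" was restricted to address characters above.
      query => "ip:%{ip}"
      fields => {
        "type" => "blueliv_type"
        "firstSeenAt" => "blueliv_firstSeenAt"
        "lastSeenAt" => "blueliv_lastSeenAt"
        "url" => "blueliv_url"
      }
      result_size => 1
      enable_sort => false
      add_tag => [ "blueliv" ]
    }
  }

  ## listbot IP-reputation lookup from a local YAML dictionary.
  ## https://gist.github.com/linuxmalaysia/5910941698f851947ed4aa2d9e44cf49
  ## Change dictionary_path to wherever your iprep.yaml lives; the file must
  ## be readable by the logstash user and is re-read every 86400 s (24 h).
  ## Skipped when ip_rep is already populated upstream.
  if [ip] and ![ip_rep] {
    translate {
      refresh_interval => 86400
      field => "ip"
      destination => "ip_rep"
      dictionary_path => "/etc/logstash/tools/listbot/iprep.yaml"
      add_tag => [ "listbot" ]
    }
  }

  ### process_time: end stamp and elapsed seconds for the whole IOC chain.
  ### Keep these as the last filters in this block.
  ruby {
    code => "event.set('[@metadata][task_end]', Time.now.to_f)"
  }
  ruby {
    code => "event.set('process_time', (event.get('[@metadata][task_end]') - event.get('[@metadata][task_start]')))"
  }
}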
### end of LOGSTASH filter | |
### Start of LOGSTASH output | |
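output {
  ## Only events that received a per-IP fingerprint are indexed; keying on
  ## "siemip" rather than "siem" guarantees document_id is never the literal
  ## string "%{iocipfingerprint}", which would otherwise fold every
  ## fingerprint-less event into a single overwritten document. Events
  ## without an IP are dropped here; add a second output if you want them.
  if "siemip" in [tags] {
    elasticsearch {
      id => "server1-output"
      hosts => ["localhost:9200"]
      ## One document per attacking IP: repeated failures upsert the same id.
      document_id => "%{iocipfingerprint}"
      ## NOTE(review): sniffing makes Logstash connect to whatever HTTP
      ## addresses the nodes publish, which may not be localhost and is
      ## plain HTTP here; set sniffing => false or add ssl/cacert if the
      ## cluster is not single-node local.
      sniffing => true
      index => "authentications-v1"
      ## Same keystore entries as the input and filter stages.
      user => "${ES_USER}"
      password => "${ES_PASSWORD}"
    }
  }
}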
### end of LOGSTASH output | |
### Mula Template | |
### https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html | |
##### Template to be loaded
##### Save the JSON below as autentications-template.json and load it with this curl command:
# curl -uxxxxxx:XXXXXX -sS -i --insecure -XPUT "localhost:9200/_template/authentications" -H 'Content-Type: application/json' -d @autentications-template.json
# Before running it: pass only the user name (-uxxxxxx) so curl prompts for the password instead of leaving it in shell history and `ps` output, and drop --insecure - the URL above is plain http so the flag does nothing, and if the node is behind TLS use https:// with --cacert rather than disabling certificate verification.
### | |
{ | |
"index_patterns": "authentications-*", | |
"order" : 0, | |
"version" : 1, | |
"settings" : { | |
"index" : { | |
"number_of_shards" : "1", | |
"refresh_interval" : "5s" | |
} | |
}, | |
"mappings" : { | |
"dynamic_templates" : [ | |
{ | |
"message_field" : { | |
"path_match" : "message", | |
"mapping" : { | |
"norms" : false, | |
"type" : "text" | |
}, | |
"match_mapping_type" : "string" | |
} | |
}, | |
{ | |
"string_fields" : { | |
"mapping" : { | |
"norms" : false, | |
"type" : "text", | |
"fields" : { | |
"keyword" : { | |
"ignore_above" : 256, | |
"type" : "keyword" | |
} | |
} | |
}, | |
"match_mapping_type" : "string", | |
"match" : "*" | |
} | |
} | |
], | |
"properties" : { | |
"@timestamp" : { | |
"type" : "date" | |
}, | |
"suricata.eve.timestamp" : { | |
"type" : "date" | |
}, | |
"geoip" : { | |
"dynamic" : true, | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"latitude" : { | |
"type" : "half_float" | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"longitude" : { | |
"type" : "half_float" | |
} | |
} | |
}, | |
"location": { | |
"type": "geo_point" | |
}, | |
"source.ip": { | |
"type": "ip" | |
}, | |
"ip": { | |
"type": "ip" | |
}, | |
"@version" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
"aliases" : { } | |
} | |
#### Tamat template |