I hereby claim:
- I am linuxmalaysia on github.
- I am linuxmalaysia (https://keybase.io/linuxmalaysia) on keybase.
- I have a public key whose fingerprint is D10A 7BC3 6E37 4688 3025 F23A E674 713A 5CA7 60C8
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
Make sure these boxes are checked before submitting/approving the PR
input { | |
# Tails every file matching /data/ujian/fortigate*.txt and labels each event
# with type "fortigate" so later filter stages can select on it.
file { | |
path => "/data/ujian/fortigate*.txt" | |
# Read from the first line of each file. For the file input this only applies
# to files that have no recorded offset in the sincedb yet.
start_position => beginning | |
# Pointing the sincedb at /dev/null throws away read offsets, so every matching
# file is re-read in full on each pipeline restart. Acceptable for a one-off
# import of the exam data; produces duplicate events if the pipeline runs continuously.
sincedb_path => "/dev/null" | |
type => "fortigate" | |
} | |
} | |
filter { |
Config Untuk Listbot | |
Contoh diambil dari | |
https://github.com/dtag-dev-sec/listbot | |
1) Git clone masukkan dalam /etc/logstash |
## https://github.com/minyk/morphline-mr/wiki/DictionariesOfGrok | |
## https://serverfault.com/questions/735230/why-cant-the-logstash-syslog-pri-filter-see-the-priority-in-syslog-messages | |
filter { | |
if "syslog" in [tags] { | |
grok { | |
match => { | |
"message" => [ "%{SYSLOG5424PRI}%{SYSLOGBASE2}", "%{SYSLOGBASE2}", "%{SYSLOGPAMSESSION}", "%{CRONLOG}", "%{SYSLOGLINE}" ] | |
} | |
tag_on_failure => [ "failedPattern_syslog" ] |
# %{URI:uri} | |
# | |
# %{URIPROTO:uriproto}://(?:%{USER:user}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{URIPATHPARAM:uripathparam})? | |
# | |
# %{EMAILLOCALPART:emaillocalpart}@%{HOSTNAME:emailhostname} | |
# | |
# %{EMAILADDRESS:emailaddress} | |
### URI / URL |
# Setup disk assisted queues | |
# Disable rate limit | |
# With both interval and burst set to 0, rsyslog's system-log rate limiting is off,
# so nothing upstream throttles a chatty or flooding source; the queue limits below
# are the only backpressure. Keep a limit on hosts that accept logs from untrusted peers.
$SystemLogRateLimitInterval 0 | |
$SystemLogRateLimitBurst 0 | |
# Spool directory for the disk-assisted queue; must exist and be writable by rsyslog.
$WorkDirectory /var/spool/rsyslog # where to place spool files | |
# NOTE(review): a disk-assisted queue also needs $ActionQueueType (e.g. LinkedList)
# and the remaining $ActionQueue* directives, which are not visible here — confirm they follow.
$ActionQueueFileName fwdRule21 # unique name prefix for spool files | |
# Upper bound on spool usage; once reached, new messages are dropped or block per the
# queue's configured full-action rather than filling the disk.
$ActionQueueMaxDiskSpace 10g # 10gb space limit (use as much as possible) |
### Logstash Grok Pattern for Bind9 input using Filebeat | |
%{BIND9_TIMESTAMP:timestamp}%{SPACE}%{LOGLEVEL:loglevel}:%{SPACE}client%{SPACE}%{IP:clientip}#%{POSINT:clientport}%{SPACE}\(%{DATA:query}\):%{SPACE}view%{SPACE}internal:%{SPACE}query:%{SPACE}%{DATA:query2} %{DATA:queryclass} %{DATA:querytype} %{DATA:queryflag} \(%{IP:dnsip}\) | |
#### | |
grok { | |
match => { | |
"message" => [ "%{BIND9_TIMESTAMP:timestamp}%{SPACE}%{LOGLEVEL:loglevel}:%{SPACE}client%{SPACE}%{IP:clientip}#%{POSINT:clientport}%{SPACE}\(%{DATA:query}\):%{SPACE}view%{SPACE}internal:%{SPACE}query:%{SPACE}%{DATA:query2} %{DATA:queryclass} %{DATA:querytype} %{DATA:queryflag} \(%{IP:dnsip}\)" ] | |
} |
#!/bin/sh | |
# origin https://gist.github.com/erlepereira/c11f4f7a3f60cd2071e79018e895fc8a | |
# logstash yaml "www.google.com": "known search engine" | |
# Choose from here https://github.com/StevenBlack/hosts | |
#HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | |
##### https://raw.githubusercontent.com/StevenBlack/hosts/master/data/malwaredomainlist.com/hosts | |
### the first file must use > (overwrite) and the later ones >> (append) when redirecting output | |
##### first file |