goaudit logstash pipeline
# Listen for goaudit output on TCP and UDP port 15530.
# Neither listener sets `host`, so both bind every interface (the plugin
# default), and nothing here authenticates or encrypts the sender: anything
# that can reach the port can inject JSON that the filters below will trust.
# Restrict the port at the network layer or set `host` to the interface
# goaudit actually delivers on.
# `type => syslog` is only a label; no filter in this pipeline tests [type].
input {
  tcp {
    port => 15530
    type => syslog
  }
  udp {
    port => 15530
    type => syslog
  }
}
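filter {
  # Each goaudit line is a JSON document carried in `message`.
  json { source => "message" }

  # goaudit delivers the raw audit records as a `messages` array whose entries
  # carry `type` (the numeric audit record type) and `data` (the raw record
  # text). Pivot them into [detail][<type>] so each record type can be
  # addressed by name below.
  if [messages] {
    ruby {
      code => "
        messages = event.get('[messages]')
        messages = [] unless messages.is_a?(Array)
        detail = {}
        messages.each do |m|
          next unless m.is_a?(Hash)
          # stringify the key so a numeric type in the JSON still matches the
          # [detail][1300]-style field references used below
          detail[m['type'].to_s] = m['data']
        end
        event.set('[detail]', detail)
      "
      remove_field => "[messages]"
    }
  }

  # 1300 (SYSCALL) record.
  # XXX: assumes the syscall is always execve, because that is all that is
  # being monitored for now. `syscall` is captured so that assumption can be
  # checked; note the cleanup filter later drops it.
  if [detail][1300] {
    grok {
      match => {
        "[detail][1300]" => "arch=%{BASE16NUM:arch} syscall=%{INT:syscall} success=%{WORD:success} %{GREEDYDATA} uid=%{INT:uid} %{GREEDYDATA} comm=\"%{NOTSPACE:comm}\" exe=\"%{NOTSPACE:exe}\""
      }
      # NOTE(review): audit hex-encodes comm/exe values that contain unusual
      # characters and drops the surrounding quotes, so such records fail this
      # match (`_grokparsefailure`) and yield no `comm`. Odd process names are
      # exactly what should not be lost silently: watch for that tag.
      # `auid=` (the login uid) precedes `uid=` in SYSCALL records and is the
      # better attribution field when sudo/setuid is involved.
      remove_field => ["[detail][1300]"]
    }
  }

  # 1309 (EXECVE) record: `argc` plus a0..a<argc-1>.
  if [detail][1309] {
    kv {
      source => "[detail][1309]"
      target => "[args]"
    }
    # Join comm with a1..a<argc-1> into a single `command` string.
    ruby {
      code => "
        argc = event.get('[args][argc]').to_i
        # comm stands in for a0 (argv[0]); the walk starts at a1 as before
        parts = [event.get('[comm]')]
        (1...argc).each do |i|
          parts << event.get('[args][a' + i.to_s + ']')
        end
        # drop missing entries instead of raising on nil: audit splits
        # over-long arguments into a<i>[0], a<i>[1], ... chunks that kv files
        # under other keys (confirm with a long argv before relying on this).
        # Arguments with spaces, quotes or control characters are hex-encoded
        # by audit and will show up as hex here; decode them as proctitle is
        # decoded below if that matters for detection.
        parts.compact!
        event.set('command', parts.map(&:to_s).join(' ')) unless parts.empty?
      "
      remove_field => ["args", "[detail][1309]"]
    }
  } else {
    # No argument record: the bare program name is the whole command.
    # The target used to be the misspelled field `commmand`, so events without
    # an EXECVE record never populated `command`.
    mutate {
      copy => {"comm" => "command"}
    }
  }

  # 1307 (CWD) record. A working directory with unusual characters is
  # hex-encoded and unquoted by audit, which fails this match.
  if [detail][1307] {
    grok {
      match => {
        "[detail][1307]" => "cwd=\"%{DATA:directory}\""
      }
      remove_field => ["[detail][1307]"]
    }
  }

  # 1327 (PROCTITLE) record.
  # %{DATA} at the very end of a pattern is non-greedy and matches the empty
  # string, so the original %{DATA:proctitle} never captured anything;
  # GREEDYDATA takes the rest of the line.
  if [detail][1327] {
    grok {
      match => {
        "[detail][1327]" => "proctitle=%{GREEDYDATA:proctitle}"
      }
      remove_field => ["[detail][1327]"]
    }
    if [proctitle] {
      ruby {
        code => "
          proctitle = event.get('[proctitle]').to_s
          if !proctitle.empty? && proctitle.delete('0-9A-Fa-f').empty?
            # hex form: the argv vector joined by NUL bytes; decode it and
            # replace the separators so the title reads as a command line
            proctitle = [proctitle].pack('H*').tr(0.chr, ' ')
          else
            # printable titles arrive as a quoted string rather than hex;
            # decoding those as hex produced garbage, so just strip the quotes
            quote = 34.chr
            if proctitle.length > 1 && proctitle.start_with?(quote) && proctitle.end_with?(quote)
              proctitle = proctitle[1..-2]
            end
          end
          event.set('[proctitle]', proctitle)
        "
      }
    }
  }

  # 1302 (PATH) record: the file name, inode, mode, owner and cap_f* fields of
  # the executed path (the original called this the capabilities record).
  # Not parsed, only dropped.
  if [detail][1302] {
    mutate {
      remove_field => ["[detail][1302]"]
    }
  }

  # Resolve the numeric uid through the uid_map goaudit attaches to the event.
  if [uid] {
    ruby {
      code => "
        uid = event.get('[uid]')
        uid_map = event.get('[uid_map]')
        # guard the lookup: a missing or malformed uid_map used to raise,
        # which tags the event _rubyexception instead of resolving the user.
        # uid_map keys are assumed to be strings like grok's INT capture
        # (TODO: confirm against goaudit output).
        username = uid_map.is_a?(Hash) ? uid_map[uid.to_s] : nil
        event.set('username', username) unless username.nil?
      "
      remove_field => ["uid_map"]
    }
  }
}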
# Final pass over every event: fix the timestamp, then drop fields that have
# served their purpose.
filter {
  # goaudit carries a UNIX epoch `timestamp`; use it for @timestamp so events
  # are ordered by when they happened rather than when Logstash saw them.
  date {
    match => ["timestamp", "UNIX"]
  }
  # Dropping `syscall` and `arch` also drops the evidence behind the
  # execve-only assumption in the parsing filter; keep `syscall` if any other
  # syscall might ever be audited.
  mutate {
    remove_field => ["message", "arch", "sequence", "syscall"]
  }
}
# Debugging sink only: the parsed events are printed to Logstash's stdout and
# are not persisted anywhere by this pipeline.
output {
  stdout {}
}