# Beats listener for the log shippers that feed this pipeline.
# NOTE(review): no `ssl` / `ssl_certificate_authorities` / `ssl_verify_mode` are set,
# so the listener accepts plaintext from any host that can reach the port, and the
# routing in the filter stage trusts event content (`tags`, `[host][hostname]`).
# TLS with `ssl_verify_mode => "force_peer"` would tie submitted events to known
# shipper certificates.
input {
  beats {
    port => 5044
    id => "beats-5044"
  }
}
# Filter stage. In order:
#   1. derive a per-beat index name into @metadata (not serialised by outputs),
#   2. normalise Cowrie honeypot events to ECS field names and aggregate
#      per-session counters,
#   3. GeoIP-enrich every ECS IP field that is present,
#   4. fill ECS *.address fields and process.args.
filter {
  # Metadata
  # Default index name is "<beat>-<version>" (e.g. "filebeat-7.9.2", constructed example).
  if [@metadata][beat] {
    mutate {
      add_field => {
        "[@metadata][index]" => "%{[@metadata][beat]}-%{[@metadata][version]}"
      }
      id => "filter-mutate-add-beat-index"
    }
  }
  # Cowrie events override the index: the "honeytest1" sensor goes to a test index,
  # every other sensor to the ILM-managed one.
  # NOTE(review): the output stage sends every "cowrie"-tagged event to "logs-cowrie"
  # before it consults [@metadata][index], so neither value below is used by any
  # output in this file; confirm whether another pipeline reads them or whether this
  # block (or that output branch) is stale.
  # NOTE(review): [host][hostname] is set by the shipper, so this routing trusts the sender.
  if "cowrie" in [tags] {
    if [host][hostname] == "honeytest1" {
      mutate {
        replace => {
          "[@metadata][index]" => "cowrie-test"
        }
        id => "filter-mutate-add-cowrie-test-index"
      }
    }
    else {
      mutate {
        replace => {
          "[@metadata][index]" => "cowrie-ilm"
        }
        id => "filter-mutate-add-cowrie-index"
      }
    }
  }
  # Cowrie
  if "cowrie" in [tags] {
    # Static ECS envelope fields shared by every Cowrie event.
    mutate {
      add_field => {
        "[event][kind]" => "event"
        "[ecs][version]" => "1.5.0"
        "[event][provider]" => "cowrie"
        "[event][dataset]" => "cowrie.cowrie"
      }
      id => "cowrie-ecs-fields-1"
    }
    # Map Cowrie's flat JSON keys onto ECS. Notes:
    #  - the incoming "@timestamp" is kept as [event][created]; the event time is
    #    re-derived from Cowrie's own "timestamp" by the date filter below.
    #  - "destfile" and "ttylog" both target [file][path]; a later rename onto an
    #    already-set target overwrites it — presumably no single Cowrie event carries
    #    both (TODO confirm).
    #  - credentials attempted against the honeypot are indexed in clear text as
    #    [user][name] / [user][password]; that is the honeypot's purpose, so the index
    #    holding them needs access control to match.
    mutate {
      rename => {
        "@timestamp" => "[event][created]"
        "arch" => "[source][os][architecture]"
        "compCS" => "[source][comp_cs]"
        "destfile" => "[file][path]"
        "dst_ip" => "[destination][ip]"
        "dst_port" => "[destination][port]"
        "duplicate" => "[file][duplicate]"
        "duration" => "[event][duration]"
        "encCS" => "[source][enc_cs]"
        "eventid" => "[event][code]"
        "filename" => "[file][name]"
        "hassh" => "[source][hassh_fingerprint]"
        "hasshAlgorithms" => "[source][hassh_algorithms]"
        "input" => "[process][command_line]"
        "kexAlgs" => "[source][key_exchange_algorithms]"
        "keyAlgs" => "[source][key_algorithms]"
        "langCS" => "[source][lang_cs]"
        "macCS" => "[source][mac_cs]"
        "name" => "[source][environment][name]"
        "outfile" => "[file][target_path]"
        "password" => "[user][password]"
        "protocol" => "[service][type]"
        "sensor" => "[observer][hostname]"
        "session" => "[transaction][id]"
        "shasum" => "[file][hash][sha256]"
        "size" => "[file][size]"
        "src_ip" => "[source][ip]"
        "src_port" => "[source][port]"
        "ttylog" => "[file][path]"
        "url" => "[url][full]"
        "username" => "[user][name]"
        "value" => "[source][environment][value]"
        "version" => "[source][version]"
      }
      id => "cowrie-rename-ecs"
    }
    # Event time from Cowrie's ISO8601 "timestamp".
    date {
      match => ["timestamp", "ISO8601"]
      target => "@timestamp"
      id => "cowrie-timestamp-convert"
    }
    # NOTE(review): this removal is unconditional, so when the date filter fails (the
    # event receives the plugin's default "_dateparsefailure" tag) the original value
    # is lost; guarding it with `if !("_dateparsefailure" in [tags])` would keep the
    # raw timestamp for troubleshooting.
    mutate {
      remove_field => ["timestamp"]
      id => "cowrie-remove-timestamp"
    }
    # ECS event.outcome derived from the Cowrie event id. Codes not listed (e.g.
    # cowrie.session.connect / cowrie.session.closed, handled below) become "unknown".
    translate {
      field => "[event][code]"
      destination => "[event][outcome]"
      dictionary => {
        "cowrie.login.success" => "success"
        "cowrie.session.file_download" => "success"
        "cowrie.session.file_upload" => "success"
        "cowrie.command.input" => "success"
        "cowrie.login.failed" => "failure"
        "cowrie.command.failed" => "failure"
        "cowrie.session.file_download.failed" => "failure"
      }
      fallback => "unknown"
      id => "cowrie-event-code-ecs"
    }
    # Per-session counters keyed on [transaction][id] (Cowrie's session id); the
    # `code` strings are Ruby. The aggregate filter holds its maps in process memory
    # and, per its documentation, needs the pipeline to run with a single worker
    # (pipeline.workers: 1) to be correct. A map is created only on
    # cowrie.session.connect; "update" actions for a session with no map (e.g.
    # Logstash restarted mid-session) do nothing, and a session that never emits
    # cowrie.session.closed keeps its map until the plugin's default timeout.
    if [event][code] == "cowrie.session.connect" {
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "create"
        code => "
          map['total_events'] = 1
          map['files_downloaded'] = 0
          map['files_failed_download'] = 0
          map['files_uploaded'] = 0
          map['total_files'] = 0
          map['total_commands'] = 0
          map['commands_success'] = 0
          map['commands_failure'] = 0
        "
        id => "cowrie-aggregate-session-connect"
      }
    }
    else if [event][code] == "cowrie.session.file_download" {
      # Derive [file][name] from the last "/" segment of the downloaded file's path,
      # via a temporary field that is removed at the end of this section.
      # NOTE(review): "filename" is also renamed to [file][name] above; if a download
      # event carries both, add_field appends and [file][name] becomes an array —
      # confirm against real Cowrie output.
      mutate {
        copy => {"[file][path]" => "[temp][file_path]"}
      }
      mutate {
        split => ["[temp][file_path]" , "/"]
        add_field => {
          "[file][name]" => "%{[temp][file_path][-1]}"
        }
      }
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "update"
        code => "
          map['files_downloaded'] += 1
          map['total_files'] += 1
          map['total_events'] += 1
        "
        id => "cowrie-aggregate-session.file_download"
      }
    }
    else if [event][code] == "cowrie.session.file_download.failed" {
      # Failed downloads are counted separately and do not contribute to total_files.
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "update"
        code => "
          map['files_failed_download'] += 1
          map['total_events'] += 1
        "
        id => "cowrie-aggregate-session.file_download_failed"
      }
    }
    else if [event][code] == "cowrie.session.file_upload" {
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "update"
        code => "
          map['files_uploaded'] += 1
          map['total_files'] += 1
          map['total_events'] += 1
        "
        id => "cowrie-aggregate-session-file_upload"
      }
    }
    else if [event][code] == "cowrie.command.input" {
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "update"
        code => "
          map['commands_success'] += 1
          map['total_commands'] += 1
          map['total_events'] += 1
        "
        id => "cowrie-aggregate-command-input"
      }
    }
    else if [event][code] == "cowrie.command.failed" {
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "update"
        code => "
          map['commands_failure'] += 1
          map['total_commands'] += 1
          map['total_events'] += 1
        "
        id => "cowrie-aggregate-command-failed"
      }
    }
    else if [event][code] == "cowrie.session.closed" {
      # Emit the rolled-up counters on the closing event itself (the +1 counts this
      # event) and end the task.
      # NOTE(review): files_failed_download is counted above but never emitted here,
      # and files.total excludes failed downloads; add
      # `'failed_download': map['files_failed_download']` under 'files' if it is wanted.
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "update"
        code => "
          event.set('metrics', {
            'events': {
              'total': map['total_events'] + 1
            },
            'files': {
              'total': map['total_files'],
              'downloaded': map['files_downloaded'],
              'uploaded': map['files_uploaded']
            },
            'commands': {
              'total': map['total_commands'],
              'success': map['commands_success'],
              'failure': map['commands_failure']
            }
          })
        "
        end_of_task => true
        id => "cowrie-aggregate-session-closed"
      }
    }
    else {
      # Every other Cowrie event only bumps the per-session event counter.
      aggregate {
        task_id => "%{[transaction][id]}"
        map_action => "update"
        code => "map['total_events'] += 1"
        id => "cowrie-aggregate-all-other-events"
      }
    }
    # Drop the scratch field used by the file_download branch.
    if [temp] {
      mutate {
        remove_field => [ "temp" ]
        id => "remove-temp"
      }
    }
  }
  # GeoIP
  # One lookup per ECS IP field that is present. The database path is rendered by
  # the configuration-management template (Jinja2-style variables) at deploy time.
  if [source][ip] {
    geoip {
      database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
      source => "[source][ip]"
      target => "[source][geo]"
      id => "source-ip-geoip-lookup"
    }
  }
  if [destination][ip] {
    geoip {
      database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
      source => "[destination][ip]"
      target => "[destination][geo]"
      id => "destination-ip-geoip-lookup"
    }
  }
  if [client][ip] {
    geoip {
      database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
      source => "[client][ip]"
      target => "[client][geo]"
      id => "client-ip-geoip-lookup"
    }
  }
  if [server][ip] {
    geoip {
      database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
      source => "[server][ip]"
      target => "[server][geo]"
      id => "server-ip-geoip-lookup"
    }
  }
  if [host][ip] {
    geoip {
      database => "{{ maxmind_db_location }}/{{ logstash_maxmind_db_name }}"
      source => "[host][ip]"
      target => "[host][geo]"
      id => "host-ip-geoip-lookup"
    }
  }
  # Fill ECS Fields
  # ECS *.address is the domain when one is known, otherwise the IP.
  if [destination][domain] {
    mutate {
      add_field => {
        "[destination][address]" => "%{[destination][domain]}"
      }
    }
  }
  else if [destination][ip] {
    mutate {
      add_field => {
        "[destination][address]" => "%{[destination][ip]}"
      }
    }
  }
  if [source][domain] {
    mutate {
      add_field => {
        "[source][address]" => "%{[source][domain]}"
      }
    }
  }
  else if [source][ip] {
    mutate {
      add_field => {
        "[source][address]" => "%{[source][ip]}"
      }
    }
  }
  if [client][domain] {
    mutate {
      add_field => {
        "[client][address]" => "%{[client][domain]}"
      }
    }
  }
  else if [client][ip] {
    mutate {
      add_field => {
        "[client][address]" => "%{[client][ip]}"
      }
    }
  }
  if [server][domain] {
    mutate {
      add_field => {
        "[server][address]" => "%{[server][domain]}"
      }
    }
  }
  else if [server][ip] {
    mutate {
      add_field => {
        "[server][address]" => "%{[server][ip]}"
      }
    }
  }
  # process.args as a plain whitespace split of the (attacker-typed) command line;
  # quoting and escaping are not honoured, so treat it as a rough tokenisation.
  if [process][command_line] and ![process][args] {
    mutate {
      copy => {
        "[process][command_line]" => "[process][args]"
      }
    }
    mutate {
      split => {
        "[process][args]" => " "
      }
    }
  }
}
# Output stage. Cowrie events go to "logs-cowrie" with create-only actions (the shape
# used when writing to a data stream — presumably one exists under that name; confirm),
# other Beats events to the index derived in the filter stage, and anything carrying
# neither the tag nor [@metadata][index] (i.e. no [@metadata][beat]) to a local file.
# NOTE(review): both elasticsearch outputs set ssl_certificate_verification => false,
# so the cluster's certificate is never checked and the logstash_shipper credential is
# sent over a connection an on-path host could impersonate. Prefer
# `cacert => "<path-to-cluster-CA>"` (placeholder) with verification left enabled.
# NOTE(review): `{{ elastic_ingest_endpoints | join(',') }}` renders a single
# comma-joined string inside the array; if that variable can hold more than one
# endpoint, confirm the plugin accepts that form, otherwise render one quoted element
# per endpoint.
# NOTE(review): the file output has no rotation and receives full event bodies;
# restrict access to /var/log/logstash/unparsed.txt and bound its growth.
output {
  if "cowrie" in [tags] {
    elasticsearch {
      hosts => ["{{ elastic_ingest_endpoints | join(',') }}"]
      user => "logstash_shipper"
      password => "{{ vault_logstash_shipper_password }}"
      ssl_certificate_verification => false
      index => "logs-cowrie"
      action => "create"
      pipeline => "ingest_time"
      id => "output-elasticsearch-cowrie"
    }
  }
  else if [@metadata][index] {
    elasticsearch {
      hosts => ["{{ elastic_ingest_endpoints | join(',') }}"]
      ssl_certificate_verification => false
      user => "logstash_shipper"
      password => "{{ vault_logstash_shipper_password }}"
      index => "%{[@metadata][index]}"
      pipeline => "ingest_time"
      id => "output-elasticsearch"
    }
  }
  else {
    file {
      path => "/var/log/logstash/unparsed.txt"
      id => "output-file-unparsed"
    }
  }
}