forked from simple-evcorr/rulesets
elasticsearch.sec
73 lines (69 loc) · 2.49 KB
#
# Sending Reformatted Data to ElasticSearch
# -----------------------------------------
#
# Problem: Logstash passes lines through as verbatim log messages; we want to add some intelligence to them.
# "%SEC-6-IPACCESSLOGP: list ACCESS-LIST-IN denied tcp 10.1.2.22(1234) -> 10.1.3.33(5678), 1 packet"
# Solution: Reformat the message with a regex into JSON and send it to Elasticsearch.
# {"timestamp": 123456789000, "srcip": "10.1.2.22", "dstip": "10.1.3.33", "srcport": 1234, "dstport": 5678, "protocol": "tcp", "disposition": "denied"}
#
# Jan 13 10:49:14 my-router 291: 000288: Jan 13 10:48:40.215: %SEC-6-IPACCESSLOGP: list ACCESS-LIST-IN denied tcp 10.1.2.22(1234) -> 10.1.3.33(5678), 1 packet
type=Single
ptype=RegExp
pattern=SEC-6-IPACCESSLOGP:\slist\s[\w\-]+\s([\w]+)\s([\w]+)\s([\d\.]+)\((\d+)\)\s->\s([\d\.]+)\((\d+)\)
desc='{"timestamp": %{u}000, "srcip": "$3", "dstip": "$5", "srcport": $4, "dstport": $6, "protocol": "$2", "disposition": "$1"}'
action=pipe '%s' curl -d @- http://elasticsearch.local:9200/acl-%{.year}.%{.mon}.%{.mday}/entry
# NOTES:
# * If you add additional fields for host and access-list name, be sure to make them "not_analyzed": Elasticsearch's
# default analyzer splits on word boundaries (including dashes). You will also need to update your pattern and desc fields to include them.
# * Elasticsearch prefers splitting out time-sensitive data into time-based indexes. This way you can optimize older indexes.
# To update your elasticsearch mapping:
# curl -XPUT http://elasticsearch.local:9200/_template/acl -d '
# {
#   "order": 0,
#   "template": "acl-*",
#   "settings": {
#     "index.refresh_interval": "5s",
#     "number_of_shards": 1
#   },
#   "mappings": {
#     "entry": {
#       "properties": {
#         "disposition": {
#           "type": "string"
#         },
#         "dstip": {
#           "type": "ip",
#           "fields": {
#             "raw": {
#               "type": "string",
#               "index": "not_analyzed"
#             }
#           }
#         },
#         "dstport": {
#           "type": "integer"
#         },
#         "protocol": {
#           "type": "string"
#         },
#         "srcip": {
#           "type": "ip",
#           "fields": {
#             "raw": {
#               "type": "string",
#               "index": "not_analyzed"
#             }
#           }
#         },
#         "srcport": {
#           "type": "integer"
#         },
#         "timestamp": {
#           "type": "date",
#           "format": "dateOptionalTime"
#         }
#       }
#     }
#   }
# }'
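As an added example that is not part of this ruleset: the Python below mirrors what the rule above does, applying the same regex to a constructed copy of the router line from the comments and building the document and the daily index name that the desc= and action= lines produce. The sample's year, and zero-padded month/day in the index name, are assumptions of this example.

```python
import json
import re
from datetime import datetime, timezone

# The rule's pattern= regex, with named groups for the fields desc= interpolates.
# The restrictive character classes (\w, \d, .) are what keep a log line from
# injecting quotes or braces into the JSON that desc= builds by interpolation.
ACL_RE = re.compile(
    r"SEC-6-IPACCESSLOGP:\slist\s[\w\-]+\s(?P<disposition>\w+)\s(?P<protocol>\w+)\s"
    r"(?P<srcip>[\d.]+)\((?P<srcport>\d+)\)\s->\s(?P<dstip>[\d.]+)\((?P<dstport>\d+)\)"
)

# Constructed sample input: the router line from the comments above (year assumed).
SAMPLE_LINE = ("Jan 13 10:49:14 my-router 291: 000288: Jan 13 10:48:40.215: "
               "%SEC-6-IPACCESSLOGP: list ACCESS-LIST-IN denied tcp "
               "10.1.2.22(1234) -> 10.1.3.33(5678), 1 packet")
SAMPLE_TIME = datetime(2024, 1, 13, 10, 48, 40, tzinfo=timezone.utc)
# Constructed ICMP-style line with a different message ID: the rule must not fire on it.
NON_MATCHING_LINE = ("Jan 13 10:49:15 my-router 292: 000289: Jan 13 10:48:41.001: "
                     "%SEC-6-IPACCESSLOGDP: list ACCESS-LIST-IN denied icmp "
                     "10.1.2.22 -> 10.1.3.33 (8/0), 1 packet")

def parse_acl_line(line, event_time):
    """Return the document the desc= field would build, or None when the
    pattern does not match (SEC then simply does not run the action)."""
    m = ACL_RE.search(line)
    if m is None:
        return None
    return {
        "timestamp": int(event_time.timestamp()) * 1000,  # %{u}000: epoch seconds -> ms
        "srcip": m["srcip"],
        "dstip": m["dstip"],
        "srcport": int(m["srcport"]),
        "dstport": int(m["dstport"]),
        "protocol": m["protocol"],
        "disposition": m["disposition"],
    }

def index_name(event_time):
    """acl-%{.year}.%{.mon}.%{.mday}: the one-index-per-day target of the action= line."""
    return event_time.strftime("acl-%Y.%m.%d")

def render_document(doc):
    """Serialise with json.dumps rather than string interpolation, so a value that
    ever escaped the regex's character classes would still be escaped here."""
    return json.dumps(doc, separators=(",", ":"))
```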