CEPTD/docker/logstash/dist/logstash.conf
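# Input section
#
# Two file inputs feed a single pipeline:
#   /data/eve.json   - Suricata EVE log, one JSON document per line (type "Suricata")
#   /data/capec.json - CAPEC data, one JSON document per line (type "CAPEC")
# Both paths are on the docker volume mounted at /data. Neither input sets
# start_position, so the file input's default applies (tail from the end on a
# fresh sincedb). NOTE(review): if capec.json is a static file copied in before
# Logstash starts, it will not be read without start_position => "beginning" —
# confirm which behaviour is intended.
input {
  # Suricata
  file {
    path => ["/data/eve.json"]
    codec => json
    type => "Suricata"
  }
  file {
    path => ["/data/capec.json"]
    codec => json
    type => "CAPEC"
  }
}

# Filter Section
filter {
  # Suricata
  if [type] == "Suricata" {
    # Use the event's own ISO8601 "timestamp" as @timestamp instead of ingest time.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Map the alert signature id to a CVE id via the listbot dictionary.
    # No fallback is set, so events without a match leave [alert][cve_id] unset.
    translate {
      refresh_interval => 86400
      field => "[alert][signature_id]"
      destination => "[alert][cve_id]"
      dictionary_path => "/etc/listbot/cve.yaml"
      # fallback => "-"
    }
  }

  # Drop if parse fails.
  # Both inputs decode with the json codec, which tags lines it cannot decode
  # with "_jsonparsefailure". This pipeline has no grok filter, so the original
  # "_grokparsefailure"-only check never matched and undecodable lines were
  # indexed as raw text instead of being dropped. "_grokparsefailure" is kept
  # so the branch still applies if a grok filter is added later.
  if "_jsonparsefailure" in [tags] or "_grokparsefailure" in [tags] {
    drop {}
  }

  # Add geo coordinates / ASN info / IP rep.
  # Only evaluated for events that carry a src_ip field.
  if [src_ip] {
    # NOTE(review): both database paths are pinned to the gem directory of
    # logstash-filter-geoip 6.0.3 under jruby 2.5.0. Upgrading Logstash or the
    # plugin moves these files and the pipeline then fails to start. Omitting
    # `database` for the City lookup (the plugin's bundled default) and selecting
    # the ASN database through the plugin's database-type option would drop the
    # version dependency — verify the installed plugin supports that option
    # before switching.
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-City.mmdb"
    }
    # Second lookup against the ASN database. No explicit target is set on
    # either geoip filter, so both write to the plugin's default target field.
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-ASN.mmdb"
    }
    # IP reputation lookup from the listbot dictionary; no fallback, so
    # addresses not in the list leave ip_rep unset.
    translate {
      refresh_interval => 86400
      field => "src_ip"
      destination => "ip_rep"
      dictionary_path => "/etc/listbot/iprep.yaml"
    }
  }

  # In some rare conditions dest_port, src_port, status are indexed as string,
  # forcing integer for now so the fields keep a consistent mapping.
  if [dest_port] {
    mutate { convert => { "dest_port" => "integer" } }
  }
  if [src_port] {
    mutate { convert => { "src_port" => "integer" } }
  }
  if [status] {
    mutate { convert => { "status" => "integer" } }
  }
}

# Output section
# Every event goes to the "elasticsearch" service on the compose network.
# NOTE(review): plain HTTP with no credentials or TLS — acceptable only while
# elasticsearch:9200 is reachable solely from inside the docker network; add
# ssl and user/password (or an API key) before exposing it any further.
# No index is set, so the output's default index name applies.
output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
  }
}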