Commit 2e20dacc71b1255e8933f542b48a47e7cd4f1e6f
1 parent
92d105af13
Exists in
master
and in
4 other branches
MLTD implementation to send logs to remote rsyslog server through TCP
Showing 9 changed files with 65 additions and 17 deletions
.gitignore
View file @
2e20dac
MLTD/Dockerfile
View file @
2e20dac
| ... | ... | @@ -5,11 +5,12 @@ |
| 5 | 5 | |
| 6 | 6 | WORKDIR /app |
| 7 | 7 | |
| 8 | -RUN pip install --upgrade pip && pip3 install -r requirements.txt | |
| 8 | +RUN pip install --upgrade pip && pip3 install -r requirements.txt && apt-get update && apt-get install -y rsyslog | |
| 9 | 9 | |
| 10 | 10 | COPY src/. /app |
| 11 | +COPY xlsiem.conf /etc/rsyslog.d/xlsiem.conf | |
| 12 | +COPY entrypoint.sh . | |
| 11 | 13 | |
| 12 | -ENTRYPOINT [ "python3" ] | |
| 13 | - | |
| 14 | -CMD [ "MLTD_API.py" ] | |
| 14 | +RUN ["chmod", "+x", "/app/entrypoint.sh"] | |
| 15 | +ENTRYPOINT ["/app/entrypoint.sh"] |
MLTD/entrypoint.sh
View file @
2e20dac
MLTD/event_example
View file @
2e20dac
| 1 | +{ | |
| 2 | + "asset_id": "server", | |
| 3 | + "timestamp": "2021-05-28T13:40:18.224Z", | |
| 4 | + "event_alarm": [ | |
| 5 | + { | |
| 6 | + "event_alarm_id": "danger", | |
| 7 | + "event_alarm_char": "danger", | |
| 8 | + "name": "danger", | |
| 9 | + "source_ip": "192.168.1.1", | |
| 10 | + "source_port": 1234, | |
| 11 | + "destination_ip": "192.168.1.50", | |
| 12 | + "destination_port": 1231, | |
| 13 | + "priority": 0, | |
| 14 | + "confidence": 0 | |
| 15 | + } | |
| 16 | + ] | |
| 17 | +} |
MLTD/src/OnlinePrediction.py
View file @
2e20dac
| ... | ... | @@ -14,6 +14,7 @@ |
| 14 | 14 | import PredictionKorvesis as pdm |
| 15 | 15 | import paho.mqtt.client as paho |
| 16 | 16 | import ReportTimeDB |
| 17 | +import ReportSyslog | |
| 17 | 18 | import logging |
| 18 | 19 | import logging.config |
| 19 | 20 | import yaml |
| 20 | 21 | |
| ... | ... | @@ -61,9 +62,9 @@ |
| 61 | 62 | "destination_ip": "string", |
| 62 | 63 | "destination_port": 0, |
| 63 | 64 | "priority": 0, |
| 64 | - "confidence": 0, | |
| 65 | + "confidence": 0 | |
| 65 | 66 | } |
| 66 | - ], | |
| 67 | + ] | |
| 67 | 68 | } |
| 68 | 69 | :param client: |
| 69 | 70 | :param userdata: |
| ... | ... | @@ -114,14 +115,6 @@ |
| 114 | 115 | self.data_dates = data_dates |
| 115 | 116 | |
| 116 | 117 | if max(predictions) > self.sigmoid_threshold: |
| 117 | - time_db_client = ReportTimeDB.connect( | |
| 118 | - self.time_db_host, | |
| 119 | - self.time_db_port, | |
| 120 | - self.time_db_database, | |
| 121 | - self.time_db_username, | |
| 122 | - self.time_db_password, | |
| 123 | - self.time_db_ssl, | |
| 124 | - ) | |
| 125 | 118 | timeframe = Utils.sigmoid_mins( |
| 126 | 119 | max(predictions), |
| 127 | 120 | self.rf_s, |
| ... | ... | @@ -131,6 +124,13 @@ |
| 131 | 124 | self.logger.info(f"A prominent security incident is predicted" |
| 132 | 125 | f" - Risk level: {round(max(predictions),2)}" |
| 133 | 126 | f" - Expected timeframe: {round(timeframe,2)} secs") |
| 127 | + | |
| 128 | + ReportSyslog.report( | |
| 129 | + self.asset_id, max(predictions) * 100, timeframe | |
| 130 | + ) | |
| 131 | + time_db_client = ReportTimeDB.connect(self.time_db_host, self.time_db_port, | |
| 132 | + self.time_db_database, self.time_db_username, self.time_db_password, | |
| 133 | + self.time_db_ssl, ) | |
| 134 | 134 | ReportTimeDB.report( |
| 135 | 135 | time_db_client, self.asset_id, max(predictions) * 100, timeframe |
| 136 | 136 | ) |
MLTD/src/ReportSyslog.py
View file @
2e20dac
| 1 | +import logging.handlers | |
| 2 | + | |
| 3 | +def report(asset_id, risk, timeframe): | |
| 4 | + my_logger = logging.getLogger('MyLogger') | |
| 5 | + my_logger.setLevel(logging.DEBUG) | |
| 6 | + | |
| 7 | + # handler = logging.FileHandler('mltd.log') | |
| 8 | + handler = logging.handlers.SysLogHandler(address='/dev/log') | |
| 9 | + handler.ident = 'KEA-MLTD' | |
| 10 | + formatter = logging.Formatter(' %(message)s') | |
| 11 | + handler.setFormatter(formatter) | |
| 12 | + my_logger.addHandler(handler) | |
| 13 | + my_logger.critical(f'asset: {asset_id} risk: {risk} timeframe: {timeframe}') |
MLTD/src/logging.yml
View file @
2e20dac
| ... | ... | @@ -10,7 +10,7 @@ |
| 10 | 10 | stream: ext://sys.stderr |
| 11 | 11 | loggers: |
| 12 | 12 | mltd-online: |
| 13 | - level: INFO | |
| 13 | + level: DEBUG | |
| 14 | 14 | handlers: |
| 15 | 15 | - console |
| 16 | 16 | mltd-offline: |
| ... | ... | @@ -18,7 +18,7 @@ |
| 18 | 18 | handlers: |
| 19 | 19 | - console |
| 20 | 20 | mltd-api: |
| 21 | - level: INFO | |
| 21 | + level: DEBUG | |
| 22 | 22 | handlers: |
| 23 | 23 | - console |
MLTD/xlsiem.conf
View file @
2e20dac
docker-compose.yml
View file @
2e20dac
| ... | ... | @@ -112,6 +112,8 @@ |
| 112 | 112 | context: ./MLTD |
| 113 | 113 | image: datalabauth/kea-curex_mltd:v1.0.0 |
| 114 | 114 | container_name: curex-mltd |
| 115 | + environment: | |
| 116 | + - REMOTESYSLOG=192.168.50.32 | |
| 115 | 117 | depends_on: |
| 116 | 118 | - timescaledb |
| 117 | 119 | - mosquitto |
| ... | ... | @@ -146,7 +148,7 @@ |
| 146 | 148 | #Visualization |
| 147 | 149 | grafana: |
| 148 | 150 | build: |
| 149 | - contenxt: ./grafana | |
| 151 | + context: ./grafana | |
| 150 | 152 | image: kea_grafana:1.0.0 |
| 151 | 153 | container_name: curex-grafana |
| 152 | 154 | ports: |