[Logstash] AXGATE 방화벽 DB syslog 연동


[INPUT]
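input {
  # AXGATE firewall syslog listener.
  # Fix: the original used "//" for the port comment, which is not comment
  # syntax in a Logstash pipeline file and fails config parsing; "#" is.
  syslog {
    # Arbitrary listen port; it only has to match what the firewall sends to.
    # Syslog carries no sender authentication, so reachability of this port
    # should be limited to the firewall's management address at the network level.
    port => 9407
    # Keep the whole line as "message"; the filter section's dissect splits it.
    grok_pattern => "%{GREEDYDATA:message}"
  }
}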


[Filter]
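filter {
  # Split the syslog header. The line shape this mapping expects is:
  #   <PRI>Mon dd hh:mm:ss HOSTNAME CATEGORY: ver:N,<category-specific payload>
  # dissect leaves the original "message" untouched; the payload lands in "msg".
  dissect {
    mapping => {
     "message" => "<%{priority}>%{created.month} %{created.date} %{created.time} %{[machine][name]} %{[event][category]}: ver:%{version},%{msg}"
    }
  }

  # Remove embedded newlines from the raw line.
  mutate {
    gsub => ["message","\n",""]
  }

  if [event][category] == "audit" {
    dissect {
      mapping => {
        "msg" => "time:%{time},sev:%{sev},type:%{type},user:%{user},vd_id:%{vd_id},host:%{host},action:%{action}"
      }
    }
    # Fix: the date filter used to sit before this dissect, at a point where
    # no "time" field existed yet, so it silently did nothing and @timestamp
    # stayed at ingest time. It now runs after "time" is extracted and before
    # "time" is renamed away. The second pattern is kept from the original
    # configuration in case the device emits a syslog-style timestamp.
    date {
        match => ["time","yyyy-MM-dd HH:mm:ss","MMM  d HH:mm:ss"]
        timezone => "Asia/Seoul"
        locale => "en"
    }
    mutate {
      remove_field => ["msg"]
      # Fix: the header dissect names the firmware field "version", not "ver",
      # so the original rename never fired. The original also renamed a
      # "hostname" field that nothing creates (the dissect already writes
      # [machine][name]); that no-op entry is dropped.
      rename => {
        "time" => "[event][created]"
        "version" => "[event][version]"
        "sev" => "[severity]"
        "type" => "[log][type]"
        "vd_id" => "[vd][id]"
        "user" => "[user][name]"
        "action" => "[event][action]"
      }
    }
  }

  if [event][category] == "mklog" {
    # System log: the payload is not parsed further, only discarded.
    mutate {
      remove_field => ["msg"]
    }
  }

  if [event][category] == "kernel" {
    # Session log. The trailing "message:%{message}" overwrites the raw
    # "message" field with the session-specific text.
    dissect {
      mapping => {
       "msg" => "stime:%{stime},etime:%{etime},src:%{src},dst:%{dst},sport:%{sport},dport:%{dport},action:%{action},proto:%{proto},vd_id:%{vd_id},rule_id:%{rule_id},message:%{message}"
      }
    }
    # NOTE(review): the format of stime/etime is not shown here. If it matches
    # the audit "time" format, a date filter on "stime" (as in the audit branch)
    # would set @timestamp for session events too; confirm against a sample.
    mutate {
      gsub => ["message","\n",""]
      remove_field => ["msg"]
      # The original also had "message" => "[message]", a rename to itself.
      rename => {
        "stime" => "[event][created]"
        "etime" => "[event][closed]"
        "src" => "[source][ip]"
        "dst" => "[destination][ip]"
        "sport" => "[source][port]"
        "dport" => "[destination][port]"
        "action" => "[event][action]"
        "proto" => "[network][protocol]"
        "vd_id" => "[vd][id]"
        "rule_id" => "[rule][id]"
      }
    }
  }
}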


[OUTPUT] // machine 장비별로 인덱스를 분리하긴 했지만 굳이 분리할 필요는 없음
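 output {
  # Debug sink; prints every event to the Logstash log, so keep it commented out.
#  stdout {}

  # Routing: one index per (category, firewall host). An event whose category
  # or [machine][name] matches none of the branches below is dropped without
  # any trace; add a final "else" branch if unmatched events must be kept.
  #
  # Credentials: the password is read from the Logstash keystore or the
  # environment via ${ES_PWD} (entry name chosen here; create it with
  # "bin/logstash-keystore add ES_PWD") instead of being stored in clear text
  # in this file. "elastic" is the built-in superuser; a role that can only
  # write to the syslog_axgate_* indices is enough for this pipeline.
  #
  # TLS: a CA file is supplied, so certificate verification is enabled. The
  # original set ssl_certificate_verification => false, which makes cacert
  # meaningless and lets any host answering on 9200 receive the firewall logs.
  # The cluster certificates must be valid for the addresses in "hosts"
  # (IP SANs, or switch to hostnames) — confirm before enabling in production.
  if [event][category] == "audit" {
    if [machine][name] == "DB_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "elastic"
        password => "${ES_PWD}"
        index => "syslog_axgate_db_fw1_audit"
        ssl => true
        ssl_certificate_verification => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "DB_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "elastic"
        password => "${ES_PWD}"
        index => "syslog_axgate_db_fw2_audit"
        ssl => true
        ssl_certificate_verification => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "mklog" {
    if [machine][name] == "DB_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "elastic"
        password => "${ES_PWD}"
        index => "syslog_axgate_db_fw1_system"
        ssl => true
        ssl_certificate_verification => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "DB_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "elastic"
        password => "${ES_PWD}"
        index => "syslog_axgate_db_fw2_system"
        ssl => true
        ssl_certificate_verification => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "kernel" {
    if [machine][name] == "DB_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "elastic"
        password => "${ES_PWD}"
        index => "syslog_axgate_db_fw1_session"
        ssl => true
        ssl_certificate_verification => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "DB_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "elastic"
        password => "${ES_PWD}"
        index => "syslog_axgate_db_fw2_session"
        ssl => true
        ssl_certificate_verification => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
}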

 


