[Logstash] MF2 방화벽 syslog 연동
- IT2/elk stack
- 2023. 2. 2. 01:11
[INPUT]
# Input stage: receive the MF2 firewall's syslog feed.
#
# The syslog input listens on the configured port for TCP and UDP and, unless
# host is set, on every interface (its default is 0.0.0.0); restrict it with
# host => "<collector ip>" plus a host-firewall rule so that only the firewalls
# themselves can inject events into this pipeline.
# The input's default grok (an RFC 3164 line with a leading priority) is
# replaced by a catch-all pattern: the appliance sends RFC 5424-style lines,
# which are taken apart by the filter stage instead.
input {
  syslog {
    grok_pattern => "%{GREEDYDATA:message}"
    port => 9401
  }
}
[FILTER]
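# Filter stage for the MF2 firewall syslog feed.
#
# Every line arrives as RFC 5424-style text of the form
#   <facility>1 <syslogtime> [<event type>] [<sender ip>]<comma separated payload>
# and is parsed in two steps: dissect extracts the fixed header, then the
# comma separated payload is split and mapped to named fields according to
# the event type.  Field names are assigned directly in their final nested
# form, so the separate rename pass of the earlier version of this config is
# gone -- which also removes two misspelled source names in that pass
# (fw4_allow "input_interafce", fw4_deny "terminante_reason") that never
# matched, so [network][interface] and [terminate][reason] were missing on
# those events.
#
# Everything in [message] is untrusted network input.  A line that does not
# match the dissect mapping is tagged _dissectfailure and carries no
# [event][category]; the output stage routes only the seven known categories,
# so such events are not indexed anywhere.  If parse failures must stay
# visible, route events tagged _dissectfailure to an index of their own.
filter {
  # With a catch-all grok_pattern the syslog input still attaches default
  # priority/severity values (and their *_label forms); none of them carry
  # information here and they are dropped, the labels in the final clean-up.
  mutate {
    gsub => ["message", "\n", ""]
    remove_field => ["severity", "priority"]
  }

  # Header: the event type and the sending firewall's address are written
  # straight to their final names ([event][category], [server][ip]); the rest
  # of the line lands in [msg].
  dissect {
    mapping => {
      "message" => "<%{facility}>1 %{syslogtime} [%{[event][category]}] [%{[server][ip]}]%{msg}"
    }
  }

  # The payload is a comma separated record whose column layout depends on
  # the category.  A %{[msg][N]} reference to a column that is absent from a
  # given line is left unresolved as the literal text "%{[msg][N]}" rather
  # than failing; see the [order][difference] clean-up in the audit branch.
  if [msg] {
    mutate {
      split => ["msg", ","]
    }
  }

  if [event][category] == "audit" {
    mutate {
      add_field => {
        "[event][created]"     => "%{[msg][0]}"
        "[machine][name]"      => "%{[msg][1]}"
        "[admin][id]"          => "%{[msg][2]}"
        "[admin][ip]"          => "%{[msg][3]}"
        "[admin][level]"       => "%{[msg][4]}"
        "[order][path]"        => "%{[msg][5]}"
        "[order][command]"     => "%{[msg][6]}"
        "[order][result]"      => "%{[msg][7]}"
        "[order][fail_reason]" => "%{[msg][8]}"
        "[order][difference]"  => "%{[msg][9]}"
      }
    }
    # Audit records may omit the trailing "difference" column; the reference
    # then stays unresolved and is blanked here.  Conditionals compare the
    # string literally, they do not interpolate it, which is what makes this
    # check work.
    if [order][difference] == "%{[msg][9]}" {
      mutate {
        replace => { "[order][difference]" => "" }
      }
    }
    # The appliance writes "-" when no administrator address is known.
    if [admin][ip] == "-" {
      mutate {
        replace => { "[admin][ip]" => "0.0.0.0" }
      }
    }
  }
  else if [event][category] == "fw4_allow" {
    # Column 2 is the session duration; it was never indexed and is skipped.
    mutate {
      add_field => {
        "[event][created]"     => "%{[msg][0]}"
        "[event][closed]"      => "%{[msg][1]}"
        "[machine][name]"      => "%{[msg][3]}"
        "[fw][rule_id]"        => "%{[msg][4]}"
        "[nat][rule_id]"       => "%{[msg][5]}"
        "[source][ip]"         => "%{[msg][6]}"
        "[source][port]"       => "%{[msg][7]}"
        "[vlan][id]"           => "%{[msg][8]}"
        "[destination][ip]"    => "%{[msg][9]}"
        "[destination][port]"  => "%{[msg][10]}"
        "[network][protocol]"  => "%{[msg][11]}"
        "[ingress][if]"        => "%{[msg][12]}"
        "[network][interface]" => "%{[msg][13]}"
        "[packets][forward]"   => "%{[msg][14]}"
        "[packets][backward]"  => "%{[msg][15]}"
        "[bytes][forward]"     => "%{[msg][16]}"
        "[bytes][backward]"    => "%{[msg][17]}"
        "[fragment][info]"     => "%{[msg][18]}"
        "[tcp][flag]"          => "%{[msg][19]}"
        "[terminate][reason]"  => "%{[msg][20]}"
        "[event][action]"      => "MF2"
      }
    }
    # Enrich the destination address.  A lookup failure (e.g. a private or
    # reserved address) only tags the event; the tag and any empty geoip
    # object are dropped.  Testing membership with "in" instead of [tags][0]
    # keeps the check correct when another tag (such as _dateparsefailure)
    # is also present.  The removed "geoip" field name is the plugin's
    # classic default target; if a newer plugin writes elsewhere this removal
    # is a no-op.
    if [destination][ip] {
      geoip {
        source => "[destination][ip]"
      }
      if "_geoip_lookup_failure" in [tags] {
        mutate {
          remove_tag => ["_geoip_lookup_failure"]
          remove_field => ["geoip"]
        }
      }
    }
  }
  else if [event][category] == "fw4_deny" {
    # Denied sessions report no backward counters; column 2 (duration) is
    # skipped as for fw4_allow.
    mutate {
      add_field => {
        "[event][created]"     => "%{[msg][0]}"
        "[event][closed]"      => "%{[msg][1]}"
        "[machine][name]"      => "%{[msg][3]}"
        "[fw][rule_id]"        => "%{[msg][4]}"
        "[nat][rule_id]"       => "%{[msg][5]}"
        "[source][ip]"         => "%{[msg][6]}"
        "[source][port]"       => "%{[msg][7]}"
        "[vlan][id]"           => "%{[msg][8]}"
        "[destination][ip]"    => "%{[msg][9]}"
        "[destination][port]"  => "%{[msg][10]}"
        "[network][protocol]"  => "%{[msg][11]}"
        "[ingress][if]"        => "%{[msg][12]}"
        "[network][interface]" => "%{[msg][13]}"
        "[packets][forward]"   => "%{[msg][14]}"
        "[bytes][forward]"     => "%{[msg][15]}"
        "[fragment][info]"     => "%{[msg][16]}"
        "[tcp][flag]"          => "%{[msg][17]}"
        "[terminate][reason]"  => "%{[msg][18]}"
      }
    }
  }
  else if [event][category] == "nat_session" {
    # The earlier config also renamed a bytes_backward field for this
    # category that nothing populated; whether the record has a column after
    # bytes_forward is not known from the mapping, so none is assumed here.
    mutate {
      add_field => {
        "[event][created]"       => "%{[msg][0]}"
        "[event][closed]"        => "%{[msg][1]}"
        "[machine][name]"        => "%{[msg][2]}"
        "[nat][rule_id]"         => "%{[msg][3]}"
        "[fw][rule_id]"          => "%{[msg][4]}"
        "[network][interface]"   => "%{[msg][5]}"
        "[source][ip]"           => "%{[msg][6]}"
        "[source][port]"         => "%{[msg][7]}"
        "[destination][ip]"      => "%{[msg][8]}"
        "[destination][port]"    => "%{[msg][9]}"
        "[network][protocol]"    => "%{[msg][10]}"
        "[source][nat_ip]"       => "%{[msg][11]}"
        "[source][nat_port]"     => "%{[msg][12]}"
        "[destination][nat_ip]"  => "%{[msg][13]}"
        "[destination][nat_port]" => "%{[msg][14]}"
        "[packets][forward]"     => "%{[msg][15]}"
        "[packets][backward]"    => "%{[msg][16]}"
        "[bytes][forward]"       => "%{[msg][17]}"
      }
    }
  }
  else if [event][category] == "fw4_traffic" {
    mutate {
      add_field => {
        "[event][created]"  => "%{[msg][0]}"
        "[machine][name]"   => "%{[msg][1]}"
        "[packets][allow]"  => "%{[msg][2]}"
        "[packets][deny]"   => "%{[msg][3]}"
        "[session][number]" => "%{[msg][4]}"
        "[session][max]"    => "%{[msg][5]}"
        "[bytes][allow]"    => "%{[msg][6]}"
        "[bytes][deny]"     => "%{[msg][7]}"
      }
    }
  }
  else if [event][category] == "nat_traffic" {
    mutate {
      add_field => {
        "[event][created]"   => "%{[msg][0]}"
        "[machine][name]"    => "%{[msg][1]}"
        "[packets][forward]" => "%{[msg][2]}"
        "[bytes][forward]"   => "%{[msg][3]}"
        "[session][number]"  => "%{[msg][4]}"
        "[session][max]"     => "%{[msg][5]}"
      }
    }
  }
  else if [event][category] == "nat_rule_traffic" {
    mutate {
      add_field => {
        "[event][created]"   => "%{[msg][0]}"
        "[machine][name]"    => "%{[msg][1]}"
        "[nat][rule_id]"     => "%{[msg][2]}"
        "[packets][forward]" => "%{[msg][3]}"
        "[bytes][forward]"   => "%{[msg][4]}"
        "[session][number]"  => "%{[msg][5]}"
        "[session][max]"     => "%{[msg][6]}"
      }
    }
  }

  # Timestamps arrive as Korean local time without an offset; parse them in
  # place.  Events without the field (or with an unresolved placeholder) are
  # skipped or tagged _dateparsefailure by the date filter, respectively.
  date {
    match => ["[event][created]", "yyyy-MM-dd HH:mm:ss"]
    timezone => "Asia/Seoul"
    locale => "ko"
    target => "[event][created]"
  }
  date {
    match => ["[event][closed]", "yyyy-MM-dd HH:mm:ss"]
    timezone => "Asia/Seoul"
    locale => "ko"
    target => "[event][closed]"
  }

  # Drop the raw payload and the syslog header fields that are not indexed.
  mutate {
    remove_field => ["msg", "severity_label", "facility", "facility_label", "syslogtime", "host"]
  }
}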
[OUTPUT]
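# Output stage: route each event to a per-firewall, per-category index.
#
# Index names are pre-existing and intentionally kept: EXT_FW1 writes to
# syslog_mf2_<suffix> and EXT_FW2 to syslog_mf2_ext_fw2_<suffix>.  An event
# whose [event][category] or [machine][name] matches no branch below is not
# indexed anywhere.
#
# Connection settings are identical in every branch (the config language has
# no way to factor them out).  Credentials come from the environment or the
# Logstash keystore instead of this file: ES_PASSWORD is required, so Logstash
# refuses to start if it is unset; ES_USER defaults to "elastic", but a
# dedicated ingest role limited to these indices is preferable to the
# superuser.  The CA bundle given in cacert is used to verify the cluster
# certificate -- the earlier version of this config set
# ssl_certificate_verification => false, which made the CA file meaningless
# and let any host answering on those addresses receive the credentials and
# the log stream.  The cluster certificate must therefore be valid for the
# addresses listed in hosts.
output {
  if [event][category] == "audit" {
    if [machine][name] == "EXT_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_audit"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "EXT_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_ext_fw2_audit"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "fw4_allow" {
    if [machine][name] == "EXT_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_allow"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "EXT_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_ext_fw2_allow"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "fw4_deny" {
    if [machine][name] == "EXT_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_deny"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "EXT_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_ext_fw2_deny"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "nat_session" {
    if [machine][name] == "EXT_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_nat_session"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "EXT_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_ext_fw2_nat_session"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "fw4_traffic" {
    if [machine][name] == "EXT_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_traffic"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "EXT_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_ext_fw2_traffic"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "nat_traffic" {
    if [machine][name] == "EXT_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_nat_traffic"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "EXT_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_ext_fw2_nat_traffic"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "nat_rule_traffic" {
    if [machine][name] == "EXT_FW1" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_rule_traffic"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "EXT_FW2" {
      elasticsearch {
        hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD}"
        index => "syslog_mf2_ext_fw2_rule_traffic"
        ssl => true
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
}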