[Logstash] MFI IPS syslog 연동
- IT2/elk stack
- 2023. 2. 2. 07:58
[INPUT]
input {
  # Listener for the MFI IPS feed. The device sends "<facility>1 <time> [...]"
  # style lines (see the dissect mapping in the filter), which the syslog
  # input's default RFC 3164 grok would presumably reject, so the entire line
  # is captured verbatim into [message] and parsed downstream instead.
  syslog {
    port         => 9406
    grok_pattern => "%{GREEDYDATA:message}"
  }
}
[FILTER]
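filter {
  # ---- 1. common pre-processing --------------------------------------------
  # The syslog input derives facility/priority/severity from the <PRI> header;
  # the MFI line carries its own values, so these are dropped first. NUL bytes
  # inside the payload are stripped so the dissect mapping below does not break.
  mutate {
    remove_field => ["facility", "priority", "severity"]
    gsub         => ["message", "\u0000", ""]
  }

  # Header layout: <facility>1 <syslog time> [<event type>] [<sender ip>] <csv payload>
  dissect {
    mapping => {
      "message" => "<%{facility}>1 %{syslogtime} [%{[event][type]}] [%{send_ip}] %{mesg}"
    }
  }

  # ---- 2. per-type CSV column mapping --------------------------------------
  # Each branch splits the payload on "," and copies positional columns into
  # flat fields. If a column index does not exist, sprintf leaves the literal
  # "%{[mesg][N]}" string in the field; step 3 blanks those out.
  if [event][type] == "raw" {
    mutate {
      split     => ["mesg", ","]
      add_field => {
        "starttime"    => "%{[mesg][0]}"
        "endtime"      => "%{[mesg][1]}"
        "machine_name" => "%{[mesg][2]}"
        "log_id"       => "%{[mesg][3]}"
        "log_type"     => "%{[mesg][4]}"
        "ha_id"        => "%{[mesg][5]}"
        "pdomain_name" => "%{[mesg][6]}"
        "interface"    => "%{[mesg][7]}"
        "segment"      => "%{[mesg][8]}"
        "direction"    => "%{[mesg][9]}"
        "vlanid"       => "%{[mesg][10]}"
        "ethertype"    => "%{[mesg][11]}"
        "src_ip"       => "%{[mesg][12]}"
        "dst_ip"       => "%{[mesg][13]}"
        "src_port"     => "%{[mesg][14]}"
        "dst_port"     => "%{[mesg][15]}"
        "protocol"     => "%{[mesg][16]}"
        "pcapid"       => "%{[mesg][17]}"
        "detects"      => "%{[mesg][18]}"
        "packets"      => "%{[mesg][19]}"
        "bytes"        => "%{[mesg][20]}"
        "module_type"  => "%{[mesg][21]}"
        "rule_id"      => "%{[mesg][22]}"
        "rule_name"    => "%{[mesg][23]}"
        "profile_name" => "%{[mesg][24]}"
        "category"     => "%{[mesg][25]}"
        "sub_category" => "%{[mesg][26]}"
        "function"     => "%{[mesg][27]}"
        # named priority_ (trailing underscore) so it cannot collide with the
        # "priority" field the syslog input creates; renamed in step 5
        "priority_"    => "%{[mesg][28]}"
        "action"       => "%{[mesg][29]}"
        "packet_len"   => "%{[mesg][30]}"
        "tcp_flag"     => "%{[mesg][31]}"
        "icmp_type"    => "%{[mesg][32]}"
        "icmp_code"    => "%{[mesg][33]}"
      }
    }
  }
  else if [event][type] == "system_event" {
    mutate {
      split     => ["mesg", ","]
      add_field => {
        "timestamp"  => "%{[mesg][0]}"
        "machine"    => "%{[mesg][1]}"
        "event_type" => "%{[mesg][2]}"
        "msg"        => "%{[mesg][3]}"
      }
    }
  }
  else if [event][type] == "audit" {
    mutate {
      split     => ["mesg", ","]
      add_field => {
        "timestamp"  => "%{[mesg][0]}"
        "machine"    => "%{[mesg][1]}"
        "adminip"    => "%{[mesg][2]}"
        "cmdcode"    => "%{[mesg][3]}"
        "resultcode" => "%{[mesg][4]}"
        "adminlevel" => "%{[mesg][5]}"
        "menuid"     => "%{[mesg][6]}"
        "adminid"    => "%{[mesg][7]}"
        "parameter"  => "%{[mesg][8]}"
        "fail_msg"   => "%{[mesg][9]}"
        "diff_msg"   => "%{[mesg][10]}"
      }
    }
  }
  else if [event][type] == "alert" {
    mutate {
      split     => ["mesg", ","]
      add_field => {
        "timestamp"  => "%{[mesg][0]}"
        "machine"    => "%{[mesg][1]}"
        "alerttype"  => "%{[mesg][2]}"
        "alertlevel" => "%{[mesg][3]}"
        "msg"        => "%{[mesg][4]}"
      }
    }
  }
  else {
    # Unknown event types are discarded rather than indexed half-parsed.
    drop {}
  }

  # ---- 3. blank out optional trailing columns that were absent -------------
  # Only the last column of audit lines and the last three of raw lines are
  # treated as optional; an unresolved sprintf pattern is replaced by "".
  if [diff_msg] == "%{[mesg][10]}" {
    mutate {
      replace => { "[diff_msg]" => "" }
    }
  }
  if [tcp_flag] == "%{[mesg][31]}" {
    mutate {
      replace => { "[tcp_flag]" => "" }
    }
  }
  if [icmp_type] == "%{[mesg][32]}" {
    mutate {
      replace => { "[icmp_type]" => "" }
    }
  }
  if [icmp_code] == "%{[mesg][33]}" {
    mutate {
      replace => { "[icmp_code]" => "" }
    }
  }

  # The split array has been copied into named fields and is no longer needed.
  mutate {
    remove_field => ["mesg"]
  }

  # ---- 4. timestamps ---------------------------------------------------------
  # Device times are local (Asia/Seoul). The date filter does nothing when the
  # source field is absent, so each of these only applies to the types that
  # populate it (starttime/endtime: raw; timestamp: the other three).
  date {
    match    => ["starttime", "yyyy-MM-dd HH:mm:ss"]
    timezone => "Asia/Seoul"
    locale   => "ko"
    target   => "starttime"
  }
  date {
    match    => ["endtime", "yyyy-MM-dd HH:mm:ss", "yyyy-MM-dd HH:mm:ss.SSS"]
    timezone => "Asia/Seoul"
    locale   => "ko"
    target   => "endtime"
  }
  date {
    match    => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
    timezone => "Asia/Seoul"
    locale   => "ko"
    target   => "timestamp"
  }

  # ---- 5. rename into the final (ECS-like) layout -------------------------
  # [event][type] is moved to [event][category] first; for raw lines the
  # device's own "category" column then takes over the [event][type] name.
  # NOTE(review): raw events keep [host] while the other three types drop it;
  # presumably intentional, confirm.
  if [event][type] == "raw" {
    mutate {
      remove_field => ["facility", "syslogtime"]
      rename => {
        "[event][type]" => "[event][category]"
        "send_ip"       => "[server][ip]"
        "starttime"     => "[event][created]"
        "endtime"       => "[event][closed]"
        "machine_name"  => "[machine][name]"
        "log_id"        => "[log][id]"
        "log_type"      => "[log][type]"
        "ha_id"         => "[ha][id]"
        "pdomain_name"  => "[pdomain][name]"
        "interface"     => "[type][interface]"
        "segment"       => "[type][segment]"
        "direction"     => "[type][direction]"
        "vlanid"        => "[vlan][id]"
        "ethertype"     => "[network][eth_type]"
        "src_ip"        => "[source][ip]"
        "dst_ip"        => "[destination][ip]"
        "src_port"      => "[source][port]"
        "dst_port"      => "[destination][port]"
        "protocol"      => "[network][protocol]"
        "pcapid"        => "[dump][info]"
        "detects"       => "[detects][forward]"
        "packets"       => "[packets][forward]"
        "bytes"         => "[bytes][forward]"
        "module_type"   => "[module][type]"
        "rule_id"       => "[rule][id]"
        "rule_name"     => "[rule][name]"
        "profile_name"  => "[profile][name]"
        "category"      => "[event][type]"
        "sub_category"  => "[event][sub_type]"
        "function"      => "[event][function]"
        # fixed: the column is stored as "priority_" in step 2 ("priority"
        # was removed in step 1), so the old rename of "priority" never fired
        # and [event][priority] stayed empty for the translate below
        "priority_"     => "[event][priority]"
        "action"        => "[type][action]"
        "packet_len"    => "[packets][length]"
        "tcp_flag"      => "[tcp][flag]"
        "icmp_type"     => "[icmp][type]"
        "icmp_code"     => "[icmp][code]"
      }
      add_field => {
        "[event][action]" => "MFI"
      }
    }
  }
  else if [event][type] == "system_event" {
    mutate {
      remove_field => ["severity_label", "facility", "facility_label", "syslogtime", "host"]
      rename => {
        "[event][type]" => "[event][category]"
        "send_ip"       => "[server][ip]"
        "timestamp"     => "[event][created]"
        "machine"       => "[machine][name]"
        "event_type"    => "[alert][type]"
        "msg"           => "[alert][message]"
      }
    }
  }
  else if [event][type] == "audit" {
    mutate {
      remove_field => ["severity_label", "facility", "facility_label", "syslogtime", "host"]
      rename => {
        "[event][type]" => "[event][category]"
        "send_ip"       => "[server][ip]"
        "timestamp"     => "[event][created]"
        "machine"       => "[machine][name]"
        "adminip"       => "[admin][ip]"
        "cmdcode"       => "[order][command]"
        "resultcode"    => "[order][result]"
        "adminlevel"    => "[admin][level]"
        "menuid"        => "[menu][id]"
        "adminid"       => "[admin][id]"
        "parameter"     => "[order][parameter]"
        "fail_msg"      => "[order][fail_reason]"
        "diff_msg"      => "[order][difference]"
      }
    }
  }
  else if [event][type] == "alert" {
    mutate {
      remove_field => ["severity_label", "facility", "facility_label", "syslogtime", "host"]
      rename => {
        "[event][type]" => "[event][category]"
        "send_ip"       => "[server][ip]"
        "timestamp"     => "[event][created]"
        "machine"       => "[machine][name]"
        "alerttype"     => "[alert][type]"
        "alertlevel"    => "[alert][level]"
        "msg"           => "[alert][message]"
      }
    }
  }

  # ---- 6. numeric code -> label lookups -----------------------------------
  # override => true rewrites the field in place; lookups with no dictionary
  # entry leave the original code.
  translate {
    source     => "[event][priority]"
    target     => "[event][priority]"
    dictionary => {
      "0" => "NONE"
      "1" => "INFORMATIONAL"
      "2" => "LOW"
      "3" => "MEDIUM"
      "4" => "HIGH"
      "5" => "CRITICAL"
    }
    override => true
  }
  # NOTE(review): an OK/ERROR dictionary reads like a result code, yet it is
  # applied to the command code ([order][command]); confirm it should not
  # target [order][result] instead.
  translate {
    source     => "[order][command]"
    target     => "[order][command]"
    dictionary => {
      "1" => "ERROR"
      "0" => "OK"
    }
    override => true
  }
}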
[OUTPUT]
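output {
  # Routing: one index per (machine name, event category). An event that
  # matches no branch is silently discarded by Logstash, so each string below
  # must equal exactly what the filter writes into [machine][name] and
  # [event][category]; devices other than INT_IPS1/INT_IPS2 are not indexed.
  #
  # NOTE(review): every branch repeats the same cluster settings. The literal
  # password should be moved into the Logstash keystore and referenced as
  # "${ES_PASSWORD}", and because a CA bundle is already supplied via cacert,
  # ssl_certificate_verification can be set to true so the server certificate
  # is actually checked against it.
  if [event][category] == "raw" {
    if [machine][name] == "INT_IPS1" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips1_raw"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "INT_IPS2" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips2_raw"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  # fixed: the filter copies [event][type] "system_event" into
  # [event][category] unchanged, so the previous comparison against "system"
  # never matched and system events were dropped instead of indexed
  else if [event][category] == "system_event" {
    if [machine][name] == "INT_IPS1" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips1_system"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "INT_IPS2" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips2_system"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "audit" {
    if [machine][name] == "INT_IPS1" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips1_audit"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "INT_IPS2" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips2_audit"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
  else if [event][category] == "alert" {
    if [machine][name] == "INT_IPS1" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips1_alert"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    else if [machine][name] == "INT_IPS2" {
      elasticsearch {
        hosts    => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
        user     => "elastic"
        password => "P@ssw0rd"
        index    => "syslog_mfi_int_ips2_alert"
        ssl      => true
        ssl_certificate_verification => false
        cacert   => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
  }
}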