[Logstash] NAC syslog integration
- IT2/elk stack
- 2023. 2. 1. 20:11
# NAC version 5.0
[INPUT]
```
input {
  # NAC sends its syslog over UDP to this port
  udp {
    port => 5514
  }
}
```
[FILTER]
```
filter {
  # Split the NAC 5.0 syslog line into its fixed fields; the trailing free
  # text lands in _fullmsg
  grok {
    match => {
      "message" => "\<%{INT:facility}\>%{TIMESTAMP_ISO8601:_datetime} %{LOGLEVEL:_logtype} %{INT:_logid} %{DATA:_sensorname} %{DATA:_ip} %{DATA:_mac} %{DATA:detailmsg} %{GREEDYDATA:_fullmsg}"
    }
  }
  # Turn the "NONE" placeholder into a ". " separator so the message text and
  # its key=value detail can be split apart (both substitutions in one gsub
  # list, applied in order)
  mutate {
    gsub => [
      "_fullmsg", " NONE", ". ",
      "_fullmsg", "NONE ", ""
    ]
  }
  mutate {
    split => ["_fullmsg", ". "]
    add_field => {
      "_fullmsg_str"    => "%{[_fullmsg][0]}"
      "_fullmsg_detail" => "%{[_fullmsg][1]}"
    }
    remove_field => ["_fullmsg"]
  }
  mutate {
    rename => {
      "host" => "[host][ip]"
    }
  }
  # Look up the numeric log id; each dictionary value is "name/description"
  translate {
    source => "_logid"
    target => "[_logid_full]"
    dictionary_path => "/etc/logstash/conf.d/shipper_syslog/dictionary/nac_logid.yaml"
  }
  mutate {
    split => ["[_logid_full]", "/"]
    add_field => {
      "[log][name]" => "%{[_logid_full][0]}"
      "[log][desc]" => "%{[_logid_full][1]}"
    }
  }
  date {
    match => ["_datetime", "yyyy-MM-dd HH:mm:ss"]
    target => "_datetime"
    timezone => "Asia/Seoul"
  }
  # Move the temporary fields to their ECS-style names
  mutate {
    rename => {
      "_datetime"       => "[event][created]"
      "_logtype"        => "[log][type]"
      "_logid"          => "[log][id]"
      "_sensorname"     => "[sensor][ip]"
      "_ip"             => "[client][ip]"
      "_mac"            => "[client][mac]"
      "_fullmsg_str"    => "[log][msg]"
      "_fullmsg_detail" => "[log][detail]"
    }
    add_field => {
      "[event][category]" => "nac"
    }
    remove_field => ["facility", "detailmsg", "_logid_full"]
  }
  mutate {
    gsub => ["[log][detail]", " ", ""]
  }
  # Parse "key=value,key=value" detail into a sub-object with lowercase keys
  kv {
    source => "[log][detail]"
    target => "[log][detail]"
    field_split => ","
    value_split => "="
    trim_key => " "
    transform_key => "lowercase"
  }
  if [client][ip] == "NONE" {
    mutate {
      replace => { "[client][ip]" => "0.0.0.0" }
    }
  }
  if [sensor][ip] == "NONE" {
    mutate {
      replace => { "[sensor][ip]" => "0.0.0.0" }
    }
  }
  # Lines with no detail part leave the %{[_fullmsg][1]} reference
  # unresolved; clear it instead of indexing the literal placeholder
  if [log][detail] == "%{[_fullmsg][1]}" {
    mutate {
      replace => { "[log][detail]" => "" }
    }
  }
}
```
[OUTPUT]
```
output {
  elasticsearch {
    hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
    user => "elastic"
    # A literal password in the pipeline file is readable by anyone with
    # access to conf.d; storing it in the Logstash keystore and referencing
    # it as "${ES_PWD}" keeps it out of the config
    password => "P@ssw0rd"
    index => "syslog_nac_audit"
    ssl => true
    # false disables certificate chain and hostname checks, so the cacert
    # below is never used to validate the cluster; set this to true once the
    # CA file matches the cluster certificate
    ssl_certificate_verification => false
    cacert => "/usr/share/logstash/elasticsearch-ca.pem"
  }
}
```
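To check the grok, gsub/split and kv steps against sample lines before loading the pipeline, here is an added Python re-implementation of the filter above (my example, not code from the original post or from Logstash); the two constructed sample lines, the `LOGID_DICT` entry standing in for nac_logid.yaml and the fixed +09:00 offset standing in for Asia/Seoul are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Python re equivalent of the grok pattern in the filter (LOGLEVEL simplified to
# a run of letters; DATA and GREEDYDATA kept as .*? and .* like grok)
NAC_RE = re.compile(
    r"<(?P<facility>\d+)>(?P<datetime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logtype>[A-Za-z]+) (?P<logid>\d+) (?P<sensor>.*?) (?P<ip>.*?) "
    r"(?P<mac>.*?) (?P<detailmsg>.*?) (?P<fullmsg>.*)$"
)
# Constructed stand-in for nac_logid.yaml: id -> "name/description"
LOGID_DICT = {"3001": "auth_success/User authentication succeeded"}
# Fixed +09:00 offset standing in for the Asia/Seoul zone of the date filter
KST = timezone(timedelta(hours=9))


def none_to_zero(value):
    """Same as the two 'if ... == "NONE"' conditionals in the config."""
    return "0.0.0.0" if value == "NONE" else value


def parse_nac_line(line, logid_dict=LOGID_DICT):
    """Apply the filter steps to one NAC syslog line; None on grok failure."""
    m = NAC_RE.match(line)
    if not m:
        return None  # Logstash would tag the event _grokparsefailure instead
    # mutate gsub: " NONE" -> ". ", then "NONE " -> "", then split on ". "
    full = m["fullmsg"].replace(" NONE", ". ").replace("NONE ", "")
    parts = full.split(". ")
    # No second part: the config's last conditional blanks [log][detail]
    detail = parts[1] if len(parts) > 1 else ""
    # mutate gsub drops spaces, then kv splits on "," and "=" with lowercase
    # keys; pieces without "=" are skipped as the kv filter does
    kv = {}
    for pair in detail.replace(" ", "").split(","):
        if "=" in pair:
            key, val = pair.split("=", 1)
            kv[key.lower()] = val
    # translate + split on "/" (unknown ids give empty name/desc here)
    name, _, desc = logid_dict.get(m["logid"], "").partition("/")
    created = datetime.strptime(m["datetime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=KST)
    return {
        "event": {"created": created.isoformat(), "category": "nac"},
        "log": {"type": m["logtype"], "id": m["logid"], "name": name,
                "desc": desc, "msg": parts[0], "detail": kv},
        "sensor": {"ip": none_to_zero(m["sensor"])},
        "client": {"ip": none_to_zero(m["ip"]), "mac": m["mac"]},
    }
```

Feeding a line with a "NONE" sensor and client address and no key=value part shows the 0.0.0.0 substitution and the empty detail the last conditional produces.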