[Logstash] WAPPLES (Penta Security WAF) syslog 연동


[INPUT]
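input {
  # Receives the WAPPLES WAF syslog stream.
  # NOTE(review): the syslog input normally listens on both TCP and UDP,
  # unauthenticated and unencrypted, so anyone who can reach this port can
  # inject fake "WAF" audit/intrusion events. Bind it to the management
  # interface (host => "<listener ip>") and firewall the port to the
  # appliance's source address; if the appliance can send TLS syslog,
  # prefer the tcp input with ssl_enable => true instead of this plugin.
  syslog {
    port => 9400
    # The filter stage relies on the legacy (non-ECS) field names emitted by
    # this input: host, timestamp, logsource, priority, severity, severity_label,
    # facility, facility_label. Pin the ECS mode so a Logstash upgrade (8.x
    # defaults to ECS naming) does not rename them and silently break every
    # rename/remove_field below. Drop this line only on a plugin version that
    # predates the ecs_compatibility option.
    ecs_compatibility => "disabled"
  }
}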



[FILTER]
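filter {
  # 1) Split the syslog body into the WAPPLES record type and the rest.
  #    The literal "10" tokens and the mismatched "[WAPPLES}" are reproduced
  #    verbatim from the working config; they look like an artefact of how the
  #    appliance (or the capture this was written from) renders separators.
  #    Check against a raw line before "fixing" the pattern. On a mismatch
  #    dissect tags the event "_dissectfailure" and [log][type] stays unset,
  #    so none of the per-type branches below run.
  dissect {
    mapping => {
      "message" => "[WAPPLES}: 10 %{[log][type]} 10 %{msg}"
    }
  }

  # 2) Normalise separators in the remainder: " 10 " becomes the " & " field
  #    separator used by the per-type parsers, " [ " becomes ":[".
  #    Written as one gsub array (substitutions run in order) instead of two
  #    repeated `gsub =>` keys, which Logstash only merges by a legacy rule.
  mutate {
    gsub => [
      "msg", " 10 ", " & ",
      "msg", " \[ ", ":["
    ]
  }

  # 3) Parse the syslog header time. The header carries no year, so the date
  #    filter assumes the current one (watch the year rollover). The parsed
  #    value replaces the string in "timestamp" and is moved to
  #    [event][created] per type below; the syslog input normally also parses
  #    the same header into @timestamp.
  date {
    match => ["timestamp","MMM dd HH:mm:ss","MMM  d HH:mm:ss"]
    timezone => "Asia/Seoul"
    locale => "en"
    target => "timestamp"
  }

  # ---- AUDIT: administrator actions on the appliance ----
  if [log][type] == "AUDIT" {
    dissect {
      mapping => {
        "msg" => "MESSAGE : %{audit_msg} & SOURCE : %{SOURCE} & TYPE : %{TYPE} & MESSAGE TYPE : %{msg_type} 10"
      }
    }

    # SOURCE is split into key/value pairs on "-" / ":", which is what
    # produces the GUI and ID fields renamed below.
    # NOTE(review): a "-" inside a value (hostname, user id) would split it
    # again, and values may keep a leading space — add trim_value => " "
    # if [client][ip] shows up with one. An IPv6 address would also be cut
    # at its first ":".
    kv {
      source => "SOURCE"
      field_split => "-"
      value_split => ":"
      trim_key => " "
    }

    # FIX: this strip used to run *before* the kv filter created GUI, so it
    # matched nothing (gsub skips a missing field) and " (" / ")" ended up in
    # [client][ip] — which an ECS `ip`-typed mapping then rejects. It has to
    # run after kv.
    mutate {
      gsub => [
        "GUI", " \(", "",
        "GUI", "\)", ""
      ]
    }

    # Drop syslog-header noise and move the parsed values to their final names.
    # The raw syslog line stays in "message".
    mutate {
      remove_field => ["logsource","severity_label","severity","facility","facility_label","priority","SOURCE"]
      rename => {
        "host" => "[host][ip]"
        "timestamp" => "[event][created]"
        "[log][type]" => "[event][category]"
        "audit_msg" => "[audit][message]"
        "GUI" => "[client][ip]"
        "ID" => "[user][id]"
        "TYPE" => "[audit][type]"
        "msg_type" => "[mesg][type]"
      }
    }
  }

  # ---- INTRUSION: WAF detections ----
  else if [log][type] == "INTRUSION" {
    # Turn the " 10)" terminator of the client part into the "&" separator
    # the mapping below expects.
    mutate {
      gsub => ["msg"," 10\)","&"]
    }

    dissect {
      mapping => {
        "msg" => "DETECTION TIME : %{detection_time} & RULE NAME : %{rule_name} & (client %{client_ip}& -> (server %{server_ip}:%{port})"
      }
    }

    # detection_time is parsed but discarded (the syslog header time is used
    # as [event][created]); keep it as [event][start] if the two differ.
    # NOTE(review): [server][port] is left as a string here; ECS maps
    # server.port as a number — add a `convert => { "port" => "integer" }`
    # before the rename if the index template uses the ECS type.
    mutate {
      remove_field => ["facility","facility_label","logsource","severity","priority","severity_label","detection_time"]
      rename => {
        "timestamp" => "[event][created]"
        "host" => "[host][ip]"
        "[log][type]" => "[event][category]"
        "rule_name" => "[rule][name]"
        "client_ip" => "[client][ip]"
        "server_ip" => "[server][ip]"
        "port" => "[server][port]"
      }
      add_field => {
        "[event][action]" => "WAF"
      }
    }
  }

  # ---- SYSMON: appliance health counters ----
  else if [log][type] == "SYSMON" {
    # Strip spaces and unit suffixes so the remainder is a plain
    # "KEY:VALUE&KEY:VALUE" list; units (KB, Kbps, %) are lost in the
    # process, so the destination field names are the only unit hint.
    # One gsub array instead of four repeated keys; order is preserved.
    mutate {
      gsub => [
        "msg", " ", "",
        "msg", "KB", "",
        "msg", "Kbps10", "",
        "msg", "\\%", ""
      ]
    }

    kv {
      source => "msg"
      field_split => "&"
      value_split => ":"
    }

    # Numeric counters become integers; a non-numeric value is left as-is
    # (mutate logs the failure rather than dropping the event).
    mutate {
      convert => {
        "CPUIDLE" => "integer"
        "CPUUSER" => "integer"
        "CPUSYS" => "integer"
        "CPUIO" => "integer"
        "MEMTOTAL" => "integer"
        "MEMFREE" => "integer"
        "MEMCACHE" => "integer"
        "MEMBUFFER" => "integer"
        "SWBYPASS" => "integer"
        "DETOTAL" => "integer"
        "CPS" => "integer"
        "TPS" => "integer"
        "DESESSION" => "integer"
        "DETRAFFIC" => "integer"
        "NPSESSION" => "integer"
        "NPKERNELBUFFER" => "integer"
        "THROUGHPUT" => "integer"
      }
    }

    mutate {
      remove_field => ["severity","priority","facility","severity_label","logsource","facility_label"]

      rename => {
        "host" => "[host][ip]"
        "timestamp" => "[event][created]"
        "[log][type]" => "[event][category]"
        "CPUIDLE" => "[cpu][idle]"
        "CPUUSER" => "[cpu][user]"
        "CPUSYS" => "[cpu][sys]"
        "CPUIO" => "[cpu][io]"
        "MEMTOTAL" => "[mem][total]"
        "MEMFREE" => "[mem][free]"
        "MEMCACHE" => "[mem][cache]"
        "MEMBUFFER" => "[mem][buffer]"
        "SWBYPASS" => "[status][bypass]"
        "DETOTAL" => "[count][total]"
        "DESTAT" => "[count][status]"
        "CPS" => "[status][cps]"
        "TPS" => "[status][tps]"
        "DESESSION" => "[count][session]"
        "DETRAFFIC" => "[count][traffic]"
        "NPSESSION" => "[number][session]"
        "NPKERNELBUFFER" => "[number][buffer]"
        "THROUGHPUT" => "[through][put]"
      }
    }
  }

  # Any other record type, or an event whose top-level dissect failed, used to
  # fall through with no [event][category] and vanish in the output stage.
  # Tag it so parsing regressions and new WAPPLES log types are visible.
  else {
    mutate {
      add_tag => ["_wapples_unknown_type"]
    }
  }

  # Working fields are dropped for every branch; the original syslog line is
  # still in "message", so nothing is lost when a per-type parser fails.
  mutate {
    remove_field => ["msg","log"]
  }
}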



[OUTPUT]
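output {
  # Credentials come from the Logstash keystore
  # (bin/logstash-keystore add ES_USER ES_PASSWORD) or the environment —
  # never a literal password in a pipeline file that ends up in version
  # control or a blog post. Use a dedicated role limited to writing
  # syslog_new_wapple_* rather than the "elastic" superuser; Logstash refuses
  # to start if the variables are missing, which is the safe failure.
  #
  # Certificate verification stays ON. The original disabled it while still
  # pointing at a CA file, which makes the CA useless and lets anyone on the
  # path read the credentials and tamper with WAF logs. If verification fails
  # because the nodes are addressed by IP, add those IPs to the server
  # certificates' SAN (or use hostnames) instead of turning the check off.
  # NOTE(review): newer logstash-output-elasticsearch versions spell these
  # options ssl_enabled / ssl_certificate_authorities; the legacy names are
  # kept here because the original pipeline runs with them.
  if [event][category] == "SYSMON" {
    elasticsearch {
      hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
      user => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index => "syslog_new_wapple_system"
      ssl => true
      ssl_certificate_verification => true
      cacert => "/usr/share/logstash/elasticsearch-ca.pem"
    }
  }
  else if [event][category] == "INTRUSION" {
    elasticsearch {
      hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
      user => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index => "syslog_new_wapple_detect"
      ssl => true
      ssl_certificate_verification => true
      cacert => "/usr/share/logstash/elasticsearch-ca.pem"
    }
  }
  else if [event][category] == "AUDIT" {
    elasticsearch {
      hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
      user => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index => "syslog_new_wapple_audit"
      ssl => true
      ssl_certificate_verification => true
      cacert => "/usr/share/logstash/elasticsearch-ca.pem"
    }
  }
  # Events with no recognised category (a failed dissect, an unexpected
  # WAPPLES log type) were previously dropped silently because the chain had
  # no else. Index them separately so a parsing regression on a security log
  # source is noticed instead of disappearing.
  else {
    elasticsearch {
      hosts => ["https://192.168.0.1:9200", "https://192.168.0.2:9200", "https://192.168.0.3:9200"]
      user => "${ES_USER}"
      password => "${ES_PASSWORD}"
      index => "syslog_new_wapple_unparsed"
      ssl => true
      ssl_certificate_verification => true
      cacert => "/usr/share/logstash/elasticsearch-ca.pem"
    }
  }
}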