input {
  # Tail the OSSEC alert log on the OSSEC server itself.
  # NOTE(review): alerts.log is normally readable only by the ossec user/group;
  # the Logstash service account needs read access to it and write access to
  # sincedb_path, otherwise nothing is ingested and no alert is ever raised.
  file {
    type => "ossec"
    path => "/var/ossec/logs/alerts/alerts.log"
    # Read-position bookkeeping. If this file is lost (or the path is not
    # writable) the whole alert log is re-read on restart and every historic
    # alert is indexed a second time.
    sincedb_path => "/opt/logstash/sincedb"
    # One alert spans several lines and begins with "** Alert ..."; every line
    # that does NOT start with "**" is glued onto the previous event.
    # NOTE(review): the most recent alert stays buffered in the codec until the
    # next "**" line arrives, so a lone high-severity alert can sit here
    # indefinitely. Newer multiline codecs offer auto_flush_interval to bound
    # that delay — confirm the installed codec version before adding it.
    codec => multiline {
      pattern => "^\*\*"
      negate => true
      what => "previous"
    }
  }
}
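filter {
  # Parse the header of the alert. The two patterns are tried in order; the
  # first one that matches wins. On no match grok adds "_grokparsefailure".
  grok {
    # Matches 2014 Mar 08 00:57:49 (some.server.com) 10.1.2.3->ossec
    # (?m) fixes issues with multi-lines see https://logstash.jira.com/browse/LOGSTASH-509
    match => ["message", "(?m)\*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} \(%{DATA:reporting_host}\) %{IP:reporting_ip}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
    # Matches 2014 Mar 08 00:00:00 ossec-server01->/var/log/auth.log
    match => ["message", "(?m)\*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:reporting_host}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
  }

  # Everything below only makes sense once the header parsed. An unparsed
  # alert is left untouched: its original "message" and the
  # "_grokparsefailure" tag survive, so a format change in OSSEC shows up as
  # tagged events in the index instead of silently becoming events whose
  # @message is the literal string "%{real_message}" and whose only copy of
  # the alert text has been removed.
  if "_grokparsefailure" not in [tags] {
    # Attempt to parse additional data from the alert body. Every group is
    # optional, so this only fails when remaining_message itself is absent.
    # NOTE(review): %{USER} only covers [a-zA-Z0-9._-]; domain-qualified or
    # otherwise unusual account names will not populate "acct" — confirm
    # against the decoders in use.
    grok {
      match => ["remaining_message", "(?m)(Src IP: %{IP:src_ip}%{SPACE})?(Src Port: %{NONNEGINT:src_port}%{SPACE})?(Dst IP: %{IP:dst_ip}%{SPACE})?(Dst Port: %{NONNEGINT:dst_port}%{SPACE})?(User: %{USER:acct}%{SPACE})?%{GREEDYDATA:real_message}"]
    }

    # Set @timestamp from the alert itself rather than Logstash ingest time, so
    # replayed or backfilled alerts keep their real time and land in the index
    # for the correct day (the output's index name is derived from @timestamp).
    # The field name suggests timestamp_seconds is the epoch-seconds part of
    # the OSSEC alert id "<epoch>.<counter>"; the UNIX parser treats the
    # counter as fractional seconds, which is sub-second noise.
    # NOTE(review): confirm against the alerts.log format in use. A failure
    # here adds "_dateparsefailure" and leaves @timestamp as ingest time.
    date {
      match => ["timestamp_seconds", "UNIX"]
    }

    # Only look up src_ip when the body actually carried one; otherwise every
    # event without a source address would be tagged _geoip_lookup_failure.
    if [src_ip] {
      geoip {
        source => "src_ip"
      }
    }

    mutate {
      # Numeric fields as integers so range queries (level >= 10, port == 22)
      # behave in Elasticsearch. Fields that are absent are skipped.
      convert => [ "severity", "integer", "rule_number", "integer", "src_port", "integer", "dst_port", "integer" ]
      replace => [ "@message", "%{real_message}" ]
      replace => [ "hostname", "%{reporting_host}"]
      add_field => [ "product", "ossec"]
      # Keep the verbatim alert text for forensics before "message" is dropped.
      add_field => [ "raw_message", "%{message}"]
      # NOTE(review): on newer Logstash (ECS mode) "host" is an object, so this
      # may render as a hash rather than a hostname — confirm on upgrade.
      add_field => [ "ossec_server", "%{host}"]
      # "tags" is deliberately NOT removed: it is the only place that
      # _grokparsefailure / _dateparsefailure / _geoip_lookup_failure are
      # reported. Only the codec's own bookkeeping tag is dropped.
      remove_tag => [ "multiline" ]
      remove_field => [ "type", "syslog_program", "syslog_timestamp", "reporting_host", "message", "timestamp_seconds", "real_message", "remaining_message", "path", "host"]
    }
  }
}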
output {
  # Write each alert to a daily index on a local Elasticsearch.
  # NOTE(review): plaintext with no credentials is only acceptable while ES is
  # bound to 127.0.0.1 on the same host; if it is ever reached over a network,
  # add ssl => true with cacert plus user/password (or api_key) here, and give
  # the Logstash account write access to "ossec-*" only. The day in the index
  # name comes from @timestamp, i.e. ingest time unless a date filter sets it
  # from the alert. document_type was removed in Elasticsearch 7+ and is
  # rejected by recent versions of this output plugin — drop it when upgrading.
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "ossec-%{+YYYY.MM.dd}"
    document_type => "ossec"
  }
}