-
Notifications
You must be signed in to change notification settings - Fork 0
/
10-syslog-filter.conf
105 lines (102 loc) · 4.67 KB
/
10-syslog-filter.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
filter {
if [type] == "syslog" {
mutate {
add_tag => [ "in_10" ]
}
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{DATA:syslog_program}(?:\[%{POSINT:pid}\])?: %{AUDITLOGLEVEL:loglevel} : %{GREEDYDATA:content}" }
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{DATA:syslog_program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:content}" }
match => { "message" => "%{AUDITLOGLEVEL:loglevel} +?\[%{DATA:syslog_program}\] %{GREEDYDATA:content}" }
add_tag => [ "syslog_bp" ]
tag_on_failure => ["_gpf_syslog"]
}
if "syslog_bp" in [tags] {
mutate {
replace => { message => "%{content}" }
remove_field => [ "content" ]
}
}
#DHCP
grok {
match => { "message" => "%{WORD:type}\(%{DATA:bridge}\) %{IP:server} %{MAC:mac}" }
add_tag => [ "dhcp" ]
}
#MARTIAN SOURCE
grok {
#match => { "message" => "martian source %{IP:mask} from %{IP:ip_from}%{NOTSPACE}%{SPACE}%{WORD}%{SPACE}%{WORD:aword}%{SPACE}%{GREEDYDATA:interface}" }
match => { "message" => "martian source %{IP:mask} from %{IP:ip_from}%{NOTSPACE} %{WORD} %{WORD:aword} %{GREEDYDATA:interface}" }
add_tag => [ "martian" ]
}
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME} %{DATA:syslog_program}(?:\[%{POSINT:pid}\])?: Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
add_tag => [ "ssh_sucessful_login", "matched_syslog2" ]
}
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => { "message" => "sshd\[%{BASE10NUM}\]: Accepted publickey for %{WORD:username} from %{IP:src_ip} port %{POSINT:src_port} ssh2: %{WORD:key_type} %{RSAKEY:rsa_key}" }
add_tag => [ "matched_syslog3" ]
}
grok {
match => { "message" => "sshd\[%{BASE10NUM}\]: Failed password for invalid user %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" }
add_tag => [ "bad_login", "matched_syslog4" ]
}
grok {
match => { "message" => "sshd\[%{BASE10NUM}\]: Invalid user %{USERNAME:username} from %{IP:src_ip}" }
add_tag => [ "bad_login", "matched_syslog5" ]
}
grok {
match => { "message" => "sshd\[%{BASE10NUM}\]: Received disconnect from %{IP:src_ip}: [preauth]" }
add_tag => [ "bad_login", "matched_syslog6" ]
}
grok {
match => { "message" => "sshd\[%{BASE10NUM}\]: Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2" }
add_tag => [ "failed_password", "matched_syslog7" ]
}
grok {
match => { "message" => "sudo: pam_unix\(sudo:auth\): authentication failure; logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}" }
add_tag => [ "failed_password", "matched_syslog8" ]
}
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME} sshd\[%{BASE10NUM}\]: Accepted publickey for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
add_tag => [ "ssh_sucessful_login", "matched_syslog10" ]
}
grok {
match => { "message" => "sshd\[%{BASE10NUM}\]: %{GREEDYDATA:syslog_message}" }
add_tag => [ "matched_syslog_catchall" ]
remove_tag => [ "_grokparsefailure" ]
}
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:logmessage}" }
}
syslog_pri {
severity_labels => ["ERROR", "ERROR", "ERROR", "ERROR", "WARNING", "INFO", "INFO", "DEBUG" ]
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "yyyy-MM-dd'THH:mm:ss:S+ZZ", "yyyy-MM-dd'THH:mm:ss:SSSSSS+ZZ" ]
#2016-08-10T02:04:04.173127+00:00
add_tag => [ "syslog_date" ]
tag_on_failure => [ "syslog_date_fail" ]
}
mutate {
#remove_field => [ "syslog_hostname", "timestamp" ]
add_field => [ "loglevel", "%{level}" ]
add_field => [ "module", "%{syslog_program}" ]
add_tag => [ "syslog_processed" ]
}
}
if "pam_unix(su:session): session opened" in [message] {
metrics {
meter => [ "system.session_opened" ]
add_tag => [ "metric" ]
clear_interval => 3600 # This needs to be multiples of 5
}
}
if "pam_unix(su:session): session closed" in [message] {
metrics {
meter => [ "system.session_closed" ]
add_tag => [ "metric" ]
clear_interval => 3600 # This needs to be multiples of 5
}
}
}