-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlogstash-patterns
16 lines (11 loc) · 1.45 KB
/
logstash-patterns
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#this file is for custom definitions in the pattern file for logstash. Either append what's below to your current
#pattern file, or ensure your logstash config server is pointed to a second pattern file
IPTABLES_DENIED %{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:_host} kernel: iptables denied: IN=(?<in>eth0) OUT= MAC=(?<mac_addr>\S+) SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=\d+ TOS=0x\d+ PREC=0x\d+ TTL=\d+ ID=\d+(?:\sDF)? PROTO=(?<proto>\S+) SPT=(?<src_port>\d+) DPT=(?<dst_port>\d+)(?:\sWINDOW=\d+)?(?:\sRES=0x\d+)?(?:\s[ACKSYNFIRT]{3})+(?:\sURGP=\d)?
KIPPO_TIMESTAMP (?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
#I found that the grok filter below did not work. It would not properly parse the IP's so I am building a new one
## KIPPO_BODY_SSHSERVICE \[SSHService ssh-userauth on HoneyPotTransport,\d+,%{IP:src_ip>}\]
#This is the new Regex which accounts for the newer version of kippo. Please report if this doesn't work.
##KIPPO_BODY_SSHSERVICE \[(?<SSHType>SSHService\s(ssh-connection|ssh-userauth)\son\sHoneyPotTransport|HoneyPotTransport|kippo.core.ssh.HoneyPotSSHFactory|-),(?<number>\d+),%{IP:src_ip>}\]
## In order to make this more compatible with elasticsearch dynamic mapping, I am altering multiple fields
KIPPO_BODY_SSHSERVICE \[(?<SSHType>SSHService\s(ssh-connection|ssh-userauth)\son\sHoneyPotTransport|HoneyPotTransport|kippo.core.ssh.HoneyPotSSHFactory|-)\]
KIPPO_MSG_LOGIN login\sattempt\s\[(?<src_user>\S+)/(?<src_pwd>\S+)\]\s(?<outcome>succeeded|failed)