update logstash config and process_leak

bwi.conf: now is correctly extracting querystrings from urlparameters if they are named "q" process_leak.py: fixed output to add pid automatically added lenght restriction to passwordfield
2019-02-22 13:16:05 +01:00
parent 2d631cef27
commit f71c15d6f5
2 changed files with 31 additions and 23 deletions
--- a/dockerfiles/logstash/configs/bwi.conf
+++ b/dockerfiles/logstash/configs/bwi.conf
@@ -9,7 +9,7 @@ input {
  # }
    file{
        type => syslog
-        path => "/config/*"
+        path => "/config/data.csv"
        start_position => "beginning"
    }
 }
@@ -79,10 +79,18 @@ filter {
        match => { "mwg[parsedurl][host]" => "((?<mwg[parsedurl][subdomain]>[^/]+)\.)?(?<mwg[parsedurl][domain]>[^/.]+)\.(?<mwg[parsedurl][tld]>[^/.]+)" }
        }

-        if [mwg.parsedurl.domain] == "google"{
-          grok {
-            match => { "mwg[parsedurl][parameters]" => "(?<mwg[parsedurl][googlesearch]>q=[^&]+)" }
-          }
+        grok {
+          match => { "mwg[parsedurl][parameters]" => "q=(?<mwg[parsedurl][querystring]>[^&]+)" }
+          add_tag => "querystring"
+          tag_on_failure => "no_querystring"
+        }
+        urldecode {
+          field => "mwg[parsedurl][querystring]"
+          add_tag => "urldecoded_querystring"
+        }
+        urldecode {
+          field => "mwg[parsedurl][parameters]"
+          add_tag => "urldecoded_parameters"
        }

 	# parsing von allen url parameter macht probleme weil zu viele
@@ -96,9 +104,9 @@ filter {
    }
 }
 output {
-#  elasticsearch {
-#    hosts => ["elasticsearch:9200"]
-#    index => "logstash-bwi-casenr"
-#  }
+ elasticsearch {
+   hosts => ["elasticsearch:9200"]
+   index => "logstash-testindex"
+ }
  stdout { codec => rubydebug }
 }