f71c15d6f5
bwi.conf: now is correctly extracting querystrings from urlparameters if they are named "q" process_leak.py: fixed output to add pid automatically added lenght restriction to passwordfield
113 lines
3.2 KiB
Plaintext
113 lines
3.2 KiB
Plaintext
input {
|
|
# tcp {
|
|
# port => 5000
|
|
# type => syslog
|
|
# }
|
|
# udp {
|
|
# port => 5000
|
|
# type => syslog
|
|
# }
|
|
file{
|
|
type => syslog
|
|
path => "/config/data.csv"
|
|
start_position => "beginning"
|
|
}
|
|
}
|
|
filter {
|
|
if [type] == "syslog" {
|
|
syslog_pri{}
|
|
grok {
|
|
match => { "message" => [
|
|
"%{SYSLOGTIMESTAMP:syslog_timestamp} (%{SYSLOGHOST:syslog_hostname} |)%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}",
|
|
"%{SYSLOGTIMESTAMP:syslog_timestamp} (%{SYSLOGHOST:syslog_hostname} |)%{GREEDYDATA:syslog_message}"
|
|
]
|
|
}
|
|
add_field => [ "received_at", "%{@timestamp}" ]
|
|
add_field => [ "received_from", "%{host}" ]
|
|
}
|
|
date {
|
|
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
|
|
}
|
|
mutate {
|
|
# replace => [ "message", "%{syslog_message}" ]
|
|
rename => [ "syslog_message", "message" ]
|
|
}
|
|
}
|
|
if [syslog_program] == "mwg"{
|
|
kv{
|
|
field_split => "|"
|
|
transform_key => "lowercase"
|
|
trim_value => '"'
|
|
target => "mwg"
|
|
add_tag => "mwg"
|
|
remove_field => "message"
|
|
include_keys => [
|
|
"devtime",
|
|
"referer",
|
|
"httpmethod",
|
|
"bytes",
|
|
"mediatype",
|
|
"useragent",
|
|
"blockreason",
|
|
"url",
|
|
"dst",
|
|
"httpstatus",
|
|
"src",
|
|
"urlcategories",
|
|
"usrname"
|
|
]
|
|
}
|
|
mutate{
|
|
convert => { "mwg[bytes]" => "integer" }
|
|
}
|
|
date{
|
|
match => ["mwg[devtime]" , "UNIX_MS"]
|
|
# target => "mwg[timestamp]"
|
|
}
|
|
useragent {
|
|
source => "mwg[useragent]"
|
|
target => "mwg[ua]"
|
|
}
|
|
geoip {
|
|
source => "mwg[dst]"
|
|
}
|
|
|
|
grok {
|
|
match => { "mwg[url]" => "%{URIPROTO:mwg[parsedurl][protocol]}://(?<mwg[parsedurl][host]>[^/]+)(/(?<mwg[parsedurl][path]>[^?]+)(\?%{GREEDYDATA:mwg[parsedurl][parameters]})?)?" }
|
|
}
|
|
grok {
|
|
match => { "mwg[parsedurl][host]" => "((?<mwg[parsedurl][subdomain]>[^/]+)\.)?(?<mwg[parsedurl][domain]>[^/.]+)\.(?<mwg[parsedurl][tld]>[^/.]+)" }
|
|
}
|
|
|
|
grok {
|
|
match => { "mwg[parsedurl][parameters]" => "q=(?<mwg[parsedurl][querystring]>[^&]+)" }
|
|
add_tag => "querystring"
|
|
tag_on_failure => "no_querystring"
|
|
}
|
|
urldecode {
|
|
field => "mwg[parsedurl][querystring]"
|
|
add_tag => "urldecoded_querystring"
|
|
}
|
|
urldecode {
|
|
field => "mwg[parsedurl][parameters]"
|
|
add_tag => "urldecoded_parameters"
|
|
}
|
|
|
|
# parsing von allen url parameter macht probleme weil zu viele
|
|
# kv {
|
|
# source => "mwg[parsedurl][parameters]"
|
|
# field_split => "&"
|
|
# target => "mwg[parsedurl][parsedparameters]"
|
|
# }
|
|
|
|
|
|
}
|
|
}
|
|
output {
|
|
elasticsearch {
|
|
hosts => ["elasticsearch:9200"]
|
|
index => "logstash-testindex"
|
|
}
|
|
stdout { codec => rubydebug }
|
|
}
|