# Input section
#
# One `file` input per log producer. Each input tails a log file under
# /data/<tool>/log and stamps its events with a `type`, which the filter
# section uses to pick the matching parser (e.g. `if [type] == "Suricata"`).
# The `type` strings are case-sensitive and must stay identical to the
# filter conditions — note the mixed case in "ConPot", "ElasticPot" and "P0f".
#
# Inputs declared with `codec => json` have each line decoded into event
# fields on read; inputs with no codec (or `codec => plain`) deliver the raw
# line in `message` and rely on the filter section to parse it.
#
# No `start_position` / `sincedb_path` is set on any input, so the plugin
# defaults apply (by default only lines appended after startup are read) —
# confirm against the Logstash version in use.
#
# NOTE(review): every one of these files is written by a honeypot or sensor
# from traffic it received, so the content is attacker-supplied. Treat the
# parsed fields as untrusted in anything downstream of this pipeline.

input {

# Suricata
# eve.json is Suricata's JSON event log (alerts, flows, dns, ...); decoded on read.
  file {
    path => ["/data/suricata/log/eve.json"]
    codec => json
    type => "Suricata"
  }

# P0f
# Passive OS fingerprinting output, one JSON object per line.
  file {
    path => ["/data/p0f/log/p0f.json"]
    codec => json
    type => "P0f"
  }

# Ciscoasa
# Plain text; the Ciscoasa filter splits each line into key/value pairs.
  file {
    path => ["/data/ciscoasa/log/ciscoasa.log"]
    codec => plain
    type => "Ciscoasa"
  }

# Conpot
# Glob: every *.json file in the directory is tailed, not a single log.
  file {
    path => ["/data/conpot/log/*.json"]
    codec => json
    type => "ConPot"
  }

# Cowrie
  file {
    path => ["/data/cowrie/log/cowrie.json"]
    codec => json
    type => "Cowrie"
  }

# Dionaea
# JSON on read; the Dionaea filter later strips the IPv4-mapped "::ffff:"
# prefix from src_ip / dest_ip.
  file {
    path => ["/data/dionaea/log/dionaea.json"]
    codec => json
    type => "Dionaea"
  }

# Elasticpot
# .log extension, but the content is JSON (hence the codec).
  file {
    path => ["/data/elasticpot/log/elasticpot.log"]
    codec => json
    type => "ElasticPot"
  }

# eMobility
# No codec: raw lines land in `message` for later parsing (parser not in view).
  file {
    path => ["/data/emobility/log/centralsystemEWS.log"]
    type => "eMobility"
  }

# Glastopf
# No codec: raw lines land in `message` for later parsing (parser not in view).
  file {
    path => ["/data/glastopf/log/glastopf.log"]
    type => "Glastopf"
  }

# Glutton
  file {
    path => ["/data/glutton/log/glutton.log"]
    codec => json
    type => "Glutton"
  }

# Heralding
# CSV with no codec — presumably split by a csv filter further down; not visible here.
  file {
    path => ["/data/heralding/log/auth.csv"]
    type => "Heralding"
  }

# Honeytrap
  file {
    path => ["/data/honeytrap/log/attackers.json"]
    codec => json
    type => "Honeytrap"
  }

# Mailoney
# No codec: raw lines land in `message` for later parsing (parser not in view).
  file {
    path => ["/data/mailoney/log/commands.log"]
    type => "Mailoney"
  }

# Rdpy
# No codec: raw lines land in `message` for later parsing (parser not in view).
  file {
    path => ["/data/rdpy/log/rdpy.log"]
    type => "Rdpy"
  }

# Host NGINX
# `codec => json` assumes nginx's log_format for access.log emits JSON — confirm.
  file {
    path => ["/data/nginx/log/access.log"]
    codec => json
    type => "NGINX"
  }

# Tanner
  file {
    path => ["/data/tanner/log/tanner_report.json"]
    codec => json
    type => "Tanner"
  }

# Vnclowpot
# No codec: raw lines land in `message` for later parsing (parser not in view).
  file {
    path => ["/data/vnclowpot/log/vnclowpot.log"]
    type => "Vnclowpot"
  }
}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Filter Section
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								filter {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
# Suricata
# Applies to events tagged `type => "Suricata"` by the eve.json input.
  if [type] == "Suricata" {
    # Suricata's `timestamp` is ISO 8601; use it as the event's @timestamp.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Alert enrichment: look up the rule's signature_id in the listbot
    # dictionary and store the matching CVE id next to it. The dictionary is
    # re-read every 86400 s (24 h), so whoever can write
    # /etc/listbot/cve.yaml controls this enrichment. No `fallback` is
    # configured, so ids without an entry leave [alert][cve_id] unset; events
    # that carry no [alert] object should pass through unchanged.
    translate {
      refresh_interval => 86400
      field => "[alert][signature_id]"
      destination => "[alert][cve_id]"
      dictionary_path => "/etc/listbot/cve.yaml"
    }
  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
# P0f
# Applies to events tagged `type => "P0f"` by the p0f.json input.
  if [type] == "P0f" {
    # p0f writes "yyyy/MM/dd HH:mm:ss" with no zone designator, so the date
    # filter falls back to its default `timezone` — confirm p0f and Logstash
    # agree on UTC. `remove_field` is only applied when the match succeeds,
    # so an unparseable timestamp is kept (and the event gets the usual
    # _dateparsefailure tag).
    date {
      match => [ "timestamp", "yyyy'/'MM'/'dd HH:mm:ss" ]
      remove_field => ["timestamp"]
    }
    # Normalise p0f's client/server naming to the src_* / dest_* field names
    # the other honeypot parsers in this file produce.
    mutate {
      rename => {
        "server_port" => "dest_port"
        "server_ip" => "dest_ip"
        "client_port" => "src_port"
        "client_ip" => "src_ip"
      }
    }
  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
# Ciscoasa
# Applies to events tagged `type => "Ciscoasa"`; the input is plain text, so
# `message` holds the raw line and everything below has to parse it.
  if [type] == "Ciscoasa" {
    # Split the line on "," into pairs and each pair on ":" into key/value.
    # Spaces, single quotes and braces are stripped from keys; quotes and
    # braces from values. Anything the honeypot logged ends up as a field
    # name, so the resulting keys are attacker-influenced.
    kv {
      remove_char_key => " '{}"
      remove_char_value => "'{}"
      value_split => ":"
      field_split => ","
    }
    # Assumes the kv step yields an ISO 8601 `timestamp` — the log format
    # itself is not visible here; confirm against the ciscoasa output.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Set dest_ip from the MY_EXTIP environment variable (presumably the
    # sensor's external address). `${...}` is resolved when the pipeline is
    # loaded, and no `${MY_EXTIP:default}` fallback is given, so an unset
    # variable is a configuration error at startup rather than a silent
    # empty field. `add_field` appends if dest_ip already exists, which
    # would turn it into an array.
    mutate {
      add_field => {
        "dest_ip" => "${MY_EXTIP}"
      }
    }
  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
							 
							
								 
							
							
# Conpot
# Applies to events tagged `type => "ConPot"` (mixed case — must match the
# input declaration exactly).
  if [type] == "ConPot" {
    # Conpot's `timestamp` is ISO 8601; use it as the event's @timestamp.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Normalise dst_* to the dest_* names shared with the Cowrie and Dionaea
    # parsers; src_* is already in the common form.
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
# Cowrie
# Applies to events tagged `type => "Cowrie"` by the cowrie.json input.
  if [type] == "Cowrie" {
    # Cowrie's `timestamp` is ISO 8601; use it as the event's @timestamp.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Normalise dst_* to the dest_* names shared with the Conpot and Dionaea
    # parsers; src_* is already in the common form.
    mutate {
      rename => {
        "dst_port" => "dest_port"
        "dst_ip" => "dest_ip"
      }
    }
  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Dionaea
								  if [type] == "Dionaea" {
								    # Dionaea already emits an ISO 8601 "timestamp"; promote it to @timestamp.
								    date { match => [ "timestamp", "ISO8601" ] }
								    mutate {
								      # Align Dionaea's dst_* names with the dest_* names used by every other
								      # honeypot section. Within one mutate, Logstash applies rename before
								      # gsub, so the gsub below already sees dest_ip.
								      rename => { "dst_port" => "dest_port" "dst_ip" => "dest_ip" }
								      # Strip the IPv4-mapped IPv6 prefix ("::ffff:a.b.c.d" -> "a.b.c.d") so
								      # src_ip/dest_ip are plain IPv4 for the geoip and ip_rep lookups below.
								      gsub => [ "src_ip", "::ffff:", "", "dest_ip", "::ffff:", "" ]
								    }
								    # Flatten the captured credentials object into login.* and drop the original.
								    if [credentials] {
								      mutate {
								        add_field => {
								          "login.username" => "%{[credentials][username]}"
								          "login.password" => "%{[credentials][password]}"
								        }
								        remove_field => [ "[credentials]" ]
								      }
								    }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# ElasticPot
								  if [type] == "ElasticPot" {
								    # Only the timestamp needs normalising; the rest of the event is kept as logged.
								    date { match => [ "timestamp", "ISO8601" ] }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# eMobility
								  if [type] == "eMobility" {
								    grok {
								      # Pipe-separated access line: "src.port|dest.port: <run of unnamed
								      # SYSLOG5424 tokens> method|uri|timestamp". Only the two endpoints, the
								      # HTTP method/URI and the timestamp are kept as fields; the tokens in
								      # between are matched and discarded.
								      match => {
								        "message" => "\A%{IP:src_ip}\.%{POSINT:src_port:integer}\|%{IP:dest_ip}\.%{POSINT:dest_port:integer}:%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424SD}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{URIPROTO:http_method}\|%{URIPATH:http_uri}\|%{TIMESTAMP_ISO8601:timestamp}"
								      }
								    }
								    # The grok above produces "timestamp"; use it for @timestamp.
								    date { match => [ "timestamp", "ISO8601" ] }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Glastopf
								  if [type] == "Glastopf" {
								    grok {
								      # Space-separated request log; unnamed tokens are matched and discarded,
								      # leaving timestamp, src_ip, http_method, http_uri and dest_port.
								      match => {
								        "message" => "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{NOTSPACE}%{SPACE}%{IP:src_ip}%{SPACE}%{WORD}%{SPACE}%{URIPROTO:http_method}%{SPACE}%{NOTSPACE:http_uri}%{SPACE}%{NOTSPACE}%{SPACE}%{HOSTNAME}:%{NUMBER:dest_port:integer}"
								      }
								    }
								    date {
								      # Note the comma (not a dot) before the milliseconds.
								      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
								      remove_field => [ "timestamp" ]
								    }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Glutton
								  if [type] == "Glutton" {
								    # Glutton logs an epoch-seconds "ts"; it becomes @timestamp and the raw value is dropped.
								    date { match => [ "ts", "UNIX" ] remove_field => [ "ts" ] }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Heralding
								  if [type] == "Heralding" {
								    # One CSV record per authentication attempt; attempted username/password
								    # are indexed as plain strings.
								    csv {
								      separator => ","
								      columns => [
								        "timestamp", "auth_id", "session_id",
								        "src_ip", "src_port", "dest_ip", "dest_port",
								        "proto", "username", "password"
								      ]
								    }
								    date {
								      # Microsecond precision, hence six fraction digits.
								      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
								      remove_field => [ "timestamp" ]
								    }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
							 
							
								 
							
							
								# Honeytrap
								  if [type] == "Honeytrap" {
								    date { match => [ "timestamp", "ISO8601" ] }
								    # Lift the nested attack_connection.* endpoints to the flat src_*/dest_*
								    # names shared by all honeypot sections (remote = attacker, local = listener).
								    mutate {
								      rename => {
								        "[attack_connection][remote_ip]"   => "src_ip"
								        "[attack_connection][remote_port]" => "src_port"
								        "[attack_connection][local_ip]"    => "dest_ip"
								        "[attack_connection][local_port]"  => "dest_port"
								      }
								    }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Mailoney
								  if [type] == "Mailoney" {
								    grok {
								      # "[epoch][ip:port] <raw smtp input>". NAGIOSTIME yields nagios_epoch,
								      # which the date filter below consumes; everything after the peer
								      # address is kept verbatim in smtp_input.
								      match => {
								        "message" => "\A%{NAGIOSTIME}\[%{IPV4:src_ip}:%{INT:src_port:integer}] %{GREEDYDATA:smtp_input}"
								      }
								    }
								    # SMTP listener port; added as a string here and coerced to integer further down.
								    mutate { add_field => { "dest_port" => "25" } }
								    date {
								      match => [ "nagios_epoch", "UNIX" ]
								      remove_field => [ "nagios_epoch" ]
								    }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Rdpy
								  if [type] == "Rdpy" {
								    grok {
								      # Two line shapes: a credential line and a connection line. Grok stops
								      # at the first pattern that matches.
								      match => {
								        "message" => [
								          "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}",
								          "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}"
								        ]
								      }
								    }
								    date {
								      match => [ "timestamp", "ISO8601" ]
								      remove_field => [ "timestamp" ]
								    }
								    # RDP listener port; added as a string here and coerced to integer further down.
								    mutate { add_field => { "dest_port" => "3389" } }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# NGINX
								  if [type] == "NGINX" {
								    # Access log is already structured; only @timestamp needs setting.
								    date { match => [ "timestamp", "ISO8601" ] }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# Tanner
								  if [type] == "Tanner" {
								    date { match => [ "timestamp", "ISO8601" ] }
								    mutate {
								      # peer.* is the remote end of the connection; flatten it to src_*.
								      rename => { "[peer][ip]" => "src_ip" "[peer][port]" => "src_port" }
								      # HTTP listener port; added as a string here and coerced to integer further down.
								      add_field => { "dest_port" => "80" }
								    }
								  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
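								# Vnclowpot
								  if [type] == "Vnclowpot" {
								    grok {
								      # The leading "<date> <time>" pair is captured as one "timestamp" field so
								      # the date filter below has something to parse. Previously neither
								      # %{NOTSPACE} nor %{TIME} was named, so "timestamp" never existed, the date
								      # filter was a no-op and @timestamp silently fell back to ingest time.
								      # src_port is coerced to integer in the pattern, as the Mailoney/Rdpy
								      # sections already do.
								      # NOTE(review): assumes the first token is the date in yyyy/MM/dd form, as
								      # the date pattern below implies — confirm against a real log line.
								      match => {
								        "message" => "\A(?<timestamp>%{NOTSPACE}%{SPACE}%{TIME})%{SPACE}%{IPV4:src_ip}:%{INT:src_port:integer}%{SPACE}%{NOTSPACE:vnc_handshake}"
								      }
								    }
								    date {
								      match => [ "timestamp", "yyyy/MM/dd HH:mm:ss" ]
								      remove_field => [ "timestamp" ]
								    }
								    # VNC listener port; added as a string here and coerced to integer further down.
								    mutate { add_field => { "dest_port" => "5900" } }
								  }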
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Drop if parse fails
								# Events whose grok pattern did not match are discarded rather than indexed
								# half-parsed. This also hides a broken pattern, since the failing events
								# never reach the output; watch for a sudden drop in a sensor's event rate.
								if "_grokparsefailure" in [tags] {
								  drop {}
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Add geo coordinates / ASN info / IP rep.
								  if [src_ip] {
								    # City and ASN lookups both use the plugin's default target, so their
								    # results land in the same geoip object.
								    # NOTE(review): both database paths pin a specific plugin gem version
								    # (logstash-filter-geoip-5.0.3-java); upgrading the plugin moves the
								    # files and both lookups would start failing.
								    geoip {
								      source => "src_ip"
								      cache_size => 10000
								      database => "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"
								    }
								    geoip {
								      source => "src_ip"
								      cache_size => 10000
								      database => "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-ASN.mmdb"
								    }
								    # Reputation label from the listbot dictionary, re-read once a day (86400 s).
								    translate {
								      field => "src_ip"
								      destination => "ip_rep"
								      dictionary_path => "/etc/listbot/iprep.yaml"
								      refresh_interval => 86400
								    }
								  }
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
								  # Guarded per field: only the fields the event actually carries are converted.
								  if [dest_port] { mutate { convert => { "dest_port" => "integer" } } }
								  if [src_port]  { mutate { convert => { "src_port" => "integer" } } }
								  if [status]    { mutate { convert => { "status" => "integer" } } }
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
# Add T-Pot hostname, internal IP and external IP
							 
						 
					
						
							
								
									
										
										
										
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
  # Stamp events from the listed honeypot/sensor types with the identity of the
  # T-Pot host that produced them. The three values are read from the process
  # environment via ${VAR} substitution when the pipeline is loaded; a variable
  # that is unset and has no default makes the pipeline fail to load, so all
  # three must be provided by the container environment.
  # Types missing from this allow-list silently get no host fields — extend the
  # condition when a new source type is added.
  # Note that the internal IP and hostname end up in every indexed event; keep
  # that in mind when exporting or sharing the resulting data.
  if [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" or [type] == "Vnclowpot" {
    mutate {
      add_field => {
        "t-pot_ip_ext" => "${MY_EXTIP}"
        "t-pot_ip_int" => "${MY_INTIP}"
        "t-pot_hostname" => "${MY_HOSTNAME}"
      }
    }
  }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								# Output section
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
output {
  # Primary sink: Elasticsearch on the compose-internal hostname over plain
  # HTTP. No ssl/user/password options are configured here, so this relies on
  # the elasticsearch endpoint being reachable only from the trusted internal
  # network — confirm that before publishing the port anywhere else.
  elasticsearch {
    hosts => ["elasticsearch:9200"]
#    document_type => "doc"
  }

  # Secondary sink: Suricata events are additionally appended to a local file.
  # NOTE(review): file_mode is written as a leading-zero literal; whether the
  # config parser reads it as octal (0760 = rwxrw----) or as decimal 760 depends
  # on how the Logstash version parses numbers — verify the mode of the created
  # file on disk, and check which group owns /data/suricata/log since the mode
  # grants group access either way.
  if [type] == "Suricata" {
      file {
        file_mode => 0760
        path => "/data/suricata/log/suricata_ews.log"
      }
  }

  # Debug output — disabled. Uncomment only while troubleshooting: rubydebug
  # prints complete events (including any credentials captured by the
  # honeypots) to the container's stdout/log.
  #if [type] == "XYZ" {
  #  stdout {
  #    codec => rubydebug
  #  }
  #}

  # Debug output — older, unconditional variant of the stanza above, kept
  # disabled; equivalent apart from the missing type filter.
  #stdout {
  #  codec => rubydebug
  #}

}