ciscoasa, tweaking, hardening, logging, logstash

docker/elk/logstash/dist/logstash.conf

@@ -15,6 +15,13 @@ input {
     type => "P0f"
   }
 
+# Ciscoasa
+  file {
+    path => ["/data/ciscoasa/log/ciscoasa.log"]
+    codec => plain
+    type => "Ciscoasa"
+  }
+
 # Conpot 
   file {
     path => ["/data/conpot/log/*.json"]
@@ -140,6 +147,19 @@ filter {
     }
   }
 
+# Ciscoasa
+  if [type] == "Ciscoasa" {
+    kv {
+      remove_char_key => " '{}"
+      remove_char_value => "'{}"
+      value_split => ":"
+      field_split => ","
+    }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Conpot
   if [type] == "ConPot" {
     date {
@@ -410,7 +430,7 @@ if "_grokparsefailure" in [tags] { drop {} }
   }
 
 # Add T-Pot hostname and external IP
-  if [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Vnclowpot" {
+  if [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Vnclowpot" {
     mutate {
       add_field => {
         "t-pot_ip_ext" => "${MY_EXTIP}"