tweaking, add sentrypeer to logstash config

2025-07-02 01:27:27 -04:00 · 2022-02-24 17:39:57 +00:00
parent aa6afc37fe
commit 5237215bf0
7 changed files with 49 additions and 105 deletions
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@ -119,13 +119,6 @@ input {
    type => "Honeypots"
  }

-# Honeysap
-  file {
-    path => ["/data/honeysap/log/honeysap-external.log"]
-    codec => json
-    type => "Honeysap"
-  }
-
 # Honeytrap
  file {
    path => ["/data/honeytrap/log/attackers.json"]
@ -161,12 +154,6 @@ input {
    type => "Medpot"
  }

-# Rdpy
-  file {
-    path => ["/data/rdpy/log/rdpy.log"]
-    type => "Rdpy"
-  }
-
 # Redishoneypot
  file {
    path => ["/data/redishoneypot/log/redishoneypot.log"]
@ -174,6 +161,13 @@ input {
    type => "Redishoneypot"
  }

+# Sentrypeer 
+  file {
+    path => ["/data/sentrypeer/log/sentrypeer.json"]
+    codec => json
+    type => "Sentrypeer"
+  }
+
 # Host NGINX
  file {
    path => ["/data/nginx/log/access.log"]
@ -494,31 +488,6 @@ filter {
    }
  }

-# Honeysap
-  if [type] == "Honeysap" {
-    date {
-      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
-      remove_field => ["timestamp"]
-    }
-    mutate {
-      rename => {
-        "[data][error_msg]" => "event_type"
-        "service" => "sensor"
-        "source_port" => "src_port"
-        "source_ip" => "src_ip"
-        "target_port" => "dest_port"
-        "target_ip" => "dest_ip"
-      }
-      remove_field => "event"
-      remove_field => "return_code"
-    }
-    if [data] {
-      mutate {
-	remove_field => "[data]"
-      }
-    }    
-  }
-
 # Honeytrap
  if [type] == "Honeytrap" {
    date {
@ -591,18 +560,6 @@ filter {
    }
  }

-# Rdpy
-  if [type] == "Rdpy" {
-    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
-    date {
-      match => [ "timestamp", "ISO8601" ]
-      remove_field => ["timestamp"]
-    }
-    mutate {
-      add_field => { "dest_port" => "3389" }
-    }
-  }
-
 # Redishoneypot
  if [type] == "Redishoneypot" {
    date {
@ -629,6 +586,21 @@ filter {
    }
  }

+# Sentrypeer
+  if [type] == "Sentrypeer" {
+    date {
+      match => [ "event_timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ]
+      remove_field => ["event_timestamp"]
+    }
+    mutate {
+      rename => {
+        "source_ip" => "src_ip"
+        "destination_ip" => "dest_ip"
+      }
+      add_field => { "dest_port" => "5060" }
+    }
+  }
+
 # Tanner
  if [type] == "Tanner" {
    date {