diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index 2c51078a..daba56be 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -421,6 +421,23 @@ filter {
 }
 }
+# Endlessh
+# Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
+# Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
+ if [type] == "Endlessh" {
+ grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:DURATION}%{SPACE}bytes=%{NUMBER:BYTES}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ remove_field => ["timestamp"]
+ }
+ mutate {
+ add_field => {
+ "dest_port" => "22"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ }
+ }
+
 # Glutton
 if [type] == "Glutton" {
 date {
@@ -531,9 +548,7 @@ filter {
 match => [ "timestamp", "ISO8601" ]
 }
 mutate {
- add_field => {
- "dest_port" => "25"
- }
+ add_field => { "dest_port" => "25" }
 }
 }
@@ -558,9 +573,7 @@ filter {
 remove_field => ["timestamp"]
 }
 mutate {
- add_field => {
- "dest_port" => "3389"
- }
+ add_field => { "dest_port" => "3389" }
 }
 }
@@ -571,6 +584,16 @@ filter {
 remove_field => ["time"]
 remove_field => ["timestamp"]
 }
+ mutate {
+ split => { "addr" => ":" }
+ add_field => {
+ "src_ip" => "%{[addr][0]}"
+ "src_port" => "%{[addr][1]}"
+ "dest_port" => "6379"
+ "dest_ip" => "${MY_EXTIP}"
+ }
+ remove_field => ["addr"]
+ }
 }
 # NGINX
@@ -590,9 +613,7 @@ filter {
 "[peer][ip]" => "src_ip"
 "[peer][port]" => "src_port"
 }
- add_field => {
- "dest_port" => "80"
- }
+ add_field => { "dest_port" => "80" }
 }
 }
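Review bot: The `time=%{SECOND:DURATION}` capture in the first Endlessh grok pattern only matches values from 0 to 60 (grok's SECOND pattern is `(?:[0-5]?[0-9]|60)` with an optional fraction), so a CLOSE line for a connection held longer than a minute — the normal case for a tarpit — fails the whole match and the event is tagged `_grokparsefailure` with no `src_ip`/`src_port` at all. Use `%{NUMBER:duration}` there, and lower-case the byte count as well, `time=%{NUMBER:duration}%{SPACE}bytes=%{NUMBER:bytes}`, so the field names follow the `src_ip`/`src_port` convention the neighbouring filters use. If the listener is bound dual-stack the `host=` value may be an IPv6 or IPv4-mapped address, which `%{IPV4:src_ip}` would also reject; `%{IP:src_ip}` is the safer choice, to be confirmed against real log lines. The `filter { … }` block enclosing this `if` starts and ends outside the hunk.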
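Review bot: The mutate added in the `@@ -571,6 +584,16 @@` hunk derives `src_ip`/`src_port` from `split => { "addr" => ":" }`, which writes wrong values in two cases: when `addr` is absent from the event, Logstash leaves the sprintf references unresolved and `src_ip` becomes the literal string `%{[addr][0]}`; and if `addr` ever carries an IPv6 address, the split yields more than two parts and `[addr][0]` is only the first hextet (the producer's `addr` format is not visible here, so the second case is an inference). A grok on the field covers both: replace the `split` and the two `%{[addr]…}` entries with `grok { match => { "addr" => "\A%{IP:src_ip}:%{POSINT:src_port}\z" } }` and keep the `dest_port`/`dest_ip` add_field, so an unparseable or missing value is tagged `_grokparsefailure` instead of being written into `src_ip`. The `if [type]` block that encloses this mutate starts before the hunk.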