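input {
  # Two files from the sensor's log directory; the tag set here is what the
  # filter section routes on ("dns" vs "ids"), so keep the tags in sync with
  # the branches in filter {}.
  #
  # sincedb: the original config pinned sincedb_path to "/dev/null" together
  # with start_position => "beginning", which re-ingested the WHOLE file on
  # every Logstash restart and duplicated every alert in the index (the
  # author's own TODO, "change to end", acknowledged this). Changing to "end"
  # would instead silently skip everything logged while Logstash was down.
  # Leaving sincedb_path unset uses the plugin's default persistent sincedb
  # (under path.data), so a restart resumes at the recorded offset;
  # start_position then only matters the first time a file is seen.
  file {
    path => [ "/mnt/logs/ids/dns.log" ]
    start_position => "beginning"   # first read only; later reads resume from sincedb
    tags => ["dns"]
  }
  file {
    path => [ "/mnt/logs/ids/fast.log" ]
    start_position => "beginning"   # first read only; later reads resume from sincedb
    tags => ["ids"]
  }
}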
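filter {
  # Events are routed by the tag assigned in input {}. DNS lines and IDS
  # alert lines are parsed by separate grok branches and never share filters.
  if "dns" in [tags] {
    # Routing is a substring test on the raw line: "Query"/"Response", "AAAA"
    # and "CNAME" are matched case-sensitively ANYWHERE in the message. The
    # queried name is attacker-controlled, so a name containing one of those
    # tokens (e.g. "...CNAME..." in a plain A response) lands in the wrong
    # branch, that grok fails and the event is dropped below. Routing on the
    # parsed dns.record.type after a single grok would close that gap — left
    # as TODO because sample lines are needed to write an anchored pattern.
    #
    # The five branches form ONE if/else-if chain. The original used two
    # separate "if"s for the Query cases, so a Query line whose name also
    # contained "Response" was grokked twice; the second grok failed and the
    # event was discarded.
    if "Query" in [message] and "AAAA" not in [message] {
      grok {
        match => {
          "message" => "%{GREEDYDATA:timestamp} ?\[?\*?\*?\] %{WORD:dns.message.type} %{WORD} %{WORD} ?\[?\*?\*?\] %{HOSTNAME:dns.request} ?\[?\*?\*?\] %{WORD:dns.record.type} ?\[?\*?\*?\] %{IP:dns.client.ip}:%{NUMBER:dns.client.port} %{GREEDYDATA} %{IP:dns.server.ip}:%{NUMBER:dns.server.port}"
        }
      }
    }
    else if "Query" in [message] and "AAAA" in [message] {
      grok {
        match => {
          "message" => "%{GREEDYDATA:timestamp} ?\[?\*?\*?\] %{WORD:dns.message.type} %{WORD} %{WORD} ?\[?\*?\*?\] %{DATA:dns.request} ?\[?\*?\*?\] %{WORD:dns.record.type} ?\[?\*?\*?\] %{IP:dns.client.ip}:%{NUMBER:dns.client.port} %{GREEDYDATA} %{IP:dns.server.ip}:%{NUMBER:dns.server.port}"
        }
      }
    }
    else if "Response" in [message] and "AAAA" not in [message] and "CNAME" not in [message] {
      grok {
        match => {
          "message" => "%{GREEDYDATA:timestamp} ?\[?\*?\*?\] %{WORD:dns.message.type} %{WORD} %{WORD} ?\[?\*?\*?\] %{DATA:dns.request} ?\[?\*?\*?\] %{WORD:dns.record.type} ?\[?\*?\*?\] %{WORD} %{NUMBER:dns.ttl} ?\[?\*?\*?\] %{DATA:dns.reply.ip} ?\[?\*?\*?\] %{IP:dns.server.ip}:%{NUMBER:dns.server.port} %{GREEDYDATA} %{IP:dns.client.ip}:%{NUMBER:dns.client.port}"
        }
        add_tag => ["ip.v4"]
      }
      # dns.reply.ip is captured with DATA, not IP, so a non-address value
      # here only yields a _geoip_lookup_failure tag rather than a grok failure.
      geoip {
        source => "dns.reply.ip"
      }
    }
    else if "Response" in [message] and "AAAA" in [message] and "CNAME" not in [message] {
      grok {
        match => {
          "message" => "%{GREEDYDATA:timestamp} ?\[?\*?\*?\] %{WORD:dns.message.type} %{WORD} %{WORD} ?\[?\*?\*?\] %{DATA:dns.request} ?\[?\*?\*?\] %{WORD:dns.record.type} ?\[?\*?\*?\] %{WORD} %{NUMBER:dns.ttl} ?\[?\*?\*?\] %{DATA:dns.reply.ip} ?\[?\*?\*?\] %{IP:dns.server.ip}:%{NUMBER:dns.server.port} %{GREEDYDATA} %{IP:dns.client.ip}:%{NUMBER:dns.client.port}"
        }
        add_tag => ["ip.v6"]
      }
    }
    else if "Response" in [message] and "AAAA" not in [message] and "CNAME" in [message] {
      grok {
        match => {
          "message" => "%{GREEDYDATA:timestamp} ?\[?\*?\*?\] %{WORD:dns.message.type} %{WORD} %{WORD} ?\[?\*?\*?\] %{HOSTNAME:dns.cname.response} ?\[?\*?\*?\] %{WORD:dns.record.type} ?\[?\*?\*?\] %{WORD} %{NUMBER:dns.ttl} ?\[?\*?\*?\] %{HOSTNAME:dns.name.orig} ?\[?\*?\*?\] %{IP:dns.server.ip}:%{NUMBER:dns.server.port} %{GREEDYDATA} %{IP:dns.client.ip}:%{NUMBER:dns.client.port}"
        }
      }
    }
    # A DNS line that matches none of the branches above (e.g. a Response
    # carrying both "AAAA" and "CNAME") is NOT grokked and NOT dropped: it is
    # indexed as a raw message without a timestamp field.
    #
    # Lines the chosen grok cannot parse are discarded outright. That keeps
    # the index clean but also hides malformed or deliberately crafted lines
    # from analysts; consider keeping them tagged (_grokparsefailure) and
    # routing them to a quarantine index instead of drop {}.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
    # The log line carries no zone designator (none is in the grok pattern),
    # so the configured timezone must match the sensor host's local time.
    # Both spellings are tried: the original config ran a second, global date
    # filter with a trailing-space pattern over every event, and it is not
    # clear from here which of the two actually set @timestamp for DNS lines
    # (GREEDYDATA may capture trailing whitespace) — keeping both preserves
    # whichever behaviour was in effect.
    date {
      match => ["timestamp", "MM/dd/yyyy-HH:mm:ss.SSSSSS", "MM/dd/yyyy-HH:mm:ss.SSSSSS "]
      timezone => "America/Toronto"
      target => ["@timestamp"]
    }
  }
  else if "ids" in [tags] {
    # Looks like a Snort/Suricata "fast" alert line ([**] [gid:sid:rev] msg
    # [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port)
    # — confirm against the sensor's actual output.
    grok {
      match => {
        "message" => "%{GREEDYDATA:timestamp} ?\[?\*?\*?\] ?\[%{INT}:%{INT}:%{INT}?\] %{WORD} %{WORD} %{GREEDYDATA:ids.signature} ?\[?\*?\*?\] ?\[%{WORD}: %{GREEDYDATA:ids.classification}?\] ?\[%{WORD}: %{INT:ids.severity}?\] ?\{%{WORD:ids.protocol}?\} %{IP:ids.source.ip}:%{INT:ids.source.port} -> %{IP:ids.destination.ip}:%{INT:ids.destination.port}"
      }
    }
    # Same trade-off as the DNS branch: unparseable alert lines are lost.
    if "_grokparsefailure" in [tags] {
      drop {}
    }
    # The geoip and date filters below used to sit OUTSIDE the ids branch and
    # therefore ran on every event, tagging each DNS event with
    # _geoip_lookup_failure (no ids.* fields) and re-parsing its timestamp.
    # They now run only for IDS alerts.
    #
    # Both lookups previously wrote into the default "geoip" target, so the
    # destination lookup overwrote the source lookup's fields. The source
    # result now gets its own target; the destination result stays under
    # "geoip", which is what existing consumers of geoip.* were effectively
    # receiving.
    geoip {
      source => "ids.source.ip"
      target => "ids.source.geoip"
    }
    geoip {
      source => "ids.destination.ip"
      target => "geoip"
    }
    # Trailing space in the pattern: GREEDYDATA:timestamp appears to capture
    # the separator whitespace before "[**]" — keep it unless the grok
    # pattern is changed. Timezone caveat as in the DNS branch.
    date {
      match => ["timestamp", "MM/dd/yyyy-HH:mm:ss.SSSSSS "]
      timezone => "America/Toronto"
      target => ["@timestamp"]
    }
  }
}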
output {
  # Ships every event to a single Elasticsearch node over plain HTTP on the
  # loopback interface, using the plugin's default index naming. No
  # credentials or TLS settings are configured, which is only acceptable
  # while Elasticsearch is bound to localhost; if it is ever exposed beyond
  # this host, add user/password (or an API key) and ssl => true here.
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
  }
}