D0cEvil

Logstash - HTTP parser for Suricata IDS

Sep 23rd, 2022
  1. input {
  2.     file {
  3.         path => [ "/tmp/http.log" ]
  4.         sincedb_path => "/dev/null"
  5.         start_position => "beginning"
  6.     }
  7. }
  8. filter {
  9.     grok {
  10.         match => {
  11.             "message" => "%{GREEDYDATA:timestamp} %{HOSTNAME:http.host} ?\[?\*?\*?\] %{GREEDYDATA:http.path}  ?\[?\*?\*?\] %{GREEDYDATA:http.useragent}  ?\[?\*?\*?\] %{IP:http.source.ip}:%{NUMBER:http.source.port} %{GREEDYDATA} %{IP:http.dest.ip}:%{NUMBER:http.dest.port}"
  12.         }
  13.     }
  14.     if "_grokparsefailure" in [tags] {
  15.         drop { }
  16.     }
  17.     date {
  18.         match => ["timestamp", "MM/dd/yyyy-HH:mm:ss.SSSSSS"]
  19.         timezone => "America/Toronto"
  20.         target => ["@timestamp"]
  21.     }
  22. }
  23. output {
  24.         elasticsearch {
  25.                 hosts => ['адрес этого гребанного эластика:9200']
  26.         }
  27. }