Hello! I am working with Nessus scan results, and have been using Logstash to parse out additional fields based on specific logs that are ingested.
For example, a "mac_address" field is parsed out IF the "name" field is "Ethernet MAC Addresses":
The same is done with other fields, such as hostname, device_type, etc., as well as tagging the machine as a "server" or a "workstation". This is all done with Logstash.
Here is my Logstash config:
input {
  beats {
    id => "nessusbeat"
    port => 5057
    codec => json {
      charset => "ISO-8859-1"
    }
    client_inactivity_timeout => 3600
  }
}
filter {
  if [fields][index] == "nessusbeat" {
    mutate {
      remove_field => [ '' ]
    }
    mutate {
      rename => { "host" => "source_ip" }
    }
    # Host-description plugins: pull one value out of plugin_output into its own field.
    # Nessus prints a heading, a colon, then either the value or a "- value" list.
    # [A-Za-z ] is used instead of [A-z ], which would also match the punctuation
    # that sits between 'Z' and 'a' in ASCII.
    if "Ethernet MAC Addresses" in [name] {
      grok {
        match => [ 'plugin_output', '[A-Za-z ]*:\n[ ]*-[ ]*(?<mac_address>.*)' ]
      }
    }
    if "Additional DNS Hostnames" in [name] {
      grok {
        match => [ 'plugin_output', '[A-Za-z ]*:\n[ ]*-[ ]*(?<hostname>.*)' ]
      }
    }
    if "Common Platform Enumeration (CPE)" in [name] {
      grok {
        match => [ 'plugin_output', '\n[A-Za-z ]*:[ ]*\n\n[ ]*(?<cpe>[^\n]*).*' ]
      }
    }
    if "OS Identification" in [name] {
      grok {
        match => [ 'plugin_output', '\n[A-Za-z ]*:[ ]*(?<operating_system>[^\n]*).*' ]
      }
    }
    if "Device Type" in [name] {
      grok {
        match => [ 'plugin_output', '[A-Za-z ]*:[ ]*(?<device_type>[^\n]*).*' ]
      }
    }
    # Role tags, taken from group-membership strings in plugin_output.
    if "H**_SERVERS" in [plugin_output] {
      mutate {
        add_tag => [ "server" ]
      }
    }
    if "H**_WORKSTATIONS" in [plugin_output] {
      mutate {
        add_tag => [ "workstation" ]
      }
    }
  }
}
My problem, however, is that the parsed fields are only reflected in the FEW logs that contain that information, rather than applying to the entire scan. It makes sense to me why it is doing that, but I am wondering if there is a way to achieve what I want to do.
I was thinking maybe changing up the mapping and implementing some sort of parent/child relationship with these fields, but I really don't know where to effectively start. This is also the reason why I am posting this here and not in Logstash, because I believe I may be able to index/structure the data in a way that will work for me.
I would like to accomplish this in order to create server/workstation filters and a data table containing host information in my Nessus dashboard. Currently, it will only filter out the few logs that the fields are parsed from, because they are not applied to the entire group of scan logs.
Any advice?
Thanks,
Joe
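One way to get the host-level fields onto every finding is to join them before indexing, since Kibana filters and data tables operate on single documents and cannot join across them. The script below is an added example, not code from the post or from any Nessus or Logstash project: it applies the same regexes as the grok patterns in the config above in a first pass to collect per-host attributes, then copies them onto every finding for that host in a second pass. The `scan_id` field name, the sample `plugin_output` text and the two "Host group membership" events are constructed or assumed for the example.

```python
import re
from collections import defaultdict

# Regexes mirroring the grok patterns from the Logstash config, one per
# host-description plugin.  [A-Za-z ] replaces the config's [A-z ], which in
# a regex also matches the punctuation between 'Z' and 'a'.
HOST_FIELD_PATTERNS = {
    "Ethernet MAC Addresses":            ("mac_address",      re.compile(r"[A-Za-z ]*:\n[ ]*-[ ]*(.*)")),
    "Additional DNS Hostnames":          ("hostname",         re.compile(r"[A-Za-z ]*:\n[ ]*-[ ]*(.*)")),
    "Common Platform Enumeration (CPE)": ("cpe",              re.compile(r"\n[A-Za-z ]*:[ ]*\n\n[ ]*([^\n]*)")),
    "OS Identification":                 ("operating_system", re.compile(r"\n[A-Za-z ]*:[ ]*([^\n]*)")),
    "Device Type":                       ("device_type",      re.compile(r"[A-Za-z ]*:[ ]*([^\n]*)")),
}

# Group-membership markers exactly as they appear in the post (asterisks included),
# mapped to the tag each one assigns.
ROLE_MARKERS = {"H**_SERVERS": "server", "H**_WORKSTATIONS": "workstation"}


def host_key(event):
    """A finding belongs to a host only within one scan, so key on both.
    'scan_id' is an assumed field name; use whatever your beat actually emits."""
    return (event.get("scan_id", ""), event["source_ip"])


def extract_host_attributes(events):
    """Pass 1: walk every finding and remember, per host, the values found in
    the handful of informational plugin results."""
    attrs = defaultdict(dict)
    for ev in events:
        key = host_key(ev)
        name = ev.get("name", "")
        output = ev.get("plugin_output", "")
        for plugin, (field, rx) in HOST_FIELD_PATTERNS.items():
            if plugin in name:                      # same substring test as the config's `in [name]`
                m = rx.search(output)
                if m:
                    attrs[key][field] = m.group(1).strip()
        for marker, tag in ROLE_MARKERS.items():
            if marker in output:
                attrs[key].setdefault("tags", set()).add(tag)
    return attrs


def denormalize(events):
    """Pass 2: copy each host's attributes onto every finding for that host,
    so a dashboard filter on device_type or a tag selects the whole host."""
    attrs = extract_host_attributes(events)
    enriched = []
    for ev in events:
        doc = dict(ev)                              # do not mutate the caller's events
        for field, value in attrs.get(host_key(ev), {}).items():
            if field == "tags":
                doc["tags"] = sorted(set(doc.get("tags", [])) | value)
            else:
                doc[field] = value
        enriched.append(doc)
    return enriched


# Constructed sample input: five informational results plus one vulnerability
# finding for 10.0.0.5, and a workstation that only has the group-membership result.
SAMPLE_EVENTS = [
    {"scan_id": "weekly-01", "source_ip": "10.0.0.5", "name": "Ethernet MAC Addresses",
     "plugin_output": "The following card manufacturers were identified :\n  - 00:50:56:aa:bb:cc\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.5", "name": "Additional DNS Hostnames",
     "plugin_output": "The following hostnames point to the remote host :\n  - web01.corp.example\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.5", "name": "OS Identification",
     "plugin_output": "\nRemote operating system : Microsoft Windows Server 2019\nConfidence level : 99\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.5", "name": "Common Platform Enumeration (CPE)",
     "plugin_output": "\nThe remote operating system matched the following CPE :\n\n  cpe:/o:microsoft:windows_server_2019\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.5", "name": "Device Type",
     "plugin_output": "Remote device type : general-purpose\nConfidence level : 99\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.5", "name": "Host group membership (constructed)",
     "plugin_output": "Member of : H**_SERVERS\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.5", "name": "SSL Certificate Expiry",
     "plugin_output": "The SSL certificate has already expired :\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.9", "name": "Host group membership (constructed)",
     "plugin_output": "Member of : H**_WORKSTATIONS\n"},
    {"scan_id": "weekly-01", "source_ip": "10.0.0.9", "name": "SMB Signing not required",
     "plugin_output": ""},
]


if __name__ == "__main__":
    for doc in denormalize(SAMPLE_EVENTS):
        print(doc["source_ip"], doc["name"], doc.get("device_type"), doc.get("tags"))
```

Doing the same join inside Logstash is possible but awkward: the `aggregate` filter needs `pipeline.workers` set to 1 and all of a host's events arriving together, and the `elasticsearch` filter can look attributes up from a separate host index that was populated first. The two-pass denormalization above is the simplest shape to reason about, and the result (one flat document per finding carrying the host fields) is exactly what Kibana needs for server/workstation filters and a host data table.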