We are building a rule "Successful Connection to Blacklisted IP". We are doing this using the translate filter.
We are taking the Blacklisted IPs from SANS or other security websites. Is there any way to automatically update the list on a daily basis, or is there any way for ELK to connect to the SANS database/website and auto-update the blacklisted IP sheet on a daily basis?
If you're already using a translate filter it sounds like you just need a cronjob that pulls fresh data from the sources and stores in the YAML file. Building such functionality into Logstash seems highly unnecessary.
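As an added example of the cron-driven refresh suggested above (not code from the thread or from Logstash), this script parses a blocklist feed and rewrites the translate filter's YAML dictionary atomically; the one-entry-per-line feed format, the `blacklist.yml` path and the `"blacklisted"` value are assumptions. Note that the translate filter does exact key matching, so a network entry such as `203.0.113.0/24` only matches an event field holding that same string, not a host inside it.

```python
"""Refresh a Logstash translate-filter YAML dictionary from a text blocklist.
Run it from cron (e.g. daily); the translate filter re-reads the file on its
own refresh_interval, so replacing the file is all that is needed."""
import ipaddress
import os
import tempfile

# Constructed sample feed in the assumed format: one IPv4 host or CIDR per
# line, '#' starts a comment. Not real threat data.
SAMPLE_FEED = """\
# constructed sample blocklist
198.51.100.7
203.0.113.0/24     # a whole network (exact-match key only, see lead-in)
not-an-ip          # junk line, must be skipped
198.51.100.7       # duplicate, must appear only once
2001:db8::1        # IPv6, out of scope for this dictionary
"""


def parse_feed(text):
    """Return the unique valid IPv4 hosts/networks in the feed, sorted.
    Anything that does not parse is dropped, so a corrupted or tampered
    feed cannot inject arbitrary keys into the dictionary."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            entries.add(net)
    return sorted(entries)


def to_translate_yaml(networks, value="blacklisted"):
    """Render the flat 'key: value' mapping the translate filter expects;
    single hosts are written without the /32 so they match a plain IP field."""
    lines = []
    for net in networks:
        key = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append('"%s": "%s"' % (key, value))
    return "\n".join(lines) + "\n"


def write_atomically(path, content):
    """Write to a temp file and rename it so Logstash never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)  # replace with the downloaded feed text
    write_atomically("blacklist.yml", to_translate_yaml(nets))
```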
Hi Praveen,
we have a similar case. Our blacklists are based on networks and not single IPs. We also work with the translate filter. We would like to use the cidr filter to check if a specific IP matches a network, but how can you combine the cidr filter with lookup data (from translate)?
I remember that if you update the YAML file used in the translate filter, the update should happen automatically, so normally it is enough to update the source file, for example through a cron job.