Please help me to correct my Logstash conf as below:
Log:
11/28-06:50:39.263833 [**] [1:31978:5] OS-OTHER Bash CGI environment variable injection attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.120.41.183:44224 -> 10.120.69.42:80
Conf:
input {
file {
path => "/var/log/snort/enp175s0f0/alert"
start_position => "beginning"
}
}
filter {
if [path] =~ "access" {
grok {
match => {"message"=> [' %{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{DATA:ids_proto}
\s+\[\*\*]\s+\[Classification:\s+%{DATA:ids_classification}\]\s+\[Priority:\s+%{INT:priority}\]\s+\{%{WORD:protocol}\}
\s+%{IP:src_ip}\:%{INT:src_port}\s+\-\>\s+%{IP:dst_ip}\:%{INT:dst_port}'] }
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output
{
elasticsearch
{
hosts => ["localhost:9200"]
manage_template => true
index => "snortids-%{+YYYY.MM.dd}"
template_name => "snorids"
}
stdout{
codec => rubydebug
}
}
Output:
"path" => "/var/log/snort/enp175s0f0/alert",
"@version" => "1",
"message" => "11/28-06:50:39.263833 [**] [1:31978:5] OS-OTHER Bash CGI environment variable injection attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.120.41.183:44224 -> 10.120.69.42:80",
"@timestamp" => 2020-11-28T12:01:41.624Z,
"host" => "ids01.atlis1"
What I am missing ? My grok is correct and tested with debugger and the out put works fine but in logstash output still is online and is not filtering anything. based on my groke.
Any help would be much apricated.