Blason
(R)
September 11, 2017, 5:30pm
Hi Guys,
I have the below kind of information and am looking for assistance from the community in creating a Logstash filter and adding a tag like "malware".
I am planning to start NetFlow on my devices, index the data, and filter the data based on the "malware" tag.
Can someone please tell me how I set up Logstash?
1.30.21.82 => IPADDR
1.30.57.188 => IPADDR
1.30.210.103 => IPADDR
1.30.218.38 => IPADDR
1.30.218.39 => IPADDR
1.30.218.40 => IPADDR
1.30.218.42 => IPADDR
xyz.com => DOMAIN
abc.com => DOMAIN
kyz.net => DOMAIN
fsfwessrsrssrsrrssrs324f = MD5
w2sgw4r45rh6ey56t564 = MD5
It's not clear what you want to accomplish. Please show an example event before and after the kind of filter you're looking for.
NerdSec
(Nachiket)
September 13, 2017, 6:01am
Hi Blason,
This is a pretty simple use case. I encourage you to read the documentation for ingesting documents and visualizing using ELK.
The workflow would be as follows:
Logstash => Elasticsearch => Kibana
Here is a sample Logstash conf file for reference (the column name in the csv filter must match the field the date filter reads, so both use "timeoccurred"):
input {
  file {
    path => "/opt/malware/*.csv"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    tags => ["malware"]
  }
}
filter {
  if "malware" in [tags] {
    csv {
      separator => ","
      columns => ["alertType","alertid","product","release","fileHash","dvchost","sname","dvc","locations","malware_type","timeoccurred"]
    }
    date {
      locale => "en"
      match => ["timeoccurred", "YYYY-MM-dd'T'HH:mm:ss'Z'"]
      timezone => "Etc/GMT"
      target => "occurred"
      add_field => { "debug" => "timestampMatched" }
    }
    mutate {
      add_field => {
        "[@metadata][document_id]" => "%{alertid}"
      }
    }
  }
}
output {
  if "malware" in [tags] {
    stdout {
      codec => "rubydebug"
    }
    elasticsearch {
      action => "index"
      hosts => ["http://localhost:9200"]
      document_id => "%{[@metadata][document_id]}"
      index => "malware"
    }
  }
}
To create a geo location from an IP address, please refer to this blog:
GeoIP in the Elastic Stack - Elasticsearch, Logstash, Ingest API | Elastic Blog
Once you have achieved this, creating visualizations is straightforward.
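The conf above ingests an indicator file, but the matching step the original question asks for (tag a NetFlow event "malware" when its IP, domain or hash appears in a "value => TYPE" list) is not shown. The following is an added Python example, not code from any poster in this thread; the indicator lines and NetFlow-style events are constructed, and the field names src_ip, dst_ip, query and md5 are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed indicator list in the "value => TYPE" form used in the question
# (note the inconsistent spacing and '=' vs '=>', which the parser tolerates).
INDICATORS = """
1.30.21.82 => IPADDR
1.30.218.40 => IPADDR
xyz.com => DOMAIN
abc.com=> DOMAIN
fsfwessrsrssrsrrssrs324f = MD5
"""

LINE_RE = re.compile(r"^\s*(\S+?)\s*=>?\s*(IPADDR|DOMAIN|MD5)\s*$")

def parse_indicators(text):
    """Return {type: set(values)}; lower-cases values and validates IPs."""
    table = {"IPADDR": set(), "DOMAIN": set(), "MD5": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines rather than tagging on garbage
        value, kind = m.group(1).lower(), m.group(2)
        if kind == "IPADDR":
            ip_address(value)  # raises ValueError on a malformed address
        table[kind].add(value)
    return table

def tag_event(event, table):
    """Append 'malware' to event['tags'] when an indicator field matches; return event."""
    hits = [f for f in ("src_ip", "dst_ip") if event.get(f, "").lower() in table["IPADDR"]]
    host = event.get("query", "").lower().rstrip(".")  # assumed DNS query field
    if host in table["DOMAIN"] or any(host.endswith("." + d) for d in table["DOMAIN"]):
        hits.append("query")  # exact or subdomain match of a listed domain
    if event.get("md5", "").lower() in table["MD5"]:
        hits.append("md5")
    if hits:
        event.setdefault("tags", [])
        if "malware" not in event["tags"]:
            event["tags"].append("malware")
        event["matched_fields"] = hits  # keeps the reason visible for triage in Kibana
    return event

# Constructed NetFlow-style events (not real traffic).
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "1.30.21.82", "bytes": 1200},
    {"src_ip": "10.0.0.7", "dst_ip": "8.8.8.8", "query": "mail.XYZ.com."},
    {"src_ip": "10.0.0.9", "dst_ip": "93.184.216.34", "bytes": 40},
]

def run(events=EVENTS, text=INDICATORS):
    table = parse_indicators(text)
    return [tag_event(dict(e), table) for e in events]
```

In Logstash the same lookup is done with the translate filter against a dictionary file built from the parsed list; the Python above makes the normalisation (case, trailing dot, subdomain match) explicit.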
Blason
(R)
September 14, 2017, 4:09am
NerdSec:
columns => ["alertType","alertid","product","release","fileHash","dvchost","sname","dvc","locations","malware_typ
And I do need to have a template for this, right? I am sorry, since I am a pretty novice asking such basic questions. Even for geo tagging I guess I need to have a template; correct me if I am wrong?
IP numbers and geopoints won't be autodetected by ES so in those cases you need to set the desired mapping explicitly, preferably via an index template.