Blason
(R)
September 11, 2017, 5:30pm
1
Hi Guys,
I have the below kind of information and am looking for assistance from the community for creating a Logstash filter and adding a tag like "malware".
I am planning to start NetFlow on my devices, index the data, and filter the data based on the tag "malware".
Can someone please tell me how to set up Logstash?
1.30.21.82 => IPADDR
1.30.57.188 => IPADDR
1.30.210.103 => IPADDR
1.30.218.38 => IPADDR
1.30.218.39 => IPADDR
1.30.218.40 => IPADDR
1.30.218.42 => IPADDR
xyz.com => DOMAIN
abc.com=> DOMAIN
kyz.net=> DOMAIN
fsfwessrsrssrsrrssrs324f = MD5
w2sgw4r45rh6ey56t564 =MD5
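The matching step the question asks for, as an added example that is not from this thread or from Logstash: it parses an indicator list in the post's `value => TYPE` style (the tolerant regex also accepts `=` and missing spaces), tags flat events with "malware" when an IP, domain or hash field hits the list, and renders the list as the YAML dictionary that Logstash's translate filter can load. The indicator values, the event field names (src_ip, dst_ip, query, md5) and the events themselves are constructed for the example.

```python
"""Parse an indicator list and tag events that hit it (added example, not from the thread).

Assumptions: indicator lines look like `value => TYPE` with types IPADDR, DOMAIN and MD5;
events are flat dicts with the hypothetical field names src_ip, dst_ip, query and md5.
"""
import json
import re

# Constructed sample indicator list in the post's style (RFC 5737 documentation
# addresses, example domains and well-known test hashes, not real indicators).
SAMPLE_IOC_LIST = """
192.0.2.10 => IPADDR
198.51.100.7 => IPADDR
bad.example.com => DOMAIN
evil.example.net=> DOMAIN
d41d8cd98f00b204e9800998ecf8427e = MD5
9e107d9d372bb6826bd81d3542a419d6 =MD5
"""

# Tolerates "=>", "=" and missing spaces around the separator.
IOC_LINE = re.compile(r"^\s*(\S+?)\s*=>?\s*([A-Za-z0-9_]+)\s*$")

# Event fields each indicator type is compared against (assumed field names).
FIELDS_BY_TYPE = {
    "IPADDR": ("src_ip", "dst_ip"),
    "DOMAIN": ("query",),
    "MD5": ("md5",),
}


def parse_ioc_list(text):
    """Return {type: set(values)}; values are lower-cased so matching is case-insensitive."""
    iocs = {}
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue  # blank or malformed line is skipped rather than aborting the load
        value, kind = m.group(1).lower(), m.group(2).upper()
        iocs.setdefault(kind, set()).add(value)
    return iocs


def tag_event(event, iocs):
    """Return a copy of the event; on a hit it carries tags=["malware"] and the matched indicators."""
    out = dict(event)
    matches = []
    for kind, fields in FIELDS_BY_TYPE.items():
        for field in fields:
            value = str(event.get(field, "")).lower()
            if value and value in iocs.get(kind, ()):
                matches.append({"field": field, "value": value, "type": kind})
    if matches:
        out["tags"] = sorted(set(event.get("tags", [])) | {"malware"})
        out["ioc_matches"] = matches
    return out


def to_translate_dictionary(iocs):
    """Render the list as a YAML dictionary ("value": "TYPE" per line) for the translate filter."""
    lines = []
    for kind in sorted(iocs):
        for value in sorted(iocs[kind]):
            # JSON string literals are valid YAML scalars, so no YAML library is needed.
            lines.append("%s: %s" % (json.dumps(value), json.dumps(kind)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    iocs = parse_ioc_list(SAMPLE_IOC_LIST)
    # Constructed NetFlow-style events: the first talks to a listed address, the second does not.
    flows = [
        {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "bytes": 1200},
        {"src_ip": "10.0.0.6", "dst_ip": "203.0.113.9", "bytes": 300},
    ]
    for flow in flows:
        print(tag_event(flow, iocs))
    print(to_translate_dictionary(iocs))
```

In a Logstash pipeline the same lookup is done by the translate filter pointed at the generated dictionary file (one filter per field to check, with `add_tag => ["malware"]` so the tag is only added when the lookup succeeds); the Python version is handy for checking a list before it is deployed and for seeing which field produced a hit.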
It's not clear what you want to accomplish. Please show an example event before and after the kind of filter you're looking for.
NerdSec
(Nachiket)
September 13, 2017, 6:01am
4
Hi Blason,
This is a pretty simple use case. I encourage you to read the documentation for ingesting documents and visualizing using ELK.
The workflow would be as follows:
Logstash => Elasticsearch => Kibana
Here is a sample conf file of logstash for reference:
input {
  file {
    path => "/opt/malware/*.csv"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    tags => ["malware"]
  }
}
filter {
  if "malware" in [tags] {
    csv {
      separator => ","
      # Column name must match the field the date filter parses below.
      columns => ["alertType","alertid","product","release","fileHash","dvchost","sname","dvc","locations","malware_type","timeoccurred"]
    }
    date {
      locale => "en"
      match => ["timeoccurred", "YYYY-MM-dd'T'HH:mm:ss'Z'"]
      timezone => "Etc/GMT"
      target => "occurred"
      add_field => { "debug" => "timestampMatched" }
    }
    mutate {
      add_field => {
        "[@metadata][document_id]" => "%{alertid}"
      }
    }
  }
}
output {
  if "malware" in [tags] {
    stdout {
      codec => "rubydebug"
    }
    elasticsearch {
      action => "index"
      hosts => ["http://localhost:9200"]
      document_id => "%{[@metadata][document_id]}"
      index => "malware"
    }
  }
}
To create a geo location from an IP, please refer to this blog:
GeoIP in the Elastic Stack - Elasticsearch, Logstash, Ingest API | Elastic Blog
Once you have achieved this, creating visualizations is straightforward.
Blason
(R)
September 14, 2017, 4:09am
5
NerdSec:
columns => ["alertType","alertid","product","release","fileHash","dvchost","sname","dvc","locations","malware_typ
And I do need to have a template for this, right? I am sorry, since I am pretty novice, for asking such basic questions. Even for geo tagging I guess I need to have a template; correct me if I am wrong?
IP numbers and geopoints won't be autodetected by ES so in those cases you need to set the desired mapping explicitly, preferably via an index template.
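An added example (not from the thread) of what that explicit mapping looks like and how to catch documents that would be rejected under it: it builds an index template with `ip` and `geo_point` fields, flattens the template so a sample event can be checked before indexing, and installs the template through the `_template` API. The field names src_ip and dst_ip, the index pattern "netflow-*" and the template name are placeholders; `geoip.location` is where Logstash's geoip filter writes its lat/lon object by default. The `index_patterns` key and the `_default_` mapping type are assumed to match the Elasticsearch 5.6/6.x line current when the thread was written; on other versions those two keys differ.

```python
"""Index template with explicit ip / geo_point mappings plus a pre-index check (added example).

Assumptions: events carry src_ip, dst_ip and geoip.location; Elasticsearch at ES_URL
accepts `index_patterns` and a `_default_` mapping type (5.6/6.x style).
"""
import ipaddress
import json
import urllib.request

ES_URL = "http://localhost:9200"  # the host used in the conf above


def build_template(index_pattern="netflow-*", doc_type="_default_"):
    """Template body: explicit types for the fields Elasticsearch will not autodetect."""
    return {
        "index_patterns": [index_pattern],
        "mappings": {
            doc_type: {
                "properties": {
                    "src_ip": {"type": "ip"},
                    "dst_ip": {"type": "ip"},
                    # geoip filter output; without this it would be mapped as two floats.
                    "geoip": {"properties": {"location": {"type": "geo_point"}}},
                }
            }
        },
    }


def field_types(template, doc_type="_default_"):
    """Flatten the template's properties into {"a.b": type}."""
    out = {}

    def walk(props, prefix):
        for name, spec in props.items():
            if "properties" in spec:
                walk(spec["properties"], prefix + name + ".")
            elif "type" in spec:
                out[prefix + name] = spec["type"]

    walk(template["mappings"][doc_type]["properties"], "")
    return out


def get_path(event, path):
    """Look up a dotted path in a nested dict; None when any segment is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_event(event, template, doc_type="_default_"):
    """Return [(field, reason)] for values the mapping would reject at index time."""
    problems = []
    for path, kind in field_types(template, doc_type).items():
        value = get_path(event, path)
        if value is None:
            continue  # absent fields are fine; only present values are type-checked
        if kind == "ip":
            try:
                ipaddress.ip_address(str(value))
            except ValueError:
                problems.append((path, "not an IP address: %r" % (value,)))
        elif kind == "geo_point":
            # Only the {lat, lon} object form the geoip filter emits is accepted here;
            # Elasticsearch also takes other geo_point encodings (assumption kept narrow).
            ok = (isinstance(value, dict)
                  and isinstance(value.get("lat"), (int, float))
                  and isinstance(value.get("lon"), (int, float))
                  and -90 <= value["lat"] <= 90 and -180 <= value["lon"] <= 180)
            if not ok:
                problems.append((path, "not a {lat, lon} object: %r" % (value,)))
    return problems


def put_template(name, template, es_url=ES_URL):
    """PUT the template via the _template API and return the parsed JSON reply."""
    req = urllib.request.Request(
        "%s/_template/%s" % (es_url, name),
        data=json.dumps(template).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    tpl = build_template()
    print(json.dumps(tpl, indent=2))
    # Constructed event with a malformed address and a geo value in the wrong shape.
    sample = {"src_ip": "not-an-ip", "dst_ip": "192.0.2.10", "geoip": {"location": "48.8,2.3"}}
    for field, reason in validate_event(sample, tpl):
        print("would be rejected:", field, reason)
```

Run the validation against a few events from `stdout { codec => "rubydebug" }` before switching the elasticsearch output on; a field that fails here would otherwise surface only as a mapping error in the Logstash log, and an index created without the template will have already locked the field in as a string.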