Logstash alert type =>

kunam · December 21, 2017, 9:42pm

Hi,

I'm new to logstash, please bare me and help me in writing this.

How to use logstash alert type in logstash config file. I had a log source called allyourbase and alert type should be mapped to "AllYourBase - Audio Alert " & "AllyourBase_Block_DNS_Sinkhole_Alert" in logstash filters. How would I do that.

#filter configuration
} else if [name] == "AllYourBase" {
mutate {
add_field => {
"[fields][logsource]" => "allyourbase"
}

help would be appreciated.

magnusbaeck · December 22, 2017, 6:31am

What does an input event look like? What does an output event (produced by Logstash) look like? What would you like it to look like instead? What does the rest of your Logstash pipeline configuration look like?

kunam · December 22, 2017, 4:10pm

Thanks for your reply Magnus Back.

Here is my logstash config file with input, flter and output.

##i need to set an alert type for "allyour base" log source.

lets say {(AllYourBase - Audio") ("AllyourBase_Block_DNS_Sinkhole_Alert")} these two are part of allyourbase log source.

In output I need to have alerts for following fields. can you please help me in writing this alert tpe in logstash filter

input is ingested through beats and some other ports.

input {
tcp {
port => 5514
codec => json
ssl_enable => true
ssl_cert => "xxxxxx"
ssl_key => "xxxxxxxxxxxxxx"
ssl_verify => false
ssl_extra_chain_certs => ["xxxxxxxx"]
}
beats {
port => 5044
ssl => true
ssl_certificate_authorities => ["xxxxxxxxxxx"]
ssl_certificate => "xxxxxxxxxx"
ssl_key => "xxxxxxxxxxx"
ssl_verify_mode => "xxxxxxxx"
}
}

filter {
if [fields][logsource] == "activeDirectory" {
if [event_data][TargetUserName] {
mutate {
add_field => {
"username" => "%{[event_data][TargetUserName]}"
}
}
} else if [name] == "AllYourBase" {
mutate {
add_field => {
"[fields][logsource]" => "allyourbase"
}

output {
} if [fields][logsource] == "activedirectory" {
elasticsearch {
hosts => ["xxxx"]
user => "logstash"
password => "xxx"
ssl => true
cacert => "xxxx"
ssl_certificate_verification => false
index => "paloalto-%{+YYYY.MM.dd}"
}
} else if [fields][logsource] == "allyourbase" {
elasticsearch {
hosts => ["xxx"]
user => "logstash"
password => "xxxx"
ssl => true
cacert => "xxxx"
ssl_certificate_verification => false
index => "iis-%{+YYYY.MM.dd}"
}

magnusbaeck · December 22, 2017, 4:13pm

Okay, that answers the last question. Please also answer these questions:

What does an input event look like?
What does an output event (produced by Logstash) look like?
What would you like it to look like instead?

kunam · December 26, 2017, 3:14am

=>logstash input event is JSON

=>This is my logstash output, and AllYourbase is my event.
###RulesMatched:AllYourBase - Audio Alert type:Event version:1.4 lowLevelCategory:Misc Malware isoTimeFormat:yyyy-MM-dd'T'HH:mm:ss.SSSZ destinationIP:172.16.211.134 @timestamp:December 25th 2017, 17:16:42.549 sourceIP:xxx highLevelCategory:Malware payload:<149>Dec 25 17:16:41 ODCLNFIRE002 cef[9122]: CEF:0|fireeye|hx|3.1.3|IOC Hit Found|IOC Hit Found|10|rt=Dec 25 2017 23:16:41 UTC host=ODCLNFIRE002 ####

=>I want to make an alert type for allyourbase event.

hope, I've answered your three questions.

system · January 24, 2018, 10:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.