Logstash as security monitoring/reporting tool

Hi,

we recently deployed the elastic-search/logstash/kibana stack in our infrastructure. Very nice. Now we're wondering wether we could use this information to get out some basic security reporting.

We're looking for a way to have some basic security monitoring, without the need to install a full blown IDS.

The reports we were thinking of:

• brute force pw logins attempts
• DDOS attempts
• sql injection like attacks
  -...

Browsing the web I found:

• https://github.com/bitsofinfo/logstash-modsecurity
  which is nice, but only for apache. We're also looking for things to monitor like sftp/ssh logs, tomcat logs
• http://www.ossec.net/?p=1002, here we need a full blown IDS, which is currently not what we want.

So does any of you have some experience/plugins/resources we could use to do some basic security reporting with logstash?

thanks

This is a bit of a "it depends" answer.
What sort of logs do you have access to, and what do you think you will need to extract that doesn't exist now?

But things like Packetbeats could help get data you don't have.