Hi,
we recently deployed the Elasticsearch/Logstash/Kibana stack in our infrastructure. Very nice. Now we're wondering whether we could use this information to get some basic security reporting out of it.
We're looking for a way to have some basic security monitoring, without the need to install a full-blown IDS.
The reports we were thinking of:
- brute-force password login attempts
- DDoS attempts
- SQL-injection-like attacks
-...
Browsing the web I found:
- https://github.com/bitsofinfo/logstash-modsecurity
which is nice, but only for Apache. We're also looking to monitor things like SFTP/SSH logs and Tomcat logs.
- http://www.ossec.net/?p=1002
here we'd need a full-blown IDS, which is currently not what we want.
So do any of you have some experience/plugins/resources we could use to do some basic security reporting with Logstash?
thanks
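To make the three report types in the question concrete, here is an added stand-alone Python example (not from the poster, and not a Logstash plugin) that runs the same kind of detection logic over raw log lines: a sliding-window count of failed SSH passwords per source IP (brute force), the same window count applied to per-IP web request rate (a crude flood indicator), and a small signature list matched against URL-decoded Tomcat access-log request paths (SQL-injection-like requests). All log lines are constructed samples, the IP addresses are documentation ranges, and the thresholds and signature list are assumptions to tune, not recommendations. The field extraction done by the two regexes is exactly what a Logstash grok filter would do before the events reach Elasticsearch; the counting is what you would later aggregate in Kibana.

```python
"""Basic security detections over raw log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sshd auth.log lines (syslog format, no year in the timestamp).
SSHD_LOG = """\
Mar  3 10:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2
Mar  3 10:15:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2
Mar  3 10:15:04 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:05 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  3 10:15:07 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51032 ssh2
Mar  3 10:15:09 host1 sshd[2209]: Accepted publickey for deploy from 198.51.100.20 port 44010 ssh2
Mar  3 10:30:00 host1 sshd[2301]: Failed password for bob from 198.51.100.21 port 40001 ssh2
Mar  3 10:45:00 host1 sshd[2401]: Failed password for bob from 198.51.100.21 port 40002 ssh2
"""

# Constructed Tomcat access log lines (common log format, as the AccessLogValve writes it).
ACCESS_LOG = """\
203.0.113.9 - - [03/Mar/2014:10:16:00 +0000] "GET /app/item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
198.51.100.30 - - [03/Mar/2014:10:16:02 +0000] "GET /app/item?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2014:10:16:04 +0000] "POST /app/login HTTP/1.1" 302 0
203.0.113.9 - - [03/Mar/2014:10:16:10 +0000] "GET /app/search?q=test%22+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 200 2048
"""

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Heuristic SQLi signatures (assumed list; expect false positives on legitimate text
# containing "--" or "and"), matched against the URL-decoded request path.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*(?:or|and)\s*'?\s*\d",              # ' OR '1'='1
    r"\bunion\s+(?:all\s+)?select\b",         # UNION SELECT
    r"--\s*$|/\*.*\*/",                       # SQL comment terminators
    r"\b(?:sleep|benchmark|waitfor)\s*\(",    # time-based probes
    r";\s*(?:drop|delete|insert|update)\b",   # stacked statements
)]


def parse_ssh_failures(text):
    """Return [(ip, user, timestamp)] for every failed password attempt."""
    out = []
    for line in text.splitlines():
        m = SSHD_FAIL.match(line)
        if m:  # syslog has no year; strptime defaults it, fine within one day
            out.append((m["ip"], m["user"], datetime.strptime(m["ts"], "%b %d %H:%M:%S")))
    return out


def parse_access(text):
    """Return [(ip, decoded_path, timestamp, status)] for each access-log request."""
    out = []
    for line in text.splitlines():
        m = ACCESS.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append((m["ip"], unquote_plus(m["path"]), ts, int(m["status"])))
    return out


def burst_sources(events, window, threshold):
    """events: iterable of (ip, datetime). Return {ip: peak} for every ip that has
    at least `threshold` events inside some sliding interval of length `window`."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def ssh_bruteforce(text, window=timedelta(seconds=60), threshold=5):
    """Source IPs with >= threshold failed SSH passwords within `window`."""
    return burst_sources(((ip, ts) for ip, _u, ts in parse_ssh_failures(text)), window, threshold)


def request_floods(text, window=timedelta(seconds=10), threshold=100):
    """Source IPs with >= threshold HTTP requests within `window` (crude flood signal)."""
    return burst_sources(((ip, ts) for ip, _p, ts, _s in parse_access(text)), window, threshold)


def sqli_suspects(text):
    """[(ip, decoded_path)] for requests whose decoded path matches a signature."""
    return [(ip, path) for ip, path, _ts, _s in parse_access(text)
            if any(p.search(path) for p in SQLI_PATTERNS)]


if __name__ == "__main__":
    print("ssh brute force:", ssh_bruteforce(SSHD_LOG))
    print("request floods:", request_floods(ACCESS_LOG, threshold=3))
    print("sqli suspects:", sqli_suspects(ACCESS_LOG))
```

Two caveats a practitioner would add: the flood check only sees one host's access log, so a distributed attack spread over many source IPs stays below any per-IP threshold (correlate the aggregate request rate, or look at the load balancer's logs, instead), and the SQLi signatures are a keyword heuristic that decodes only one layer of URL encoding, so they are a reporting aid rather than a control; a real WAF such as ModSecurity, which the logstash-modsecurity project above parses, does this job far more thoroughly.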