Logstash as security monitoring/reporting tool


We recently deployed the Elasticsearch/Logstash/Kibana stack in our infrastructure. Very nice. Now we're wondering whether we could use this information to get some basic security reporting out of it.

We're looking for a way to have some basic security monitoring, without the need to install a full blown IDS.

The reports we were thinking of:

  • brute-force password login attempts
  • DDoS attempts
  • SQL-injection-like attacks

Browsing the web I found:

So do any of you have some experience/plugins/resources we could use to do some basic security reporting with Logstash?


This is a bit of a "it depends" answer.
What sort of logs do you have access to, and what do you think you will need to extract that doesn't exist now?

But things like Packetbeat could help get data you don't have.
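The three reports the question lists (brute-force logins, floods, SQL-injection-like requests) all reduce to two operations over already-collected logs: a sliding-window count of events per source address, and a pattern match on a decoded request field. The script below is an added example, not code from the question, the answer, or the Elastic project; it runs the same logic in plain Python over a handful of constructed sshd and nginx-style access log lines so the detection rules can be checked before they are translated into Logstash grok/ruby filters or Kibana/Elasticsearch queries. The regexes, thresholds and window sizes are assumptions chosen for the sample data, not recommended production values.

```python
"""Toy security reporting over raw log lines (added example; thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# sshd failure line, e.g. "Jan 10 12:00:00 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2"
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Combined/common access-log line; the request URI is captured still URL-encoded.
ACCESS = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Deliberately small SQLi signature set (assumption): tautologies, UNION SELECT, comment tails, sleep().
SQLI = re.compile(
    r"(?i)(\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|['\"];?\s*--|\bsleep\s*\(|\binformation_schema\b)"
)


def burst_sources(events, threshold, window):
    """Sliding window: return {ip: total_events} for IPs with >= threshold events inside any `window`."""
    flagged = {}
    for ip, times in events.items():
        times = sorted(times)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def brute_force_report(lines, threshold=5, window=timedelta(minutes=1), year=2016):
    """IPs with >= threshold failed ssh logins within `window` (syslog lines carry no year, so pass it)."""
    events = defaultdict(list)
    for line in lines:
        m = SSH_FAIL.match(line)
        if m:
            events[m["ip"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return burst_sources(events, threshold, window)


def flood_report(lines, threshold=50, window=timedelta(seconds=10)):
    """Crude flood indicator: IPs with >= threshold HTTP requests within `window`."""
    events = defaultdict(list)
    for line in lines:
        m = ACCESS.match(line)
        if m:
            events[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return burst_sources(events, threshold, window)


def sqli_report(lines):
    """(ip, decoded_uri) for requests whose URL-decoded URI matches an SQLi signature."""
    hits = []
    for line in lines:
        m = ACCESS.match(line)
        if not m:
            continue
        uri = unquote_plus(m["uri"])  # decode first, otherwise %27 hides the quote
        if SQLI.search(uri):
            hits.append((m["ip"], uri))
    return hits


# --- constructed sample input (not real logs) ---
SSH_LINES = [
    f"Jan 10 12:00:{s:02d} bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2"
    for s in range(0, 30, 5)  # six failures in 25 seconds
] + [
    "Jan 10 12:05:00 bastion sshd[1240]: Failed password for alice from 198.51.100.7 port 4100 ssh2",
    "Jan 10 12:09:00 bastion sshd[1241]: Failed password for alice from 198.51.100.7 port 4101 ssh2",
    "Jan 10 12:09:05 bastion sshd[1242]: Accepted password for alice from 198.51.100.7 port 4101 ssh2",
]
ACCESS_LINES = [
    '198.51.100.7 - - [10/Jan/2016:12:10:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2016:12:10:01 +0000] "GET /items?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/Jan/2016:12:10:02 +0000] "GET /search?q=x%27%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 200 90',
] + [
    f'192.0.2.9 - - [10/Jan/2016:12:11:{n // 20:02d} +0000] "GET /?r={n} HTTP/1.1" 200 10'
    for n in range(60)  # sixty requests in three seconds
]

if __name__ == "__main__":
    print("brute force:", brute_force_report(SSH_LINES))
    print("flood:", flood_report(ACCESS_LINES))
    print("sqli:", sqli_report(ACCESS_LINES))
```

In a Logstash deployment the same split applies: the grok patterns become `grok` filters that produce `client_ip`, `user` and `request` fields, the URL decoding becomes a `urldecode` filter, and the per-IP counting is better done as an Elasticsearch terms aggregation over a time range (or a Kibana visualization) than inside the pipeline. The point of prototyping the rules this way is to confirm the logs actually contain the fields each report needs, which is exactly the "it depends" in the answer above.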