I'm a bit new to Elastic and spent too much time trying to figure out how to configure these, so I figured I would share so someone can either show me a better way or use this and save some time. FYI, this thing still needs work, but it will hopefully point you in the right direction.
Control Manager: CEF
Deep Security: LEEF
Deep Discovery Inspector: LEEF
input {
  # Both listeners share one port and one type; every event arrives as a raw
  # line in [message] and is classified later by the filter section.
  # NOTE(review): syslog over UDP carries no sender authentication and neither
  # listener restricts who may connect, so anything that can reach 40514 can
  # feed events into the index — limit reachability at the network layer and
  # prefer the tcp listener with its ssl options where the sources support it.
  tcp {
    type => syslog
    port => 40514
  }
  udp {
    type => syslog
    port => 40514
  }
}
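filter {
  # Routing is by substring match on the raw syslog line, so branch order
  # matters: a Deep Security event is claimed here before the broader
  # "Trend Micro" test further down could match it.
  if [message] =~ "\bDeep Security\b" {
    mutate {
      # LEEF separates extension pairs with tabs; normalise to "|" so the same
      # kv settings serve every branch.
      gsub    => ["message", "\t", "|"]
      add_tag => [ "Deep Security" ]
    }
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:devTime}" }
    }
    date {
      # SYSLOGTIMESTAMP accepts a space-padded or unpadded single-digit day
      # ("Mar  5", "Mar 5"); "MMM dd" alone rejects those and the event would
      # keep its ingest time with a _dateparsefailure tag.
      match => [ "devTime", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss", "MMM d HH:mm:ss" ]
    }
    kv {
      source      => "message"
      value_split => "="
      field_split => "|"
    }
    mutate {
      # cnN/csN are custom slots whose meaning is carried by the matching
      # cnNLabel/csNLabel field, so the label becomes the field name.
      # NOTE(review): the label text comes from the event itself; when a label
      # is absent the sprintf presumably does not resolve and the field keeps a
      # literal "%{cnNLabel}" name, and an unexpected label value creates a new
      # field in the index. Guard each rename with `if [cnNLabel]` if that
      # matters for your mappings.
      rename => { "cn1" => "%{cn1Label}" }
      rename => { "cn2" => "%{cn2Label}" }
      rename => { "cn3" => "%{cn3Label}" }
      rename => { "cn4" => "%{cn4Label}" }
      rename => { "cs1" => "%{cs1Label}" }
      rename => { "cs2" => "%{cs2Label}" }
      rename => { "cs3" => "%{cs3Label}" }
      rename => { "cs4" => "%{cs4Label}" }
      rename => { "cs5" => "%{cs5Label}" }
      rename => { "cs6" => "%{cs6Label}" }
      # syslog5424_pri is the grok capture for the <PRI> prefix; not needed once
      # the timestamp has been extracted.
      remove_field => ["cn1Label", "cn2Label", "cn3Label", "cn4Label", "cs1Label", "cs2Label", "cs3Label", "cs4Label", "cs5Label", "cs6Label", "syslog5424_pri"]
    }
  }
  else if [message] =~ "\bDeep Discovery Inspector\b" {
    mutate {
      add_tag => [ "Deep Discovery Inspector" ]
      gsub    => ["message", "\t", "|"]
    }
    kv {
      source      => "message"
      value_split => "="
      field_split => "|"
    }
    mutate {
      # Strip the "GMT" prefix from the offset so the date pattern's Z can
      # read what is left; devTimeFormat only described that layout.
      gsub         => ["devTime", "GMT", ""]
      remove_field => "devTimeFormat"
    }
    date {
      match => [ "devTime", "MMM dd yyyy HH:mm:ss Z" ]
    }
  }
  else if [message] =~ "\bTrend Micro\b" {
    # Control Manager sends CEF, whose extension pairs are space separated.
    # Each known key is prefixed with "|" so kv can split on it without
    # breaking on spaces inside values; a key missing from this list stays
    # glued to the previous value.
    mutate {
      add_tag => [ "OfficeScan" ]
      gsub => ["message", " act=", "|act=" ]
      gsub => ["message", " cat=", "|cat=" ]
      gsub => ["message", " deviceExternalId=", "|deviceExternalId=" ]
      gsub => ["message", " deviceFacility=", "|deviceFacility=" ]
      gsub => ["message", " dhost=", "|dhost=" ]
      gsub => ["message", " fileHash=", "|fileHash=" ]
      gsub => ["message", " rt=", "|rt=" ]
      gsub => ["message", " sproc=", "|sproc=" ]
      gsub => ["message", " shost=", "|shost=" ]
      gsub => ["message", " src=", "|src=" ]
      gsub => ["message", " app=", "|app=" ]
      gsub => ["message", " dpt=", "|dpt=" ]
      gsub => ["message", " cnt=", "|cnt=" ]
      gsub => ["message", " dst=", "|dst=" ]
      gsub => ["message", " deviceDirection=", "|deviceDirection=" ]
      gsub => ["message", " dvchost=", "|dvchost=" ]
      gsub => ["message", " request=", "|request=" ]
      gsub => ["message", " cn1=", "|cn1=" ]
      gsub => ["message", " cn1Label=", "|cn1Label=" ]
      gsub => ["message", " cn2=", "|cn2=" ]
      gsub => ["message", " cn2Label=", "|cn2Label=" ]
      gsub => ["message", " cn3=", "|cn3=" ]
      gsub => ["message", " cn3Label=", "|cn3Label=" ]
      gsub => ["message", " cn4=", "|cn4=" ]
      gsub => ["message", " cn4Label=", "|cn4Label=" ]
      gsub => ["message", " cn5=", "|cn5=" ]
      gsub => ["message", " cn5Label=", "|cn5Label=" ]
      gsub => ["message", " cn6=", "|cn6=" ]
      gsub => ["message", " cn6Label=", "|cn6Label=" ]
      gsub => ["message", " cs1=", "|cs1=" ]
      gsub => ["message", " cs1Label=", "|cs1Label=" ]
      gsub => ["message", " cs2=", "|cs2=" ]
      gsub => ["message", " cs2Label=", "|cs2Label=" ]
      gsub => ["message", " cs3=", "|cs3=" ]
      gsub => ["message", " cs3Label=", "|cs3Label=" ]
      gsub => ["message", " cs4=", "|cs4=" ]
      gsub => ["message", " cs4Label=", "|cs4Label=" ]
      gsub => ["message", " cs5=", "|cs5=" ]
      gsub => ["message", " cs5Label=", "|cs5Label=" ]
      # Was a second " cs4=" entry, so cs6 never got its separator and the
      # cs6 rename below had nothing to act on.
      gsub => ["message", " cs6=", "|cs6=" ]
      gsub => ["message", " cs6Label=", "|cs6Label=" ]
    }
    kv {
      source      => "message"
      value_split => "="
      field_split => "|"
    }
    mutate {
      # Same label-to-field-name promotion as the Deep Security branch; the
      # same NOTE about event-supplied names and absent labels applies.
      rename => { "cn1" => "%{cn1Label}" }
      rename => { "cn2" => "%{cn2Label}" }
      rename => { "cn3" => "%{cn3Label}" }
      rename => { "cn4" => "%{cn4Label}" }
      rename => { "cs1" => "%{cs1Label}" }
      rename => { "cs2" => "%{cs2Label}" }
      rename => { "cs3" => "%{cs3Label}" }
      rename => { "cs4" => "%{cs4Label}" }
      rename => { "cs5" => "%{cs5Label}" }
      rename => { "cs6" => "%{cs6Label}" }
      remove_field => ["cn1Label", "cn2Label", "cn3Label", "cn4Label", "cs1Label", "cs2Label", "cs3Label", "cs4Label", "cs5Label", "cs6Label"]
      # rt carries the CEF receipt time with a "GMT" prefixed offset.
      gsub => ["rt", "GMT", ""]
    }
    date {
      match => [ "rt", "MMM dd yyyy HH:mm:ss Z" ]
    }
  }
  else {
    # Anything unrecognised is kept but tagged so it can be found and a new
    # branch written for it.
    mutate {
      add_tag => [ "notag" ]
    }
  }
}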
output {
  # One daily index for all three sources; the tags set in the filter section
  # are what tell them apart.
  # NOTE(review): plain http to localhost with no user/password or ssl options,
  # which only holds up while Elasticsearch is bound to this host and not
  # reachable from the network — confirm before pointing hosts elsewhere.
  elasticsearch {
    index => "securityevents-%{+YYYY.MM.dd}"
    hosts => "localhost:9200"
  }
}