Trend Micro: Control Manager, Deep Security, Deep Discovery Inspector

GlennH · January 24, 2018, 11:11pm

Im a bit new to elastic and spend too much time trying to figure out how to configure these so figured I would share so someone can either show me a better way or use this and save some time. FYI this thing still needs work but it will hopefully point you in the right direction.

Control Manager: CEF
Deep Security: LEEF
Deep Discovery Inspector: LEEF

input {
  udp {
port => 40514
type => syslog
  }
  tcp {
port => 40514
type => syslog
  }
}

filter {
  if [message] =~ "\bDeep Security\b" {
mutate {
  gsub => ["message", "\t", "|"]
  add_tag => [ "Deep Security" ]
}
grok {
  match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:devTime}" }
}
date {
   match => [ "devTime", "MMM dd HH:mm:ss" ]
}
kv {
  source => "message"
  value_split => "="
  field_split => "|"
}
mutate {
  rename => { "cn1" => "%{cn1Label}"}
  rename => { "cn2" => "%{cn2Label}"}
  rename => { "cn3" => "%{cn3Label}"}
  rename => { "cn4" => "%{cn4Label}"}
  rename => { "cs1" => "%{cs1Label}"}
  rename => { "cs2" => "%{cs2Label}"}
  rename => { "cs3" => "%{cs3Label}"}
  rename => { "cs4" => "%{cs4Label}"}
  rename => { "cs5" => "%{cs5Label}"}
  rename => { "cs6" => "%{cs6Label}"}
  remove_field => ["cn1Label", "cn2Label", "cn3Label", "cn4Label", "cs1Label", "cs2Label", "cs3Label", "cs4Label", "cs5Label", "cs6Label", "syslog5424_pri"]
}
  }
  else if [message] =~ "\bDeep Discovery Inspector\b" {
mutate {
  add_tag => [ "Deep Discovery Inspector" ]
  gsub => ["message", "\t", "|"]
}
kv {
  source => "message"
  value_split => "="
  field_split => "|"
}
mutate {
  gsub => ["devTime", "GMT", ""]
  remove_field => "devTimeFormat"
}
date {
  match => [ "devTime", "MMM dd yyyy HH:mm:ss Z" ]
}
  }
  else if [message] =~ "\bTrend Micro\b" {
mutate {
  add_tag => [ "OfficeScan" ]
  gsub => ["message", " act=", "|act=" ]
  gsub => ["message", " cat=", "|cat=" ]
  gsub => ["message", " deviceExternalId=", "|deviceExternalId=" ]
  gsub => ["message", " deviceFacility=", "|deviceFacility=" ]
  gsub => ["message", " dhost=", "|dhost=" ]
  gsub => ["message", " fileHash=", "|fileHash=" ]
  gsub => ["message", " rt=", "|rt=" ]
  gsub => ["message", " sproc=", "|sproc=" ]
  gsub => ["message", " shost=", "|shost=" ]
  gsub => ["message", " src=", "|src=" ]
  gsub => ["message", " app=", "|app=" ]
  gsub => ["message", " dpt=", "|dpt=" ]
  gsub => ["message", " cnt=", "|cnt=" ]
  gsub => ["message", " dst=", "|dst=" ]
  gsub => ["message", " deviceDirection=", "|deviceDirection=" ]
  gsub => ["message", " dvchost=", "|dvchost=" ]
  gsub => ["message", " request=", "|request=" ]
  gsub => ["message", " cn1=", "|cn1=" ]
  gsub => ["message", " cn1Label=", "|cn1Label=" ]
  gsub => ["message", " cn2=", "|cn2=" ]
  gsub => ["message", " cn2Label=", "|cn2Label=" ]
  gsub => ["message", " cn3=", "|cn3=" ]
  gsub => ["message", " cn3Label=", "|cn3Label=" ]
  gsub => ["message", " cn4=", "|cn4=" ]
  gsub => ["message", " cn4Label=", "|cn4Label=" ]
  gsub => ["message", " cn5=", "|cn5=" ]
  gsub => ["message", " cn5Label=", "|cn5Label=" ]
  gsub => ["message", " cn6=", "|cn6=" ]
  gsub => ["message", " cn6Label=", "|cn6Label=" ]
  gsub => ["message", " cs1=", "|cs1=" ]
  gsub => ["message", " cs1Label=", "|cs1Label=" ]
  gsub => ["message", " cs2=", "|cs2=" ]
  gsub => ["message", " cs2Label=", "|cs2Label=" ]
  gsub => ["message", " cs3=", "|cs3=" ]
  gsub => ["message", " cs3Label=", "|cs3Label=" ]
  gsub => ["message", " cs4=", "|cs4=" ]
  gsub => ["message", " cs4Label=", "|cs4Label=" ]
  gsub => ["message", " cs5=", "|cs5=" ]
  gsub => ["message", " cs5Label=", "|cs5Label=" ]
  gsub => ["message", " cs4=", "|cs4=" ]
  gsub => ["message", " cs6Label=", "|cs6Label=" ]
}
kv {
  source => "message"
  value_split => "="
  field_split => "|"
}
mutate {
  rename => { "cn1" => "%{cn1Label}"}
  rename => { "cn2" => "%{cn2Label}"}
  rename => { "cn3" => "%{cn3Label}"}
  rename => { "cn4" => "%{cn4Label}"}
  rename => { "cs1" => "%{cs1Label}"}
  rename => { "cs2" => "%{cs2Label}"}
  rename => { "cs3" => "%{cs3Label}"}
  rename => { "cs4" => "%{cs4Label}"}
  rename => { "cs5" => "%{cs5Label}"}
  rename => { "cs6" => "%{cs6Label}"}
  remove_field => ["cn1Label", "cn2Label", "cn3Label", "cn4Label", "cs1Label", "cs2Label", "cs3Label", "cs4Label", "cs5Label", "cs6Label"]
  gsub => ["rt", "GMT", ""]
}
date {
  match => [ "rt", "MMM dd yyyy HH:mm:ss Z" ]
}
  }
  else {
mutate {
  add_tag => [ "notag" ]
}
  }
}
output {
  elasticsearch {
hosts => "localhost:9200"
index => "securityevents-%{+YYYY.MM.dd}"
  }
}

GlennH · February 9, 2018, 9:42pm

Since this will close after a while I moved my working copy to https://github.com/Glenn-Herdrich/Logstash-Trend-Micro

system · March 9, 2018, 9:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.