Hello, I'm fairly new to the ELK stack (and also pretty new to Linux). I have two servers: one runs my ELK stack, the other is a honeypot with Beats on it. My question: when someone connects to my honeypot, is it possible to have Logstash trigger a command such as whois (or any other command) and write the results to a file? If so, can you help me with my config files to do this?
input/output:
input {
# Beats listener; the honeypot host is the only expected client.
beats {
port => 5044
# ssl => false: events travel between the two hosts in clear text, and the
# honeypot is the more exposed of the two. Enabling TLS here (ssl_certificate /
# ssl_key, and ssl_verify_mode to require a client certificate) is the usual
# fix; until then keep this port reachable only from the honeypot's address.
ssl => false
}
}
output {
elasticsearch {
hosts => "localhost:9200"
# With manage_template => false Logstash does not install any template, so the
# template / template_name settings below have no effect. The template is
# expected to be present in Elasticsearch already (e.g. installed by Filebeat
# setup) — presumably it maps the geoip fields as geo_point; verify it exists.
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
template => "/etc/logstash/templates/filebeat-index-template.json"
template_name => "filebeat"
}
}
Filter 1:
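# Filter 1: cowrie honeypot JSON lines (Filebeat sets [fields][log_type] = "cowrie").
# Parses the JSON document carried in [message] and lifts a few keys to top-level
# fields. Everything in these events is attacker-controlled input: treat src_ip,
# input and message as data, never as something to interpolate into a shell
# command (e.g. a whois lookup via an exec output) without strict validation.
filter {
  if [fields][log_type] == "cowrie" {
    # The original grok "%{GREEDYDATA:request}" only copied [message] verbatim
    # into [request]; parse [message] directly instead. The object lands in
    # [parsedJson].
    json {
      source => "message"
      target => "parsedJson"
    }
    # On invalid JSON the json filter tags the event "_jsonparsefailure" and
    # leaves [parsedJson] unset. Without this guard the sprintf references
    # below would not resolve and the literal text "%{[parsedJson][src_ip]}"
    # would be stored in src_ip (and likewise for the other fields).
    if "_jsonparsefailure" not in [tags] {
      mutate {
        add_field => {
          "src_ip" => "%{[parsedJson][src_ip]}"
          "eventid" => "%{[parsedJson][eventid]}"
          "system" => "%{[parsedJson][system]}"
        }
        # [message] already exists (the raw JSON line); add_field on an existing
        # field turns it into the array [raw, parsed], so overwrite it instead.
        replace => { "message" => "%{[parsedJson][message]}" }
      }
      # "input" is only present on some cowrie events (command events);
      # an unresolved reference would again store the literal "%{...}" string,
      # so only copy it when the key exists.
      if [parsedJson][input] {
        mutate {
          add_field => { "input" => "%{[parsedJson][input]}" }
        }
      }
    }
  }
}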
Filter 2:
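# Filter 2: kernel/netfilter log lines from the honeypot's syslog
# ([fields][log_type] = "messages"). Pulls the iptables LOG fields
# (interfaces, MACs, addresses, protocol, ports) into nf_* fields.
filter {
  if [fields][log_type] == "messages" {
    grok {
      # Fixed "PROTO=%{WORD:nf_protocol}.?*SPT=": ".?*" is a nested quantifier
      # (the regex engine reduces it to ".*", with a warning); written as ".*"
      # like the other gaps. A "?" after a capture makes only the captured
      # value optional — the literal keys (IN=, OUT=, SPT=, DPT=) must still be
      # present, so lines without ports (e.g. ICMP) presumably will not match.
      match => { "message" => "%{SYSLOGTIMESTAMP:nf_timestamp}\s*%{HOSTNAME:nf_host}\s*kernel\S+\s*%{WORD:nf_action}?.*IN=%{USERNAME:nf_in_interface}?.*OUT=%{USERNAME:nf_out_interface}?.*MAC=%{COMMONMAC:nf_dst_mac}:%{COMMONMAC:nf_src_mac}?.*SRC=%{IPV4:nf_src_ip}.*DST=%{IPV4:nf_dst_ip}.*PROTO=%{WORD:nf_protocol}.*SPT=%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*" }
      # add_field only runs when the match succeeds; non-matching lines are
      # tagged "_grokparsefailure" and pass through without nf_* fields.
      add_field => { "eventName" => "groke" }
    }
  }
}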
Filter 3:
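# Filter 3: GeoIP enrichment for both log types. Logstash concatenates the
# pipeline files in filename order, so this file must sort after Filters 1/2:
# the "messages" branch depends on nf_src_ip from Filter 2, and the cowrie grok
# below is presumably meant to run on the parsed cowrie message text.
filter {
  if [fields][log_type] == "cowrie" {
    # Extract the first IP preceded by a space as [client] (e.g. cowrie's
    # "New connection: <ip>:<port>" text). Filter 1 already exposes the same
    # address as src_ip; using that as the geoip source would avoid a second
    # parse — left as is to keep this file independent.
    grok {
      match => { "message" => " %{IP:client}" }
    }
    geoip {
      source => "client"
      target => "geoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
      # Build [geoip][coordinates] = [lon, lat] (GeoJSON order). Adding the same
      # field twice makes it an array; add_field only applies when the lookup
      # succeeds, so private/unroutable addresses get _geoip_lookup_failure and
      # no coordinates.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}",
                     "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
  if [fields][log_type] == "messages" {
    geoip {
      source => "nf_src_ip"
      target => "geoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
      # Fixed: longitude was written to "[geoip][coordinate]" (singular), so
      # [geoip][coordinates] held only the latitude and the float conversion
      # below never produced a usable [lon, lat] pair for this log type.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}",
                     "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}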
Thanks In Advance