我已經在一系列不同的linux機器上安裝了logstash-forwarders來創建一個用於日誌收集的ELK堆棧,並且這個工作非常好。在ELK堆棧建議之上的Suricata安裝?
現在我期待在安裝suricata到主ELK堆棧開始使用IDS/IPS功能
我的第一個問題是,我只需要安裝suricata到主ELK對話框,改變conf文件上這個盒子加上logtash-forwarders,所以suricata只需要安裝在一個盒子上?
其次,我試圖改變conf文件,以允許suricata所以我列出了我的conf文件logstash及以下
的文件logstash轉發13 suricata.conf是我嘗試把它帶入logstash conf文件,但我不確定這是否是正確的方法,我不知道如何處理logstash-forwarder conf甚至?
任何幫助將是驚人
/etc/logstash/conf.d$ ls
01-lumberjack-input.conf 11-sshlog.conf 13-suricata.conf
10-syslog.conf 12-apache.conf 30-lumberjack-output.conf
01-伐木-input.conf中
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
10的syslog.conf
濾波器{ 如果[式] ==「日誌「{
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
} }
11 sshlog.conf
filter {
if [type] == "sshlog" {
grok {
type => "sshlog"
match => {"message" => "Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
add_tag => "ssh_brute_force_attack"
}
grok {
type => "sshlog"
match => {"message" => "Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"}
add_tag => "ssh_sucessful_login"
}
geoip {
source => "src_ip"
}
}
}
12的apache.conf
filter {
if [type] == "apache-access" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
}
13 suricata.conf
filter {
if [type] == "SuricataIDPS" {
date {
match => [ "timestamp", "ISO8601" ]
}
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}
30伐木輸出。 conf
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
logstash fordwarer的conf
"files": [
{
"paths": [
"/var/log/syslog",
"/var/log/auth.log"
],
"fields": { "type": "syslog" }
},
# An array of hashes. Each hash tells what paths to watch and
# what fields to annotate on events from those paths.
#{
#"paths": [
# single paths are fine
#"/var/log/messages",
# globs are fine too, they will be periodically evaluated
# to see if any new files match the wildcard.
#"/var/log/*.log"
#],
# A dictionary of fields to annotate on each event.
#"fields": { "type": "syslog" }
#}, {
# A path of "-" means stdin.
#"paths": [ "-" ],
#"fields": { "type": "stdin" }
# },
{
"paths": [
"/var/log/apache2/*.log"
],
"fields": { "type": "apache-access" }
},
{
"paths": [
"/var/log/auth*.log"
],
"fields": { "type": "sshlog" }
}
"files": [
{
"paths": [ "/var/log/suricata/eve.json" ],
"fields": { "type": "suricata" }
}
]
}