如何为Elasticsearch提供Snort警报日志?
如何为Elasticsearch提供Snort警报日志?
提问于 2016-10-14 21:45:03
我昨天从麋鹿如何开始,很容易就跑起来了。接下来我要做的就是将我的Snort警报日志插入其中。我将Logstash (如下所示)配置为一个过滤器和一个绝对令人讨厌的Grok,以便使用格氏调试对所有字段进行分割。然后我打开snort,警报日志开始填充,然后重新启动logstash (当然是在执行--configtest之后)。我安装了ES "Head“插件,这样我就可以稍微戳一下。我的snort警报似乎是用syslog映射映射的,就像在howto中创建的那样(见下面的图)。在ES中,我似乎无法使用logstash (ids_proto、src_ip、dst_ip)中定义的任何字段进行搜索。为什么会这样呢?我需要定义一个映射吗?还是这里有什么东西搞砸了?
input
{
file {
path => "/var/log/snort/alert"
type => "snort_tcp" # a type to identify those logs (will need this later)
start_position => beginning
ignore_older => 0 # Setting ignore_older to 0 disables file age checking so that the tutorial file is processed even though it’s older than a day.
sincedb_path => "/dev/null"
}
}
filter {
if [type] == "snort_tcp" {
grok {
add_tag => [ "IDS" ]
match => [ "message", "%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\]\s+\[%{INT:ids_gid}\:%{INT:ids_sid}\:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\]\s+\[Classification:\s+%{DATA:ids_classification}\]\s+\[Priority:\s+%{INT:priority}\]\s+\{%{WORD:ids_proto}\}\s+%{IP:src_ip}\:%{INT:src_port}\s+\-\>\s+%{IP:dst_ip}\:%{INT:dst_port}"]
}
}
geoip {
source => "[src_ip]"
target => "SrcGeo"
}
geoip {
source => "[dst_ip]"
target => "DstGeo"
}
if [priority] == "1" {
mutate {
add_field => { "severity" => "High" }
}
}
if [priority] == "2" {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [priority] == "3" {
mutate {
add_field => { "severity" => "Low" }
}
}
if [ids_proto] {
if [ids_proto] =~ /^GPL/ {
mutate {
add_tag => [ "Snort-ET-sig" ]
add_field => [ "ids_rule_type", "Emerging Threats" ]
}
}
if [ids_proto] =~ /^ET/ {
mutate {
add_tag => [ "Snort-ET-sig" ]
add_field => [ "ids_rule_type", "Emerging Threats" ]
}
}
if "Snort-ET-sig" not in [tags] {
mutate {
add_tag => [ "Snort-sig" ]
add_field => [ "ids_rule_type", "Snort" ]
}
}
}
if "Snort-sig" in [tags] {
if [ids_gid] == "1" {
mutate {
add_field => [ "Signature_Info", "http://rootedyour/.com/snortsid?sid=%{ids_sid}" ]
}
}
if [ids_gid] != "1" {
mutate {
add_field => [ "Signature_Info", "http://rootedyour.com/snortsid?sid=%{ids_gid}-%{ids_sid}" ]
}
}
}
if "Snort-ET-sig" in [tags] {
mutate {
add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{ids_sid}" ]
}
}
}
output
{
elasticsearch
{
hosts => ["localhost:9200"]
manage_template => false
index => "snort_tcp-%{+YYYY.MM.dd}"
}
}回答 1
Server Fault用户
回答已采纳
发布于 2016-10-24 01:46:26
这里有几件事:
- 默认映射logstash将所有字符串字段设置为非分析字段,这对下游查看工具更友好。
- 没有像您所做的那样设置映射,而是使用默认的ElasticSearch 动态映射,这对Logstash来说并不合适。
为了进行测试,我建议使用以下输出部分:
output
{
elasticsearch
{
hosts => ["localhost:9200"]
manage_template => true
index => "logstash-%{+YYYY.MM.dd}"
}
}这样设置时,logstash索引将得到默认的logstash映射,该映射的行为可能更接近您的预期。如果是这样,您可能需要定义一个映射文件。
output
{
elasticsearch
{
hosts => ["localhost:9200"]
manage_template => true
index => "snort_tcp-%{+YYYY.MM.dd}"
template => "/etc/logstash/template.json"
template_name => "snort_tcp"
}
}页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/809156
复制相关文章
相似问题
腾讯云开发者
