mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-02 17:37:58 +02:00
m0duspwnens
74 lines
2.0 KiB
Plaintext
74 lines
2.0 KiB
Plaintext
# Author: Wes Lambert
|
|
#
|
|
# Adapted from existing filters provided by Justin Henderson
|
|
#
|
|
# Updated by: Doug Burks
|
|
#
|
|
# This conf file is based on accepting logs for radius.log from Bro systems
|
|
#
|
|
filter {
|
|
if [type] == "bro_radius" {
|
|
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
|
|
if [message] =~ /^{.*}$/ {
|
|
json {
|
|
source => "message"
|
|
}
|
|
|
|
mutate {
|
|
rename => { "ts" => "timestamp" }
|
|
#uid
|
|
rename => { "id.orig_h" => "source_ip" }
|
|
rename => { "id.orig_p" => "source_port" }
|
|
rename => { "id.resp_h" => "destination_ip" }
|
|
rename => { "id.resp_p" => "destination_port" }
|
|
#username
|
|
#mac
|
|
#framed_addr
|
|
#tunnel_client
|
|
#connect_info
|
|
rename => { "reply_msg" => "reply_message" }
|
|
#result
|
|
#ttl
|
|
#logged
|
|
}
|
|
} else {
|
|
mutate {
|
|
gsub => [ "message", "[\"']", "" ]
|
|
}
|
|
csv {
|
|
columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","username","mac","framed_addr","tunnel_client","connect_info","reply_message","result","ttl","logged"]
|
|
separator => " "
|
|
}
|
|
if [tunnel_client] == "-" {
|
|
mutate {
|
|
remove_field => [ "tunnel_client" ]
|
|
}
|
|
}
|
|
|
|
}
|
|
# Remove the ttl and framed_addr fields
|
|
if [ttl] {
|
|
mutate {
|
|
remove_field => [ "ttl" ]
|
|
}
|
|
}
|
|
if [framed_addr] {
|
|
mutate {
|
|
remove_field => [ "framed_addr" ]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# Parse using grok
|
|
#filter {
|
|
# if [type] == "bro_radius" {
|
|
# grok {
|
|
# match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<username>(.*?))\t(?<mac>(.*?))\t(?<tunnel_client>(.*?))\t(?<logged>(.*?))\t(?<connect_info>(.*?))$" ]
|
|
# }
|
|
# mutate {
|
|
# #add_tag => [ "conf_file_1127"]
|
|
# }
|
|
# }
|
|
#}
|