CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3d71d2a76c8cb8ffb7e1f37523e7608ee3bef40b
securityonion/salt/logstash/files/conf.d/6500_ossec.conf
Mike Reeves 5a6c66bde5 Initial Commit
2018-02-05 12:36:27 -05:00

84 lines
5.0 KiB
Plaintext
Raw Blame History

# Author: Wes Lambert
# wlambertts@gmail.com
#
# Last Update: 05/21/2017
#
# This conf file is based on accepting logs from OSSEC
#
# Parse using grok
filter {
# OSSEC Logs and Alerts
if [type] == "ossec" {
grok {
match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:user}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:user} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:user} : %{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:user}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:user}: %{GREEDYDATA:details}.",
"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:user};",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
# Add tag for OSSEC alerts
add_tag => [ "alert" ]
}
translate {
field => "alert_level"
destination => "classification"
dictionary => [
"1", "None",
"2", "System low priority notification",
"3", "Successful/authorized event",
"4", "System low priority error",
"5", "User generated error",
"6", "Low relevance attack",
"7", '"Bad word" matching',
"8", "First time seen",
"9", "Error from invalid source",
"10", "Multiple user generated errors",
"11", "Integrity checking warning",
"12", "High importance event",
"13", "Unusal error (high importance)",
"14", "High importance security event",
"15", "Severe attack"
]
}
}
if [type] == "ossec" and "alert" not in [tags] {
grok {
match => ["message", "%{DATA:user} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
}
}
# OSSEC Archive Logs
if [type] == "ossec_archive" {
grok {
match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:user} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:user}\) CMD \(%{DATA:command}\)",
"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'"]
remove_field => [ "ossec_timestamp" ]
}
mutate {
convert => [ "status_code", "integer" ]
}
}
# Sysmon logs transported by OSSEC
if [type] =~ "ossec" {
if [message] =~ "WinEvtLog: Microsoft-Windows-Sysmon" {
mutate { replace => { "type" => "sysmon" } }
}
if [message] =~ "AR-LOG" {
mutate { replace => { "type" => "autoruns" } }
}
}
}
Reference in New Issue View Git Blame Copy Permalink