mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
24 lines
1.1 KiB
Plaintext
24 lines
1.1 KiB
Plaintext
# Author: Wes Lambert
|
|
# wlambertts@gmail.com
|
|
#
|
|
# Last Update: 07/17/2017
|
|
#
|
|
# This conf file is based on accepting Autoruns logs from OSSEC
|
|
#
|
|
# Parse using grok
|
|
filter {
|
|
if [type] == "autoruns" {
|
|
grok {
|
|
match => ["message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"]
|
|
}
|
|
#csv {
|
|
# columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
|
|
# separator => "|"
|
|
# }
|
|
mutate {
|
|
remove_field => [ "year" ]
|
|
remove_field => [ "timestamp" ]
|
|
}
|
|
}
|
|
}
|