mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-14 05:02:52 +01:00
32 lines
1.3 KiB
Plaintext
32 lines
1.3 KiB
Plaintext
# Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Email: justin@hasecuritysolution.com
|
|
# Last Update: 12/9/2016
|
|
#
|
|
# This configuration file takes ESXi syslog messages and filters them. There is no input as the logs would have came in via syslog
|
|
filter {
|
|
# This is an example of using an IP address range to classify a syslog message to a specific type of log
|
|
# This is helpful as so many devices only send logs via syslog
|
|
if [host] =~ "10\.[0-1]\.9\." {
|
|
mutate {
|
|
replace => ["type", "esxi"]
|
|
}
|
|
}
|
|
if [host] =~ "\.234$" {
|
|
mutate {
|
|
replace => ["type", "esxi"]
|
|
}
|
|
}
|
|
if [type] == "esxi" {
|
|
grok {
|
|
match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
|
|
|
|
# pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
|
|
}
|
|
mutate {
|
|
#add_tag => [ "conf_file_1029"]
|
|
}
|
|
}
|
|
}
|
|
|