| author | jerome <jerome@xlinfo.fr> | 2023-09-30 22:41:07 +0200 |
|---|---|---|
| committer | jerome <jerome@xlinfo.fr> | 2023-09-30 22:41:07 +0200 |
| commit | 788e4af10b9da09ec0ae981f0f8a3e163a76bdc3 (patch) | |
| tree | 8bc86b2ef2090de85316670f19b1a486c27c041b | |
| download | filebeat-788e4af10b9da09ec0ae981f0f8a3e163a76bdc3.tar.gz filebeat-788e4af10b9da09ec0ae981f0f8a3e163a76bdc3.zip | |
| -rw-r--r-- | fail2ban.yml | 31 | ||||
| -rw-r--r-- | psad.yml | 39 |
2 files changed, 70 insertions, 0 deletions
diff --git a/fail2ban.yml b/fail2ban.yml
new file mode 100644
index 0000000..bdec775
--- /dev/null
+++ b/fail2ban.yml
@@ -0,0 +1,31 @@
+- type: filestream
+ id: fail2ban
+ enabled: true
+ paths:
+ - /var/log/fail2ban.log
+ include_lines: ['Ban','Unban','Found']
+ processors:
+ - add_tags:
+ tags: ['fail2ban']
+ target: "service.type"
+ - add_tags:
+ tags: ['fail2ban']
+ target: "event.module"
+ - add_tags:
+ tags: ['intrusion_detection']
+ target: "event.category"
+ - dissect:
+ when:
+ contains:
+ message: "INFO"
+ tokenizer: "%{+timestamp} %{+timestamp} %{component->} [%{pid}]: %{log_level->} [%{jail}] %{action} %{ip|ip} - %{} %{}"
+ field: "message"
+ target_prefix: "fail2ban"
+ - dissect:
+ when:
+ contains:
+ message: "NOTICE"
+ tokenizer: "%{+timestamp} %{+timestamp} %{component->} [%{pid}]: %{log_level->} [%{jail}] %{action} %{ip|ip}"
+ field: "message"
+ target_prefix: "fail2ban"
+
diff --git a/psad.yml b/psad.yml
new file mode 100644
index 0000000..cd5af7e
--- /dev/null
+++ b/psad.yml
@@ -0,0 +1,39 @@
+- type: filestream
+ id: psad
+ enabled: true
+ paths:
+ - /var/log/syslog
+ include_lines: ['psad']
+ exclude_lines: ['dropping event','auto-block']
+ processors:
+ - add_tags:
+ tags: ['psad']
+ target: "service.type"
+ - add_tags:
+ tags: ['psad']
+ target: "event.module"
+ - add_tags:
+ tags: ['intrusion_detection']
+ target: "event.category"
+ - dissect:
+ when:
+ contains:
+ message: "udp pkts"
+ tokenizer: "%{+timestamp->} %{+timestamp} %{+timestamp} %{host} %{}: %{info}: %{ip|ip} -> %{host_ip|ip} %{protocol}: [%{port}]%{} %{*pkts}: %{&pkts|integer} %{*D}: %{&D|integer}"
+ field: "message"
+ target_prefix: "psad"
+ - dissect:
+ when:
+ contains:
+ message: "tcp pkts"
+ tokenizer: "%{+timestamp->} %{+timestamp} %{+timestamp} %{host} %{}: %{info}: %{ip|ip} -> %{host_ip|ip} %{protocol}: [%{port}] %{}: %{+flags} %{+flags} %{*pkts}: %{&pkts|integer} %{*D}: %{&D|integer}"
+ field: "message"
+ target_prefix: "psad"
+ - dissect:
+ when:
+ contains:
+ message: "signature"
+ tokenizer: '%{+timestamp->} %{+timestamp} %{+timestamp} %{host} %{}: %{}: %{ip|ip} %{*sig} "%{&sig}" (%{*i}: %{&i}) %{protocol} %{}: %{port}'
+ field: "message"
+ target_prefix: "psad"
+
|
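Review bot: The banned address is captured only as `fail2ban.ip` by both dissect tokenizers (and psad.yml likewise keeps the scanner and target as `psad.ip` / `psad.host_ip`), so detection rules, correlation and dashboards keyed on ECS `source.ip` / `destination.ip` will never see these events even though `event.category` is set to the ECS value `intrusion_detection`. A mapping step after the dissect processors fixes that, e.g. `- copy_fields: {fields: [{from: fail2ban.ip, to: source.ip}], fail_on_error: false, ignore_missing: true}`, with the equivalent `psad.ip` → `source.ip` and `psad.host_ip` → `destination.ip` in psad.yml. Separately, `add_tags` appends to a list, so `service.type` and `event.module` are produced as arrays where ECS defines scalar keywords; `add_fields` with `target: ""` is the usual way to set those, while `event.category` is array-typed in ECS and can stay as written.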
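Review bot: `include_lines: ['psad']` is a substring match on the whole of /var/log/syslog, so every psad line that fits none of the three `when.contains.message` conditions (daemon start/stop and status messages, for instance) is still tagged and indexed without any fields extracted, and a line that does match a condition but not its tokenizer hits a dissect failure, since `ignore_failure` is left at its default — as I read the dissect docs, that returns an error and skips the remaining processors for the event. Narrowing the filter to the shapes actually tokenized, `include_lines: ['udp pkts','tcp pkts','signature']`, keeps the untokenized lines out of the index; alternatively add `ignore_failure: true` to each dissect if those lines are wanted as raw events. The `%{*pkts}: %{&pkts|integer}` and `%{*D}: %{&D|integer}` pairs take their field names from the log text itself, which is worth a comment next to each tokenizer so the resulting `psad.*` field names are not a surprise to whoever writes the detections.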
