# Filebeat filestream input for psad (Port Scan Attack Detector) messages.
# Reads the local syslog, keeps only psad lines, tags them with ECS-style
# service/event fields and dissects the three psad message shapes into
# structured fields under the "psad." prefix.
- type: filestream
  id: psad
  enabled: true
  paths:
    - /var/log/syslog
  # include_lines / exclude_lines are regular expressions applied to the raw
  # line before any processor runs. 'psad' is a bare substring match, so any
  # syslog line that merely contains the word is also shipped.
  include_lines: ['psad']
  # NOTE(review): this drops psad's own auto-response lines ("dropping event",
  # "auto-block"), so the record of what psad actively blocked is not shipped —
  # confirm that losing that audit trail is intended.
  exclude_lines: ['dropping event','auto-block']
  processors:
    # NOTE(review): add_tags writes a list, so service.type and event.module
    # become single-element arrays (["psad"]) rather than plain strings —
    # confirm the index mapping / dashboards accept that; event.category is
    # an array field in ECS, so the same treatment is fine there.
    - add_tags:
        tags: ['psad']
        target: "service.type"
    - add_tags:
        tags: ['psad']
        target: "event.module"
    - add_tags:
        tags: ['intrusion_detection']
        target: "event.category"
    # Each dissect runs only when the message contains its marker string.
    # Tokenizer notation: %{} skips a token, %{+k} appends to k, %{k|type}
    # converts the value, and %{*k} / %{&k} capture a key name and its value
    # as a pair (used here for the trailing "pkts: N ... D: N" counters).
    - dissect:
        when:
          contains:
            message: "udp pkts"
        # UDP scan summary: source ip -> local host_ip, protocol, port list.
        tokenizer: "%{+timestamp->} %{+timestamp} %{+timestamp} %{host} %{}: %{info}: %{ip|ip} -> %{host_ip|ip} %{protocol}: [%{port}]%{} %{*pkts}: %{&pkts|integer} %{*D}: %{&D|integer}"
        field: "message"
        target_prefix: "psad"
    - dissect:
        when:
          contains:
            message: "tcp pkts"
        # TCP scan summary: same layout as UDP plus two TCP flag tokens
        # appended into "flags".
        tokenizer: "%{+timestamp->} %{+timestamp} %{+timestamp} %{host} %{}: %{info}: %{ip|ip} -> %{host_ip|ip} %{protocol}: [%{port}] %{}: %{+flags} %{+flags} %{*pkts}: %{&pkts|integer} %{*D}: %{&D|integer}"
        field: "message"
        target_prefix: "psad"
    - dissect:
        when:
          contains:
            message: "signature"
        # Signature match: source ip, quoted signature text captured as a
        # key/value pair, then the matched protocol and port. Single quotes
        # are used here because the pattern itself contains double quotes.
        tokenizer: '%{+timestamp->} %{+timestamp} %{+timestamp} %{host} %{}: %{}: %{ip|ip} %{*sig} "%{&sig}" (%{*i}: %{&i}) %{protocol} %{}: %{port}'
        field: "message"
        target_prefix: "psad"