input {
  # Sophos XG syslog forwarding, accepted over both transports on port 6000.
  # No `host` is set, so Logstash's default bind applies (all interfaces), and
  # nothing here authenticates or encrypts the sender: UDP syslog is trivially
  # spoofable, so restrict reachability of 6000/tcp+udp to the firewall's own
  # address at the network edge (the tcp input's ssl_* options can add TLS).
  udp {
    type => "syslog"
    port => 6000
  }
  tcp {
    type => "syslog"
    port => 6000
  }
}
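filter {
  if [type] == "syslog" {
    # Sophos XG emits key=value pairs; a key with no value arrives as "key= ".
    # Rewrite it to key="" so kv does not swallow the next token as its value.
    mutate {
      gsub => [
        "message", "= ", '="" '
      ]
    }
    # NOTE(review): kv writes every key it finds in the message as a top-level
    # event field. The message arrives straight off the network (no auth on the
    # input), so anyone who can reach port 6000 chooses the field names; consider
    # `target` or `exclude_keys` to keep log content away from event metadata.
    kv {
      id => "sophos_kv"
      source => "message"
      trim_key => " "
      trim_value => " "
      value_split => "="
      field_split => " "
    }
    # Classify and geolocate the source only when the field exists: with no
    # src_ip the literal "%{src_ip}" would be fed to cidr and geoip would then
    # tag the event with a lookup failure.
    if [src_ip] {
      # Tag non-public sources (RFC 1918 plus loopback and link-local) so they are
      # never sent to geoip, which cannot resolve them. IPv6 ranges are not
      # covered here - TODO add them if the firewall logs IPv6 sessions.
      cidr {
        add_tag => [ "src_internalIP" ]
        address => [ "%{src_ip}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16" ]
      }
      if "src_internalIP" not in [tags] {
        geoip {
          add_tag => [ "src_geoip" ]
          source => "src_ip"
        }
      }
    }
    # The destination is classified independently of the source, so that
    # dst_internalIP is set even when the source is external (previously the
    # destination was only examined inside the source-is-internal branch).
    if [dst_ip] {
      cidr {
        add_tag => [ "dst_internalIP" ]
        address => [ "%{dst_ip}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16" ]
      }
      if "dst_internalIP" not in [tags] {
        geoip {
          add_tag => [ "dst_geoip" ]
          source => "dst_ip"
        }
      }
    }
  }
}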
output {
  # Index into the local Elasticsearch node, one index per day. This talks
  # plain HTTP with no credentials, which is only acceptable while the node is
  # bound to localhost; add user/password and TLS before pointing it elsewhere.
  elasticsearch {
    index => "sophos_xg-%{+YYYY.MM.dd}"
    hosts => "localhost:9200"
  }
}