我昨天按照 ELK 指南开始搭建,很轻松就把 ELK 跑起来了。接下来我想把 Snort 的警报日志接进去。我为 Logstash 配置了过滤器和那套令人头疼的 Grok 正则表达式(如下所示)来拆分各个字段,并在 Grok Debugger 里测试通过了。然后我启动了 Snort,警报日志开始写入,接着重启了 Logstash(当然是先 --configtest 通过之后再重启)。我安装了 ES 的 "Head" 插件,以便稍微查看一下数据。看起来我的 Snort 警报被套用了 howto 中创建的那个 syslog 映射(见下图)。在 ES 中,我无法按 Logstash 配置里定义的任何字段(ids_proto、src_ip、dst_ip)进行搜索。为什么会这样?我需要自己定义映射吗?还是别的地方出了问题?
input {
  file {
    # Snort "fast" alert log: one alert per line.
    path => "/var/log/snort/alert"
    # Tag these events so the filter and output sections can tell them
    # apart from the syslog events of the original guide.
    type => "snort_tcp"
    # Tutorial settings: read the file from the top and keep no read
    # position (sincedb in /dev/null), so the whole file is re-ingested on
    # every Logstash restart. ignore_older => 0 turns off the file age
    # check so a file older than a day is still picked up. Expect
    # duplicated alerts in the index with this combination; for a real
    # deployment point sincedb_path at a persistent file instead.
    start_position => "beginning"
    ignore_older => 0
    sincedb_path => "/dev/null"
  }
}
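filter {
  # Everything below is scoped to the Snort input so that syslog events from
  # the guide's other inputs are left untouched (the original config only
  # gated the grok and ran geoip/severity logic on every event).
  if [type] == "snort_tcp" {
    # Parse a Snort "fast" alert line, e.g.
    #   01/15-12:34:56.789012 [**] [1:1000001:1] RULE MESSAGE [**] [Classification: Some Class] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
    # The pattern is anchored at ^ so a line that does not start with the
    # timestamp fails immediately instead of making the regex engine scan the
    # whole (attacker-influenced) line looking for a later match.
    # NOTE: the original pattern gave BOTH the rule message and the {PROTO}
    # token the name "ids_proto", which turns ids_proto into a two-element
    # array and makes the /^ET/ and /^GPL/ checks below unreliable. The rule
    # message now lands in ids_sig_name and ids_proto holds only the protocol.
    # Lines without a "[Classification: ...]" block (rules with no classtype)
    # do not match this pattern and are tagged _grokparsefailure.
    grok {
      match => { "message" => "^%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\]\s+\[%{INT:ids_gid}\:%{INT:ids_sid}\:%{INT:ids_rev}\]\s+%{DATA:ids_sig_name}\s+\[\*\*\]\s+\[Classification:\s+%{DATA:ids_classification}\]\s+\[Priority:\s+%{INT:priority}\]\s+\{%{WORD:ids_proto}\}\s+%{IP:src_ip}\:%{INT:src_port}\s+\-\>\s+%{IP:dst_ip}\:%{INT:dst_port}" }
      add_tag => [ "IDS" ]
    }

    # Use the alert's own timestamp as @timestamp instead of the ingest time,
    # so the Kibana timeline shows when the traffic was actually seen. Snort
    # fast alerts carry no year; the date filter fills in the current year and
    # interprets the time in the Logstash host's zone (set `timezone =>` if
    # the sensor's clock differs). On a parse failure the event keeps its
    # ingest-time @timestamp, gets _dateparsefailure, and ids_time is left in
    # place for debugging.
    if [month] {
      mutate {
        add_field => { "ids_time" => "%{month}/%{day}-%{hour}:%{minute}:%{second}" }
      }
      date {
        match => [ "ids_time", "MM/dd-HH:mm:ss.SSSSSS", "MM/dd-HH:mm:ss" ]
        remove_field => [ "ids_time" ]
      }
    }

    # GeoIP enrichment only for events that parsed; this also stops the
    # lookup from running (and tagging a failure) when the fields are absent.
    if [src_ip] {
      geoip {
        source => "[src_ip]"
        target => "SrcGeo"
      }
    }
    if [dst_ip] {
      geoip {
        source => "[dst_ip]"
        target => "DstGeo"
      }
    }

    # priority is captured as a string by grok, so compare against string
    # literals (an integer field would not equal "1").
    if [priority] == "1" {
      mutate { add_field => { "severity" => "High" } }
    } else if [priority] == "2" {
      mutate { add_field => { "severity" => "Medium" } }
    } else if [priority] == "3" {
      mutate { add_field => { "severity" => "Low" } }
    }

    # Classify the rule source from the message prefix: Emerging Threats
    # rules start with "ET " or "GPL ", everything else is treated as a
    # stock Snort rule.
    if [ids_sig_name] {
      if [ids_sig_name] =~ /^(GPL|ET)/ {
        mutate {
          add_tag => [ "Snort-ET-sig" ]
          add_field => { "ids_rule_type" => "Emerging Threats" }
        }
      } else {
        mutate {
          add_tag => [ "Snort-sig" ]
          add_field => { "ids_rule_type" => "Snort" }
        }
      }
    }

    # Build a lookup link for the signature. These are external, plain-http
    # links rendered in Kibana; they carry only gid/sid, no packet data.
    if "Snort-sig" in [tags] {
      # Fixed: the gid 1 URL previously read "rootedyour/.com", an unreachable host.
      if [ids_gid] == "1" {
        mutate { add_field => { "Signature_Info" => "http://rootedyour.com/snortsid?sid=%{ids_sid}" } }
      } else {
        mutate { add_field => { "Signature_Info" => "http://rootedyour.com/snortsid?sid=%{ids_gid}-%{ids_sid}" } }
      }
    }
    if "Snort-ET-sig" in [tags] {
      mutate { add_field => { "Signature_Info" => "http://doc.emergingthreats.net/bin/view/Main/%{ids_sid}" } }
    }
  }
}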
output {
  elasticsearch {
    # Plain HTTP to a local node; no credentials or TLS are configured here.
    hosts => ["localhost:9200"]
    # No index template is pushed, so a brand-new snort_tcp-* index falls
    # back to Elasticsearch dynamic mapping (see the answer below for why
    # that breaks field searches).
    manage_template => false
    # One index per day, named by event date.
    index => "snort_tcp-%{+YYYY.MM.dd}"
  }
}
答案1
这里有几件事:
- Logstash 自带的默认模板并不会把字符串字段简单地全部设为"未分析",而是(通常,具体取决于版本)在分词的主字段之外再保留一个未分析的子字段(旧版为 .raw,5.x 起为 .keyword),这样像 IP 地址这类值可以整体精确匹配,对下游的查看/聚合工具更友好。
- 像你现在这样完全不设置映射(manage_template => false,且索引名不是 logstash-*),走的是 Elasticsearch 默认的动态映射,它会对字符串做分词,并不适合 Logstash 产出的这类字段。
为了进行测试,我推荐以下输出部分:
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # Let Logstash install its own index template ...
    manage_template => true
    # ... and write to the logstash-* indices that template applies to.
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
按这种方式设置后,logstash-* 索引会套用 Logstash 自带的默认映射,结果应该更接近你的预期。如果由此确认问题就出在映射上,而你仍想保留自定义的 snort_tcp-* 索引名,就需要自己编写一个模板/映射文件,并在输出中指定它:
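output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => true
    index => "snort_tcp-%{+YYYY.MM.dd}"
    # Your own index template; its index pattern must cover "snort_tcp-*"
    # or the mapping will never be applied to these indices.
    template => "/etc/logstash/template.json"
    template_name => "snort_tcp"
    # Without this, a template named "snort_tcp" that already exists in
    # Elasticsearch is left untouched, so edits to template.json would
    # silently not take effect on restart while you iterate on the mapping.
    template_overwrite => true
  }
}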