-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathFirepowerLogstash.conf
114 lines (102 loc) · 5.55 KB
/
FirepowerLogstash.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#####################
# ABOUT THIS SCRIPT #
#####################
#
# FirepowerLogstash.conf
# ----------------
# Author: Alan Nix
# Property of: Cisco Systems
# Version: 1.3
# Release Date: 9/6/2019
#
# Summary
# -------
#
# This is an example Logstash config for Cisco Firepower / Firepower Threat Defense event data.
# This config has now been updated to handle the new syslog format for Firepower Threat Defense 6.5
#
#
# Requirements
# ------------
#
# 1) Logstash
#
#
# How To Run
# ----------
#
# 1) Put this file in your /etc/logstash/conf.d/ folder.
# 2) Restart Logstash if it's not configured to watch for config changes.
# 3) Send syslog to the Logstash server on the port that you specify. (Default: 8514)
#
############################################################
#
# INPUT - Logstash listens on port 8514 for these logs.
#
input {
udp {
port => "8514"
type => "syslog-cisco-firepower"
}
}
#
# FILTER - Try to parse the cisco log format
#
filter {
if [type] == "syslog-cisco-firepower" {
grok {
match => {
"message" => [
"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:source} %{DATA:dvc} Protocol: %{WORD:protocol}, SrcIP: %{IP:src_addr},( OriginalClientIP: %{DATA:client_ip},)? DstIP: %{IP:dst_addr},( ICMPType: %{DATA:icmp_type},)?( ICMPCode: %{DATA:icmp_code},)?( SrcPort: %{INT:src_port},)?( DstPort: %{INT:dst_port},)? TCPFlags: %{BASE16NUM:tcp_flags},( IngressInterface: %{DATA:ingress_interface},)?( EgressInterface: %{DATA:egress_interface},)? IngressZone: %{DATA:ingress_zone}, EgressZone: %{DATA:egress_zone}, DE: %{DATA:engine}, Policy: %{DATA:policy}, ConnectType: %{WORD:conn_type}, AccessControlRuleName: %{DATA:acl_rule_name}, AccessControlRuleAction: %{WORD:acl_rule_action},( AccessControlRuleReason: %{DATA:acl_rule_reason},)?( Prefilter Policy: %{DATA:prefilter_policy},)?( UserName: %{DATA:user_name},)?( UserAgent: %{DATA:user_agent},)?( Client: %{DATA:client},)?( ClientVersion: %{DATA:client_version},)?( ApplicationProtocol: %{WORD:app_protocol},)?( WebApplication: %{DATA:web_app},)? InitiatorPackets: %{NUMBER:init_packets}, ResponderPackets: %{NUMBER:resp_packets}, InitiatorBytes: %{NUMBER:init_bytes}, ResponderBytes: %{NUMBER:resp_bytes},( NAPPolicy: %{DATA:nap_policy},)?( DNSQuery: %{DATA:dns_query},)?( DNSRecordType: %{DATA:dns_rec_type},)? DNSResponseType: %{DATA:dns_response_type},( DNS_TTL: %{NUMBER:dns_ttl},)? Sinkhole: %{WORD:sinkhole},( HTTPReferer: %{URI:http_referer},)?( ReferencedHost: %{URIHOST:referenced_host},)?( URLCategory: %{DATA:url_category},)?( URLReputation: %{DATA:url_reputation},)?( URL: %{GREEDYDATA:url})?",
"%{TIMESTAMP_ISO8601:timestamp} %%{CISCOTAG}: (EventPriority: %{WORD:event_priority}, )?(DeviceUUID: %{UUID:device_uuid}, )?(InstanceID: %{NUMBER:instance_id}, )?(FirstPacketSecond: %{TIMESTAMP_ISO8601:first_packet_timestamp}, )?(ConnectionID: %{NUMBER:connection_id}, )?AccessControlRuleAction: %{WORD:rule_action}, SrcIP: %{IP:src_addr}, (OriginalClientIP: %{DATA:client_ip}, )?DstIP: %{IP:dst_addr}, (ICMPType: %{DATA:icmp_type}, )?(ICMPCode: %{DATA:icmp_code}, )?(SrcPort: %{INT:src_port}, )?(DstPort: %{INT:dst_port}, )?Protocol: %{WORD:protocol}, (IngressInterface: %{DATA:ingress_interface}, )?(EgressInterface: %{DATA:engress_interface}, )?IngressZone: %{DATA:ingress_zone}, (EgressZone: %{DATA:egress_zone}, )?(Security Group: %{DATA:security_group}, )?(Endpoint Profile: %{DATA:endpoint_profile}, )?ACPolicy: %{DATA:access_control_policy}, (AccessControlRuleName: %{DATA:access_control_rule}, )?Prefilter Policy: %{DATA:prefilter_policy}, (Tunnel or Prefilter Rule: %{DATA:prefilter_rule}, )?(User: %{DATA:user}, )?(Client: %{DATA:client}, )?(ApplicationProtocol: %{WORD:app_protocol}, )?(WebApplication: %{DATA:web_app}, )?(ConnectionDuration: %{NUMBER:connection_duration}, )?InitiatorPackets: %{NUMBER:init_packets}, ResponderPackets: %{NUMBER:resp_packets}, InitiatorBytes: %{NUMBER:init_bytes}, ResponderBytes: %{NUMBER:resp_bytes}, NAPPolicy: (?<nap_policy>[a-zA-Z0-9 ]+)(, DNSQuery: %{HOSTNAME:dns_query}, DNSRecordType: %{GREEDYDATA:dns_rec_type})?(, ReferencedHost: %{HOSTNAME:referenced_host})?(, URLCategory: %{DATA:url_category}, URLReputation: %{DATA:url_reputation}, URL: %{URI:url})?"
]
}
overwrite => [ "message" ]
add_tag => [ "cisco-firepower" ]
remove_field => [ "@version" ]
}
date {
match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "MMM d HH:mm:ss", "ISO8601" ]
timezone => "UTC"
}
cidr {
add_tag => [ "src_private" ]
address => [ "%{src_addr}" ]
network => [ "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "169.254.0.0/16", "fe80::/64" ]
}
cidr {
add_tag => [ "dst_private" ]
address => [ "%{dst_addr}" ]
network => [ "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "169.254.0.0/16", "fe80::/64" ]
}
if "src_private" not in [tags] {
geoip {
source => "src_addr"
}
}
if "dst_private" not in [tags] {
geoip {
source => "dst_addr"
}
}
mutate {
convert => {
"dns_ttl" => "integer"
"dst_port" => "integer"
"init_bytes" => "integer"
"init_packets" => "integer"
"resp_bytes" => "integer"
"resp_packets" => "integer"
"src_port" => "integer"
}
}
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => "localhost" # Use the internal IP of your Elasticsearch server
}
}