This repository has been archived by the owner on Mar 5, 2021. It is now read-only.

109 lines (84 loc) · 3.33 KB

index.asciidoc

Greynoise filter plugin

Description

The Greynoise filter adds information about IP addresses from Logstash events via the Greynoise API.

GreyNoise is a system that collects and analyzes data on Internet-wide scanners. GreyNoise collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms.

Greynoise Filter Configuration Options

Setting    Input type    Required
ip         string        Yes
key        string        No

ip
  • Value type is string

  • There is no default value for this setting.

The field containing the IP address or hostname to search via Greynoise. If this field is an array, only the first value will be used.

key
  • Value type is string

  • There is no default value for this setting.

Your Greynoise API key. If you don’t have a key, either sign up for a free enterprise trial or simply leave out this field to perform lookups via the Alpha (free) API. NOTE: the enterprise and Alpha APIs do not return the same data.

hit_cache_size
  • Value type is number

  • Default value is 0

Number of items to store in LRU cache.

hit_cache_ttl

  • Value type is number

  • Default value is 60

Time in seconds for LRU cache item eviction.