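# Logstash pipeline for the snort-docker stack.
#
# Two Snort log files are tailed, tagged with a [type] that every filter and
# output conditional below keys on, parsed (JSON alerts, CSV AppID stats) and
# shipped to Elasticsearch under per-day indices. Elasticsearch hosts and
# credentials are read from environment variables, so no secret is stored in
# this file.

input {
  file {
    mode => "tail"
    # Routing key for the filter and output sections.
    type => "snort-json"
    path => "/usr/share/logstash/ingest_data/alert_json.txt"
  }
  file {
    mode => "tail"
    type => "snort-appid"
    path => "/usr/share/logstash/ingest_data/appid_stats.log"
  }
}

filter {
  if [type] == "snort-json" {
    # Only lines that look like a whole JSON object reach the json filter;
    # anything else keeps its raw [message] instead of producing a parse
    # failure (e.g. a line read while Snort is still writing it).
    if [message] =~ /^{.*}$/ {
      json {
        source => "message"
        # NOTE(review): parsed keys are written at the event root, so an alert
        # field named "type" (or "message") would overwrite the routing field
        # set by the input. A `target` option would isolate the parsed fields,
        # but that changes the document layout in the snort-json-* indices;
        # confirm with downstream consumers before adding one.
      }
    }
  }
  if [type] == "snort-appid" {
    csv {
      source => "message"
      separator => ","
      skip_header => "false"
      columns => ["timestamp","app","bytesToClient","bytesToServer"]
    }
    mutate {
      # Only the byte counters are converted. mutate's convert accepts
      # integer/float/string/boolean style targets only; "date" is not one of
      # them and a `timestamp => "date"` entry here fails configuration
      # validation, so the timestamp column is left as a string.
      # TODO: parse it with `date { match => ["timestamp", "<FORMAT-OF-appid_stats.log>"] }`
      # once the log's timestamp format has been confirmed.
      convert => {
        bytesToClient => "integer"
        bytesToServer => "integer"
      }
    }
  }
}

output {
  # Both outputs talk to the same cluster with the same credentials; only the
  # index name differs, so the two [type]s never mix in one index.
  if [type] == "snort-json" {
    elasticsearch {
      index => "snort-json-%{+YYYY.MM.dd}"
      hosts => "${ELASTIC_HOSTS}"
      user => "${ELASTIC_USER}"
      password => "${ELASTIC_PASSWORD}"
      # Relative path: it is resolved against Logstash's working directory,
      # so verify it points at the CA bundle inside the container (an absolute
      # path is less fragile). Newer versions of the elasticsearch output
      # supersede `cacert` with `ssl_certificate_authorities`; check the
      # plugin version in use before relying on this option long-term.
      cacert => "certs/ca/ca.crt"
    }
  }
  if [type] == "snort-appid" {
    elasticsearch {
      index => "snort-appid-%{+YYYY.MM.dd}"
      hosts => "${ELASTIC_HOSTS}"
      user => "${ELASTIC_USER}"
      password => "${ELASTIC_PASSWORD}"
      cacert => "certs/ca/ca.crt"
    }
  }
}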