142 строки
3.5 KiB
Plaintext
142 строки
3.5 KiB
Plaintext
input {
|
|
tcp {
|
|
port => 5514
|
|
type => syslog
|
|
codec => cef
|
|
}
|
|
udp {
|
|
port => 5514
|
|
type => syslog
|
|
codec => cef
|
|
}
|
|
}
|
|
|
|
filter {
|
|
geoip {
|
|
source => "src"
|
|
target => "srcGeoIP"
|
|
add_field => { "sourceLongitude" => "%{[srcGeoIP][longitude]}" }
|
|
add_field => { "sourceLatitude" => "%{[srcGeoIP][latitude]}" }
|
|
}
|
|
geoip{
|
|
source => "dst"
|
|
target => "dstGeoIP"
|
|
add_field => { "destinationLongitude" => "%{[dstGeoIP][longitude]}" }
|
|
add_field => { "destinationLatitude" => "%{[dstGeoIP][latitude]}" }
|
|
}
|
|
mutate{
|
|
add_field => { "agentReceiptTime" => "%{@timestamp}" }
|
|
}
|
|
}
|
|
|
|
output {
|
|
syslog {
|
|
host => "127.0.0.1"
|
|
port => 25226
|
|
protocol => "tcp"
|
|
codec => cef {
|
|
reverse_mapping => true
|
|
delimiter => "\r\n"
|
|
vendor => "%{deviceVendor}"
|
|
product => "%{deviceProduct}"
|
|
version => "%{deviceVersion}"
|
|
signature => "%{deviceEventClassId}"
|
|
name => "%{name}"
|
|
severity => "%{severity}"
|
|
fields => [
|
|
"deviceAction",
|
|
"applicationProtocol",
|
|
"deviceCustomIPv6Address1",
|
|
"deviceCustomIPv6Address1Label",
|
|
"deviceCustomIPv6Address2",
|
|
"deviceCustomIPv6Address2Label",
|
|
"deviceCustomIPv6Address3",
|
|
"deviceCustomIPv6Address3Label",
|
|
"deviceCustomIPv6Address4",
|
|
"deviceCustomIPv6Address4Label",
|
|
"deviceEventCategory",
|
|
"deviceCustomFloatingPoint1",
|
|
"deviceCustomFloatingPoint1Label",
|
|
"deviceCustomFloatingPoint2",
|
|
"deviceCustomFloatingPoint2Label",
|
|
"deviceCustomFloatingPoint3",
|
|
"deviceCustomFloatingPoint3Label",
|
|
"deviceCustomFloatingPoint4",
|
|
"deviceCustomFloatingPoint4Label",
|
|
"deviceCustomNumber1",
|
|
"fieldDeviceCustomNumber1",
|
|
"deviceCustomNumber1Label",
|
|
"deviceCustomNumber2",
|
|
"fieldDeviceCustomNumber2",
|
|
"deviceCustomNumber2Label",
|
|
"deviceCustomNumber3",
|
|
"fieldDeviceCustomNumber3",
|
|
"deviceCustomNumber3Label",
|
|
"baseEventCount",
|
|
"deviceCustomString1",
|
|
"deviceCustomString1Label",
|
|
"deviceCustomString2",
|
|
"deviceCustomString2Label",
|
|
"deviceCustomString3",
|
|
"deviceCustomString3Label",
|
|
"deviceCustomString4",
|
|
"deviceCustomString4Label",
|
|
"deviceCustomString5",
|
|
"deviceCustomString5Label",
|
|
"deviceCustomString6",
|
|
"deviceCustomString6Label",
|
|
"destinationHostName",
|
|
"destinationMacAddress",
|
|
"destinationNtDomain",
|
|
"destinationProcessId",
|
|
"destinationUserPrivileges",
|
|
"destinationProcessName",
|
|
"destinationPort",
|
|
"destinationAddress",
|
|
"destinationUserId",
|
|
"destinationUserName",
|
|
"deviceAddress",
|
|
"deviceHostName",
|
|
"deviceProcessId",
|
|
"endTime",
|
|
"fileName",
|
|
"fileSize",
|
|
"bytesIn",
|
|
"message",
|
|
"bytesOut",
|
|
"eventOutcome",
|
|
"transportProtocol",
|
|
"requestUrl",
|
|
"deviceReceiptTime",
|
|
"sourceHostName",
|
|
"sourceMacAddress",
|
|
"sourceNtDomain",
|
|
"sourceProcessId",
|
|
"sourceUserPrivileges",
|
|
"sourceProcessName",
|
|
"sourcePort",
|
|
"sourceAddress",
|
|
"startTime",
|
|
"sourceUserId",
|
|
"sourceUserName",
|
|
"agentHostName",
|
|
"agentReceiptTime",
|
|
"agentType",
|
|
"agentId",
|
|
"cefVersion",
|
|
"agentAddress",
|
|
"agentVersion",
|
|
"agentTimeZone",
|
|
"destinationTimeZone",
|
|
"sourceLongitude",
|
|
"sourceLatitude",
|
|
"destinationLongitude",
|
|
"destinationLatitude",
|
|
"categoryDeviceType",
|
|
"managerReceiptTime",
|
|
"agentMacAddress",
|
|
"reason"
|
|
]
|
|
}
|
|
}
|
|
} |