# syslog-ng configuration syntax version this file targets.
@version: 3.2
# Remote syslog input: plain TCP and UDP listeners.
# Neither call carries an ip()/port() option, so syslog-ng's built-in
# defaults decide the bind address and port; nothing in this file limits
# which peers may send, and neither transport is authenticated or
# encrypted. The log path copies $SOURCEIP into HOST (r_host) before
# parsing, so a peer's self-reported header hostname is not what reaches
# ELSA (unless r_extracted_host later replaces HOST from a patterndb
# match), but any peer able to reach the listener can still inject
# arbitrary message text.
source s_network {
tcp();
udp();
};
# Pattern-database parser. Classifies each message against the ELSA
# patterndb and populates the values read later in this file:
# ${.classifier.class} and ${i0}..${i5} / ${s0}..${s5} in t_db_parsed,
# and $pdb_extracted_sourceip in r_extracted_host.
# NOTE(review): assumes the XML's patterns define those names — confirm
# against the patterndb file.
parser p_db {
db-parser(file("/opt/elsa/node/conf/patterndb.xml"));
};
# Cisco IOS style text whose MSGONLY starts with "%FACILITY-N-MNEMONIC: ".
# Group 1 is the "%..." tag, group 2 the rest of the line; store-matches
# makes them available as $1/$2 to r_cisco_program.
filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
# Same as f_rewrite_cisco_program, but for messages that carry a Cisco
# timestamp prefix first: optional "*" or ".", month name, day, hh:mm:ss,
# optional fractional seconds and a three-letter zone, then ": ". Group 1 is
# the "%..." tag (anything up to the next ":"), group 2 the rest of the line.
filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
# Third Cisco variant: an uptime prefix such as "<n>w<n>d: " (two
# number+unit pairs from y/w/d/h) before the "%..." tag. Groups as in the
# other two filters: $1 = tag, $2 = remaining text.
filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
#filter f_local7 { facility(local7); };
### added
# Local host sources. Despite the name, nothing here is Suricata-specific:
# the /dev/log datagram socket (local syslog clients), syslog-ng's own
# internal() messages, and the kernel ring via /proc/kmsg with PROGRAM
# forced to "kernel".
# NOTE(review): opening /proc/kmsg typically needs elevated privileges for
# the syslog-ng process — confirm how it runs on this node.
source s_suricata { unix-dgram("/dev/log"); internal();
file("/proc/kmsg" program_override("kernel")); };
# When MSGONLY matched one of the three Cisco filters (each stores its
# capture groups), move the "%..." tag into PROGRAM and the remaining text
# into MESSAGE. The same three-way condition is evaluated once per set();
# $1/$2 come from whichever filter matched — if more than one pattern could
# match the same text, which one supplies the groups depends on the
# or-evaluation, confirm if that matters.
rewrite r_cisco_program {
set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
};
# Snare-forwarded Windows events arrive with a PROGRAM of the form
# "MSWinEventLog...Security|Application|System..."; collapse it to just the
# event log name. The pattern is unanchored and global, so any PROGRAM
# containing that substring is rewritten.
rewrite r_snare { subst("MSWinEventLog.+(Security|Application|System).+", "$1", value("PROGRAM") flags(global)); };
# t_db_parsed is tab-separated, so a tab inside the message body would shift
# columns for elsa.pl; replace every tab in MESSAGE with "|".
# Only MESSAGE is scrubbed: HOST and PROGRAM are not, and an embedded newline
# (which would end the template line early) is not handled here either —
# confirm whether any source in this file can deliver one.
rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
# Replace the hostname from the syslog header with the sender's address.
# It runs first in the log path, so by the time messages are classified and
# forwarded HOST is no longer sender-supplied header text. For the file and
# local-socket sources $SOURCEIP is whatever syslog-ng assigns to a
# non-network source — confirm that is what ELSA expects for them.
rewrite r_host { set("$SOURCEIP", value("HOST")); };
# If the patterndb extracted a source address from the message body, let it
# replace HOST after parsing (relay / embedded-address cases).
# Risk note: for any message a pattern extracts from, HOST becomes
# message-derived again, so attribution can be steered by message content
# and the $SOURCEIP stamped by r_host is no longer present in HOST; keep
# that in mind when relying on HOST for investigation.
rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST") condition("$pdb_extracted_sourceip" != "")); };
# Line format consumed by elsa.pl: 17 tab-separated fields terminated by a
# newline — receive time (epoch, $R_UNIXTIME is when syslog-ng received the
# message, not the header timestamp), HOST, PROGRAM, patterndb class,
# MSGONLY, then ${i0}..${i5} and ${s0}..${s5} from the patterndb match
# (presumably integer and string fields respectively — verify against the
# patterndb). Tabs in MESSAGE are replaced by r_pipes before this runs.
template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); };
# Bro conn.log: each line becomes one message stored verbatim (no-parse),
# with PROGRAM forced to "bro_conn" (presumably what the patterndb keys on).
source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
# Bro http.log, same treatment as s_bro_conn: raw lines, PROGRAM "bro_http".
source s_bro_http {
file("/nsm/bro/logs/current/http.log" flags(no-parse) program_override("bro_http"));
};
# Bro dns.log: raw lines, PROGRAM "bro_dns".
source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
# Bro notice.log: raw lines, PROGRAM "bro_notice".
source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
# Bro smtp.log: raw lines, PROGRAM "bro_smtp".
source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
# Bro smtp_entities.log: raw lines, PROGRAM "bro_smtp_entities".
source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
# Bro ssl.log: raw lines, PROGRAM "bro_ssl".
source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
# OSSEC archive log: raw lines, PROGRAM "ossec_archive". This is the only
# file source here that sets follow_freq(1), i.e. the file is polled every
# second; the Bro sources rely on the default.
source s_ossec { file("/var/ossec/logs/archives/archives.log" program_override('ossec_archive') follow_freq(1) flags(no-parse)); };
# Hand every formatted line (t_db_parsed) to the ELSA node loader on its
# standard input. program() runs exactly this command line, presumably under
# the same user as syslog-ng itself — confirm, since it inherits whatever
# privileges the sources above required (e.g. /proc/kmsg).
destination d_elsa { program("perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf" template(t_db_parsed)); };
# Single pipeline: all sources, then rewrites, parser, rewrite, destination.
# The order of the rewrite/parser steps matters:
#  - r_host first, so HOST is the sender address before anything reads it;
#  - r_cisco_program before r_pipes, so the Cisco filters match the text
#    before tabs are replaced (assuming MSGONLY and MESSAGE refer to the same
#    text in this syslog-ng version — confirm);
#  - parser(p_db) after r_pipes, so patterndb patterns see "|" where tabs
#    were;
#  - r_extracted_host after the parser, since it reads a value the parser
#    sets.
# The f_local7 filter is commented out (here and at its definition), so no
# message is filtered in this path.
log {
source(s_suricata); #filter (f_local7);
source(s_bro_conn);
source(s_bro_http);
source(s_bro_dns);
source(s_bro_notice);
source(s_bro_smtp);
source(s_bro_smtp_entities);
source(s_bro_ssl);
source(s_ossec);
source(s_network);
rewrite(r_host);
rewrite(r_cisco_program);
rewrite(r_snare);
rewrite(r_pipes);
parser(p_db);
rewrite(r_extracted_host);
destination(d_elsa);
};