AnaVazao / SIEM_GDPR

Open-source SIEM solution with pseudonymization

little help needed please #1

Closed idreeszaheer786 closed 7 months ago

idreeszaheer786 commented 8 months ago

Hi. I am a student and trying to implement the GDPR Compliant SIEM. The issue is that I can't find the Logstash output file. You have shared the Logstash input file, in which Logstash takes input and pseudonymizes the data, but I can't find the output Logstash file. Would you please share the code for the output file that sends pseudonymized data to Server A and the original to Server B? Second, I see that in the Beats configuration data is being sent directly to Elasticsearch, why not Logstash? Thanks

AnaVazao commented 8 months ago

Hi idreeszaheer786, I didn't realize I didn't provide the configuration. I'll share the initial one for Winlogbeat, and I suggest you validate that Logstash is receiving logs and afterwards create the certificates.

https://github.com/AnaVazao/SIEM_GDPR/blob/main/prototype/Beats/winlogbeat.yml

PS: What goes directly into Elasticsearch and Kibana are metrics, not user logs.

idreeszaheer786 commented 8 months ago

OK, thank you very much :). And please also elaborate how to send output from Logstash to both servers (pseudonymized to Server A and original to Server B).

AnaVazao commented 8 months ago

Hi idreeszaheer786, I updated the Logstash file: https://github.com/AnaVazao/SIEM_GDPR/blob/main/prototype/Server_Logstash/beats.conf


output { if "clone_name_equip" not in [tags] { elasticsearch { hosts => ["https://IP_Elstic:9201"] user => "elastic" password => "*****" index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+yyyy.MM.dd}" ssl => true ssl_certificate_verification => false cacert => "/etc/logstash/client-ca.cer" } } if "clone_name_equip" in [tags] { elasticsearch { ssl => true ssl_certificate_verification => false hosts => ["IP_SEGUNDO_SERVIDOR:9201"] index => "data_key" document_id => "%{[@metadata][fingerprint_id]}" id => elasticsearch_datakey user => "logstash" password => "**" truststore => "/etc/logstash/keystore.jks" truststore_password => "readonlyrest" } }

idreeszaheer786 commented 8 months ago

Thank you very much. One more thing: I see the filter block two times in the code, and can't see any difference. Is it mistakenly repeated?

AnaVazao commented 8 months ago

Yes, it is a mistake (I fixed it).

idreeszaheer786 commented 8 months ago

Hi, hope you are doing well. I am encountering an error in the Logstash logs on this code line:

    mutate { gsub => [ "%{"[@metadata][ip_orig]}" , " %{[@metadata][fingerprintsip]} " ] }

Any suggestions on how to fix it? Error:

    [2024-02-10T21:28:59,561][ERROR][logstash.javapipeline ][main] Pipeline error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Cannot register filter mutate plugin. The error reported is: Invalid gsub configuration ["%{[@metadata][ip_orig]}", "%{[@metadata][fingerprintsip]}", nil]. gsub requires 3 non-nil elements per config entry>,

idreeszaheer786 commented 8 months ago

Is there any element missing in this line of code?

AnaVazao commented 7 months ago

Hi idreeszaheer786! Sorry for the delay, but I've had a lot of work! Regarding your question, you have to check if the variable is defined and that there are no extra {}.


        mutate {
            add_field => { 
                "[@metadata][name]" => "%{[agent][name]}"
                "[@metadata][name_uppercase]" => "%{[agent][name]}" 
                "[@metadata][name_lowercase]" => "%{[agent][name]}"
                "[@metadata][user]" => "-"
                "[@metadata][user_uppercase]" => "-"
                "[@metadata][user_lowercase]" => "-"
                "[@metadata][ip_orig]" => "-"
                "[@metadata][ip_orig_temp]" => "-"
            }
        }

        # with a key set, the SHA256 method produces a keyed HMAC-SHA-256 digest
        fingerprint {
            source => "[host][ip]"
            target => "[@metadata][fingerprintsip]"
            method => "SHA256"
            key => "HMAC-SHA-256"
        }
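As an added illustration (not the project's own code), the following Python emulates the three steps this thread is about: the keyed fingerprint of `[host][ip]`, the three-element `gsub` (field, pattern, replacement) that the Logstash error insists on, and the tag-based routing of the pseudonymized event to Server A and the fingerprint-to-original mapping to Server B. The sample event, the HMAC key and the route names are constructed for the example.

```python
import copy
import hashlib
import hmac
import re

# Constructed Beats-style event as Logstash would see it after the beats input.
SAMPLE_EVENT = {
    "host": {"ip": "10.1.2.3"},
    "agent": {"name": "WKS-01"},
    "message": "Logon from 10.1.2.3 to server 10.9.9.9",
    "tags": [],
}

# Constructed key. It plays the role of the fingerprint filter's `key` and is what
# makes the mapping reversible only for whoever holds it.
HMAC_KEY = b"example-key-not-for-production"


def fingerprint(value: str, key: bytes = HMAC_KEY) -> str:
    """Like fingerprint { method => "SHA256" key => ... }: keyed HMAC-SHA256, hex."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def gsub(event: dict, field: str, pattern: str, replacement: str) -> dict:
    """Like mutate { gsub => [field, pattern, replacement] }: exactly three elements."""
    if None in (field, pattern, replacement):
        raise ValueError("gsub requires 3 non-nil elements per config entry")
    event[field] = re.sub(pattern, replacement, event[field])
    return event


def pseudonymize(event: dict, key: bytes = HMAC_KEY) -> tuple[dict, dict]:
    """Return (pseudonymized event for Server A, key-mapping clone for Server B)."""
    ip_orig = event["host"]["ip"]
    fp = fingerprint(ip_orig, key)
    # Clone first so the mapping keeps the original value (the clone_name_equip branch).
    key_event = copy.deepcopy(event)
    key_event["tags"] = key_event["tags"] + ["clone_name_equip"]
    key_event["data_key"] = {"fingerprint": fp, "ip_orig": ip_orig}
    # Logstash's gsub treats the needle as a regex, so escape the dots of the IP
    # or "10.1.2.3" would also match "10x1y2z3".
    pseudo = gsub(copy.deepcopy(event), "message", re.escape(ip_orig), fp)
    pseudo["host"]["ip"] = fp  # assumed: the IP field itself is replaced as well
    return pseudo, key_event


def route(event: dict) -> str:
    """Mirror the output block: tagged clones go to the data_key index on Server B."""
    return "server_b:data_key" if "clone_name_equip" in event["tags"] else "server_a:beats"
```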