defenxor / dsiem

Security event correlation engine for ELK stack
GNU General Public License v3.0

Unable to send events from Logstash to Dsiem #418

Open alinaa-khalid opened 2 years ago

alinaa-khalid commented 2 years ago

We are trying to send OSSEC logs from Logstash to Dsiem without using Elasticsearch. Below is the Logstash configuration. What output plugin is required to get the desired work done? P.S. When I use dtester with the command `./dtester dsiem -f directives_dsiem.json -v -n 10000000`, Dsiem shows events; otherwise it shows "0 eps". But the desired work is to get events without using dtester. I'll value early responses.

```
input {
  syslog {
    port => 514
    add_field => { "application" => "syslog" }
  }
}

filter {

  if [application] == "syslog" {
    clone { clones => [ "siem_ossec_events" ] }

    if [type] == "siem_ossec_events" {
      mutate {
        id => "tag normalizedEvent 50001"
        remove_field => [ "application", "type" ]
        add_field => {
          "[@metadata][siem_plugin_type]" => "ossec"
          "[@metadata][siem_data_type]" => "normalizedEvent"
        }
      }
    }
  }

  if [@metadata][siem_plugin_type] == "ossec" {
    date {
      id => "timestamp 50001"
      match => [ "[timestamp]", "ISO8601" ]
      target => "[timestamp]"
    }

    mutate {
      id => "siem_event fields 50001"
      replace => {
        "title" => "%{[description]}"
        "src_index_pattern" => "ossec-*"
        "sensor" => "%{[host]}"
        "product" => "Host Intrusion Detection System"
        "src_ip" => "%{[src_ip]}"
        "dst_ip" => "%{[dst_ip]}"
        "protocol" => "TCP/IP"
        "category" => "%{[classification]}"
        "plugin_id" => "50001"
        "plugin_sid" => "%{[id]}"
        "custom_label1" => "message"
        "custom_data1" => "%{[message]}"
      }
    }

    mutate {
      id => "integer fields 50001"
      convert => {
        "plugin_id" => "integer"
        "plugin_sid" => "integer"
      }
    }

    # an unresolved %{[src_ip]} reference stays literal; fall back to 0.0.0.0
    if [src_ip] == "%{[src_ip]}" {
      mutate {
        replace => { "src_ip" => "0.0.0.0" }
        # remove_field => [ "src_ip" ]
      }
    }

    # an unresolved %{[message]} reference: drop the custom label/data pair
    if [custom_data1] == "%{[message]}" {
      mutate { remove_field => [ "custom_label1", "custom_data1" ] }
    }

    # delete fields except those included in the whitelist below
    prune {
      whitelist_names => [ "@timestamp$", "^timestamp$", "@metadata", "^src_index_pattern$", "^title$", "^sensor$", "^product$",
        "^src_ip$", "^dst_ip$", "^plugin_id$", "^plugin_sid$", "^category$", "^subcategory$",
        "^src_port$", "^dst_port$", "^protocol$", "^custom_label1$", "^custom_label2$", "^custom_label3$",
        "^custom_data1$", "^custom_data2$", "^custom_data3$" ]
    }
  }

  if [application] == "dtester" {
    mutate {
      remove_field => [ "application", "beat", "host.name", "source" ]
      add_field => {
        "[@metadata][siem_plugin_type]" => "dtester"
        "[@metadata][siem_data_type]" => "normalizedEvent"
      }
    }
  }

}

output {
  http {
    format => "json"
    http_method => "post"
    url => "http://0.0.0.0:8080"
  }
  stdout { codec => json }
}
```

alinaa-khalid commented 2 years ago

Here is the error I am facing.

mmta commented 1 year ago

Sorry for the late reply. For future reference, what's needed is a Logstash config (plugins) that will transform the Ossec fields into normalized events.

The process can be complicated and error-prone without dsiem-tools' help. So even if you don't want to use Elasticsearch/OpenSearch, I'd still suggest ingesting logs into a temporary ES first just so that you can auto-generate the Logstash config using dsiem-tools. You can remove the ES/OS after that.
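To make concrete what "transforming the OSSEC fields into normalized events" means for the pipeline posted above, here is an added Python re-implementation of the `ossec` branch of that filter block, run on one constructed sample alert. It is not part of this thread and not dsiem's or dsiem-tools' code. The field mapping, the `50001` plugin id and the prune whitelist are taken from the posted config; the sample event is constructed; the sanity checks at the end (valid IP addresses, integer `plugin_id`/`plugin_sid`) are this example's own and are not Dsiem's validation rules. Logstash's automatic `@timestamp` field is not modeled.

```python
"""Offline re-implementation of the 'ossec' branch of the posted Logstash filter.

Useful for inspecting what the HTTP output would POST to Dsiem (and what
`stdout { codec => json }` would print) without running Logstash.
"""
import ipaddress
import json
from datetime import datetime

# Field names kept by the posted prune filter (its regex anchors dropped).
WHITELIST = {
    "@timestamp", "timestamp", "src_index_pattern", "title", "sensor", "product",
    "src_ip", "dst_ip", "plugin_id", "plugin_sid", "category", "subcategory",
    "src_port", "dst_port", "protocol",
    "custom_label1", "custom_label2", "custom_label3",
    "custom_data1", "custom_data2", "custom_data3",
}
PLUGIN_ID = 50001  # the plugin id used throughout the posted config


def ref(event, name):
    """Emulate Logstash's %{[name]} sprintf: a missing field stays a literal placeholder."""
    return str(event[name]) if name in event else "%{[" + name + "]}"


def normalize_ossec(event):
    """Apply the posted filter steps to one decoded event.

    Returns (normalized_event, problems). `problems` lists values this example
    considers unlikely to be accepted downstream; they are not Dsiem's own checks.
    """
    ev = dict(event)
    problems = []

    # date { match => [ "[timestamp]", "ISO8601" ] target => "[timestamp]" }
    try:
        ts = datetime.fromisoformat(str(ev["timestamp"]).replace("Z", "+00:00"))
        ev["timestamp"] = ts.isoformat()
    except (KeyError, ValueError):
        problems.append("timestamp missing or not ISO8601")

    # mutate { replace => { ... } }  (same mapping as the posted config)
    ev.update({
        "title": ref(event, "description"),
        "src_index_pattern": "ossec-*",
        "sensor": ref(event, "host"),
        "product": "Host Intrusion Detection System",
        "src_ip": ref(event, "src_ip"),
        "dst_ip": ref(event, "dst_ip"),
        "protocol": "TCP/IP",
        "category": ref(event, "classification"),
        "plugin_id": str(PLUGIN_ID),
        "plugin_sid": ref(event, "id"),
        "custom_label1": "message",
        "custom_data1": ref(event, "message"),
    })

    # mutate { convert => { "plugin_id" => "integer" "plugin_sid" => "integer" } }
    for field in ("plugin_id", "plugin_sid"):
        try:
            ev[field] = int(ev[field])
        except ValueError:
            problems.append(f"{field} is not an integer: {ev[field]!r}")

    # if [src_ip] == "%{[src_ip]}" -> replace with 0.0.0.0
    if ev["src_ip"] == "%{[src_ip]}":
        ev["src_ip"] = "0.0.0.0"
    # if [custom_data1] == "%{[message]}" -> remove the custom label/data pair
    if ev["custom_data1"] == "%{[message]}":
        ev.pop("custom_label1")
        ev.pop("custom_data1")

    # prune { whitelist_names => [ ... ] }
    ev = {k: v for k, v in ev.items() if k in WHITELIST}

    # Example's own sanity checks. The posted config only repairs an unresolved
    # src_ip, so an unresolved dst_ip reference survives as a literal placeholder.
    for field in ("src_ip", "dst_ip"):
        try:
            ipaddress.ip_address(ev[field])
        except ValueError:
            problems.append(f"{field} is not a valid IP address: {ev[field]!r}")
    return ev, problems


# Constructed sample of a decoded OSSEC alert as it might arrive from the syslog
# input; deliberately has no dst_ip field. Not a real alert.
SAMPLE = {
    "timestamp": "2023-03-01T10:15:30Z",
    "description": "Multiple authentication failures",
    "host": "ossec-manager",
    "src_ip": "203.0.113.7",
    "classification": "authentication_failures",
    "id": "40111",
    "message": "sshd: authentication failure for user root",
}

if __name__ == "__main__":
    normalized, found = normalize_ossec(SAMPLE)
    print(json.dumps(normalized, indent=2))  # roughly what stdout { codec => json } shows
    for problem in found:
        print("problem:", problem)
```

Running it shows the normalized document with `plugin_id`/`plugin_sid` as integers and the source fields pruned away, plus one reported problem: `dst_ip` is the literal `%{[dst_ip]}`, because the posted config has no fallback for it the way it has for `src_ip`. Dropping `src_ip` from the sample exercises that fallback and yields `0.0.0.0`.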