Atualização - 23/04/2026 - 12:17

2026-04-23 12:17:21 -03:00
parent 82ac465600
commit e412681f96
12 changed files with 307 additions and 0 deletions
--- a/roteiros/06-lab04/pipelines/aplicar_pipeline.json
+++ b/roteiros/06-lab04/pipelines/aplicar_pipeline.json
@@ -0,0 +1,4 @@
+PUT /teste-logs/_settings
+{
+  "index.default_pipeline": "rk-siem_web_logs"
+}
--- a/roteiros/06-lab04/pipelines/deletar_pipeline.json
+++ b/roteiros/06-lab04/pipelines/deletar_pipeline.json
@@ -0,0 +1 @@
+DELETE _ingest/pipeline/rk-siem_web_logs
--- a/roteiros/06-lab04/pipelines/exibir_pipelines_aplicadas.json
+++ b/roteiros/06-lab04/pipelines/exibir_pipelines_aplicadas.json
@@ -0,0 +1 @@
+GET /_settings?filter_path=*.settings.index.default_pipeline
--- a/roteiros/06-lab04/pipelines/listar_pipelines.json
+++ b/roteiros/06-lab04/pipelines/listar_pipelines.json
@@ -0,0 +1 @@
+GET _ingest/pipeline
--- a/roteiros/06-lab04/pipelines/remover_aplicacao_pipeline.json
+++ b/roteiros/06-lab04/pipelines/remover_aplicacao_pipeline.json
@@ -0,0 +1,6 @@
+PUT /teste-logs/_settings
+{
+  "index": {
+    "default_pipeline": null
+  }
+}
--- a/roteiros/06-lab04/pipelines/rk-siem_ssh_logs.json
+++ b/roteiros/06-lab04/pipelines/rk-siem_ssh_logs.json
@@ -0,0 +1,61 @@
+PUT _ingest/pipeline/rk-siem_ssh_logs
+{
+  "description": "Pipeline do RK-SIEM para normalização de logs SSH",
+  "processors": [
+    {
+      "grok": {
+        "field": "log",
+        "patterns": [
+          "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: %{WORD:ssh_event} password for %{USER:user} from %{IP:source_ip} port %{NUMBER:source_port} ssh2",
+          "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: %{WORD:ssh_event} for invalid user %{USER:user} from %{IP:source_ip} port %{NUMBER:source_port} ssh2",
+          "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: Connection closed by (authenticating |)%{IP:source_ip} port %{NUMBER:source_port}"
+        ],
+        "description": "Extrai eventos de Accepted, Failed e Disconnected do SSH"
+      }
+    },
+    {
+      "date": {
+        "field": "timestamp",
+        "formats": ["MMM  d HH:mm:ss", "MMM dd HH:mm:ss"],
+        "target_field": "@timestamp",
+        "description": "Padroniza o tempo vindo do syslog (ex: Oct 10 13:55:36)"
+      }
+    },
+    {
+      "set": {
+        "if": "ctx.ssh_event == 'Accepted'",
+        "field": "event.outcome",
+        "value": "success"
+      }
+    },
+    {
+      "set": {
+        "if": "ctx.ssh_event == 'Failed'",
+        "field": "event.outcome",
+        "value": "failure"
+      }
+    },
+    {
+      "geoip": {
+        "field": "source_ip",
+        "target_field": "geo",
+        "ignore_missing": true,
+        "description": "Enriquecimento: Localiza a origem do acesso"
+      }
+    },
+    {
+      "remove": {
+        "field": ["log", "timestamp", "program"],
+        "ignore_missing": true
+      }
+    }
+  ],
+  "on_failure": [
+    {
+      "set": {
+        "field": "error.message",
+        "value": "Falha no processamento do pipeline rk_siem_ssh_logs"
+      }
+    }
+  ]
+}
--- a/roteiros/06-lab04/pipelines/rk-siem_ssh_logs_teste.json
+++ b/roteiros/06-lab04/pipelines/rk-siem_ssh_logs_teste.json
@@ -0,0 +1,10 @@
+POST _ingest/pipeline/rk-siem_ssh_logs/_simulate
+{
+  "docs": [
+    {
+      "_source": {
+        "log": "Oct 23 11:30:05 servidor-prod sshd[1234]: Failed password for root from 192.168.1.50 port 54321 ssh2"
+      }
+    }
+  ]
+}
--- a/roteiros/06-lab04/pipelines/rk-siem_web_logs.json
+++ b/roteiros/06-lab04/pipelines/rk-siem_web_logs.json
@@ -0,0 +1,51 @@
+PUT _ingest/pipeline/rk-siem_web_logs
+{
+  "description": "Pipeline do RK-SIEM para normalização de logs HTTP - Ajustado para campo 'log'",
+  "processors": [
+    {
+      "grok": {
+        "field": "log",
+        "patterns": [
+          "%{IPORHOST:source_ip} - %{USER:user_id} \\[%{HTTPDATE:timestamp}\\] \"%{WORD:http_method} %{NOTSPACE:url_path} HTTP/%{NUMBER:http_version}\" %{NUMBER:status_code} %{NUMBER:bytes_sent}"
+        ],
+        "description": "Extrai dados do campo 'log' enviado pelo Fluent-bit"
+      }
+    },
+    {
+      "date": {
+        "field": "timestamp",
+        "formats": [
+          "dd/MMM/yyyy:HH:mm:ss Z"
+        ],
+        "target_field": "@timestamp"
+      }
+    },
+    {
+      "convert": {
+        "field": "status_code",
+        "type": "integer"
+      }
+    },
+    {
+      "user_agent": {
+        "field": "user_agent_string",
+        "target_field": "browser_info",
+        "ignore_missing": true
+      }
+    },
+    {
+      "remove": {
+        "field": ["log", "timestamp"],
+        "ignore_missing": true
+      }
+    }
+  ],
+  "on_failure": [
+    {
+      "set": {
+        "field": "error.message",
+        "value": "Falha no processamento do pipeline rk_siem_web_logs"
+      }
+    }
+  ]
+}
--- a/roteiros/06-lab04/pipelines/rk-siem_web_logs_teste.json
+++ b/roteiros/06-lab04/pipelines/rk-siem_web_logs_teste.json
@@ -0,0 +1,10 @@
+POST _ingest/pipeline/rk-siem_web_logs/_simulate
+{
+  "docs": [
+    {
+      "_source": {
+        "log": "192.168.1.10 - - [23/Apr/2026:14:00:12 +0000] \"DELETE /index.html HTTP/1.1\" 500 5124"
+      }
+    }
+  ]
+}
				`@@ -0,0 +1 @@`
				`GET /_settings?filter_path=*.settings.index.default_pipeline`