PUT _ingest/pipeline/rk-siem_ssh_logs
{
"description": "Pipeline do RK-SIEM para normalização de logs SSH",
"processors": [
{
"grok": {
"field": "log",
"patterns": [
"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: %{WORD:ssh_event} password for %{USER:user} from %{IP:source_ip} port %{NUMBER:source_port} ssh2",
"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: %{WORD:ssh_event} for invalid user %{USER:user} from %{IP:source_ip} port %{NUMBER:source_port} ssh2",
"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\\[%{NUMBER:pid}\\]: Connection closed by (authenticating |)%{IP:source_ip} port %{NUMBER:source_port}"
],
"description": "Extrai eventos de Accepted, Failed e Disconnected do SSH"
}
},
{
"date": {
"field": "timestamp",
"formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss"],
"target_field": "@timestamp",
"description": "Padroniza o tempo vindo do syslog (ex: Oct 10 13:55:36)"
}
},
{
"set": {
"if": "ctx.ssh_event == 'Accepted'",
"field": "event.outcome",
"value": "success"
}
},
{
"set": {
"if": "ctx.ssh_event == 'Failed'",
"field": "event.outcome",
"value": "failure"
}
},
{
"geoip": {
"field": "source_ip",
"target_field": "geo",
"ignore_missing": true,
"description": "Enriquecimento: Localiza a origem do acesso"
}
},
{
"remove": {
"field": ["log", "timestamp", "program"],
"ignore_missing": true
}
}
],
"on_failure": [
{
"set": {
"field": "error.message",
"value": "Falha no processamento do pipeline rk-siem_ssh_logs"
}
}
]
}