# ───────────────────────────────────────────────────────────────────────────────────────────────────
# ─██████████████─████████████████───██████──────────██████─██████████████─██████████─██████████████─
# ─██░░░░░░░░░░██─██░░░░░░░░░░░░██───██░░██████████████░░██─██░░░░░░░░░░██─██░░░░░░██─██░░░░░░░░░░██─
# ─██░░██████░░██─██░░████████░░██───██░░░░░░░░░░░░░░░░░░██─██░░██████░░██─████░░████─██░░██████████─
# ─██░░██──██░░██─██░░██────██░░██───██░░██████░░██████░░██─██░░██──██░░██───██░░██───██░░██─────────
# ─██░░██████░░██─██░░████████░░██───██░░██──██░░██──██░░██─██░░██████░░██───██░░██───██░░██████████─
# ─██░░░░░░░░░░██─██░░░░░░░░░░░░██───██░░██──██░░██──██░░██─██░░░░░░░░░░██───██░░██───██░░░░░░░░░░██─
# ─██░░██████░░██─██░░██████░░████───██░░██──██████──██░░██─██░░██████░░██───██░░██───██░░██████████─
# ─██░░██──██░░██─██░░██──██░░██─────██░░██──────────██░░██─██░░██──██░░██───██░░██───██░░██─────────
# ─██░░██──██░░██─██░░██──██░░██████─██░░██──────────██░░██─██░░██──██░░██─████░░████─██░░██████████─
# ─██░░██──██░░██─██░░██──██░░░░░░██─██░░██──────────██░░██─██░░██──██░░██─██░░░░░░██─██░░░░░░░░░░██─
# ─██████──██████─██████──██████████─██████──────────██████─██████──██████─██████████─██████████████─
# ───────────────────────────────────────────────────────────────────────────────────────────────────
# Syslog over UDP from the ARMA Industrial Endpoint agents.
# UDP syslog carries no authentication and the sender address is trivially
# spoofable; "0.0.0.0" listens on every interface. Restrict reachability of
# {{port}} to the expected sender network with host/network firewalling.
[sources.ie_{{pk}}_socket_source]
type = "syslog"
mode = "udp"
address = "0.0.0.0:{{port}}"

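# 1. Keep only CEF messages.
# The pattern requires the "CEF:<version>|" prefix that the parse_regex step
# downstream depends on, so messages that cannot be parsed there are dropped
# here instead of reaching the Lua hooks with missing fields.
# The previous pattern r'^*CEF:.*' repeated the start anchor ('^*'), which
# appears to make it unanchored and only demand the substring "CEF:".
[transforms.ie_{{pk}}_cef_filter]
type = "filter"
inputs = ["ie_{{pk}}_socket_source"]
condition = '''match(string!(.message), r'CEF:\d+\|')'''
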
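# Parse the CEF header out of the syslog message and set the common fields.
[transforms.ie_{{pk}}_parse_logs]
type = "remap"
inputs = ["ie_{{pk}}_cef_filter"]
source = '''
# CEF header layout:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature|Name|Severity|Extension
. |= parse_regex!(.message, r'CEF:\d+\|(?P<device_vendor>([^\|]*))\|(?P<device_product>([^\|]*))\|(?P<device_version>([^\|]*))\|(?P<signature>([^\|]*))\|(?P<name>([^\|]*))\|(?P<severity>([^\|]*))\|(?P<extension>.*)')

# Ingestion time as RFC 3339 ("%+"). now() already yields a timestamp, so the
# previous to_timestamp() round-trip was unnecessary.
.@timestamp = format_timestamp!(now(), format: "%+")

.aggregated = "false"
.format = "CEF"
.orig_message = .message
.event_src_msg = .message

# The vendor string from the header is deliberately replaced by a fixed value.
.device_vendor = "Infowatch ARMA"

# .host is populated by the syslog source (hostname from the syslog header,
# falling back to the sender address - confirm against the Vector release in
# use). It was assigned to .source_ip three times before; once is enough.
.source_ip = .host
.source_host = .host
.destination_ip = "127.0.0.1"

.event_severity = .severity
.sign_category = .signature

# The extension is parsed key=value by a later Lua stage.
.extension = strip_whitespace(.extension)
.extension = strip_ansi_escape_codes(.extension)
'''
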
# Check device product.
# Only events from the ARMAIE product continue; everything else is dropped
# here (no emit). Also sets the per-instance event type used by later stages.
[transforms.ie_{{pk}}_check_device_product]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_logs"]
hooks.process = """
function(event, emit)
  local product = event.log["device_product"]
  if product ~= "ARMAIE" then
    return
  end
  event.log.type = "endpoint_{{ pk }}"
  event.log.device_product = "Industrial Endpoint"
  emit(event)
end
"""

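# Parse key=value pairs of the CEF extension into log fields.
[transforms.ie_{{pk}}_parse_key_value]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_check_device_product"]
hooks.process = """
function(event, emit)
  -- 'local': the original assigned a global, which persists in the Lua
  -- state across events.
  local ext = event.log["extension"]
  if type(ext) == "string" then
    -- Optional leading blanks, a key up to '=', then a value that runs up to
    -- the last blank before the next '=' (frontier %f[%s%z]). Values that
    -- contain an escaped '=' (CEF escapes it with a backslash) are not handled.
    for name, value in ext:gmatch("%s*([^=]*)=([^=]*)%f[%s%z]") do
      -- Keys are sender-controlled. Never let them overwrite a field that an
      -- earlier stage already set (type, source_ip, device_product, ...),
      -- otherwise a crafted message could rewrite normalized fields.
      -- Fields that no later stage sets remain sender-controlled; the prune
      -- stage limits which of them reach the sink.
      if event.log[name] == nil then
        event.log[name] = value
      end
    end
  end
  emit(event)
end
"""
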
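{% if adjust_datetime == 1 %}
# Event time = receive time; the CEF 'rt' field is ignored in this branch.
[transforms.ie_{{pk}}_made_timestamp]
type = "remap"
inputs = ["ie_{{pk}}_parse_key_value"]
source = """
.event_timestamp = format_timestamp!(now(), format: "%+")
"""
{%else%}
# Event time from the CEF 'rt' (receipt time) field, rendered as UTC.
[transforms.ie_{{pk}}_made_timestamp]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_key_value"]
hooks.process = """
function(event, emit)
  -- CEF specifies 'rt' as epoch milliseconds, but some senders emit epoch
  -- seconds. Anything >= 1e11 is treated as milliseconds (1e11 s would be
  -- the year 5138, 1e11 ms is 1973). The original tried to detect the
  -- millisecond case by looking for a leading '+' in the formatted date,
  -- which does not fire on a normal strftime.
  local rt = tonumber(event.log["rt"])
  if rt == nil then
    -- No usable 'rt': fall back to the receive time, as before.
    rt = os.time()
  elseif rt >= 1e11 then
    -- os.date needs an integer in Lua 5.3+; a float such as 1700000000.123
    -- would raise "number has no integer representation".
    rt = math.floor(rt / 1000)
  end
  -- '!' selects UTC, which is what the trailing 'Z' promises. The original
  -- formatted local time and still appended 'Z'.
  event.log.event_timestamp = os.date("!%Y-%m-%dT%H:%M:%SZ", rt)
  emit(event)
end
"""
{%endif%}
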
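# Parse "White list" events.
[transforms.ie_{{pk}}_parse_white_list]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_made_timestamp"]
hooks.process = """
function(event, emit)
  if event.log["name"] == "White list" then
    -- act/filePath/cat come from the CEF extension and may be absent. An
    -- absent one used to raise "attempt to concatenate a nil value", which
    -- aborted the hook before emit() and so lost the event.
    local act = event.log["act"] or ""
    local path = event.log["filePath"] or ""
    local cat = event.log["cat"] or ""
    event.log.sign_category = "Whitelist"
    event.log.sign_name = act .. ":" .. path .. "->" .. cat
    event.log.device_action = "BLOCK"
    event.log.sign_subcategory = "ACCESS DENIED"
  end
  emit(event)
end
"""
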
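# Parse "Integrity control" events.
[transforms.ie_{{pk}}_parse_integrity_control]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_white_list"]
hooks.process = """
function(event, emit)
  if event.log["name"] == "Integrity control" then
    -- act/filePath/fname come from the CEF extension and may be absent;
    -- default to "" instead of raising on concatenation with nil (which
    -- aborted the hook before emit() and lost the event).
    local act = event.log["act"] or ""
    local path = event.log["filePath"] or ""
    local fname = event.log["fname"] or ""
    event.log.sign_name = act .. ":" .. path .. "," .. fname
    event.log.sign_category = "Integrity control"
  end
  emit(event)
end
"""
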
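# Parse "USB" events.
[transforms.ie_{{pk}}_parse_usb]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_integrity_control"]
hooks.process = """
function(event, emit)
  if event.log["name"] == "USB" then
    -- 'act' comes from the CEF extension and may be absent; default to ""
    -- instead of raising on concatenation with nil.
    local act = event.log["act"] or ""
    event.log.sign_name = "USB status=" .. act
    event.log.sign_category = "Usb devices"
    event.log.device_action = "Usb action"
    -- 'msg' may be nil; assigning nil simply leaves the field unset.
    event.log.sign_subcategory = event.log["msg"]
  end
  emit(event)
end
"""
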
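# Parse "Antivirus" events.
[transforms.ie_{{pk}}_parse_antivirus]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_usb"]
hooks.process = """
function(event, emit)
  if event.log["name"] == "Antivirus" then
    local act = event.log["act"]
    event.log.sign_category = "Antivirus"
    event.log.device_action = act
    event.log.sign_name = act
    event.log.sign_subcategory = act
    -- cs1/cs2 are locals here. The original stored them in globals, so a
    -- cs2 value from an earlier event could leak into a later event that
    -- carried cs1 but no cs2 (and the very first such event raised on nil).
    local cs1 = event.log["cs1"]
    if cs1 ~= nil then
      local cs2 = event.log["cs2"] or ""
      local path = event.log["filePath"] or ""
      event.log.sign_name = (act or "") .. ":" .. path .. " " .. cs1 .. " " .. cs2
    end
  end
  emit(event)
end
"""
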
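# Check event type: only events typed "endpoint_<pk>" by the device-product
# check continue; anything else is dropped here (no emit).
[transforms.ie_{{pk}}_check_event_type]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_parse_antivirus"]
hooks.process = """
function(event, emit)
  local event_type = event.log["type"]
  -- A missing type (nil) used to raise inside match() and abort the hook.
  -- The anchor is "^endpoint_" rather than the original "^endpoint_*":
  -- '_*' means zero or more underscores, so "endpointX" also passed.
  if type(event_type) == "string" and event_type:match("^endpoint_") ~= nil then
    emit(event)
  end
end
"""
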
# Create UUID
[transforms.ie_{{pk}}_create_uuid]
type = "remap"
inputs = ["ie_{{pk}}_check_event_type"]
source = """
# Random v4 UUID; it becomes the Elasticsearch document id (id_key in the
# sink). Being random, a re-delivered event gets a fresh id rather than
# overwriting the earlier document.
.event_id = uuid_v4()
"""

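# Replace: strip NUL bytes from the message and keep the three message copies
# identical.
[transforms.ie_{{pk}}_replace]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_create_uuid"]
hooks.process = """
function(event, emit)
  local msg = event.log["orig_message"]
  if type(msg) == "string" then
    -- "%z" matches byte 0 without putting a raw NUL into the Lua source;
    -- the original relied on the TOML escape for U+0000 to do that.
    -- gsub returns (string, count); only the string is kept.
    msg = msg:gsub("%z", "")
    -- The original assigned the cleaned value through a chain of copies;
    -- the end state is the same: all three fields hold the cleaned text.
    event.log.event_src_msg = msg
    event.log.message = msg
    event.log.orig_message = msg
  end
  -- A missing orig_message used to raise and lose the event; now the event
  -- passes through unchanged.
  emit(event)
end
"""
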
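# Delete every field that is not in the allow-list below. This is also what
# keeps sender-supplied CEF extension keys from reaching the sink.
[transforms.ie_{{pk}}_prune_fields]
type = "lua"
version = "2"
inputs = ["ie_{{pk}}_replace"]
source = """
-- Set of fields allowed through to the sink. The original scanned a list on
-- every field (and listed 'event_id' and 'event_timestamp' twice); a set
-- gives an O(1) lookup.
local ALLOWED_FIELDS = {
  ["event_src_msg"] = true,
  ["event_severity"] = true,
  ["event_timestamp"] = true,
  ["event_id"] = true,
  ["device_vendor"] = true,
  ["sign_name"] = true,
  ["sign_subcategory"] = true,
  ["device_version"] = true,
  ["device_product"] = true,
  ["device_action"] = true,
  ["sign_id"] = true,
  ["message"] = true,
  ["sign_category"] = true,
  ["@timestamp"] = true,
  ["source_host"] = true,
  ["source_ip"] = true,
  ["destination_ip"] = true,
  ["format"] = true,
  ["type"] = true,
}

-- Returns true when `field` may reach the sink, false otherwise.
-- Kept global, as in the original, in case anything else references it.
function check_field(field)
  return ALLOWED_FIELDS[field] == true
end

-- Hook entry point (referenced by name in hooks.process below).
function process(event, emit)
  -- Clearing existing keys while iterating with pairs() is permitted;
  -- adding keys would not be.
  for name, _ in pairs(event.log) do
    if not check_field(name) then
      event.log[name] = nil
    end
  end
  emit(event)
end
"""
hooks.process = "process"
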
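# Cast variables to the right types.
# Each cast is fallible on its own (`?? fallback`). With the `!` form, one
# unparsable field (e.g. a textual CEF severity such as "High") aborted the
# whole program and, with remap's default drop_on_error = false, forwarded the
# original event unchanged - without event_uuid, so the sink lost its id_key.
[transforms.ie_{{pk}}_cast_types]
type = "remap"
inputs = ["ie_{{pk}}_prune_fields"]
source = '''
.event_uuid = .event_id
#.source_port = to_int!(.source_port)
#.destination_port = to_int!(.destination_port)
.aggregated = to_bool(.aggregated) ?? false
#.celery_done = to_bool!(.celery_done)
# null rather than a made-up number when the severity is not numeric.
.event_severity = to_int(.event_severity) ?? null
# to_timestamp() is deprecated in newer Vector releases in favour of
# parse_timestamp() - check the release in use.
.event_timestamp = to_timestamp(.event_timestamp) ?? now()
.@timestamp = to_timestamp(.@timestamp) ?? now()
'''
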
## Print parsed logs to stdout (debugging aid, disabled; the input name is
## kept in sync with the templated transform name)
#[sinks.ie_{{pk}}_print]
# type = "console"
# inputs = ["ie_{{pk}}_cast_types"]
# encoding.codec = "json"

# Ship to Elasticsearch.
# The basic-auth credentials are rendered into this file by the template, so
# the file itself must be protected accordingly (Vector can also read them
# from environment variables). If {{ elastic_url }} is plain http, the
# credentials and the log data travel unencrypted.
[sinks.ie_{{pk}}_elasticsearch_vector]
type = "elasticsearch"
inputs = ["ie_{{pk}}_cast_types"]
endpoint = "{{ elastic_url }}"
auth.strategy = "basic"
auth.user = "{{ elastic_login }}"
auth.password = "{{ elastic_pass }}"
# 'normal.index' is the older key name; newer Vector releases call it
# 'bulk.index' - check the release in use.
normal.index = "arma-%Y.%m.%d"
# Document id = the UUID generated upstream in create_uuid.
id_key = "event_uuid"
compression = "none"
healthcheck = true
