Added filebeat patterns #25

Merged
merged 2 commits into from Jul 6, 2021
20 changes: 10 additions & 10 deletions README.md
Expand Up @@ -163,20 +163,20 @@ Now you can find the Event logs in `windows_events_original_ts` and in `windows_
If you would like like to use ECS (elastic common schema) to process your Zeek and Suricata logs you should launch also ``filebeat``

Start the Elasticsearch with filebeat container:
```
```bash
sudo docker-compose up -d elasticsearch filebeat kibana
```

Create a new index for filebeat.

```Stack Management -> Index Patterns -> Create new pattern.```

![Kibana Index Patterns](./images/kibana_management_filebeat.png)
Import the `filebeat.ndjson` objects to Kibana.

Enter index pattern name `filebeat-*` and select `@timestamp` as the time field.
```Stack Management -> Saved Objects -> Import```

![New Index Pattern](./images/kibana_new_index_filebeat.png)
The `filebeat.ndjson` objects are:

You can view your logs in `filebeat-*` index in the Discover section.
| Object Name | Description |
|-----------------------------|----------------------------------------------------|
| filebeat-* | @timestamp indexed Filebeat Patterns. |
| file* | Filebeat Patterns indexed with log ingestion time. |
| winlogbeat* | Windows Event Log Pattern indexed with ingestion time. |

![Filebeat Index Pattern](./images/kibana_index_dropdown_filebeat.png)
You can now analyze the data in the Discover section.
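Review bot: the table row for `winlogbeat*` says the pattern is indexed with ingestion time, but the exported object in filebeat.ndjson sets its `timeFieldName` to `@timestamp`; either change the description to event time or export the pattern with `event.ingested` so the table and the import agree. The table also lists only the three index patterns, yet the import brings five saved searches (Zeek DNS, SSL, HTTP and File Logs, Suricata Alert Logs) and a `config` object; listing the searches would tell readers what to open under Discover. Minor: the first line of the hunk reads `If you would like like to use ECS` (doubled `like`), and the hunk context above still points readers to `windows_events_original_ts` for the Event logs while this PR indexes them into `winlogbeat`.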
19 changes: 0 additions & 19 deletions docker-compose-evtxtoelk.yaml

This file was deleted.

17 changes: 17 additions & 0 deletions docker-compose.yaml
Expand Up @@ -102,6 +102,23 @@ services:
- ./logs/zeek:/var/log/zeek
- ./logs/zeek/extracted_files:/opt/zeek/extracted

evtxtoelk:
container_name: pcapmonkey_evtxtoelk
image: certego/evtxtoelk:v1.1.0
entrypoint:
- python
- evtxtoelk.py
- /var/log/event_logs
- elasticsearch:9200
- -s
- "2000"
- -i
- winlogbeat
depends_on:
- elasticsearch
volumes:
- ./import_event_logs:/var/log/event_logs:ro

volumes:

elasticsearch_data:
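Review bot: `depends_on: - elasticsearch` only orders container start-up and does not wait for Elasticsearch to accept connections, and `evtxtoelk.py` is a one-shot importer, so on a cold `docker-compose up` the import can fail before the cluster is listening; gate it on a healthcheck (`condition: service_healthy`), give it a restart policy, or document that it must be started after Elasticsearch is up. The pinned image tag `certego/evtxtoelk:v1.1.0` and the `:ro` mount of `./import_event_logs` are the right choices for an import container. Since the service writes to the `winlogbeat` index (`-i winlogbeat`), the README text that still names `windows_events_original_ts` should be updated in the same PR, and with docker-compose-evtxtoelk.yaml deleted, any instruction that started the importer from that file should point at this service instead.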
10 changes: 10 additions & 0 deletions filebeat.ndjson
@@ -0,0 +1,10 @@
{"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"filebeat-*"},"coreMigrationVersion":"7.13.2","id":"5b4ca870-db71-11eb-8d71-e148878ab61e","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1625517347550,38],"type":"index-pattern","updated_at":"2021-07-05T20:35:47.550Z","version":"WzE5LDFd"}
{"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"event.ingested","title":"file*"},"coreMigrationVersion":"7.13.2","id":"6e2380e0-db71-11eb-8d71-e148878ab61e","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1625517347550,17],"type":"index-pattern","updated_at":"2021-07-05T20:35:47.550Z","version":"WzIwLDFd"}
{"attributes":{"buildNum":40943,"defaultIndex":"5b4ca870-db71-11eb-8d71-e148878ab61e"},"coreMigrationVersion":"7.13.2","id":"7.13.2","migrationVersion":{"config":"7.13.0"},"references":[],"sort":[1625517370611,33],"type":"config","updated_at":"2021-07-05T20:36:10.611Z","version":"WzMwLDFd"}
{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"tags:\\\"zeek.dns\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Zeek DNS Logs","version":1},"coreMigrationVersion":"7.13.2","id":"72cdc7b0-db74-11eb-8d71-e148878ab61e","migrationVersion":{"search":"7.9.3"},"references":[{"id":"5b4ca870-db71-11eb-8d71-e148878ab61e","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1625517347550,20],"type":"search","updated_at":"2021-07-05T20:35:47.550Z","version":"WzIyLDFd"}
{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"tags:\\\"zeek.ssl\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Zeek SSL Logs","version":1},"coreMigrationVersion":"7.13.2","id":"7b1185c0-db73-11eb-8d71-e148878ab61e","migrationVersion":{"search":"7.9.3"},"references":[{"id":"5b4ca870-db71-11eb-8d71-e148878ab61e","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1625517347550,22],"type":"search","updated_at":"2021-07-05T20:35:47.550Z","version":"WzIzLDFd"}
{"attributes":{"fieldAttrs":"{}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"winlogbeat*"},"coreMigrationVersion":"7.13.2","id":"a6de76c0-ddd2-11eb-a3fd-31e52f3ab3dc","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1625518237740,245],"type":"index-pattern","updated_at":"2021-07-05T20:50:37.740Z","version":"WzI0MiwxXQ=="}
{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"suricata.eve.event_type : \\\"alert\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Suricata Alert Logs","version":1},"coreMigrationVersion":"7.13.2","id":"a960aa40-ddd1-11eb-a3fd-31e52f3ab3dc","migrationVersion":{"search":"7.9.3"},"references":[{"id":"6e2380e0-db71-11eb-8d71-e148878ab61e","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1625517812452,158],"type":"search","updated_at":"2021-07-05T20:43:32.452Z","version":"WzE2MSwxXQ=="}
{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"tags:\\\"zeek.http\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Zeek HTTP Logs","version":1},"coreMigrationVersion":"7.13.2","id":"c9effa20-db7b-11eb-8d71-e148878ab61e","migrationVersion":{"search":"7.9.3"},"references":[{"id":"5b4ca870-db71-11eb-8d71-e148878ab61e","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1625517347550,25],"type":"search","updated_at":"2021-07-05T20:35:47.550Z","version":"WzI1LDFd"}
{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"tags:\\\"zeek.files\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Zeek File Logs","version":1},"coreMigrationVersion":"7.13.2","id":"fd820ce0-db74-11eb-8d71-e148878ab61e","migrationVersion":{"search":"7.9.3"},"references":[{"id":"5b4ca870-db71-11eb-8d71-e148878ab61e","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1625517347550,29],"type":"search","updated_at":"2021-07-05T20:35:47.550Z","version":"WzI3LDFd"}
{"exportedCount":9,"missingRefCount":0,"missingReferences":[]}
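Review bot: the `Suricata Alert Logs` search (id starting a960aa40) references the `file*` index pattern (id starting 6e2380e0, time field `event.ingested`) while the four Zeek searches reference `filebeat-*` (id starting 5b4ca870, time field `@timestamp`), so the Discover time picker will filter Suricata alerts by ingestion time rather than event time, and the search's own `sort` on `@timestamp` names a field that is not that pattern's time field; point the reference at the `filebeat-*` pattern unless the difference is deliberate. The third line is a `config` saved object whose id is the Kibana version (`7.13.2`) and which carries `buildNum` and `defaultIndex`; importing it overwrites the target instance's advanced settings and will not map cleanly onto a different Kibana release, so consider dropping it from the export (the README table does not mention it). Minor: every query string carries a trailing space (`tags:\"zeek.dns\" `), and `exportedCount` is 9, matching the nine objects above.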