These are some of the log parsing configs I've used to parse logs on various client engagements. It's not uncommon to be handed some logs and told, "here, find evil". If there weren't 50GB+ of logs it wouldn't be so bad. That's where Logstash comes into play.
- Blue Coat Web Proxy
- McAfee IPS
- Microsoft IIS
- Check Point Firewall
Hit me up if you get any errors or if you have suggestions for making them better or more efficient: patrick[dot]olsen@sysforensics[dot]org, or Twitter [at]patrickrolsen.
Hardware
- Intel NUC mini-PC
- Intel i5 dual-core CPU
- 16GB of memory
- 240GB SSD
- 500GB SSD, USB 3.0 external drive (the NUC has 4 USB 3.0 ports)
- 2x 64GB USB 3.0 flash drives
Software
- Ubuntu 12.04
- Kibana 3.1.0
- Elasticsearch 1.2.0
- Logstash 1.4.1
- Java 7
Credits
- @hiddenillusion - got me started on the idea.
- Good blog posts and some configs here: http://www.505forensics.com