Addition of logstash configs

2017-07-25 12:23:47 -04:00
parent dab91faff8
commit 6a29cb7b84
7 changed files with 864 additions and 2 deletions
--- a/logstash/0001_input_beats.conf
+++ b/logstash/0001_input_beats.conf
@ -0,0 +1,14 @@
+input {
+  beats {
+    port => 5044
+    tags => "beats"
+  }
+}
+
+filter {
+  if [beat][hostname] == "filebeathost" {
+    mutate {
+      add_tag => ["nessus"]
+    }
+  }
+}
--- a/logstash/1000_nessus_preprocess_nessus.conf
+++ b/logstash/1000_nessus_preprocess_nessus.conf
@ -4,6 +4,22 @@
 # Version 0.2
 # Description: Take in nessus reports from vulnWhisperer and pumps into logstash

+input {
+  beats {
+    port => 5044
+    tags => "beats"
+  }
+}
+
+filter {
+  if [beat][hostname] == "filebeathost" {
+    mutate {
+      add_tag => ["nessus"]
+    }
+  }
+}
+
+
 filter {
  if "nessus" in [tags]{
    mutate {
@ -85,7 +101,7 @@ filter {
    }

    # Add tags for reporting based on assets or criticality
-    if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^192\.168\.5\." {
+    if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
      mutate {
        add_tag => [ "critical_asset" ]
      }
@ -111,3 +127,14 @@ filter {
    }
  }
 }
+}
+
+output {
+   if "nessus" in [tags]  or [type] == "nessus" {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => [ "localhost" ]
+      index => "logstash-nessus-%{+YYYY.MM}"
+    }
+  }
+}
--- a/logstash/9000_output_nessus.conf
+++ b/logstash/9000_output_nessus.conf
@ -7,7 +7,7 @@ output {
   if "nessus" in [tags]  or [type] == "nessus" {
    #stdout { codec => rubydebug }
    elasticsearch {
-      hosts => [ "elasticsearch01.yourdomain.local","elasticseach02.yourdomain.local","elasticsearch03.yourdomain.local" ]
+      hosts => [ "localhost" ]
      index => "logstash-nessus-%{+YYYY.MM}"
    }
  }
--- a/logstash/9998_input_broker_rabbitmq.conf
+++ b/logstash/9998_input_broker_rabbitmq.conf
@ -0,0 +1,13 @@
+input {
+  rabbitmq {
+    key => "nessus"
+    queue => "nessus"
+    durable => true
+    exchange => "nessus"
+    user => "logstash"    
+    password => "yourpassword"
+    host => "buffer01"
+    port => 5672
+    tags => [ "queue_nessus", "rabbitmq" ]
+  }
+}
--- a/logstash/9998_output_broker_rabbitmq.conf
+++ b/logstash/9998_output_broker_rabbitmq.conf
@ -0,0 +1,16 @@
+output {
+  if "nessus" in [tags]{
+    rabbitmq {
+      key => "nessus"
+      exchange => "nessus"
+      exchange_type => "direct"
+      user => "logstash"
+      password => "yourbufferpassword"
+      host => "buffer01"
+      port => 5672
+      durable => true
+      persistent => true
+    }
+  }
+
+}