67 lines
1.7 KiB
Plaintext
67 lines
1.7 KiB
Plaintext
# Author: Austin Taylor and Justin Henderson
|
|
# Email: email@austintaylor.io
|
|
# Last Update: 12/20/2017
|
|
# Version 0.3
|
|
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
|
|
|
|
|
|
input {
|
|
file {
|
|
path => "/opt/VulnWhisperer/data/nessus/**/*.json"
|
|
mode => "read"
|
|
start_position => "beginning"
|
|
file_completed_action => "delete"
|
|
tags => "nessus"
|
|
codec => json
|
|
}
|
|
file {
|
|
path => "/opt/VulnWhisperer/data/tenable/*.json"
|
|
mode => "read"
|
|
start_position => "beginning"
|
|
file_completed_action => "delete"
|
|
tags => "tenable"
|
|
codec => json
|
|
}
|
|
}
|
|
|
|
filter {
|
|
if "nessus" in [tags] or "tenable" in [tags] {
|
|
|
|
date {
|
|
match => [ "scan_time", "UNIX" ]
|
|
target => "@timestamp"
|
|
remove_field => ["scan_time"]
|
|
}
|
|
|
|
#If using filebeats as your source, you will need to replace the "path" field to "source"
|
|
# Remove when scan name is included in event (current method is error prone)
|
|
grok {
|
|
match => { "path" => "([a-zA-Z0-9_.\-]+)_%{INT}_%{INT:history_id}_%{INT}.json$" }
|
|
tag_on_failure => []
|
|
}
|
|
|
|
mutate {
|
|
convert => { "cvss" => "float"}
|
|
convert => { "cvss_base" => "float"}
|
|
convert => { "cvss_temporal" => "float"}
|
|
convert => { "cvss3" => "float"}
|
|
convert => { "cvss3_base" => "float"}
|
|
convert => { "cvss3_temporal" => "float"}
|
|
convert => { "risk_number" => "integer"}
|
|
convert => { "total_times_detected" => "integer"}
|
|
}
|
|
}
|
|
}
|
|
|
|
output {
|
|
if "nessus" in [tags] or "tenable" in [tags]{
|
|
stdout {
|
|
codec => dots
|
|
}
|
|
elasticsearch {
|
|
hosts => [ "elasticsearch:9200" ]
|
|
index => "logstash-vulnwhisperer-%{+YYYY.MM}"
|
|
}
|
|
}
|
|
}
|