mirror of
https://github.com/wazuh/wazuh-docker.git
synced 2025-11-02 21:13:30 +00:00
46 lines
1.2 KiB
Plaintext
46 lines
1.2 KiB
Plaintext
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
# Wazuh - Logstash configuration file
|
|
## Remote Wazuh Manager - Filebeat input
|
|
input {
|
|
beats {
|
|
port => 5000
|
|
codec => "json_lines"
|
|
# ssl => true
|
|
# ssl_certificate => "/etc/logstash/logstash.crt"
|
|
# ssl_key => "/etc/logstash/logstash.key"
|
|
}
|
|
}
|
|
filter {
|
|
if [data][srcip] {
|
|
mutate {
|
|
add_field => [ "@src_ip", "%{[data][srcip]}" ]
|
|
}
|
|
}
|
|
if [data][aws][sourceIPAddress] {
|
|
mutate {
|
|
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
|
|
}
|
|
}
|
|
}
|
|
filter {
|
|
geoip {
|
|
source => "@src_ip"
|
|
target => "GeoLocation"
|
|
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
|
|
}
|
|
date {
|
|
match => ["timestamp", "ISO8601"]
|
|
target => "@timestamp"
|
|
}
|
|
mutate {
|
|
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
|
|
}
|
|
}
|
|
output {
|
|
elasticsearch {
|
|
hosts => ["elasticsearch:9200"]
|
|
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
|
|
document_type => "wazuh"
|
|
}
|
|
}
|