
Unable to send events from Logstash to Dsiem

Open alinaa-khalid opened this issue 2 years ago • 2 comments

We are trying to send OSSEC logs from Logstash to Dsiem without using Elasticsearch. Below is the Logstash configuration. What output plugin is required to get the desired result? P.S. When I use dtester with the command ./dtester dsiem -f directives_dsiem.json -v -n 10000000, Dsiem shows events; otherwise it shows "0 eps". The goal is to get events without using dtester. I'd appreciate an early response.

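# Pipeline: OSSEC syslog in -> dsiem normalized event out, without Elasticsearch.
# Same plugins and field values as the original paste; reformatted, commented, and
# with the output stage narrowed to normalized events and pointed at a real host.
input {
  syslog {
    # 514 is a privileged port on most systems: Logstash needs the privilege or
    # capability to bind it, otherwise the listener never comes up and the
    # pipeline sees no input at all.
    # The input also listens on every interface by default; set `host` if the
    # collector should only be reachable from the OSSEC manager.
    port => 514
    add_field => { "application" => "syslog" }
  }
}

filter {

  if [application] == "syslog" {
    # clone emits a COPY with [type] set to the clone name. The original event
    # (still carrying application=syslog, never pruned) keeps flowing through the
    # rest of the pipeline, which is why the output stage below filters on the
    # dsiem metadata instead of forwarding everything.
    clone { clones => [ "siem_ossec_events" ] }

    if [type] == "siem_ossec_events" {
      mutate {
        id => "tag normalizedEvent 50001"
        remove_field => [ "application" , "type" ]
        # These two metadata fields are the only thing that marks an event as
        # something dsiem should receive.
        add_field => {
          "[@metadata][siem_plugin_type]" => "ossec"
          "[@metadata][siem_data_type]" => "normalizedEvent"
        }
      }
    }

  }

  if [@metadata][siem_plugin_type] == "ossec" {
    # NOTE(review): the syslog input normally populates [timestamp] in RFC3164
    # form ("Sep 27 07:09:00"), which does not match ISO8601 — expect
    # _dateparsefailure and an unconverted [timestamp] unless the OSSEC messages
    # carry an ISO8601 timestamp. Confirm against a captured event.
    date {
      id => "timestamp 50001"
      match => [ "[timestamp]", "ISO8601" ]
      target => [timestamp]
    }
    # Map OSSEC fields onto the dsiem normalized-event schema. When a referenced
    # field is absent, Logstash leaves the literal "%{[field]}" text in place;
    # the two conditionals further down clean up the cases that matter.
    mutate {
      id => "siem_event fields 50001"
      replace => {
        "title" => "%{[description]}"
        "src_index_pattern" => "ossec-*"
        "sensor" => "%{[host]}"
        "product" => "Host Intrusion Detection System"
        "src_ip" => "%{[src_ip]}"
        "dst_ip" => "%{[dst_ip]}"
        "protocol" => "TCP/IP"
        "category" => "%{[classification]}"

        "plugin_id" => "50001"
        "plugin_sid" => "%{[id]}"

        "custom_label1" => "message"

        "custom_data1" => "%{[message]}"

      }
    }

    # plugin_id / plugin_sid are numeric in the dsiem schema.
    mutate {
      id => "integer fields 50001"
      convert => {
        "plugin_id" => "integer"
        "plugin_sid" => "integer"

      }
    }

    # Unresolved src_ip (source event had no src_ip field) -> 0.0.0.0 rather than
    # the literal sprintf text.
    if [src_ip] == "%{[src_ip]}" {
      mutate {
        replace => {
         "src_ip" => "0.0.0.0"
        }
        # remove_field => [ "src_ip" ]
      }
    }

    # Drop the custom label/data pair when there was no message to carry.
    if [custom_data1] == "%{[message]}" { mutate { remove_field => [ "custom_label1", "custom_data1" ]}}

    # delete fields except those included in the whitelist below
    prune {
      whitelist_names => [ "@timestamp$" , "^timestamp$", "@metadata", "^src_index_pattern$", "^title$", "^sensor$", "^product$",
        "^src_ip$", "^dst_ip$", "^plugin_id$", "^plugin_sid$", "^category$", "^subcategory$",
        "^src_port$", "^dst_port$", "^protocol$", "^custom_label1$", "^custom_label2$", "^custom_label3$",
        "^custom_data1$", "^custom_data2$", "^custom_data3$" ]
    }

  }

  # Events produced by dtester arrive already normalized; only tag them.
  if [application] == "dtester" {
    mutate {
      remove_field => [ "application", "beat", "host.name", "source" ]
      add_field => {
        "[@metadata][siem_plugin_type]" => "dtester"
        "[@metadata][siem_data_type]" => "normalizedEvent"
      }
    }
  }

}

output {
  # Forward only what the filter stage marked as a normalized event. Without this
  # guard the un-normalized original syslog event is POSTed to dsiem as well.
  if [@metadata][siem_data_type] == "normalizedEvent" {
    http {
      format => "json"
      http_method => "post"
      # The original posted to http://0.0.0.0:8080. 0.0.0.0 is a bind-any
      # address, not a routable destination: on some platforms the connection
      # happens to reach localhost, on others it fails outright. DSIEM_HOST is a
      # placeholder for the address of the dsiem instance; dsiem accepts
      # normalized events on its /events endpoint, not at the bare root URL.
      url => "http://DSIEM_HOST:8080/events"
    }
  }
  stdout { codec => json }
}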

alinaa-khalid avatar Sep 27 '22 07:09 alinaa-khalid

Here is the error I am facing: error

alinaa-khalid avatar Sep 27 '22 08:09 alinaa-khalid

Sorry for the late reply. For future reference, what's needed is a Logstash config (plugins) that will transform the Ossec fields into normalized events.

The process can be complicated and error-prone without the help of dsiem-tools. So even if you don't want to use Elasticsearch/OpenSearch, I'd still suggest ingesting logs into a temporary ES first, just so that you can auto-generate the Logstash config using dsiem-tools. You can remove the ES/OS after that.

mmta avatar Jan 10 '23 13:01 mmta