input {
  # Remote-syslog target for pfSense. No "host" is set, so the udp input
  # listens on every interface, and plain UDP syslog carries no sender
  # authentication: any host that can reach 5455/udp can inject events into
  # the "pfsense" pipeline (and, via the filter below, into the dhcp index).
  # Restrict reachability with a firewall rule on this box and/or drop events
  # whose sender address (the udp input stamps it on each event; field name
  # depends on the plugin's ECS mode) is not the firewall — neither is done here.
  udp {
    port => 5455
    type => "pfsense"
  }
}
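filter {
  if [type] == "pfsense" {
    # Split the BSD-syslog header pfSense emits: <PRI>Mon dd HH:mm:ss prog: msg
    # PRI is always an integer (RFC 3164), so evtid is anchored to digits. The
    # original greedy "(?<evtid>.*)>" could run past a '>' that appears later in
    # the message body and mis-split the line.
    grok {
      add_tag => [ "firewall" ]
      match => [ "message", "<(?<evtid>[0-9]+)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
    }
    # Only rewrite the event when the header grok matched. Without this guard a
    # header-parse failure left "message" set to the literal string "%{msg}"
    # (the msg capture does not exist), destroying the original event text.
    # Failed events keep their raw message and carry the default
    # "_grokparsefailure" tag so they can be found and the pattern fixed.
    if "_grokparsefailure" not in [tags] {
      mutate {
        # BSD syslog pads single-digit days with a second space ("Jan  5");
        # collapse it so the single-space date pattern below can parse it.
        gsub => ["datetime","  "," "]
      }
      date {
        # Syslog timestamps carry neither year nor zone; the firewall's zone is
        # assumed to be the one configured here.
        match => [ "datetime", "MMM dd HH:mm:ss" ]
        timezone => "Europe/Istanbul"
      }
      mutate {
        replace => [ "message", "%{msg}" ]
      }
      mutate {
        remove_field => [ "msg", "datetime" ]
      }
    }
  }
  # dhcpd messages. Every field extracted below comes straight off the wire:
  # CLIENT_HOSTNAME is whatever the client put in DHCP option 12 and
  # DHCP_CLIENT_MAC is trivially spoofed, so treat them as untrusted labels,
  # not as evidence of identity. A message that matches none of the alternatives
  # for its verb gets the default "_grokparsefailure" tag.
  if [prog] =~ /^dhcpd$/ {
    if [message] =~ /^DHCPACK .*/ {
      grok {
        match => {
          "message" => [
            "%{WORD:DHCP_ACTION} on %{IP:DHCP_CLIENT_IP} to %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} on %{IP:DHCP_CLIENT_IP} to %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} to %{IPV4:DHCP_CLIENT_IP} \(%{MAC:DHCP_CLIENT_MAC}\) via %{GREEDYDATA:INTERFACE}"
          ]
        }
      }
    } else if [message] =~ /^DHCPREQUEST .*/ {
      grok {
        match => {
          "message" => [
            "%{WORD:DHCP_ACTION} for %{IP:DHCP_CLIENT_IP} from %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} for %{IP:DHCP_CLIENT_IP} \(%{IP:FIREWALL_GW}\) from %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} for %{IP:DHCP_CLIENT_IP} from %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} for %{IP:DHCP_CLIENT_IP} \(%{IP:FIREWALL_GW}\) from %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} for %{IP:DHCP_CLIENT_IP} from %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE}: %{GREEDYDATA:ERROR}",
            "%{WORD:DHCP_ACTION} for %{IP:DHCP_CLIENT_IP} from %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE}: %{GREEDYDATA:ERROR}",
            "%{WORD:DHCP_ACTION} for %{IP:DHCP_CLIENT_IP} \(%{IP:FIREWALL_GW}\) from %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE}: %{GREEDYDATA:ERROR}"
          ]
        }
      }
    } else if [message] =~ /^DHCPDISCOVER .*/ {
      grok {
        match => {
          "message" => [
            "%{WORD:DHCP_ACTION} from %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} from %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE}"
          ]
        }
      }
    } else if [message] =~ /^DHCPOFFER .*/ {
      grok {
        match => {
          "message" => [
            "%{WORD:DHCP_ACTION} on %{IP:DHCP_CLIENT_IP} to %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE}",
            "%{WORD:DHCP_ACTION} on %{IP:DHCP_CLIENT_IP} to %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE}"
          ]
        }
      }
    } else if [message] =~ /^DHCPRELEASE .*/ {
      grok {
        match => {
          "message" => [
            "%{WORD:DHCP_ACTION} of %{IP:DHCP_CLIENT_IP} from %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE} \(%{GREEDYDATA:RELEASE_MESSAGE}\)",
            "%{WORD:DHCP_ACTION} of %{IP:DHCP_CLIENT_IP} from %{MAC:DHCP_CLIENT_MAC} \(%{GREEDYDATA:CLIENT_HOSTNAME}\) via %{GREEDYDATA:INTERFACE} \(%{GREEDYDATA:RELEASE_MESSAGE}\)"
          ]
        }
      }
    } else if [message] =~ /^DHCPINFORM .*/ {
      grok {
        match => {
          "message" => [
            "%{WORD:DHCP_ACTION} from %{IPV4:DHCP_CLIENT_IP} via %{GREEDYDATA:INTERFACE}: \(%{GREEDYDATA:DESCRIPTION}\) %{IPV4:SUBNET}",
            "%{WORD:DHCP_ACTION} from %{IPV4:DHCP_CLIENT_IP} via %{GREEDYDATA:INTERFACE}"
          ]
        }
      }
    } else if [message] =~ /^DHCPNAK .*/ {
      grok {
        match => [ "message", "%{WORD:DHCP_ACTION} on %{IP:DHCP_CLIENT_IP} to %{MAC:DHCP_CLIENT_MAC} via %{GREEDYDATA:INTERFACE}" ]
      }
    } else if [message] =~ /^reuse_lease.*/ {
      grok {
        match => [ "message", "%{WORD:DHCP_ACTION}: %{GREEDYDATA:INFO} %{IP:DHCP_CLIENT_IP}" ]
      }
    } else if [message] =~ /^uid .*/ {
      # "uid lease ... is duplicate" — a duplicate client-identifier claim;
      # worth alerting on, it is what IP/MAC conflicts and some spoofing look like.
      grok {
        match => [ "message", "%{GREEDYDATA:DHCP_ACTION} %{IPV4:DHCP_CLIENT_IP} for client %{MAC:DHCP_CLIENT_MAC} is duplicate on %{IPV4:SUBNETIP}/%{INT:SUBNETMASK}" ]
      }
    } else {
      # Anything else from dhcpd is kept verbatim so it is not lost.
      grok {
        match => [ "message", "%{GREEDYDATA:DHCPMESSAGE}" ]
      }
    }
    # (The original re-ran remove_field for "msg"/"datetime" here; both are
    # already removed above, or never set when the header grok failed.)
  }
}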
output {
  # Only dhcpd events are indexed; every other event that arrived on the
  # pfsense input is discarded at this point.
  if [prog] =~ /^dhcpd$/ {
    elasticsearch {
      # One index per day. Plain HTTP with no credentials is tolerable only
      # because the target is loopback; if the cluster is ever remote, switch
      # to https and add user/password or an api_key, and verify the CA.
      index => "logstash-dhcp-%{+YYYY.MM.dd}"
      hosts => ["http://localhost:9200"]
    }
  }
}