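# Logstash filter stage for UFW firewall log lines shipped by Beats with
# fields.beats_output set to "ufw".  Parses the line with the site-specific
# IPTABLES grok pattern, normalises the syslog-style timestamp, enriches the
# source IP with GeoIP and reverse-DNS data, and rewrites `message` into a
# short summary.
filter {
  if [fields][beats_output] == "ufw" {
    # IPTABLES comes from patterns_dir and is not visible here; the rest of
    # this file expects it to populate [ufw][timestamp], [ufw][status],
    # [ufw][source][ip] and [ufw][destination][port].  Lines that do not match
    # are tagged _grok_ufw_nomatch and fall through; the enrichment below is
    # guarded by the presence of [ufw][source][ip], so it is skipped for them.
    grok {
      patterns_dir => "/etc/logstash/patterns.d"
      match => { "message" => "%{IPTABLES}" }
      tag_on_failure => [ "_grok_ufw_nomatch" ]
      add_tag => [ "_grok_ufw_success" ]
    }

    # Syslog timestamps pad single-digit days with a space ("Jan  5"), not a
    # zero, so "MMM dd" alone rejects the first nine days of every month and
    # tags those events _dateparsefailure.  Both spellings are accepted.  The
    # source carries no year, so the date filter infers one from the current
    # date.  The parsed value goes to a separate `timestamp` field; @timestamp
    # (ingest time) is left intact.
    date {
      match => [ "[ufw][timestamp]", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
      target => "timestamp"
      remove_field => [ "[ufw][timestamp]" ]
    }

    if [ufw][source][ip] {
      geoip {
        source => "[ufw][source][ip]"
        target => "[ufw][source][geoip]"
      }

      # Seed the hostname with the IP so a failed reverse lookup still leaves
      # a usable value in the field.
      mutate {
        add_field => { "[ufw][source][hostname]" => "%{[ufw][source][ip]}" }
      }

      # SECURITY: the source IP of a blocked packet is attacker-controlled,
      # and so is the PTR record behind it.  The resolved name is untrusted
      # text that ends up in `message` below -- never use it as an identifier
      # or for correlation, and expect misleading or injected strings in
      # dashboards.  The lookup also blocks the pipeline worker while it
      # resolves, so a flood from unresolvable addresses can slow ingestion;
      # the hit/failed caches below limit that, and the filter's own timeout
      # setting should be tuned if lookups prove slow.
      dns {
        reverse => [ "[ufw][source][hostname]" ]
        action => "replace"
        hit_cache_size => 8000
        hit_cache_ttl => 300
        failed_cache_size => 1000
        failed_cache_ttl => 300
      }

      # Replace the raw line with a summary.  The original text is not kept
      # anywhere after this point; copy it to another field first if the raw
      # evidence is needed for re-parsing or an investigation.  If
      # [ufw][status] or [ufw][destination][port] is missing (e.g. a line with
      # no destination port), Logstash leaves the %{...} placeholder literal.
      mutate {
        update => { "message" => "[%{[ufw][status]}] IP: %{[ufw][source][ip]} (%{[ufw][source][hostname]}) dst_port: %{[ufw][destination][port]}" }
      }
    }
  }
}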