ELK watcher WIP

ts
2018-09-21 12:07:18 +01:00
parent b34a84c9d3
commit 6c1a1f31d2
4 changed files with 108 additions and 0 deletions


@@ -0,0 +1,23 @@
class watcher::configure {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$elasticsearch_ip = $secgen_parameters['elasticsearch_ip'][0]
$elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]
# Search string within kibana for a successful login on account: 'test'
# "event.category : user-login and event.type : user_login and auditd.result : success and user.name_map.auid : test"
# TODO: Need some automated curl script that utilises a template to generate "create watcher" request
# Need to send a request to: "172.16.0.2":9200 [ $elasticsearch_ip:$elasticsearch_port ]
# PUT _xpack/watcher/watch/my-watch
# templates('watcher/watch.json.erb')
# First: Get it working within Kibana, there is a testing tool within 'Dev tools' section
# Second: Create a way to detect whether the watcher is registered correctly, we can GET the watcher endpoint in kibana to check
# Third: Implement functionality so the watcher fires a HTTP request to 172.16.0.2:8080
# Fourth: Implement a dummy webserver running on 8080 that can recieve requests + displays their contents on the screen.
# Fifth: Look into adding SSL to this whole process.
}
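Review bot: `$elasticsearch_ip` and `$elasticsearch_port` are assigned on the second and third lines of the class but never referenced afterwards, so applying `watcher::configure` currently declares no resources; a header comment such as `# WIP: only resolves the elasticsearch endpoint from the SecGen inputs; the watch registration is not implemented yet` would save the next reader from hunting for the missing PUT. The `0 +` on the port turns the string input into an Integer and makes catalog compilation fail on a non-numeric value, which is a reasonable fail-fast but deserves a why-comment, e.g. `# coerce to Integer; a non-numeric port aborts the compile`. The plan in the comments hardcodes `172.16.0.2` while the module's declared default for `elasticsearch_ip` is `localhost`, so when the request is built it should use the two variables rather than the literal, and since the PUT carries the full watch definition the transport question listed as the fifth step is worth settling before the action target.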


@@ -0,0 +1,34 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Watcher</name>
<author>Thomas Shaw</author>
<author>Elastic</author>
<module_license>Apache v2</module_license>
<description>TODO</description>
<type>log_tool</type>
<platform>linux</platform>
<read_fact>elasticsearch_ip</read_fact>
<read_fact>elasticsearch_port</read_fact>
<default_input into="elasticsearch_ip">
<value>localhost</value>
</default_input>
<default_input into="elasticsearch_port">
<value>9200</value>
</default_input>
<requires>
<type>update</type>
</requires>
<requires>
<module_path>.*elasticsearch</module_path>
</requires>
</utility>
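Review bot: `<description>TODO</description>` ships a placeholder that is shown wherever the utility metadata is rendered; even for a WIP module a one-liner such as `Registers an X-Pack Watcher watch against the scenario's elasticsearch instance` keeps the catalogue readable. The `<module_path>.*elasticsearch</module_path>` requirement is an unanchored pattern and would also satisfy on any module whose path merely contains that substring; if only the elasticsearch module itself is meant, anchoring the end (`.*elasticsearch$`) is tighter, assuming SecGen evaluates the value as a full regex as the leading `.*` suggests.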


@@ -0,0 +1,50 @@
{
"trigger": {
"schedule": {
"cron": "0 0/1 * * * ?"
}
},
"input": {
"search": {
"request": {
"indices": [
"logstash*"
],
"body": {
"query": {
"bool": {
"must": {
"match": {
"response": 404
}
},
"filter": {
"range": {
"@timestamp": {
"from": "{{ctx.trigger.scheduled_time}}||-5m",
"to": "{{ctx.trigger.triggered_time}}"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"email_admin": {
"email": {
"to": "admin@domain.host.com",
"subject": "404 recently encountered"
}
}
}
}
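Review bot: The watch body does not implement the detection described in the manifest's comment (a successful auditd login for user `test`); its `"match"` clause searches `logstash*` for `"response": 404` and the action mails `admin@domain.host.com`, which reads as the stock 404 sample rather than the intended login alert, so if this is the `watch.json.erb` referenced by the manifest an ERB comment `<%# placeholder query - replace with the auditd user-login search %>` at the top would mark it as such. Independently, the schedule fires every minute (`"cron": "0 0/1 * * * ?"`) while the range looks back `||-5m`, so a single matching document keeps `hits.total` above 0 for up to five consecutive runs and produces repeated emails; narrowing the window to `"from": "{{ctx.trigger.scheduled_time}}||-1m"` or adding `"throttle_period": "5m"` to the `email_admin` action removes the duplication. The `email` action also presumes an outbound email account is configured on the Elasticsearch node; without one the watch executes but the action fails, which is worth confirming on the target before relying on it.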


@@ -0,0 +1 @@
include watcher::configure