line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Search::ESsearcher::Templates::bf2b; |
2
|
|
|
|
|
|
|
|
3
|
1
|
|
|
1
|
|
67997
|
use 5.006; |
|
1
|
|
|
|
|
11
|
|
4
|
1
|
|
|
1
|
|
6
|
use strict; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
39
|
|
5
|
1
|
|
|
1
|
|
6
|
use warnings; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
202
|
|
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
=head1 NAME |
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
Search::ESsearcher::Templates::sfail2ban - Provicdes support for fail2ban logs sucked down via beats. |
10
|
|
|
|
|
|
|
|
11
|
|
|
|
|
|
|
=head1 VERSION |
12
|
|
|
|
|
|
|
|
13
|
|
|
|
|
|
|
Version 0.0.1 |
14
|
|
|
|
|
|
|
|
15
|
|
|
|
|
|
|
=cut |
16
|
|
|
|
|
|
|
|
17
|
|
|
|
|
|
|
our $VERSION = '0.0.1'; |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
=head1 LOGSTASH |
20
|
|
|
|
|
|
|
|
21
|
|
|
|
|
|
|
This uses a logstash configuration like below. |
22
|
|
|
|
|
|
|
|
23
|
|
|
|
|
|
|
input { |
24
|
|
|
|
|
|
|
beats { |
25
|
|
|
|
|
|
|
host => "10.10.10.10" |
26
|
|
|
|
|
|
|
port => 5044 |
27
|
|
|
|
|
|
|
type => "beats" |
28
|
|
|
|
|
|
|
} |
29
|
|
|
|
|
|
|
} |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
filter { |
32
|
|
|
|
|
|
|
if [fields][log] == "fail2ban" { |
33
|
|
|
|
|
|
|
grok { |
34
|
|
|
|
|
|
|
match => { |
35
|
|
|
|
|
|
|
"message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_src}.%{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}" |
36
|
|
|
|
|
|
|
} |
37
|
|
|
|
|
|
|
} |
38
|
|
|
|
|
|
|
geoip { |
39
|
|
|
|
|
|
|
source => "clientip" |
40
|
|
|
|
|
|
|
} |
41
|
|
|
|
|
|
|
mutate { |
42
|
|
|
|
|
|
|
convert => [ "[geoip][coordinates]", "float" ] |
43
|
|
|
|
|
|
|
} |
44
|
|
|
|
|
|
|
} |
45
|
|
|
|
|
|
|
} |
46
|
|
|
|
|
|
|
|
47
|
|
|
|
|
|
|
output { |
48
|
|
|
|
|
|
|
if [type] == "beats" { |
49
|
|
|
|
|
|
|
elasticsearch { |
50
|
|
|
|
|
|
|
hosts => [ "127.0.0.1:9200" ] |
51
|
|
|
|
|
|
|
} |
52
|
|
|
|
|
|
|
} |
53
|
|
|
|
|
|
|
} |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
For filebeats, it is assuming this sort of configuration. |
56
|
|
|
|
|
|
|
|
57
|
|
|
|
|
|
|
- type: log |
58
|
|
|
|
|
|
|
paths: |
59
|
|
|
|
|
|
|
- /var/log/fail2ban.log |
60
|
|
|
|
|
|
|
fields: |
61
|
|
|
|
|
|
|
log: fail2ban |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
If you have type set different or are using a diffent field, you can change that via --field and --fieldv. |
64
|
|
|
|
|
|
|
|
65
|
|
|
|
|
|
|
If you have fields.log set differently, you can set that via --field2 and --field2v. |
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
=head1 Options |
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
=head2 --host <host> |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
The machine beasts is running on feeding fail2ban info to logstash/ES. |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
=head2 --jail <jail> |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
The fail2ban jail name to query. |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
=head2 --country <country> |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
The 2 letter country code. |
80
|
|
|
|
|
|
|
|
81
|
|
|
|
|
|
|
=head2 --region <state> |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
The state/province/etc to search for. |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
=head2 --postal <zipcode> |
86
|
|
|
|
|
|
|
|
87
|
|
|
|
|
|
|
The postal code to search for. |
88
|
|
|
|
|
|
|
|
89
|
|
|
|
|
|
|
=head2 --city <cide> |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
The city to search for. |
92
|
|
|
|
|
|
|
|
93
|
|
|
|
|
|
|
=head2 --ip <ip> |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
The IP to search for. |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
=head2 --size <count> |
98
|
|
|
|
|
|
|
|
99
|
|
|
|
|
|
|
The number of items to return. |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
=head2 --dgt <date> |
102
|
|
|
|
|
|
|
|
103
|
|
|
|
|
|
|
Date greater than. |
104
|
|
|
|
|
|
|
|
105
|
|
|
|
|
|
|
=head2 --dgte <date> |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
Date greater than or equal to. |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
=head2 --dlt <date> |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
Date less than. |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
=head2 --dlte <date> |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
Date less than or equal to. |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
=head2 --msg <message> |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
Messages to match. |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
=head2 --field <field> |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
The term field to use for matching them all. |
124
|
|
|
|
|
|
|
|
125
|
|
|
|
|
|
|
=head2 --fieldv <fieldv> |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
The value of the term field to matching them all. |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
=head2 --field2 <field2> |
130
|
|
|
|
|
|
|
|
131
|
|
|
|
|
|
|
The term field to use for what beats is setting. |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
=head2 --field2v <field2v> |
134
|
|
|
|
|
|
|
|
135
|
|
|
|
|
|
|
The value to look for in the field beats is setting. |
136
|
|
|
|
|
|
|
|
137
|
|
|
|
|
|
|
=head1 AND, OR, or NOT shortcut |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
, OR |
140
|
|
|
|
|
|
|
+ AND |
141
|
|
|
|
|
|
|
! NOT |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
A list seperated by any of those will be transformed |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
These may be used with program, facility, pid, or host. |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
example: --program postfix,spamd |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
results: postfix OR spamd |
150
|
|
|
|
|
|
|
|
151
|
|
|
|
|
|
|
=head1 date |
152
|
|
|
|
|
|
|
|
153
|
|
|
|
|
|
|
date |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
/^-/ appends "now" to it. So "-5m" becomes "now-5m". |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a |
158
|
|
|
|
|
|
|
unix time value. |
159
|
|
|
|
|
|
|
|
160
|
|
|
|
|
|
|
Any thing not matching maching any of the above will just be passed on. |
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
=cut |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
sub search{ |
166
|
0
|
|
|
0
|
0
|
|
return ' |
167
|
|
|
|
|
|
|
[% USE JSON ( pretty => 1 ) %] |
168
|
|
|
|
|
|
|
[% DEFAULT o.size = "50" %] |
169
|
|
|
|
|
|
|
[% DEFAULT o.field = "type" %] |
170
|
|
|
|
|
|
|
[% DEFAULT o.fieldv = "beats" %] |
171
|
|
|
|
|
|
|
[% DEFAULT o.field2 = "fields.log" %] |
172
|
|
|
|
|
|
|
[% DEFAULT o.field2v = "fail2ban" %] |
173
|
|
|
|
|
|
|
{ |
174
|
|
|
|
|
|
|
"index": "logstash-*", |
175
|
|
|
|
|
|
|
"body": { |
176
|
|
|
|
|
|
|
"size": [% o.size.json %], |
177
|
|
|
|
|
|
|
"query": { |
178
|
|
|
|
|
|
|
"bool": { |
179
|
|
|
|
|
|
|
"must": [ |
180
|
|
|
|
|
|
|
{ |
181
|
|
|
|
|
|
|
"term": { [% o.field.json %]: [% o.fieldv.json %] } |
182
|
|
|
|
|
|
|
}, |
183
|
|
|
|
|
|
|
{ |
184
|
|
|
|
|
|
|
"term": { [% o.field2.json %]: [% o.field2v.json %] } |
185
|
|
|
|
|
|
|
}, |
186
|
|
|
|
|
|
|
[% IF o.country %] |
187
|
|
|
|
|
|
|
{"query_string": { |
188
|
|
|
|
|
|
|
"default_field": "geoip.country_code2", |
189
|
|
|
|
|
|
|
"query": [% aon( o.country ).json %] |
190
|
|
|
|
|
|
|
} |
191
|
|
|
|
|
|
|
}, |
192
|
|
|
|
|
|
|
[% END %] |
193
|
|
|
|
|
|
|
[% IF o.region %] |
194
|
|
|
|
|
|
|
{"query_string": { |
195
|
|
|
|
|
|
|
"default_field": "geoip.region_code", |
196
|
|
|
|
|
|
|
"query": [% aon( o.region ).json %] |
197
|
|
|
|
|
|
|
} |
198
|
|
|
|
|
|
|
}, |
199
|
|
|
|
|
|
|
[% END %] |
200
|
|
|
|
|
|
|
[% IF o.city %] |
201
|
|
|
|
|
|
|
{"query_string": { |
202
|
|
|
|
|
|
|
"default_field": "geoip.city_name", |
203
|
|
|
|
|
|
|
"query": [% aon( o.city ).json %] |
204
|
|
|
|
|
|
|
} |
205
|
|
|
|
|
|
|
}, |
206
|
|
|
|
|
|
|
[% END %] |
207
|
|
|
|
|
|
|
[% IF o.postal %] |
208
|
|
|
|
|
|
|
{"query_string": { |
209
|
|
|
|
|
|
|
"default_field": "geoip.postal_code", |
210
|
|
|
|
|
|
|
"query": [% aon( o.postal ).json %] |
211
|
|
|
|
|
|
|
} |
212
|
|
|
|
|
|
|
}, |
213
|
|
|
|
|
|
|
[% END %] |
214
|
|
|
|
|
|
|
[% IF o.host %] |
215
|
|
|
|
|
|
|
{"query_string": { |
216
|
|
|
|
|
|
|
"default_field": "host", |
217
|
|
|
|
|
|
|
"query": [% aon( o.host ).json %] |
218
|
|
|
|
|
|
|
} |
219
|
|
|
|
|
|
|
}, |
220
|
|
|
|
|
|
|
[% END %] |
221
|
|
|
|
|
|
|
[% IF o.jail %] |
222
|
|
|
|
|
|
|
{"query_string": { |
223
|
|
|
|
|
|
|
"default_field": "service", |
224
|
|
|
|
|
|
|
"query": [% aon( o.jail ).json %] |
225
|
|
|
|
|
|
|
} |
226
|
|
|
|
|
|
|
}, |
227
|
|
|
|
|
|
|
[% END %] |
228
|
|
|
|
|
|
|
[% IF o.ip %] |
229
|
|
|
|
|
|
|
{"query_string": { |
230
|
|
|
|
|
|
|
"default_field": "clientip", |
231
|
|
|
|
|
|
|
"query": [% aon( o.ip ).json %] |
232
|
|
|
|
|
|
|
} |
233
|
|
|
|
|
|
|
}, |
234
|
|
|
|
|
|
|
[% END %] |
235
|
|
|
|
|
|
|
[% IF o.status %] |
236
|
|
|
|
|
|
|
{"query_string": { |
237
|
|
|
|
|
|
|
"default_field": "ban_status", |
238
|
|
|
|
|
|
|
"query": [% aon( o.status ).json %] |
239
|
|
|
|
|
|
|
} |
240
|
|
|
|
|
|
|
}, |
241
|
|
|
|
|
|
|
[% END %] |
242
|
|
|
|
|
|
|
[% IF o.msg %] |
243
|
|
|
|
|
|
|
{"query_string": { |
244
|
|
|
|
|
|
|
"default_field": "message", |
245
|
|
|
|
|
|
|
"query": [% o.msg.json %] |
246
|
|
|
|
|
|
|
} |
247
|
|
|
|
|
|
|
}, |
248
|
|
|
|
|
|
|
[% END %] |
249
|
|
|
|
|
|
|
[% IF o.dgt %] |
250
|
|
|
|
|
|
|
{"range": { |
251
|
|
|
|
|
|
|
"@timestamp": { |
252
|
|
|
|
|
|
|
"gt": [% pd( o.dgt ).json %] |
253
|
|
|
|
|
|
|
} |
254
|
|
|
|
|
|
|
} |
255
|
|
|
|
|
|
|
}, |
256
|
|
|
|
|
|
|
[% END %] |
257
|
|
|
|
|
|
|
[% IF o.dgte %] |
258
|
|
|
|
|
|
|
{"range": { |
259
|
|
|
|
|
|
|
"@timestamp": { |
260
|
|
|
|
|
|
|
"gte": [% pd( o.dgte ).json %] |
261
|
|
|
|
|
|
|
} |
262
|
|
|
|
|
|
|
} |
263
|
|
|
|
|
|
|
}, |
264
|
|
|
|
|
|
|
[% END %] |
265
|
|
|
|
|
|
|
[% IF o.dlt %] |
266
|
|
|
|
|
|
|
{"range": { |
267
|
|
|
|
|
|
|
"@timestamp": { |
268
|
|
|
|
|
|
|
"lt": [% pd( o.dlt ).json %] |
269
|
|
|
|
|
|
|
} |
270
|
|
|
|
|
|
|
} |
271
|
|
|
|
|
|
|
}, |
272
|
|
|
|
|
|
|
[% END %] |
273
|
|
|
|
|
|
|
[% IF o.dlte %] |
274
|
|
|
|
|
|
|
{"range": { |
275
|
|
|
|
|
|
|
"@timestamp": { |
276
|
|
|
|
|
|
|
"lte": [% pd( o.dlte ).json %] |
277
|
|
|
|
|
|
|
} |
278
|
|
|
|
|
|
|
} |
279
|
|
|
|
|
|
|
}, |
280
|
|
|
|
|
|
|
[% END %] |
281
|
|
|
|
|
|
|
] |
282
|
|
|
|
|
|
|
} |
283
|
|
|
|
|
|
|
}, |
284
|
|
|
|
|
|
|
"sort": [ |
285
|
|
|
|
|
|
|
{ |
286
|
|
|
|
|
|
|
"@timestamp": {"order" : "desc"}} |
287
|
|
|
|
|
|
|
] |
288
|
|
|
|
|
|
|
} |
289
|
|
|
|
|
|
|
} |
290
|
|
|
|
|
|
|
'; |
291
|
|
|
|
|
|
|
} |
292
|
|
|
|
|
|
|
|
293
|
|
|
|
|
|
|
sub options{ |
294
|
0
|
|
|
0
|
0
|
|
return ' |
295
|
|
|
|
|
|
|
host=s |
296
|
|
|
|
|
|
|
country=s |
297
|
|
|
|
|
|
|
jail=s |
298
|
|
|
|
|
|
|
region=s |
299
|
|
|
|
|
|
|
postal=s |
300
|
|
|
|
|
|
|
status=s |
301
|
|
|
|
|
|
|
city=s |
302
|
|
|
|
|
|
|
ip=s |
303
|
|
|
|
|
|
|
msg=s |
304
|
|
|
|
|
|
|
field=s |
305
|
|
|
|
|
|
|
fieldv=s |
306
|
|
|
|
|
|
|
field2=s |
307
|
|
|
|
|
|
|
field2v=s |
308
|
|
|
|
|
|
|
dgt=s |
309
|
|
|
|
|
|
|
dgte=s |
310
|
|
|
|
|
|
|
dlt=s |
311
|
|
|
|
|
|
|
dlte=s |
312
|
|
|
|
|
|
|
'; |
313
|
|
|
|
|
|
|
} |
314
|
|
|
|
|
|
|
|
315
|
|
|
|
|
|
|
sub output{ |
316
|
0
|
|
|
0
|
0
|
|
return '[% c("cyan") %][% f.timestamp %] [% c("bright_blue") %][% f.host %] '. |
317
|
|
|
|
|
|
|
'[% c("bright_green") %][% f.service %][% c("bright_magenta") %][[% c("bright_yellow") %]'. |
318
|
|
|
|
|
|
|
'[% f.ban_status %][% c("bright_magenta") %]] [% c("white") %][% f.clientip %]'; |
319
|
|
|
|
|
|
|
} |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
sub help{ |
322
|
0
|
|
|
0
|
0
|
|
return ' |
323
|
|
|
|
|
|
|
|
324
|
|
|
|
|
|
|
|
325
|
|
|
|
|
|
|
|
326
|
|
|
|
|
|
|
--status <status> The status value of the message. |
327
|
|
|
|
|
|
|
--host <log host> The system beats in question is running on. |
328
|
|
|
|
|
|
|
--jail <jail> The fail2ban jail in question. |
329
|
|
|
|
|
|
|
--ip <ip> The IP to search for. |
330
|
|
|
|
|
|
|
|
331
|
|
|
|
|
|
|
--country <country> The 2 letter country code. |
332
|
|
|
|
|
|
|
--region <state> The state/province/etc to search for. |
333
|
|
|
|
|
|
|
--postal <zipcode> The postal code to search for. |
334
|
|
|
|
|
|
|
--city <cide> The city to search for. |
335
|
|
|
|
|
|
|
|
336
|
|
|
|
|
|
|
--dgt <date> Date greater than. |
337
|
|
|
|
|
|
|
--dgte <date> Date greater than or equal to. |
338
|
|
|
|
|
|
|
--dlt <date> Date less than. |
339
|
|
|
|
|
|
|
--dlte <date> Date less than or equal to. |
340
|
|
|
|
|
|
|
|
341
|
|
|
|
|
|
|
--msg <message> Messages to match. |
342
|
|
|
|
|
|
|
|
343
|
|
|
|
|
|
|
--field <field> The term field to use for matching them all. |
344
|
|
|
|
|
|
|
--field2 <field2> The term field to use for what beats is setting. |
345
|
|
|
|
|
|
|
--fieldv <fieldv> The value of the term field to matching them all. |
346
|
|
|
|
|
|
|
--field2v <field2v> The value to look for in the field beats is setting. |
347
|
|
|
|
|
|
|
|
348
|
|
|
|
|
|
|
|
349
|
|
|
|
|
|
|
AND, OR, or NOT shortcut |
350
|
|
|
|
|
|
|
, OR |
351
|
|
|
|
|
|
|
+ AND |
352
|
|
|
|
|
|
|
! NOT |
353
|
|
|
|
|
|
|
|
354
|
|
|
|
|
|
|
A list seperated by any of those will be transformed |
355
|
|
|
|
|
|
|
|
356
|
|
|
|
|
|
|
These may be used with host, country, jail, region, postal, city, and ip. |
357
|
|
|
|
|
|
|
|
358
|
|
|
|
|
|
|
example: --country CN,RU |
359
|
|
|
|
|
|
|
|
360
|
|
|
|
|
|
|
|
361
|
|
|
|
|
|
|
|
362
|
|
|
|
|
|
|
field and fieldv |
363
|
|
|
|
|
|
|
|
364
|
|
|
|
|
|
|
The search template is written with the expectation that logstash is setting |
365
|
|
|
|
|
|
|
"type" with a value of "syslog". If you are using like "tag" instead of "type" |
366
|
|
|
|
|
|
|
or the like, this allows you to change the field and value. |
367
|
|
|
|
|
|
|
|
368
|
|
|
|
|
|
|
|
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
date |
371
|
|
|
|
|
|
|
|
372
|
|
|
|
|
|
|
/^-/ appends "now" to it. So "-5m" becomes "now-5m". |
373
|
|
|
|
|
|
|
|
374
|
|
|
|
|
|
|
/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a |
375
|
|
|
|
|
|
|
unix time value. |
376
|
|
|
|
|
|
|
|
377
|
|
|
|
|
|
|
Any thing not matching maching any of the above will just be passed on. |
378
|
|
|
|
|
|
|
'; |
379
|
|
|
|
|
|
|
|
380
|
|
|
|
|
|
|
|
381
|
|
|
|
|
|
|
} |