
🏠 Working from home

Evaristo R evaristorivi

@evaristorivi
evaristorivi / Keybase.md
Last active November 17, 2019 17:17
Keybase.md

Keybase proof

I hereby claim:

  • I am evaristorivi on github.
  • I am evtrompa (https://keybase.io/evtrompa) on keybase.
  • I have a public key ASCj2O5Z2FvYyHgv_sdaErnkMrfiIfXFjytuZUW6LvVJRAo

To claim this, I am signing this object:

# partly from https://github.com/PCextreme/logstash-grok-patterns/blob/master/auth
#
# ssh
SSH_PUB_LOGIN %{SYSLOGBASE} Accepted publickey for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol}
SSH_PUB_LOGIN_S Accepted publickey for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol}
SSH_OPEN_SESSION session opened for user %{USERNAME:username} by \(uid=%{INT:uid:int}\)
SSH_CLOSE_SESSION session closed for user %{USERNAME:username}
SSH_PASSWORD_LOGIN %{SYSLOGBASE} Accepted password for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol}
SSH_PASSWORD_LOGIN_S Accepted password for %{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol}
SSH_FAILED_LOGIN %{SYSLOGBASE} Failed password for (invalid user |)%{USERNAME:username} from %{IPORHOST:remote} port %{BASE10NUM:port:int} %{WORD:protocol}
@evaristorivi
evaristorivi / grok filter auth.log
Created May 20, 2019 07:12
grok filter auth.log
filter {
  if [source] == "/var/log/auth.log" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => ["message", "%{AUTH_LOG_LINE}"]
      add_tag => ["auth_parse"]
    }
    if [program] == "sshd" {
      grok {
        patterns_dir => "/etc/logstash/patterns"
@evaristorivi
evaristorivi / filter squid and output elasticsearch
Created May 20, 2019 07:11
filter squid and output elasticsearch
filter {
  grok {
    # The squid access.log timestamp is "seconds.milliseconds"; the dot is escaped so it only matches a literal '.'
    match => ["message","%{INT:timestamp}\.%{INT}\s*%{NUMBER:request_msec:float} %{IPORHOST:src_ip} %{WORD:cache_result}/%{NUMBER:response_status:int} %{NUMBER:response_size:int} %{WORD:http_method} (%{URIPROTO:http_proto}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?(?:%{DATA:uri_param})? %{USERNAME:cache_user} %{WORD:request_route}/(%{IPORHOST:forwarded_to}|-) %{GREEDYDATA:content_type}"]
    add_tag => ["squid"]
  }
  date {
    match => [ "timestamp", "UNIX" ]
  }
}
@evaristorivi
evaristorivi / input-logstash
Created May 20, 2019 07:11
input-logstash
input {
  beats {
    type => "squid"
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/metricbeat/MyRootCA.pem"]
    ssl_certificate => "/etc/metricbeat/odfe-node1.pem"
    ssl_key => "/etc/metricbeat/odfe-node1.key"
  }
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:DecodeAuthorizationMessage",
        "sts:GetCallerIdentity"
@evaristorivi
evaristorivi / beats.yml
Created May 12, 2019 18:56
beats.yml output
# Optional protocol and basic auth credentials.
protocol: "https"
username: "admin"
password: "admin"
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["/etc/metricbeat/MyRootCA.pem"]
@evaristorivi
evaristorivi / conf.d_squid
Last active May 12, 2019 18:54
SQUID grok filter and output Open Disto for Elasticsearch
input {
  beats {
    type => "squid"
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/metricbeat/MyRootCA.pem"]
    ssl_certificate => "/etc/metricbeat/odfe-node1.pem"
    ssl_key => "/etc/metricbeat/odfe-node1.key"
  }
@evaristorivi
evaristorivi / lambda_send_email_policy
Last active May 2, 2019 17:39
lambda_send_email_policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "*"