Shawn Q Jackson gt50

gt50 / cisco-asa.conf

Created October 24, 2014 02:12

cisco asa conf for logstash

	input {
	syslog {
	port => 5140
	type => "cisco-asa"
	}
	}

	filter {
	if [type] == "cisco-asa" {
	# Split the syslog part and Cisco tag out of the message

gt50 / iis.conf

Created October 24, 2014 02:11

iis.conf for logstash

	input {
	tcp {
	type => "iis"
	port => 3515
	}
	}
	filter {
	if [type] == "iis" {
	grok {
	#match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientip} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}"]

gt50 / netflow.conf

Created October 24, 2014 02:11

netflow.conf for logstash (not working with ASA)

	input {
	udp {
	port => 6343
	codec => netflow { versions => [ 5, 9] }
	type => "netflow"
	}
	}
	output {
	if [type] == "netflow" {
	elasticsearch { host => localhost }

gt50 / windowseventlog.conf

Created October 24, 2014 02:10

windowseventlog.conf for logstash

gt50 / pacs.conf

Created October 24, 2014 02:09

pacs.conf

	input {
	tcp {
	type => "pacs"
	port => 3517
	}
	}
	filter {
	if [type] == "pacs" {
	grok {
	match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{WORD:loglevel} %{SYSLOG5424SD:logsource} \(Import:%{GREEDYDATA:studyuid}\) %{GREEDYDATA:action} Patient:%{GREEDYDATA:patienname}, PatientID:%{GREEDYDATA:patientid}, IPID:%{WORD:ipid}, Modality:%{WORD:modality}, Accession:%{WORD:accession}, StudyDate:%{YEAR:dosyear}%{MONTHNUM:dosmonth}%{MONTHDAY:dosday}"]