iamhowardtheduck · May 30, 2021 18:36 · felix-lessoer · May 30, 2021
diff --git a/fail2ban-ecs-pipeline b/fail2ban-ecs-pipeline
 PUT _ingest/pipeline/fail2ban-ecs
 {
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{SYSLOGTIMESTAMP:timestamp} %{WORD:host.name} %{GREEDYDATA:message}"
        ],
        "ignore_missing": true,
        "tag": "Initial",
        "ignore_failure": true,
        "description": "Initial sever-journal deliniation"
      }
    },
    {
      "date": {
        "field": "timestamp",
        "formats": [
          "MMM dd HH:mm:ss",
          "MMM dd HH:m:s",
          "MMM  d HH:mm:ss",
          "MMM   d HH:mm:ss"
        ],
        "timezone": "America/New_York",
        "description": "Set @timestamp from timestamp"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "(?<process.title>fail2ban-server)\\: (?<event.action>Server ready)"
        ],
        "ignore_failure": true,
        "description": "Server Ready"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "(?<process.title>journal)\\: (?<event.module>fail2ban)\\.%{NOTSPACE:service.type} \\[%{INT:process.pid}\\]\\: %{NOTSPACE:log.level} %{GREEDYDATA:message}"
        ],
        "ignore_missing": true,
        "tag": "Event type delineation ",
        "ignore_failure": true,
        "description": "Event type delineation "
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "\\[(?<service.name>[^\\]]+)\\] (?<event.action>Restore Ban|Unban|Ban) %{IP:client.ip}",
          "\\s+(?<event.action>banTime\\: (?<event.duration>\\d+))"
        ],
        "if": "ctx.service?.type == 'actions'",
        "ignore_failure": true,
        "description": "Action Type"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "\\[(?<service.name>[^\\]]+)\\] (?<event.action>Found) %{IP:client.ip} - (?<event.date>\\d{4}-\\d{2}-\\d{2}) (?<event.time>\\d{2}\\:\\d{2}\\:\\d{2})",
          "(?<event.action>Added logfile)\\: \\'(?<log.origin.file.name>[^\\']+)\\' \\(pos \\= %{INT:log.origin.file.line}\\, hash = (?<event.hash>[^\\)]+)\\)",
          "\\s+(?<event.action>findtime\\: (?<event.duration>\\d+))",
          "\\s+(?<event.action>maxRetry\\: (?<event.duration>\\d+))",
          "\\s{3}(?<event.action>[^\\:]+\\:\\s{1}.*)"
        ],
        "if": "ctx.service?.type == 'filter'",
        "ignore_failure": true,
        "description": "Filter Type"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "(?<event.action>Creating new jail) \\'(?<service.name>[^\\']+)\\'",
          "(?<message>Jail \\'(?<service.name>[^\\']+)\\' uses poller \\{\\})",
          "(?<message>Initiated \\'polling\\' backend)",
          "(?<message>Jail \\'(?<service.name>[^\\']+)\\' started)"
        ],
        "if": "ctx.service?.type == 'jail'",
        "ignore_failure": true,
        "description": "Jail Type"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "(?<message>Connected to fail2ban persistent database) \\'(?<service.database>[^\\']+)\\'"
        ],
        "if": "ctx.service?.type == 'database'",
        "ignore_failure": true,
        "description": "Database Type"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "--------------------------------------------------",
          "(?<event.action>Starting Fail2ban v\\S+)"
        ],
        "if": "ctx.service?.type == 'server'",
        "ignore_failure": true,
        "description": "Server Type"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": [
          "(?<event.action>Observer start)..."
        ],
        "if": "ctx.service?.type == 'observer'",
        "ignore_failure": true,
        "description": "Observer Type"
      }
    },
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.geo",
        "ignore_failure": true,
        "description": "Geo Client IPs"
      }
    },
    {
      "set": {
        "field": "event.category",
        "value": "intrusion_detection",
        "ignore_failure": true,
        "description": "event.category: intrusion_detection"
      }
    },
    {
      "set": {
        "field": "event.outcome",
        "value": "failure",
        "ignore_failure": true,
        "description": "event.outcome: failure",
        "if": "ctx.event?.action == 'Restore Ban'"
      }
    }
  ]
 }
	PUT _ingest/pipeline/fail2ban-ecs
	{
	"processors": [
	{
	"grok": {
	"field": "message",
	"patterns": [
	"%{SYSLOGTIMESTAMP:timestamp} %{WORD:host.name} %{GREEDYDATA:message}"
	],
	"ignore_missing": true,
	"tag": "Initial",
	"ignore_failure": true,
	"description": "Initial sever-journal deliniation"
	}
	},
	{
	"date": {
	"field": "timestamp",
	"formats": [
	"MMM dd HH:mm:ss",
	"MMM dd HH:m:s",
	"MMM d HH:mm:ss",
	"MMM d HH:mm:ss"
	],
	"timezone": "America/New_York",
	"description": "Set @timestamp from timestamp"
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"(?<process.title>fail2ban-server)\\: (?<event.action>Server ready)"
	],
	"ignore_failure": true,
	"description": "Server Ready"
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"(?<process.title>journal)\\: (?<event.module>fail2ban)\\.%{NOTSPACE:service.type} \\[%{INT:process.pid}\\]\\: %{NOTSPACE:log.level} %{GREEDYDATA:message}"
	],
	"ignore_missing": true,
	"tag": "Event type delineation ",
	"ignore_failure": true,
	"description": "Event type delineation "
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"\\[(?<service.name>[^\\]]+)\\] (?<event.action>Restore Ban\|Unban\|Ban) %{IP:client.ip}",
	"\\s+(?<event.action>banTime\\: (?<event.duration>\\d+))"
	],
	"if": "ctx.service?.type == 'actions'",
	"ignore_failure": true,
	"description": "Action Type"
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"\\[(?<service.name>[^\\]]+)\\] (?<event.action>Found) %{IP:client.ip} - (?<event.date>\\d{4}-\\d{2}-\\d{2}) (?<event.time>\\d{2}\\:\\d{2}\\:\\d{2})",
	"(?<event.action>Added logfile)\\: \\'(?<log.origin.file.name>[^\\']+)\\' \\(pos \\= %{INT:log.origin.file.line}\\, hash = (?<event.hash>[^\\)]+)\\)",
	"\\s+(?<event.action>findtime\\: (?<event.duration>\\d+))",
	"\\s+(?<event.action>maxRetry\\: (?<event.duration>\\d+))",
	"\\s{3}(?<event.action>[^\\:]+\\:\\s{1}.*)"
	],
	"if": "ctx.service?.type == 'filter'",
	"ignore_failure": true,
	"description": "Filter Type"
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"(?<event.action>Creating new jail) \\'(?<service.name>[^\\']+)\\'",
	"(?<message>Jail \\'(?<service.name>[^\\']+)\\' uses poller \\{\\})",
	"(?<message>Initiated \\'polling\\' backend)",
	"(?<message>Jail \\'(?<service.name>[^\\']+)\\' started)"
	],
	"if": "ctx.service?.type == 'jail'",
	"ignore_failure": true,
	"description": "Jail Type"
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"(?<message>Connected to fail2ban persistent database) \\'(?<service.database>[^\\']+)\\'"
	],
	"if": "ctx.service?.type == 'database'",
	"ignore_failure": true,
	"description": "Database Type"
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"--------------------------------------------------",
	"(?<event.action>Starting Fail2ban v\\S+)"
	],
	"if": "ctx.service?.type == 'server'",
	"ignore_failure": true,
	"description": "Server Type"
	}
	},
	{
	"grok": {
	"field": "message",
	"patterns": [
	"(?<event.action>Observer start)..."
	],
	"if": "ctx.service?.type == 'observer'",
	"ignore_failure": true,
	"description": "Observer Type"
	}
	},
	{
	"geoip": {
	"field": "client.ip",
	"target_field": "client.geo",
	"ignore_failure": true,
	"description": "Geo Client IPs"
	}
	},
	{
	"set": {
	"field": "event.category",
	"value": "intrusion_detection",
	"ignore_failure": true,
	"description": "event.category: intrusion_detection"
	}
	},
	{
	"set": {
	"field": "event.outcome",
	"value": "failure",
	"ignore_failure": true,
	"description": "event.outcome: failure",
	"if": "ctx.event?.action == 'Restore Ban'"
	}
	}
	]
	}