| local cjson = require "cjson" | |
| -- local dt = require "date_time" | |
| -- { | |
| -- "timestamp": "2009-11-24T21:27:09.534255", | |
| -- "event_type": "alert", | |
| -- "src_ip": "192.168.2.7", | |
| -- "src_port": 1041, | |
| -- "dest_ip": "x.x.250.50", | |
| -- "dest_port": 80, |
| local cjson = require "cjson" | |
| -- local dt = require "date_time" | |
| -- { | |
| -- "timestamp": "2009-11-24T21:27:09.534255", | |
| -- "event_type": "alert", | |
| -- "src_ip": "192.168.2.7", | |
| -- "src_port": 1041, | |
| -- "dest_ip": "x.x.250.50", | |
| -- "dest_port": 80, |
I needed a syslog server and had been reading about ELK for the past few months. I finally decided to throw together a basic implementation in my home lab. I've recorded my notes for this process in this document & dumped the notes online at the following locations:
The implementation I built is super basic, it's just in my lab for dev purposes atm - so I didn't finish securing or building the integrations - just needed it to visualize some syslog data ATM.
| module DNSLongQuery; | |
| export { | |
| redef enum Notice::Type += { | |
| DNS_LongQuery, | |
| }; | |
| const blacklist_dns_qtypes: set[string] = { "TSIG", "IXFR", "TXT", "NSEC", "AXFR", "TKEY", "SIG", "EDNS", "KEY", "DNSKEY", "SOA", "SPF", "RRSIG" }; | |
| } | |
| event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) |
| import os | |
| import sys | |
| import ConfigParser | |
| configfile = './example.conf' | |
| try: | |
| if os.path.exists(configfile): | |
| Config = ConfigParser.ConfigParser() | |
| Config.read(configfile) |
| @load base/protocols/ssl | |
| module SSL; | |
| export { | |
| redef record SSL::Info += { | |
| client_ciphers: index_vec &log &optional; | |
| client_curves: index_vec &log &optional; | |
| extensions: index_vec &log &optional; | |
| point_formats: index_vec &log &optional; |
| TMP_ROOT=~/tmp/dest | |
| rm -rf ~/bro 2>&1 > /dev/null | |
| rm -rf "${TMP_ROOT}" 2>&1 > /dev/null | |
| mkdir -p "${TMP_ROOT}" 2>&1 > /dev/null | |
| git clone --recursive https://github.com/bro/bro.git ~/bro | |
| git checkout remotes/origin/topic/seth/remove-flarecd ~/bro && ./configure --prefix=/opt/bro --disable-broker --with-pcap=/opt/snf || exit 1 | |
| make install DESTDIR=~/tmp/dest || exit 1 | |
| cd ~/ |
| Build and install your kernel with netmap support | |
| FreeBSD nsm1 10.2-RELEASE-p12 FreeBSD 10.2-RELEASE-p12 #1: Sat Feb 6 11:12:43 UTC 2016 michal@nsm1:/usr/obj/usr/src/sys/NETMAP amd64 | |
| cat interfaces_setup.sh | |
| ifconfig em0 -arp promisc -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -tso4 -tso6 -lro -vlanmtu -vlanhwtag -vlanhwfilter -vlanhwtso | |
| ifconfig em1 -arp promisc -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -tso4 -tso6 -lro -vlanmtu -vlanhwtag -vlanhwfilter -vlanhwtso | |
| ifconfig em0 mtu 1524 up | |
| ifconfig em1 mtu 1524 up |
| . ./common.sh | |
| BOOST_VER=1_60_0 | |
| BOOT_URL=http://downloads.sourceforge.net/project/boost/boost/1.60.0/boost_"${BOOST_VER}".tar.gz | |
| rm -rf "${SRC_ROOT}"/boost_"${BOOST_VER}" 2>&1 > /dev/null | |
| rm -rf "${SRC_ROOT}"/boost_"${BOOST_VER}".tar.gz 2>&1 > /dev/null | |
| wget http://downloads.sourceforge.net/project/boost/boost/1.60.0/boost_"${BOOST_VER}".tar.gz -O "${SRC_ROOT}"/boost_"${BOOST_VER}".tar.gz || exit 1 | |
| tar zxvf "${SRC_ROOT}"/boost_"${BOOST_VER}".tar.gz -C "${SRC_ROOT}" || exit 1 |
| #!/bin/bash | |
| CPU_NUM=`cat /proc/cpuinfo | grep -E 'model name' | wc -l` | |
| if [[ "${CPU_NUM}" -eq 32 ]]; then | |
| export SNF_NUM_RINGS=26 | |
| elif [[ "${CPU_NUM}" -eq 56 ]]; then | |
| export SNF_NUM_RINGS=32 | |
| else | |
| exit 1; |
