时间戳

首页 > 技术文章 > ELK接收paloalto防火墙威胁日志并定位城市展示

ELK接收paloalto防火墙威胁日志并定位城市展示

obitoma 2021-05-28 10:24 原文

ELK接收paloalto防火墙威胁日志并定位城市展示

一、准备环境:

搭建好的ELK环境

palo alto防火墙(企业用的)

二、安装logstash并做好过滤

将palo alto日志打到一台centos的rsyslog上并用logstash监听514端口

这里用到了logstash的两个模块grok(分词)还有http(请求第三方api)

百度地图的api自行到官网申请https://lbsyun.baidu.com/apiconsole/key#/home

配置如下:

input{
    syslog{
    type => "syslog"
    port => 514
    }
}
filter {
    grok {
        match => ["message", "%{DATA:Domain}\,%{DATA:Receive-Time}\,%{DATA:Serial}\,%{DATA:Type}\,%{DATA:Threat-Type}\,%{DATA:Conf
ig-Version}\,%{DATA:Generate-Time}\,%{IP:Source-address}\,%{IP:Destination-address}\,%{DATA:NAT-Source-IP}\,%{DATA:NAT-Destination
-IP}\,%{DATA:Rule}\,%{DATA:Source-User}\,%{DATA:Destination-User}\,%{DATA:Application}\,%{DATA:Virtual-System}\,%{DATA:Source-Zone
}\,%{DATA:Destination-Zone}\,%{DATA:Inbound-Interface}\,%{DATA:Outbound-Interface}\,%{DATA:Log-Action}\,%{DATA:Time-Logged}\,%{DAT
A:Session-ID}\,%{DATA:Repeat-Count}\,%{DATA:Source-Port}\,%{DATA:Destination-Port}\,%{DATA:NAT-Source-Port}\,%{DATA:NAT-Destinatio
n-Port}\,%{DATA:Flags}\,%{DATA:IP-Protocol}\,%{DATA:Action}\,%{DATA:URL}\,%{DATA:Threat-Content-Name}\,%{DATA:Category}\,%{DATA:Se
verity}\,%{DATA:Direction}\,%{DATA:Sequence-Number}\,%{DATA:Action-Flags}\,%{DATA:Source-Country}\,%{DATA:Destination-Country}\,%{
DATA:cpadding}\,%{DATA:contenttype}\,%{DATA:pcap_id}\,%{DATA:filedigest}\,%{DATA:cloud}\,%{DATA:url_idx}\,%{DATA:user_agent}\,%{DA
TA:filetype}\,%{DATA:xff}\,%{DATA:referer}\,%{DATA:sender}\,%{DATA:subject}\,%{DATA:recipient}\,%{DATA:reportid}\,%{DATA:dg_hier_l
evel_1}\,%{DATA:dg_hier_level_2}\,%{DATA:dg_hier_level_3}\,%{DATA:dg_hier_level_4}\,%{DATA:Virtual-System-Name}\,%{DATA:Device-Nam
e}\,%{DATA:file_url}"] }
    http {
        body_format => "json"
        follow_redirects => false
        url => "http://api.map.baidu.com/location/ip?ak=我的AK&ip=%{Source-address}&coor=bd09ll"
        verb => "GET"
        headers => [ "Content-Type", "application/json" ]
        target_body => "address"
}
}
output {
    elasticsearch {
        hosts => "xxxx:9200"
        user => "elastic"
        password => "passwd"
        index => "pa-threat-%{+yyyy.MM.dd}"
        }
}

三、运行

这里建议自己选择合适的守护进程

使用systemctl start logstash可能会有问题,推荐supervisor守护进程
这边是我测试的使用nohup运行的,运行时一定要-f带上指定配置文件

 nohup /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/pa.conf >> /root/logstash-logs/logs 2>&1 &

四、结果

日志里就有请求的地址信息了,后面就可以自己做图表了

image-20210528102019981

五、注意点

更改logstash配置后fields会出现未知fields

根据下面步骤更新fields即可!

image-20210528102159936

image-20210528102210791

image-20210528102228227

推荐阅读