diff --git a/Dockerfile b/Dockerfile
index e783354..2992298 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM debian:latest
 MAINTAINER Kameron Kenny
-LABEL version="20240619.1.1"
+LABEL version="20240619.1.2"
 LABEL description="Debian Based syslog-ng"
 RUN apt-get update
diff --git a/config/syslog-ng.conf.d/0-service.conf.template b/config/syslog-ng.conf.d/0-service.conf.template
new file mode 100644
index 0000000..f86a4d2
--- /dev/null
+++ b/config/syslog-ng.conf.d/0-service.conf.template
@@ -0,0 +1,72 @@
+filter f_unifi_suricata { match("suricata" value("PROGRAM")); };
+filter f_unifi_fw_lan { match("LAN_" value("PID")); };
+filter f_unifi_stahtd { message("stahtd"); };
+
+parser p_kv { kv-parser(prefix("kv.")); };
+
+parser p_suricata_json { json-parser(prefix("suricata.")); };
+
+parser p_fw_src_ip_geoip2_city {
+ geoip2(
+ "${kv.SRC}",
+ prefix( "geoip2.source." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+destination d_unifi_fw { file("/var/log/unifi_fw.log"); };
+
+destination d_unifi_suricata {
+ elasticsearch-http(
+ index("unifi-suricata")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_suricata")
+ );
+};
+
+destination d_unifi_wlan {
+ elasticsearch-http(
+ index("unifi-wlan")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_unifi_wlan")
+ );
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_suricata);
+ parser(p_suricata_json);
+ parser(p_suricata_src_ip_geoip2_city);
+ parser(p_suricata_dest_ip_geoip2_city);
+ destination(d_unifi_suricata);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_bash_history);
+ destination(d_unifi_bash_history);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_unifi_fw_lan);
+ parser(p_kv);
+ parser(p_fw_src_ip_geoip2_city);
+ parser(p_fw_dst_ip_geoip2_city);
+ destination(d_unifi_firewall);
+ flags(final);
+};
diff --git a/config/syslog-ng.conf.d/bind-dns.conf b/config/syslog-ng.conf.d/bind-dns.conf
new file mode 100644
index 0000000..b261e15
--- /dev/null
+++ b/config/syslog-ng.conf.d/bind-dns.conf
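Review bot: Both elasticsearch-http destinations (`d_unifi_suricata` and `d_unifi_wlan`) embed a live credential, `user("elastic") password("forty6and2")`, and post it over plain `http://` to `pi501.in.thelinuxpro.net:9200/_bulk`, so the password is now in git history and crosses the network in cleartext on every bulk flush. The `.template` suffix does not help here because nothing in the hunk marks the password as a placeholder; I would pull it from the environment with syslog-ng's backtick substitution, e.g. `` user("`ES_USER`") password("`ES_PASSWORD`") ``, move the url to `https://` (adding a `tls(...)` block if the cluster uses a private CA), and rotate the password that has already been exposed. Separately, the three log paths reference `p_suricata_src_ip_geoip2_city`, `p_suricata_dest_ip_geoip2_city`, `f_unifi_bash_history`, `d_unifi_bash_history`, `p_fw_dst_ip_geoip2_city` and `d_unifi_firewall`, none of which this file defines, while `d_unifi_fw` is defined and never used; unless another conf.d file supplies them, syslog-ng will reject the configuration at startup. `s_network_udp` is likewise undefined here and presumably comes from elsewhere.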
@@ -0,0 +1,47 @@
+filter f_bind9_primary { message("bind9-primary"); };
+filter f_bind9_secondary { message("bind9-secondary"); };
+
+parser p_bind_kv {
+ kv-parser(
+ prefix("bind9.")
+ value-separator(":")
+ );
+};
+
+parser p_bind_client_ip_geoip2_city {
+ geoip2(
+ "${kv.SRC}",
+ prefix( "geoip2.source." )
+ database( "/config/GeoIP/GeoLite2-City.mmdb" )
+ );
+};
+
+destination d_bind_logs {
+ elasticsearch-http(
+ index("bind9-logs")
+ type("")
+ user("elastic")
+ password("forty6and2")
+ url("http://pi501.in.thelinuxpro.net:9200/_bulk")
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs
+ --rekey .* --shift 1 --scope nv-pairs
+ --exclude DATE @timestamp=${ISODATE})")
+ persist-name("d_bind_logs")
+ );
+};
+
+log {
+ source(s_network_udp);
+ filter(f_bind9_primary);
+ parser(p_bind_kv);
+ destination(d_bind_logs);
+ flags(final);
+};
+
+log {
+ source(s_network_udp);
+ filter(f_bind9_secondary);
+ parser(p_bind_kv);
+ destination(d_bind_logs);
+ flags(final);
+};
diff --git a/docker-compose.yml b/docker-compose.yml
index 2bf87f3..c5f27b5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
 syslog-ng:
 build:
 dockerfile: Dockerfile
- image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240619.1.1
+ image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240619.1.2
 container_name: syslog-ng
 #environment:
 #- TZ:America/Indianapolis
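Review bot: `p_bind_client_ip_geoip2_city` looks up `"${kv.SRC}"`, but the only parser in this file, `p_bind_kv`, stores its pairs under the `bind9.` prefix, so that macro will be empty unless some other parser populates it; neither log path calls the geoip2 parser today so it is dead, but it should reference `"${bind9.SRC}"` (or whichever key the bind9 message actually carries) before it is wired in. `d_bind_logs` repeats the plaintext `user("elastic") password("forty6and2")` over `http://` seen in the other new file, so the same fix applies: take the credential from the environment with `` password("`ES_PASSWORD`") `` and post to an `https://` url, then rotate the committed password. `s_network_udp` is used but not defined here; presumably it lives in another conf.d file.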