...

Code Block: /etc/logstash/conf.d/dhcp-pipeline.conf
# Logstash pipeline for DHCP logs. Events arrive from another pipeline via the
# pipeline-to-pipeline input (address "dhcplogs"), the client IP and MAC are
# extracted from the DHCPACK line and replaced in place by keyed SHA-512
# fingerprints, and the result is printed to stdout for testing.
input {
    # Receives events that the upstream pipeline sends to the virtual address "dhcplogs".
    pipeline { address => dhcplogs }
}

filter {
    # Pull "ip" and "mac" out of the raw message; "%{}" skips the surrounding text.
    dissect {
        mapping => {
            "message" => "%{} DHCPACK on %{ip} to %{mac} %{}"
        }

        # Drop the raw message and metadata once the fields of interest are extracted,
        # so the original (unhashed) line does not travel further down the pipeline.
        remove_field => [
            "logtype",
            "message",
            "@version"
        ]
    }

    # Housekeeping: strip the tag the Beats input attaches to every event.
    if "beats_input_codec_plain_applied" in [tags] {
        mutate { remove_tag => ["beats_input_codec_plain_applied"] }
    }

    # Pseudonymise the IP in place with a keyed (HMAC) SHA-512 fingerprint. The key is
    # resolved from "${cipher_key}" (Logstash keystore or environment variable), so it
    # never sits in this file. Keeping that key secret is what makes the pseudonym
    # non-reversible: the IPv4 address space is small enough that an unkeyed hash
    # could simply be looked up.
    fingerprint {
        key => "${cipher_key}"
        method => "SHA512"
        source => "ip"
        target => "ip"
    }

    # Same keyed fingerprint for the MAC address, again overwriting the field.
    # NOTE(review): the sample output further down this page shows each hashed field
    # as 256 hex characters, i.e. the 128-character SHA-512 hex digest appearing twice
    # back to back — worth confirming why the value is doubled before anything
    # downstream relies on its length or format.
    fingerprint {
        key => "${cipher_key}"
        method => "SHA512"
        source => "mac"
        target => "mac"
    }
}

output {

    # Test-only output: print each event in Ruby debug form to the console.
    stdout { codec => rubydebug }
}

...

Code Block
{
"Called-Station-Id" => "CC-2D-E0-9A-EB-A3:eduroam",
"Acct-Status-Type" => "Start",
"NAS-IP-Address" => "162.13.218.132",
"@timestamp" => 2019-12-10T17:35:38.054Z,
"Calling-Station-Id" =>
 "UFWjPNUDSNkBYirsfcaZlkPrY0UOddLORId8boq59FTAhE3fM8xyV2uShOIf5y8W",
"Timestamp" => "1552029365",
"geoip" => {
"country_code3" => "GB",
"ip" => "162.13.218.132",
"timezone" => "Europe/London",
"country_code2" => "GB",
"continent_code" => "EU",
"latitude" => 51.4964,
"country_name" => "United Kingdom",
"location" => {
"lat" => 51.4964,
"lon" => -0.1224
},
"longitude" => -0.1224
},
"tags" => []
}

...

The terminal on wifimon-logstash.rash.al should show something like:

Code Block
{
"mac" =>
 "8db8b992e5a9686e0113b1f885ff485e274d3824847a11c6a371ad873eea2959198199068472f84dc8
9a9489380b6cd8ff02cb97c32dfb849c43a8ed86898b768db8b992e5a9686e0113b1f885ff485e274d3824847a11c6a371ad873eea2959198199068472f84dc89a9489380b6cd8ff02cb97c32dfb849c43a8ed86898b76",
"@timestamp" => 2020-06-28T09:46:36.638Z,
"tags" => [],
"ip" =>
 "a5b40b78fb8b1062ba2464f2d5d15e05bde353beae313d67a6caabf7d219f7905377f706b13f5bc863
20e6784b97bcad25a90d120bb64137d605a67313b2c415a5b40b78fb8b1062ba2464f2d5d15e05bde353beae313d67a6caabf7d219f7905377f706b13f5bc86320e6784b97bcad25a90d120bb64137d605a67313b2c415"
 }

The outputs verify that the tests were successful: the fields of interest are populated with their values, some of them hashed. The Filebeat → Logstash traffic was sent over SSL/TLS.

...

Code Block
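# Create the Elasticsearch role that Logstash will write with.
# --cacert pins the cluster CA so the TLS connection to the node is verified;
# --user without a password makes curl prompt for it instead of leaving it in
# shell history. The example authenticates as the built-in "elastic" superuser;
# any user holding the manage_security cluster privilege can create roles.
# The request body must be strict JSON: straight ASCII double quotes only —
# typographic quotes (“ ”) are rejected by the API with a parse error.
curl -X POST --cacert /etc/elasticsearch/certs/ca.crt --user elastic \
'https://wifimon-kibana.rash.al:9200/_security/role/logstash_writer_role?pretty' \
-H 'Content-Type: application/json' -d'
{
  "cluster": [
    "monitor",
    "manage_index_templates"
  ],
  "indices": [
    {
      "names": [
        "radiuslogs",
        "dhcplogs"
      ],
      "privileges": [
        "write",
        "create_index"
      ],
      "field_security": {
        "grant": [
          "*"
        ]
      }
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
'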

To create the user logstash_user, replace some-password-goes-here and run:

...