...
```
input {
  pipeline { address => dhcplogs }
}

filter {
  dissect {
    mapping => { "message" => "%{} DHCPACK on %{ip} to %{mac} %{}" }
    remove_field => [ "logtype", "message", "@version" ]
  }

  if "beats_input_codec_plain_applied" in [tags] {
    mutate { remove_tag => ["beats_input_codec_plain_applied"] }
  }

  fingerprint {
    key    => "${cipher_key}"
    method => "SHA512"
    source => "ip"
    target => "ip"
  }

  fingerprint {
    key    => "${cipher_key}"
    method => "SHA512"
    source => "mac"
    target => "mac"
  }
}

output {
  stdout { codec => rubydebug }
}
```
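As an added illustration (not part of the WiFiMon documentation), this Ruby script mirrors what the pipeline above does to a single DHCPACK line: the dissect extraction of `ip` and `mac`, followed by the keyed SHA512 fingerprint. The log line and the key value are constructed for the example; `${cipher_key}` in the real config is read from the Logstash keystore.

```ruby
require 'openssl'

# Constructed sample line in ISC dhcpd syslog format (not taken from the page).
SAMPLE_LINE = "Jun 28 09:46:36 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.25 to aa:bb:cc:dd:ee:ff (laptop-01) via eth0"

# Hypothetical stand-in for the ${cipher_key} keystore entry.
CIPHER_KEY = "example-cipher-key"

# Regex equivalent of the dissect mapping "%{} DHCPACK on %{ip} to %{mac} %{}":
# the leading %{} swallows everything up to the first " DHCPACK on ", each
# named field runs to the next space, the trailing %{} swallows the rest.
DHCPACK_RE = /\A.*? DHCPACK on (?<ip>\S+) to (?<mac>\S+) .*\z/

def dissect_dhcpack(line)
  m = DHCPACK_RE.match(line)
  m ? { "ip" => m[:ip], "mac" => m[:mac] } : nil
end

# fingerprint { method => "SHA512" key => ... } with a key set computes a hex
# HMAC-SHA512: equal inputs give equal pseudonyms, so sessions can still be
# correlated in the stored logs, but without the key nobody can rebuild the
# hash from a guessed IP or MAC. Without a key the plugin would use plain
# SHA512, which is trivially recomputable over the small IP/MAC space.
def fingerprint_sha512(value, key)
  OpenSSL::HMAC.hexdigest("SHA512", key, value)
end

# Apply dissect plus both fingerprint filters to one line, returning the two
# fields as the pipeline's rubydebug output would carry them.
def pseudonymise_dhcpack(line, key = CIPHER_KEY)
  fields = dissect_dhcpack(line)
  return nil unless fields
  fields.transform_values { |v| fingerprint_sha512(v, key) }
end

if __FILE__ == $PROGRAM_NAME
  event = pseudonymise_dhcpack(SAMPLE_LINE)
  puts "ip  => #{event['ip']}"
  puts "mac => #{event['mac']}"
end
```

Running the same line through the real pipeline with the same key should yield identical 128-character hex values, which is a quick way to check that the keystore entry Logstash resolved is the one you expect.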
...
```
{
    "Called-Station-Id" => "CC-2D-E0-9A-EB-A3:eduroam",
     "Acct-Status-Type" => "Start",
       "NAS-IP-Address" => "162.13.218.132",
           "@timestamp" => 2019-12-10T17:35:38.054Z,
   "Calling-Station-Id" => "UFWjPNUDSNkBYirsfcaZlkPrY0UOddLORId8boq59FTAhE3fM8xyV2uShOIf5y8W",
            "Timestamp" => "1552029365",
                "geoip" => {
        "country_code3" => "GB",
                   "ip" => "162.13.218.132",
             "timezone" => "Europe/London",
        "country_code2" => "GB",
       "continent_code" => "EU",
             "latitude" => 51.4964,
         "country_name" => "United Kingdom",
             "location" => {
            "lat" => 51.4964,
            "lon" => -0.1224
        },
            "longitude" => -0.1224
    },
                 "tags" => []
}
```
...
The wifimon-logstash.rash.al terminal should show something like:
```
{
           "mac" => "8db8b992e5a9686e0113b1f885ff485e274d3824847a11c6a371ad873eea2959198199068472f84dc8 9a9489380b6cd8ff02cb97c32dfb849c43a8ed86898b768db8b992e5a9686e0113b1f885ff485e274d3824847a11c6a371ad873eea2959198199068472f84dc89a9489380b6cd8ff02cb97c32dfb849c43a8ed86898b76",
    "@timestamp" => 2020-06-28T09:46:36.638Z,
          "tags" => [],
            "ip" => "a5b40b78fb8b1062ba2464f2d5d15e05bde353beae313d67a6caabf7d219f7905377f706b13f5bc863 20e6784b97bcad25a90d120bb64137d605a67313b2c415a5b40b78fb8b1062ba2464f2d5d15e05bde353beae313d67a6caabf7d219f7905377f706b13f5bc86320e6784b97bcad25a90d120bb64137d605a67313b2c415"
}
```
The outputs confirm that the tests were successful: the fields of interest are populated with their values, and some of them are hashed. The Filebeat → Logstash traffic was sent over SSL/TLS.
...
```bash
curl -X POST --cacert /etc/elasticsearch/certs/ca.crt --user elastic \
  'https://wifimon-kibana.rash.al:9200/_security/role/logstash_writer_role?pretty' \
  -H 'Content-Type: application/json' -d'
{
  "cluster": [ "monitor", "manage_index_templates" ],
  "indices": [
    {
      "names": [ "radiuslogs", "dhcplogs" ],
      "privileges": [ "write", "create_index" ],
      "field_security": { "grant": [ "*" ] }
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": { "enabled": true }
}
'
```
To create the user logstash_user, replace some-password-goes-here with a password of your choice and run:
...