[Filebeat] Module for Ubiquiti Firewall Logs #8781
Pinging @elastic/secops

@andrewkroh - plan on having a PR for this early Jan. Sorry for the delay!
adriansr added a commit to adriansr/beats that referenced this issue on Jan 28, 2019:
This adds a new x-pack module to parse iptables logs from a file. The module understands additional fields added by Ubiquiti firewalls.

Example iptables event:

```
"iptables": {
  "ether_type": 2048,
  "input_device": "eth0",
  "output_device": "wan1",
  "tcp": {
    "reserved_bits": 0,
    "flags": "ACK",
    "window": 128
  },
  "precedence_bits": 0,
  "length": 123,
  "tos": 0,
  "output_device": "lo",
  "id": 12345,
  "ttl": 255
},
```

For Ubiquiti logs, it parses the Ubiquiti tag before iptables logs. Format: RuleSet-RuleNumber-Action

It's a common pattern to format the RuleSet as "InputDevice-OutputDevice". Action can be A for allow and D for Deny. RuleNumber can be a number or "default".

For [source-dest-42-D]:

```
"iptables.ubiquiti.input_zone": "source",
"iptables.ubiquiti.output_zone": "dest",
"iptables.ubiquiti.rule_number": "42",
"iptables.ubiquiti.rule_set": "source-dest",
"event.outcome": "deny",
```

The following ECS fields are populated:

```
"destination.ip": "10.4.0.5",
"destination.mac": "90:10:20:76:8d:20",
"destination.port": 443,
"ecs.version": "1.0.0-beta2",
"event.dataset": "iptables.log",
"event.module": "iptables",
"event.outcome": "deny", (only when Ubiquiti extension found)
"fileset.name": "log",
"network.transport": "tcp",
"network.type": "ipv4",
"source.geo.city_name": "Bellaterra",
"source.geo.continent_name": "Europe",
"source.geo.country_iso_code": "ES",
"source.geo.location.lat": 41.5026,
"source.geo.location.lon": 2.0875,
"source.geo.region_iso_code": "ES-B",
"source.geo.region_name": "Barcelona",
"source.ip": "158.109.0.1",
"source.mac": "90:10:65:29:b6:2a",
"source.port": 38842
```

Closes elastic#8781

Co-Authored-by: James Spiteri <james.spiteri@elastic.co>
adriansr added a commit that referenced this issue on Jan 29, 2019:
(commit message identical to the one above, with "Closes #8781")
adriansr added a commit to adriansr/beats that referenced this issue on Jan 31, 2019:
(commit message identical to the one above; cherry picked from commit d7c14df)
adriansr added a commit that referenced this issue on Feb 4, 2019:
…10462) (commit message identical to the one above; cherry picked from commit d7c14df)
As a user I want to be able to ingest firewall logs from Ubiquiti network gear. Ubiquiti firewall logs are essentially Linux iptables log messages with a prefix that designates the source interface. In my experience the primary means of getting these logs is via syslog. Here are some samples (without the syslog header):

```
[wan-local-default-D]IN=eth0 OUT= MAC=05:10:d6:f0:81:b4:f8:e4:00:9a:f9:00:08:00 SRC=23.102.178.95 DST=192.168.1.4 LEN=1357 TOS=0x00 PREC=0x00 TTL=116 ID=18905 DF PROTO=TCP SPT=443 DPT=33785 WINDOW=514 RES=0x00 ACK PSH URGP=0
[wan-lan-3-A]IN=eth0 OUT=eth1 MAC=05:10:d6:f0:81:b4:f8:e4:fb:00:f9:00:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=3097 DF PROTO=TCP SPT=54488 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
```
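The following is an added example, not code from the Filebeat module or from anyone in this thread. It parses the line format shown in the issue samples above and applies the tag decoding that the commit message describes (RuleSet-RuleNumber-Action, rule set split into input and output zone, A/D mapped to event.outcome), so that the ubiquiti.* and ECS values the commit message lists can be checked against a real line. The `Event` struct, the function names and the handling of lines without a `[...]` tag are this example's own assumptions; the sample line embedded at the bottom is taken from the issue text.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event holds what this example extracts from one line. The comments name the
// iptables.* / ECS field the module description above maps each value to; the
// struct and function names are this example's own, not Filebeat's.
type Event struct {
	RuleSet, InputZone, OutputZone, RuleNumber string   // iptables.ubiquiti.*
	Outcome                                    string   // event.outcome: allow | deny
	InputDevice, OutputDevice                  string   // iptables.input_device / output_device
	SourceMAC, DestMAC                         string   // source.mac / destination.mac
	EtherType                                  int      // iptables.ether_type (0x0800 -> 2048)
	SourceIP, DestIP                           string   // source.ip / destination.ip
	Length, TOS, Prec, TTL, ID                 int      // iptables.length, tos, precedence_bits, ttl, id
	Transport                                  string   // network.transport (lower-cased PROTO)
	SourcePort, DestPort, Window               int      // source.port, destination.port, iptables.tcp.window
	TCPFlags                                   []string // iptables.tcp.flags, in the order logged
	DontFragment                               bool     // DF keyword present
}

var tcpFlagWords = map[string]bool{"SYN": true, "ACK": true, "FIN": true, "RST": true,
	"PSH": true, "URG": true, "ECE": true, "CWR": true}

// parseTag decodes the Ubiquiti prefix "RuleSet-RuleNumber-Action". Action and
// rule number are taken from the right so a rule set may itself contain '-';
// the rule set is then split on its first '-' into input/output zone, following
// the "InputDevice-OutputDevice" convention the commit message describes.
func parseTag(tag string, ev *Event) error {
	parts := strings.Split(tag, "-")
	if len(parts) < 3 {
		return fmt.Errorf("ubiquiti tag %q: want RuleSet-RuleNumber-Action", tag)
	}
	switch parts[len(parts)-1] {
	case "A":
		ev.Outcome = "allow"
	case "D":
		ev.Outcome = "deny"
	default:
		return fmt.Errorf("ubiquiti tag %q: unknown action", tag)
	}
	ev.RuleNumber = parts[len(parts)-2]
	ev.RuleSet = strings.Join(parts[:len(parts)-2], "-")
	if zones := strings.SplitN(ev.RuleSet, "-", 2); len(zones) == 2 {
		ev.InputZone, ev.OutputZone = zones[0], zones[1]
	}
	return nil
}

// parseMAC splits the 14-octet iptables MAC= value into destination MAC
// (first 6 octets), source MAC (next 6) and EtherType (last 2, big-endian).
func parseMAC(v string, ev *Event) error {
	o := strings.Split(v, ":")
	if len(o) != 14 {
		return fmt.Errorf("MAC=%q: want 14 octets", v)
	}
	ev.DestMAC, ev.SourceMAC = strings.Join(o[:6], ":"), strings.Join(o[6:12], ":")
	et, err := strconv.ParseInt(o[12]+o[13], 16, 32)
	if err != nil {
		return fmt.Errorf("MAC=%q: bad EtherType: %v", v, err)
	}
	ev.EtherType = int(et)
	return nil
}

// ParseLine parses one firewall log line with the syslog header already removed.
// The leading "[...]" tag is optional, so plain iptables lines parse as well.
func ParseLine(line string) (*Event, error) {
	ev := &Event{}
	line = strings.TrimSpace(line)
	if strings.HasPrefix(line, "[") {
		end := strings.IndexByte(line, ']')
		if end < 0 {
			return nil, fmt.Errorf("unterminated ubiquiti tag")
		}
		if err := parseTag(line[1:end], ev); err != nil {
			return nil, err
		}
		line = line[end+1:]
	}
	ints := map[string]*int{"LEN": &ev.Length, "TOS": &ev.TOS, "PREC": &ev.Prec, "TTL": &ev.TTL,
		"ID": &ev.ID, "SPT": &ev.SourcePort, "DPT": &ev.DestPort, "WINDOW": &ev.Window}
	strs := map[string]*string{"IN": &ev.InputDevice, "OUT": &ev.OutputDevice, "SRC": &ev.SourceIP, "DST": &ev.DestIP}
	for _, tok := range strings.Fields(line) {
		kv := strings.SplitN(tok, "=", 2)
		if len(kv) == 1 { // bare keywords: DF and the TCP flag names
			if tok == "DF" {
				ev.DontFragment = true
			} else if tcpFlagWords[tok] {
				ev.TCPFlags = append(ev.TCPFlags, tok)
			}
			continue
		}
		key, val := kv[0], kv[1] // "OUT=" yields an empty value for locally delivered packets
		switch {
		case key == "MAC":
			if err := parseMAC(val, ev); err != nil {
				return nil, err
			}
		case key == "PROTO":
			ev.Transport = strings.ToLower(val)
		case strs[key] != nil:
			*strs[key] = val
		case ints[key] != nil:
			base := 10
			if key == "TOS" || key == "PREC" { // logged as 0x-prefixed hex
				base = 0
			}
			n, err := strconv.ParseInt(val, base, 32)
			if err != nil {
				return nil, fmt.Errorf("%s=%q: %v", key, val, err)
			}
			*ints[key] = int(n)
		}
	}
	if ev.SourceIP == "" || ev.DestIP == "" {
		return nil, fmt.Errorf("not an iptables log line: missing SRC/DST")
	}
	return ev, nil
}

// Sample line copied from the issue above (syslog header stripped).
const sampleLine = "[wan-lan-3-A]IN=eth0 OUT=eth1 MAC=05:10:d6:f0:81:b4:f8:e4:fb:00:f9:00:08:00 SRC=1.2.3.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=3097 DF PROTO=TCP SPT=54488 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0"

func main() {
	ev, err := ParseLine(sampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *ev)
}
```

Two details worth checking when wiring this into a real pipeline: the MAC= field is not a single address but dst MAC, src MAC and EtherType concatenated, so a grok pattern that captures it as one string gets the ECS source.mac/destination.mac wrong; and OUT= is legitimately empty for packets delivered to the firewall itself (the "wan-local" sample), so the output device and output zone must be allowed to be absent rather than treated as a parse failure.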