├── 01-f5-input.conf ├── 20-f5-filter.conf ├── 40-f5-output.conf ├── README.md ├── f5-template.json ├── kibana-export.json └── license.txt
/01-f5-input.conf:
--------------------------------------------------------------------------------
# Listeners for log traffic sent by the F5 devices. Both listen on port 1026
# and, with no `host` option set, bind on every interface; pin them with
# `host => "<listener-ip>"` and/or a host firewall so that only the F5s can
# reach these ports, since any sender that reaches them can inject events.
# UDP senders are not authenticated and their source address is spoofable.
# No codec is configured, so each datagram / TCP line lands unparsed in the
# `message` field and is handled by 20-f5-filter.conf.
input {
  # Presumably F5 High-Speed Logging (HSL) over UDP; events get type "hsl".
  udp {
    port => 1026
    type => 'hsl'
  }
  # Syslog-style logging over TCP; events get type "syslog".
  tcp {
    port => 1026
    type => 'syslog'
  }
}

--------------------------------------------------------------------------------
/20-f5-filter.conf:
--------------------------------------------------------------------------------
# Parse the comma-separated key=value payload F5 emits. kv reads `message`
# by default and splits pairs on ",", so every key in the log line becomes a
# top-level event field. This filter does not branch on `[type]`, so it runs
# on both the "hsl" and the "syslog" events from 01-f5-input.conf.
# Field values (URLs, user agents, ...) originate from client requests, so
# an unexpected "," or "=" inside a value yields extra, unplanned field names
# in the index; consider `include_keys` to whitelist the expected keys, or
# `target` to namespace them, to keep the Elasticsearch mapping bounded.
filter {
  kv {
    field_split => ","
    # Strip surrounding double quotes from each value. NOTE(review): newer
    # releases of the kv plugin renamed `trim` to `trim_value` — check the
    # installed plugin version.
    trim => "\""
  }
  # Only enrich events that carried a ClientIP. This tests presence, not
  # validity: a non-IP value would still reach geoip and would then hit the
  # `ip`-typed ClientIP mapping in f5-template.json.
  if ([ClientIP]) {
    # Adds the `geoip` object (location, lat/lon, ...) that the template
    # and the "Client Geo" Kibana map rely on.
    geoip {
      source => "ClientIP"
    }
  }
}

--------------------------------------------------------------------------------
/40-f5-output.conf:
--------------------------------------------------------------------------------
# Ship events to Elasticsearch and install the F5 index template.
# "x.x.x.x:9200" is a placeholder to be replaced with the real host. As
# written the connection is plain HTTP without credentials; set `ssl => true`
# and `user`/`password` (or front ES with a TLS proxy) whenever the
# Elasticsearch endpoint is reachable from a network you do not fully trust.
output {
  elasticsearch {
    hosts => ["x.x.x.x:9200"]
    # Mapping template shipped with this repo; the README documents where
    # it is expected to live on the Logstash host.
    template => "/etc/logstash/templates/f5-template.json"
    template_name => "f5-template"
    # Re-push the template on every Logstash start, replacing any existing
    # template of the same name in the cluster.
    template_overwrite => true
  }
}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # f5-elk 2 | ### Logstash Configs and Kibana Dashboards for F5 LTM & ASM 3 | 4 | Logstash input, filter, output, and mapping template used to store F5 LTM and ASM logs. Presented at the Kansas City F5 User Group.
5 | 6 | https://johntuckner.me/2017/02/20/elk-integrating-f5-ltm-and-asm/ 7 | 8 | ##### Logstash Directory Structure: 9 | 10 | ``` 11 | /etc/logstash 12 | ├── /conf.d # Logstash conf directory 13 | │ ├── 01-f5-input.conf # Input configurations 14 | │ ├── 20-f5-filter.conf # Filter configurations 15 | │ └── 40-f5-output.conf # Output configurations 16 | └── /templates # Logstash templates for Elasticsearch 17 | └── f5-template.json # Template used for F5 mappings 18 | ``` 19 | 20 | ##### Kibana Dashboards and Visualizations: 21 | 22 | Import the kibana-export.json file into your Kibana instance: 23 | 24 | `Management -> Saved Objects -> Dashboards -> Import` 25 | -------------------------------------------------------------------------------- /f5-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "template": "logstash-*", 3 | "settings": { 4 | "index.refresh_interval": "5s" 5 | }, 6 | "mappings": { 7 | "_default_": { 8 | "_all": { 9 | "enabled": true, 10 | "omit_norms": true 11 | }, 12 | "dynamic_templates": [{ 13 | "message_field": { 14 | "match": "message", 15 | "match_mapping_type": "string", 16 | "mapping": { 17 | "type": "string", 18 | "index": "analyzed", 19 | "omit_norms": true, 20 | "fielddata": { 21 | "format": "disabled" 22 | } 23 | } 24 | } 25 | }, { 26 | "string_fields": { 27 | "match": "*", 28 | "match_mapping_type": "string", 29 | "mapping": { 30 | "type": "string", 31 | "index": "analyzed", 32 | "omit_norms": true, 33 | "fielddata": { 34 | "format": "disabled" 35 | }, 36 | "fields": { 37 | "raw": { 38 | "type": "string", 39 | "index": "not_analyzed", 40 | "ignore_above": 256 41 | } 42 | } 43 | } 44 | } 45 | } 46 | ], 47 | "properties": { 48 | "@timestamp": { 49 | "type": "date" 50 | }, 51 | "@version": { 52 | "type": "string", 53 | "index": "not_analyzed" 54 | }, 55 | "geoip": { 56 | "dynamic": true, 57 | "properties": { 58 | "ip": { 59 | "type": "ip" 60 | }, 61 | "location": { 62 | "type": 
"geo_point" 63 | }, 64 | "latitude": { 65 | "type": "float" 66 | }, 67 | "longitude": { 68 | "type": "float" 69 | } 70 | } 71 | }, 72 | "HitCount": { 73 | "type": "long", 74 | "index": "not_analyzed" 75 | }, 76 | "ServerLatencyMax": { 77 | "type": "long", 78 | "index": "not_analyzed" 79 | }, 80 | "ServerLatencyTotal": { 81 | "type": "long", 82 | "index": "not_analyzed" 83 | }, 84 | "ServerLatency": { 85 | "type": "long", 86 | "index": "not_analyzed" 87 | }, 88 | "RequestSize": { 89 | "type": "long", 90 | "index": "not_analyzed" 91 | }, 92 | "ResponseSize": { 93 | "type": "long", 94 | "index": "not_analyzed" 95 | }, 96 | "ClientPort": { 97 | "type": "long", 98 | "index": "not_analyzed" 99 | }, 100 | "ClientIP": { 101 | "type": "ip", 102 | "index": "not_analyzed" 103 | } 104 | } 105 | } 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /kibana-export.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "067a9110-ea83-11e6-ac95-3180bfac707d", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "LTM Dashboard", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": 
"[{\"col\":8,\"id\":\"f4de5b80-ea82-11e6-ac95-3180bfac707d\",\"panelIndex\":1,\"row\":1,\"size_x\":5,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"2241c900-ea87-11e6-ac95-3180bfac707d\",\"panelIndex\":2,\"row\":14,\"size_x\":8,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"6e22f860-ecff-11e6-b656-4f755662d06e\",\"panelIndex\":3,\"row\":5,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"3dfbb320-ecff-11e6-b656-4f755662d06e\",\"panelIndex\":4,\"row\":5,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":11,\"id\":\"f40f98d0-ecfe-11e6-b943-156675487da4\",\"panelIndex\":5,\"row\":9,\"size_x\":2,\"size_y\":2,\"type\":\"visualization\"},{\"col\":5,\"id\":\"406bcbf0-ed03-11e6-8ec9-13ff70145b5e\",\"panelIndex\":6,\"row\":5,\"size_x\":4,\"size_y\":4,\"type\":\"visualization\"},{\"col\":9,\"id\":\"68dabfb0-ed03-11e6-8ec9-13ff70145b5e\",\"panelIndex\":7,\"row\":9,\"size_x\":2,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"110031e0-f801-11e6-9423-5deed3ff2b0f\",\"panelIndex\":8,\"row\":1,\"size_x\":7,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"9e250c70-f802-11e6-9423-5deed3ff2b0f\",\"panelIndex\":9,\"row\":9,\"size_x\":8,\"size_y\":5,\"type\":\"visualization\"}]", 10 | "optionsJSON": "{\"darkTheme\":false}", 11 | "uiStateJSON": "{\"P-1\":{\"vis\":{\"legendOpen\":true}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-4\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-8\":{\"mapCenter\":[52.482780222078226,-161.54296875]}}", 12 | "version": 1, 13 | "timeRestore": false, 14 | "kibanaSavedObjectMeta": { 15 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 16 | } 17 | } 18 | }, 19 | { 20 | "_id": "afd47f70-f850-11e6-8698-21d7387da0a7", 21 | "_type": "dashboard", 22 | 
"_source": { 23 | "title": "ASM Dashboard", 24 | "hits": 0, 25 | "description": "", 26 | "panelsJSON": "[{\"col\":1,\"id\":\"110031e0-f801-11e6-9423-5deed3ff2b0f\",\"panelIndex\":1,\"row\":1,\"size_x\":9,\"size_y\":4,\"type\":\"visualization\"},{\"size_x\":3,\"size_y\":4,\"panelIndex\":2,\"type\":\"visualization\",\"id\":\"88d725a0-f867-11e6-9d3c-996cef895d77\",\"col\":10,\"row\":1},{\"size_x\":11,\"size_y\":2,\"panelIndex\":3,\"type\":\"visualization\",\"id\":\"4eb8d7c0-f88e-11e6-95fd-65efa0e6b33d\",\"col\":1,\"row\":5},{\"size_x\":3,\"size_y\":3,\"panelIndex\":4,\"type\":\"visualization\",\"id\":\"5908cea0-f88f-11e6-95fd-65efa0e6b33d\",\"col\":4,\"row\":7},{\"size_x\":3,\"size_y\":3,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"9a054ff0-f88f-11e6-95fd-65efa0e6b33d\",\"col\":7,\"row\":7},{\"size_x\":3,\"size_y\":4,\"panelIndex\":6,\"type\":\"visualization\",\"id\":\"37ebfb10-f890-11e6-95fd-65efa0e6b33d\",\"col\":10,\"row\":7},{\"size_x\":3,\"size_y\":3,\"panelIndex\":7,\"type\":\"visualization\",\"id\":\"e78eee40-f88d-11e6-95fd-65efa0e6b33d\",\"col\":1,\"row\":7}]", 27 | "optionsJSON": "{\"darkTheme\":false}", 28 | "uiStateJSON": "{\"P-1\":{\"mapCenter\":[36.61376396163659,-106.875],\"mapZoom\":3},\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}},\"P-4\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", 29 | "version": 1, 30 | "timeRestore": false, 31 | "kibanaSavedObjectMeta": { 32 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 33 | } 34 | } 35 | }, 36 | { 37 | "_id": "6826ce70-ed02-11e6-8ec9-13ff70145b5e", 38 | "_type": "visualization", 39 | "_source": { 40 | "title": "Server 
Latency", 41 | "visState": "{\"title\":\"Server Latency\",\"type\":\"line\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":true,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"ServerLatency\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", 42 | "uiStateJSON": "{}", 43 | "description": "", 44 | "version": 1, 45 | "kibanaSavedObjectMeta": { 46 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 47 | } 48 | } 49 | }, 50 | { 51 | "_id": "6e22f860-ecff-11e6-b656-4f755662d06e", 52 | "_type": "visualization", 53 | "_source": { 54 | "title": "Top URI", 55 | "visState": "{\"title\":\"Top URI\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"URLString.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 56 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 57 | "description": "", 58 | "version": 1, 59 | "kibanaSavedObjectMeta": { 60 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 61 | } 62 | } 63 | }, 64 | { 65 | "_id": 
"3dfbb320-ecff-11e6-b656-4f755662d06e", 66 | "_type": "visualization", 67 | "_source": { 68 | "title": "Client IP", 69 | "visState": "{\"title\":\"Client IP\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ClientIP\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 70 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 71 | "description": "", 72 | "version": 1, 73 | "kibanaSavedObjectMeta": { 74 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 75 | } 76 | } 77 | }, 78 | { 79 | "_id": "2241c900-ea87-11e6-ac95-3180bfac707d", 80 | "_type": "visualization", 81 | "_source": { 82 | "title": "Response Codes", 83 | "visState": "{\"title\":\"Response Codes\",\"type\":\"histogram\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ResponseCode.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 84 | "uiStateJSON": "{}", 85 | "description": "", 86 | "version": 1, 87 | "kibanaSavedObjectMeta": { 88 | 
"searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 89 | } 90 | } 91 | }, 92 | { 93 | "_id": "f4de5b80-ea82-11e6-ac95-3180bfac707d", 94 | "_type": "visualization", 95 | "_source": { 96 | "title": "User Agents", 97 | "visState": "{\"title\":\"User Agents\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"UserAgentString.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 98 | "uiStateJSON": "{}", 99 | "description": "", 100 | "version": 1, 101 | "kibanaSavedObjectMeta": { 102 | "searchSourceJSON": "{\"filter\":[],\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" 103 | } 104 | } 105 | }, 106 | { 107 | "_id": "68dabfb0-ed03-11e6-8ec9-13ff70145b5e", 108 | "_type": "visualization", 109 | "_source": { 110 | "title": "Server Latency Metric", 111 | "visState": "{\"title\":\"Server Latency Metric\",\"type\":\"metric\",\"params\":{\"handleNoResults\":true,\"fontSize\":\"36\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"ServerLatency\"}}],\"listeners\":{}}", 112 | "uiStateJSON": "{}", 113 | "description": "", 114 | "version": 1, 115 | "kibanaSavedObjectMeta": { 116 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 117 | } 118 | } 119 | }, 120 | { 121 | "_id": "88d725a0-f867-11e6-9d3c-996cef895d77", 122 | "_type": "visualization", 
123 | "_source": { 124 | "title": "ASM Attacks", 125 | "visState": "{\"title\":\"ASM Attacks\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"DosL7AttackID.raw\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 126 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", 127 | "description": "", 128 | "version": 1, 129 | "kibanaSavedObjectMeta": { 130 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"DosL7AttackID.raw != \\\"0\\\"\",\"analyze_wildcard\":true}},\"filter\":[{\"meta\":{\"index\":\"logstash-*\",\"key\":\"DosL7AttackID.raw\",\"value\":\"0\",\"disabled\":false,\"negate\":true,\"alias\":null},\"query\":{\"match\":{\"DosL7AttackID.raw\":{\"query\":\"0\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" 131 | } 132 | } 133 | }, 134 | { 135 | "_id": "406bcbf0-ed03-11e6-8ec9-13ff70145b5e", 136 | "_type": "visualization", 137 | "_source": { 138 | "title": "Top Virtual Servers", 139 | "visState": "{\"title\":\"Top Virtual Servers\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"VSName.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 140 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 141 | 
"description": "", 142 | "version": 1, 143 | "kibanaSavedObjectMeta": { 144 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 145 | } 146 | } 147 | }, 148 | { 149 | "_id": "5908cea0-f88f-11e6-95fd-65efa0e6b33d", 150 | "_type": "visualization", 151 | "_source": { 152 | "title": "Attack Client IP", 153 | "visState": "{\"title\":\"Attack Client IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ip_client.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 154 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 155 | "description": "", 156 | "version": 1, 157 | "kibanaSavedObjectMeta": { 158 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 159 | } 160 | } 161 | }, 162 | { 163 | "_id": "0ff4d7c0-f882-11e6-964e-eb7e77dfee64", 164 | "_type": "visualization", 165 | "_source": { 166 | "title": "Transaction Outcome", 167 | "visState": "{\"title\":\"Transaction Outcome\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"TransactionOutcome.raw\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 168 | "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 169 | "description": "", 170 | "version": 1, 171 | "kibanaSavedObjectMeta": { 172 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 173 | } 174 | } 175 | }, 176 | { 177 | "_id": "e78eee40-f88d-11e6-95fd-65efa0e6b33d", 178 | "_type": "visualization", 179 | "_source": { 180 | "title": "Attack Type", 181 | "visState": "{\"title\":\"Attack Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"attack_type.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 182 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 183 | "description": "", 184 | "version": 1, 185 | "kibanaSavedObjectMeta": { 186 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 187 | } 188 | } 189 | }, 190 | { 191 | "_id": "4eb8d7c0-f88e-11e6-95fd-65efa0e6b33d", 192 | "_type": "visualization", 193 | "_source": { 194 | "title": "Application Attacks Title Bar", 195 | "visState": "{\n \"title\": \"Application Attacks Title\",\n \"type\": \"markdown\",\n \"params\": {\n \"markdown\": \"### Application Attacks \\n___\"\n },\n \"aggs\": [],\n \"listeners\": {}\n}", 196 | "uiStateJSON": "{}", 197 | "description": "", 198 | "version": 1, 199 | "kibanaSavedObjectMeta": { 200 | "searchSourceJSON": "{\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"filter\": []\n}" 201 | } 202 | } 203 | }, 204 | { 205 | "_id": 
"9e250c70-f802-11e6-9423-5deed3ff2b0f", 206 | "_type": "visualization", 207 | "_source": { 208 | "title": "Server Latency Graph - Per Pool Member", 209 | "visState": "{\"title\":\"Server Latency Graph - Per Pool Member\",\"type\":\"line\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"ServerLatency\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"significant_terms\",\"schema\":\"group\",\"params\":{\"field\":\"POOLIP.raw\",\"size\":5}}],\"listeners\":{}}", 210 | "uiStateJSON": "{}", 211 | "description": "", 212 | "version": 1, 213 | "kibanaSavedObjectMeta": { 214 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 215 | } 216 | } 217 | }, 218 | { 219 | "_id": "37ebfb10-f890-11e6-95fd-65efa0e6b33d", 220 | "_type": "visualization", 221 | "_source": { 222 | "title": "Attack Request Status", 223 | "visState": "{\"title\":\"Attack Request Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request_status.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 224 | "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 225 | "description": "", 226 | "version": 1, 227 | "kibanaSavedObjectMeta": { 228 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 229 | } 230 | } 231 | }, 232 | { 233 | "_id": "9a054ff0-f88f-11e6-95fd-65efa0e6b33d", 234 | "_type": "visualization", 235 | "_source": { 236 | "title": "Attack Signature Names", 237 | "visState": "{\"title\":\"Attack Signature Names\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sig_names.raw\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 238 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 239 | "description": "", 240 | "version": 1, 241 | "kibanaSavedObjectMeta": { 242 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 243 | } 244 | } 245 | }, 246 | { 247 | "_id": "c1d86480-f921-11e6-9c17-8bbfac242221", 248 | "_type": "visualization", 249 | "_source": { 250 | "title": "Server Statistics Title", 251 | "visState": "{\"title\":\"Server Statistics Title\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### Server Statistics\\n___\"},\"aggs\":[],\"listeners\":{}}", 252 | "uiStateJSON": "{}", 253 | "description": "", 254 | "version": 1, 255 | "kibanaSavedObjectMeta": { 256 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 257 | } 258 | } 259 | }, 260 | { 261 | "_id": "d18915a0-f890-11e6-95fd-65efa0e6b33d", 262 | 
"_type": "visualization", 263 | "_source": { 264 | "title": "DoS Attacks Title", 265 | "visState": "{\"title\":\"DoS Attacks Title\",\"type\":\"markdown\",\"params\":{\"markdown\":\"## DoS Attacks\\n___\"},\"aggs\":[],\"listeners\":{}}", 266 | "uiStateJSON": "{}", 267 | "description": "", 268 | "version": 1, 269 | "kibanaSavedObjectMeta": { 270 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 271 | } 272 | } 273 | }, 274 | { 275 | "_id": "f40f98d0-ecfe-11e6-b943-156675487da4", 276 | "_type": "visualization", 277 | "_source": { 278 | "title": "Hit Counter", 279 | "visState": "{\"title\":\"Hit Counter\",\"type\":\"metric\",\"params\":{\"fontSize\":\"29\",\"handleNoResults\":true},\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"HIt Count\"}}],\"listeners\":{}}", 280 | "uiStateJSON": "{}", 281 | "description": "", 282 | "version": 1, 283 | "kibanaSavedObjectMeta": { 284 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"URLString\",\"analyze_wildcard\":true}},\"filter\":[]}" 285 | } 286 | } 287 | }, 288 | { 289 | "_id": "110031e0-f801-11e6-9423-5deed3ff2b0f", 290 | "_type": "visualization", 291 | "_source": { 292 | "title": "Client Geo", 293 | "visState": "{\"title\":\"Client Geo\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Heatmap\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":\"15\",\"heatMinOpacity\":\"0.84\",\"heatRadius\":\"17\",\"heatBlur\":\"23\",\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[15,5],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"geoip.location\",\"autoPrecision\":true}}],\"listeners\":{}}", 294 | "uiStateJSON": "{}", 295 | "description": "", 296 | "version": 1, 297 | "kibanaSavedObjectMeta": { 298 | "searchSourceJSON": "{\"index\":\"logstash-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 299 | } 300 | } 301 | } 302 | ] -------------------------------------------------------------------------------- /license.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 tuckner 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | --------------------------------------------------------------------------------