v0.1.2-alpha08062018

Updated Logstash output templates to replace _doc mappings to doc.
Cyb3rWard0g · Aug 7, 2018 · b9daa4c · b9daa4c
1 parent 1b87af3
commit b9daa4c
Show file tree

Hide file tree

Showing 21 changed files with 35 additions and 26 deletions.
diff --git a/docker/docker-compose-elk-trial.yml b/docker/docker-compose-elk-trial.yml
@@ -34,7 +34,7 @@ services:
     entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
     restart: always
     depends_on:
-      - helk-elasticsearch
+      - helk-kibana
     networks:
       helk:
         aliases:

diff --git a/docker/helk-logstash/output_templates/10-logs-all-default.json b/docker/helk-logstash/output_templates/10-logs-all-default.json
@@ -13,7 +13,7 @@
     "refresh_interval": "30s"
   },
   "mappings": {
-    "_doc": {
+    "doc": {
       "dynamic": "true",
       "dynamic_templates": [
         {

diff --git a/docker/helk-logstash/output_templates/50-logs-winevent-all.json b/docker/helk-logstash/output_templates/50-logs-winevent-all.json
@@ -55,7 +55,7 @@
     "refresh_interval": "30s"
   },
   "mappings": {
-    "_doc":{
+    "doc":{
       "properties":{
         "process_id":{"type":"integer"},
         "event_id":{"type":"integer"},

diff --git a/docker/helk-logstash/output_templates/60-powershell-direct-template.json b/docker/helk-logstash/output_templates/60-powershell-direct-template.json
@@ -3,7 +3,7 @@
   "index_patterns" : "logs-endpoint-powershell-direct-*",
   "version": 2018080101,
   "mappings":{
-    "_doc":{
+    "doc":{
       "properties":{
         "process_id":{"type":"integer"}
       }

diff --git a/docker/helk-logstash/output_templates/60-winevent-application-template.json b/docker/helk-logstash/output_templates/60-winevent-application-template.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-endpoint-winevent-application-*" ],
   "version": 2018080101,
   "mappings":{
-    "_doc":{
+    "doc":{
       "properties":{
         "spp_restart_scheduled":{"type":"date"}
       }

diff --git a/docker/helk-logstash/output_templates/60-winevent-powershell-template.json b/docker/helk-logstash/output_templates/60-winevent-powershell-template.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-endpoint-winevent-powershell-*" ],
   "version": 2018080201,
   "mappings":{
-    "_doc": {
+    "doc": {
       "properties": {
         "powershell": {
           "dynamic": "false",

diff --git a/docker/helk-logstash/output_templates/60-winevent-security-template.json b/docker/helk-logstash/output_templates/60-winevent-security-template.json
@@ -3,7 +3,7 @@
   "index_patterns": "logs-endpoint-winevent-security-*",
   "version": 2018080101,
   "mappings":{
-    "_doc":{
+    "doc":{
       "properties":{
         "@date_new_time":{"type":"date"},
         "@date_previous_time":{"type":"date"},

diff --git a/docker/helk-logstash/output_templates/60-winevent-sysmon-template.json b/docker/helk-logstash/output_templates/60-winevent-sysmon-template.json
@@ -6,7 +6,7 @@
     "index.refresh_interval": "5s"
   },
   "mappings":{
-    "_doc":{
+    "doc":{
       "properties":{
         "@date_creation":{"type":"date"},
         "@date_creation_previous":{"type":"date"},

diff --git a/docker/helk-logstash/output_templates/82-logs-not-ip.json b/docker/helk-logstash/output_templates/82-logs-not-ip.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018080101,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "not_ip_dst": {
           "type": "keyword"

diff --git a/docker/helk-logstash/output_templates/91-logs-ip-dst-nat.json b/docker/helk-logstash/output_templates/91-logs-ip-dst-nat.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018052301,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "dst_nat_ip_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/91-logs-ip-dst.json b/docker/helk-logstash/output_templates/91-logs-ip-dst.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018052301,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "dst_ip_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/91-logs-ip-src-nat.json b/docker/helk-logstash/output_templates/91-logs-ip-src-nat.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018052301,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "src_nat_ip_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/91-logs-ip-src.json b/docker/helk-logstash/output_templates/91-logs-ip-src.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018052301,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "src_ip_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json b/docker/helk-logstash/output_templates/93-logs-ipv6-dst-nat.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018080101,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "dst_nat_ipv6_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-dst.json b/docker/helk-logstash/output_templates/93-logs-ipv6-dst.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018080101,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "dst_ipv6_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-src-nat.json b/docker/helk-logstash/output_templates/93-logs-ipv6-src-nat.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018080101,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "ipv6_src_nat_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/93-logs-ipv6-src.json b/docker/helk-logstash/output_templates/93-logs-ipv6-src.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018080101,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "src_ipv6_addr": {
           "type": "ip",

diff --git a/docker/helk-logstash/output_templates/99-logs-any-fields.json b/docker/helk-logstash/output_templates/99-logs-any-fields.json
@@ -3,7 +3,7 @@
   "index_patterns": [ "logs-*" ],
   "version": 2018080101,
   "mappings": {
-    "_doc": {
+    "doc": {
       "properties": {
         "any_ip_addr": {
           "type": "ip"

diff --git a/docker/helk-logstash/scripts/logstash-entrypoint.sh b/docker/helk-logstash/scripts/logstash-entrypoint.sh
@@ -32,7 +32,7 @@ do
 done
 
 # ********** Install Plugin *****************
-echo "[HELK-DOCKER-INSTALLATION-INFO] Installing Logstsh plugins.."
+echo "[HELK-DOCKER-INSTALLATION-INFO] Installing Logstash plugins.."
 logstash-plugin install logstash-filter-prune
 
 # ********** Starting Logstash *****************

diff --git a/docker/helk-logstash/trial/scripts/logstash-entrypoint.sh b/docker/helk-logstash/trial/scripts/logstash-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# HELK script: logstash-setup.sh
+# HELK script: logstash-entrypoint.sh
 # HELK script description: Pushes output templates to ES and starts Logstash
 # HELK build Stage: Alpha
 # Author: Roberto Rodriguez (@Cyb3rWard0g)
@@ -16,20 +16,29 @@ else
     export LS_JAVA_OPTS="-Xms${LS_MEMORY}g -Xmx${LS_MEMORY}g"
 fi
 
-ELASTICSEARCH_ACCESS=http://elastic:"elasticpassword"@helk-elasticsearch:9200
 # *********** Looking for ES ***************
+ELASTICSEARCH_ACCESS=http://elastic:"elasticpassword"@helk-elasticsearch:9200
 echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
 until curl -s $ELASTICSEARCH_ACCESS -o /dev/null; do
     sleep 1
 done
 
+echo "[HELK-DOCKER-INSTALLATION-INFO] Uploading templates to elasticsearch.."
 DIR=/usr/share/logstash/output_templates
 for file in ${DIR}/*.json
-    do
-        template_name=$(echo $file | sed -r ' s/^.*\/[0-9]+\-//');
-        curl -H 'Content-Type: application/json' -XPUT "$ELASTICSEARCH_ACCESS/_template/$template_name" -d@${file};
+do
+    template_name=$(echo $file | sed -r ' s/^.*\/[0-9]+\-//');
+    echo "[HELK-DOCKER-INSTALLATION-INFO] Uploading $template_name template to elasticsearch..";
+    curl -s -H 'Content-Type: application/json' -XPUT $ELASTICSEARCH_ACCESS/_template/$template_name -d@${file};
+    sleep 1
 done
 
-exec "$@"
+# ********** Install Plugin *****************
+echo "[HELK-DOCKER-INSTALLATION-INFO] Installing Logstash plugins.."
+logstash-plugin install logstash-filter-prune
+
+# ********** Starting Logstash *****************
+echo "[HELK-DOCKER-INSTALLATION-INFO] Running docker-entrypoint script.."
+/usr/local/bin/docker-entrypoint
 
 
diff --git a/docker/helk_install.sh b/docker/helk_install.sh
@@ -262,7 +262,7 @@ show_banner(){
     echo "**          HELK - THE HUNTING ELK          **"
     echo "**                                          **"
     echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **"
-    echo "** HELK build version: v0.1.2-alpha08032018 **"
+    echo "** HELK build version: v0.1.2-alpha08062018 **"
     echo "** HELK ELK version: 6.3.2                  **"
     echo "** License: GPL-3.0                         **"
     echo "**********************************************"