From cfac75516ba356ae16f3a46599cfaa6f7bfd1b50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C5=A1per=20Dobrovoljc?=
Date: Thu, 20 Nov 2025 10:42:06 +0100
Subject: [PATCH] SIEM
---
 .gitignore | 1 +
 siem-elastic-template/app/Dockerfile | 7 +++
 siem-elastic-template/app/app.py | 24 ++++++++++
 siem-elastic-template/app/docker-compose.yml | 12 +++++
 .../elastic/docker-compose.yml | 44 +++++++++++++++++++
 siem-elastic-template/elastic/fluent-bit.conf | 24 ++++++++++
 siem-elastic-template/elastic/parsers.conf | 7 +++
 7 files changed, 119 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 siem-elastic-template/app/Dockerfile
 create mode 100644 siem-elastic-template/app/app.py
 create mode 100644 siem-elastic-template/app/docker-compose.yml
 create mode 100644 siem-elastic-template/elastic/docker-compose.yml
 create mode 100644 siem-elastic-template/elastic/fluent-bit.conf
 create mode 100644 siem-elastic-template/elastic/parsers.conf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e43b0f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/siem-elastic-template/app/Dockerfile b/siem-elastic-template/app/Dockerfile
new file mode 100644
index 0000000..52520ac
--- /dev/null
+++ b/siem-elastic-template/app/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:alpine
+
+RUN pip install flask
+
+COPY ./app.py ./app.py
+
+CMD ["python", "app.py"]
diff --git a/siem-elastic-template/app/app.py b/siem-elastic-template/app/app.py
new file mode 100644
index 0000000..94f494c
--- /dev/null
+++ b/siem-elastic-template/app/app.py
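Review bot: `FROM python:alpine` and `RUN pip install flask` pin nothing, so each build pulls whatever base image and Flask release is current at the time, which makes the lab image non-reproducible and lets an upstream change land silently. Pin both, e.g. `FROM python:3.12-alpine` and `RUN pip install --no-cache-dir flask==<pinned version>` (placeholder for the version you test against). The app also runs as root with `app.py` copied into `/` and no `WORKDIR`; adding `WORKDIR /app` and a `USER` line for an unprivileged account is cheap here and keeps the demo honest about container hardening.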
@@ -0,0 +1,24 @@
+from flask import Flask
+import logging
+
+logging.basicConfig(level=logging.INFO)
+
+app = Flask(__name__)
+logger = logging.getLogger('burek')
+
+@app.route('/')
+def home():
+ logger.info("Home endpoint accessed")
+ return "Hello World"
+
+@app.route('/data', methods=['POST'])
+def data():
+ logger.info("Data endpoint accessed with data: %s", request.json)
+ return {
+ "message": "Data received successfully",
+ "data": request.json
+ }
+
+if __name__ == '__main__':
+ app.run(host='0.0.0.0', port=8000)
+
diff --git a/siem-elastic-template/app/docker-compose.yml b/siem-elastic-template/app/docker-compose.yml
new file mode 100644
index 0000000..e9738f5
--- /dev/null
+++ b/siem-elastic-template/app/docker-compose.yml
@@ -0,0 +1,12 @@
+services:
+ app:
+ image: app
+ build: .
+ ports:
+ - "8000:8000"
+ logging:
+ driver: "fluentd"
+ options:
+ fluentd-address: localhost:24224
+ tag: jufka
+
diff --git a/siem-elastic-template/elastic/docker-compose.yml b/siem-elastic-template/elastic/docker-compose.yml
new file mode 100644
index 0000000..a932564
--- /dev/null
+++ b/siem-elastic-template/elastic/docker-compose.yml
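Review bot: `data()` uses `request.json` but the file only imports `Flask` (`from flask import Flask`), so the first POST to `/data` fails with `NameError` and a 500; change the import to `from flask import Flask, request`. The same line writes the full client-supplied body verbatim into the log record that fluent-bit forwards to Elasticsearch, so whoever can reach port 8000 controls what ends up in the SIEM index — if that is the intended exercise, say so in a module docstring, otherwise a comment such as `# NOTE: request body is client-controlled and is logged as-is into the SIEM pipeline` should sit on that line. `request.json` also rejects non-JSON bodies with an error response on current Flask releases; `request.get_json(silent=True)` is the quieter option if that is not wanted.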
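Review bot: `fluentd-address: localhost:24224` is resolved by the Docker daemon, not inside the `app` container, so it only works because the collector in the other compose file publishes 24224 on the host; a comment like `# fluentd driver connects from the host daemon, not from this container` would spare the next reader a debugging round. Without `fluentd-async: "true"` the daemon refuses to start the container whenever fluent-bit is not yet listening, so the `elastic` stack must always come up first — either document that ordering or add the option. `tag: jufka` is what the `Match **` rules in fluent-bit.conf see; a tag naming the service (e.g. `app.flask`) makes the indexed records easier to attribute.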
@@ -0,0 +1,44 @@
+services:
+ elastic:
+ image: docker.elastic.co/elasticsearch/elasticsearch:7.17.29
+ container_name: elasticsearch
+ environment:
+ - xpack.security.enabled=true
+ - xpack.security.authc.anonymous.username=anonymous_user
+ - xpack.security.authc.anonymous.roles=superuser
+ - xpack.security.authc.anonymous.authz_exception=true
+ - xpack.security.authc.api_key.enabled=true
+ - discovery.type=single-node
+ - ES_JAVA_OPTS=-Xms512m -Xmx512m
+ volumes:
+ - esdata:/usr/share/elasticsearch/data
+ ports:
+ - "9200:9200"
+
+ kibana:
+ image: docker.elastic.co/kibana/kibana:7.17.29
+ container_name: kibana
+ environment:
+ - elasticsearch.username=kibana
+ - elasticsearch.password=Burek123!
+ - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="min-32-byte-long-NEW-encryption-key"
+ - ELASTICSEARCH_HOSTS=http://elastic:9200
+ ports:
+ - "5601:5601"
+ depends_on:
+ - elastic
+
+ fluent:
+ image: fluent/fluent-bit:latest
+ container_name: fluent-bit
+ ports:
+ - "24224:24224"
+ - "24224:24224/udp"
+ volumes:
+ - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
+ - ./parsers.conf:/fluent-bit/etc/parsers.conf
+ depends_on:
+ - elastic
+
+volumes:
+ esdata:
diff --git a/siem-elastic-template/elastic/fluent-bit.conf b/siem-elastic-template/elastic/fluent-bit.conf
new file mode 100644
index 0000000..8c0e55e
--- /dev/null
+++ b/siem-elastic-template/elastic/fluent-bit.conf
@@ -0,0 +1,24 @@
+[SERVICE]
+ log_level debug
+ Parsers_File /fluent-bit/etc/parsers.conf
+
+[INPUT]
+ Name forward
+ Listen 0.0.0.0
+ port 24224
+
+[FILTER]
+ Name parser
+ Match **
+ Key_Name log
+ Parser http_access_custom
+ Reserve_Data On
+
+[OUTPUT]
+ Name es
+ Match **
+ Host elastic
+ Port 9200
+ Logstash_Format True
+ tls Off
+ Suppress_Type_Name On
diff --git a/siem-elastic-template/elastic/parsers.conf b/siem-elastic-template/elastic/parsers.conf
new file mode 100644
index 0000000..ef5dd4f
--- /dev/null
+++ b/siem-elastic-template/elastic/parsers.conf
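Review bot: `xpack.security.authc.anonymous.roles=superuser` next to `xpack.security.enabled=true` gives every unauthenticated request on the published port 9200 full cluster control, so turning security on buys nothing here; the same gap is visible in fluent-bit.conf, whose `[OUTPUT]` talks to `elastic:9200` with no credentials, which is presumably why anonymous superuser was enabled. Drop the three `xpack.security.authc.anonymous.*` lines, create a least-privilege ingest user or API key for the shipper (`xpack.security.authc.api_key.enabled=true` is already set), and give fluent-bit `HTTP_User`/`HTTP_Passwd` in its `[OUTPUT]` section. `elasticsearch.password=Burek123!` and the saved-objects encryption key are committed in clear text; move them to an env file or Docker secrets, and note that nothing in this hunk bootstraps the `kibana` built-in user's password on the `elastic` service (7.x needs `ELASTIC_PASSWORD` plus `elasticsearch-setup-passwords` or an equivalent step). The Kibana image reads its settings from upper-case env vars such as `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD`, so the lower-case dotted `elasticsearch.username`/`elasticsearch.password` keys are likely ignored — please verify against the container's entrypoint. `fluent/fluent-bit:latest` should be pinned like the two Elastic images.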
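Review bot: The `forward` input listens on `0.0.0.0` and the compose file publishes 24224/tcp and /udp on the host with no authentication, so any machine that can reach the port can inject arbitrary records into the SIEM index — exactly what a SIEM is meant to catch. Since the only shipper is the local Docker daemon, publish the port on loopback only (`"127.0.0.1:24224:24224"` and the udp twin in the compose file) or configure `Shared_Key`/`Self_Hostname` on this input if remote shippers are planned. `log_level debug` in `[SERVICE]` echoes every record and the Elasticsearch responses to the collector's own stdout, leaking the logged request bodies a second time; lower it to `info` once the pipeline is verified. The `parser` filter applies `http_access_custom` to the `log` key, yet the app in this commit emits Python logging lines rather than access-log lines, so as far as I can tell those records will not match and pass through unparsed — a comment naming the producer that parser is written for would help.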
@@ -0,0 +1,7 @@
+[PARSER]
+ Name http_access_custom
+ Format regex
+ Regex ^(?\S+)\s+(?\S+)\s+(?\S+)\s+\[(?