SIEM

2025-11-20 10:42:06 +01:00
commit cfac75516b
7 changed files with 119 additions and 0 deletions
--- a/siem-elastic-template/elastic/docker-compose.yml
+++ b/siem-elastic-template/elastic/docker-compose.yml
@@ -0,0 +1,44 @@
+services:
+  elastic:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.29
+    container_name: elasticsearch
+    environment:
+      - xpack.security.enabled=true
+      - xpack.security.authc.anonymous.username=anonymous_user
+      - xpack.security.authc.anonymous.roles=superuser
+      - xpack.security.authc.anonymous.authz_exception=true
+      - xpack.security.authc.api_key.enabled=true
+      - discovery.type=single-node
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+    volumes:
+      - esdata:/usr/share/elasticsearch/data
+    ports:
+      - "9200:9200"
+
+  kibana:
+    image: docker.elastic.co/kibana/kibana:7.17.29
+    container_name: kibana
+    environment:
+      - elasticsearch.username=kibana
+      - elasticsearch.password=Burek123!
+      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="min-32-byte-long-NEW-encryption-key"
+      - ELASTICSEARCH_HOSTS=http://elastic:9200
+    ports:
+      - "5601:5601"
+    depends_on:
+      - elastic
+
+  fluent:
+    image: fluent/fluent-bit:latest
+    container_name: fluent-bit
+    ports:
+      - "24224:24224"
+      - "24224:24224/udp"
+    volumes:
+      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
+      - ./parsers.conf:/fluent-bit/etc/parsers.conf
+    depends_on:
+      - elastic
+
+volumes:
+  esdata:
--- a/siem-elastic-template/elastic/fluent-bit.conf
+++ b/siem-elastic-template/elastic/fluent-bit.conf
@@ -0,0 +1,24 @@
+[SERVICE]
+    log_level debug
+    Parsers_File /fluent-bit/etc/parsers.conf
+
+[INPUT]
+    Name forward
+    Listen 0.0.0.0
+    port 24224
+
+[FILTER]
+    Name parser
+    Match **
+    Key_Name log
+    Parser http_access_custom
+    Reserve_Data  On
+
+[OUTPUT]
+    Name es
+    Match **
+    Host elastic
+    Port 9200
+    Logstash_Format True
+    tls Off
+    Suppress_Type_Name On
--- a/siem-elastic-template/elastic/parsers.conf
+++ b/siem-elastic-template/elastic/parsers.conf
@@ -0,0 +1,7 @@
+[PARSER]
+    Name        http_access_custom
+    Format      regex
+    Regex       ^(?<host>\S+)\s+(?<ident>\S+)\s+(?<user>\S+)\s+\[(?<time>[^\]]+)\]\s+"(?<method>\S+)\s+(?<path>\S+)\s+(?<protocol>[^"]+)"\s+(?<code>\d{3})\s+(?<size>\S+)$
+    Time_Key    time
+    Time_Format %d/%b/%Y %H:%M:%S
+    Types       code:integer