SIEM

2025-11-20 10:42:06 +01:00
commit cfac75516b
7 changed files with 119 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
--- a/siem-elastic-template/app/Dockerfile
+++ b/siem-elastic-template/app/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:alpine
+
+RUN pip install flask
+
+COPY ./app.py ./app.py
+
+CMD ["python", "app.py"]
--- a/siem-elastic-template/app/app.py
+++ b/siem-elastic-template/app/app.py
@@ -0,0 +1,24 @@
+from flask import Flask
+import logging
+
+logging.basicConfig(level=logging.INFO)
+
+app = Flask(__name__)
+logger = logging.getLogger('burek')
+
+@app.route('/')
+def home():
+    logger.info("Home endpoint accessed")
+    return "Hello World"
+
+@app.route('/data', methods=['POST'])
+def data():
+    logger.info("Data endpoint accessed with data: %s", request.json)
+    return {
+        "message": "Data received successfully",
+        "data": request.json
+    }
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=8000)
+
--- a/siem-elastic-template/app/docker-compose.yml
+++ b/siem-elastic-template/app/docker-compose.yml
@@ -0,0 +1,12 @@
+services:
+  app:
+    image: app
+    build: .
+    ports:
+      - "8000:8000"
+    logging:
+      driver: "fluentd"
+      options:
+        fluentd-address: localhost:24224
+        tag: jufka
+
--- a/siem-elastic-template/elastic/docker-compose.yml
+++ b/siem-elastic-template/elastic/docker-compose.yml
@@ -0,0 +1,44 @@
+services:
+  elastic:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.29
+    container_name: elasticsearch
+    environment:
+      - xpack.security.enabled=true
+      - xpack.security.authc.anonymous.username=anonymous_user
+      - xpack.security.authc.anonymous.roles=superuser
+      - xpack.security.authc.anonymous.authz_exception=true
+      - xpack.security.authc.api_key.enabled=true
+      - discovery.type=single-node
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+    volumes:
+      - esdata:/usr/share/elasticsearch/data
+    ports:
+      - "9200:9200"
+
+  kibana:
+    image: docker.elastic.co/kibana/kibana:7.17.29
+    container_name: kibana
+    environment:
+      - elasticsearch.username=kibana
+      - elasticsearch.password=Burek123!
+      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="min-32-byte-long-NEW-encryption-key"
+      - ELASTICSEARCH_HOSTS=http://elastic:9200
+    ports:
+      - "5601:5601"
+    depends_on:
+      - elastic
+
+  fluent:
+    image: fluent/fluent-bit:latest
+    container_name: fluent-bit
+    ports:
+      - "24224:24224"
+      - "24224:24224/udp"
+    volumes:
+      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
+      - ./parsers.conf:/fluent-bit/etc/parsers.conf
+    depends_on:
+      - elastic
+
+volumes:
+  esdata:
--- a/siem-elastic-template/elastic/fluent-bit.conf
+++ b/siem-elastic-template/elastic/fluent-bit.conf
@@ -0,0 +1,24 @@
+[SERVICE]
+    log_level debug
+    Parsers_File /fluent-bit/etc/parsers.conf
+
+[INPUT]
+    Name forward
+    Listen 0.0.0.0
+    port 24224
+
+[FILTER]
+    Name parser
+    Match **
+    Key_Name log
+    Parser http_access_custom
+    Reserve_Data  On
+
+[OUTPUT]
+    Name es
+    Match **
+    Host elastic
+    Port 9200
+    Logstash_Format True
+    tls Off
+    Suppress_Type_Name On
--- a/siem-elastic-template/elastic/parsers.conf
+++ b/siem-elastic-template/elastic/parsers.conf
@@ -0,0 +1,7 @@
+[PARSER]
+    Name        http_access_custom
+    Format      regex
+    Regex       ^(?<host>\S+)\s+(?<ident>\S+)\s+(?<user>\S+)\s+\[(?<time>[^\]]+)\]\s+"(?<method>\S+)\s+(?<path>\S+)\s+(?<protocol>[^"]+)"\s+(?<code>\d{3})\s+(?<size>\S+)$
+    Time_Key    time
+    Time_Format %d/%b/%Y %H:%M:%S
+    Types       code:integer