mactime.conf

# vim: syntax=python

# Please check https://github.com/cvandeplas/ELK-forensics for more information.
# Created by Christophe Vandeplas <christophe@vandeplas.com>

# Import a mactime output file to your Elasticsearch database.
# To generate the mactime file:
# - first run 'fls' and output to a bodyfile
# - then use 'mactime' to output to csv
# - transfer the csv to logstash
# Example:
# fls -r -m  "/" –i win7-64-nfury-c-drive/win7-64-nfury-c-drive.E01  > win7-64-nfury-10.3.58.6-bodyfile.txt 
# mactime -b win7-64-nfury-10.3.58.6-bodyfile.txt -d  > win7-64-nfury-10.3.58.6-mactime.csv
# cat win7-64-nfury-10.3.58.6-mactime.csv | nc -vv 127.0.0.1 18001

# Search examples: 
# - ext:.pf
# - deleted


input {
  tcp {
    type => "mactime"
    port => 18001
  }
}

filter {
  if [type] == "mactime" {
    csv { 
       separator => ","
       columns => ["timestamp", "size", "macb", "perms", "uid", "gid", "inode", "path"]
    }
    date {
      match => [ "timestamp", "EEE MMM dd YYYY HH:mm:ss" ]
    }
    # extract deleted info (deleted) and (deleted-realloc)
    if (" (deleted" in [path] ) { 
      mutate { 
        add_tag => ["deleted"]
        gsub => ["path", " \(deleted.*$", ""]
      }
    }
    # extract macb info
    if ("m" in [macb]) { mutate { add_tag => ["modified"] } }
    if ("a" in [macb]) { mutate { add_tag => ["accessed"] } }
    if ("c" in [macb]) { mutate { add_tag => ["changed"] } }
    if ("b" in [macb]) { mutate { add_tag => ["birth"] } }
    # extract file extension
    grok {
      match => ["path", "(?<filename>[^/]+?)?$"]
    }
    grok {
      match => ["filename", "((\.(?<ext>[^./]+))?)?$"]
    }
    mutate { 
      lowercase => ["ext"]
      remove_field => ["message", "perms", "uid", "gid"]
    }
  }
}

output { 
  if [type] == "mactime" {
    elasticsearch {
      index => "logstash-mactime"
      host => localhost
    }
  }
}