index template in config
tomrade committed Jul 24, 2020
1 parent a6cbcba commit 3a00a06
Showing 3 changed files with 20 additions and 7 deletions.
15 changes: 10 additions & 5 deletions README.md
@@ -1,7 +1,7 @@
# evtx-nom
EVTX log file ingestion (no Windows required) using amazing ![evtx-rs](https://github.com/omerbenamram/evtx) lib. Current target is Elasticsearch with the hope of a modular output in the future.

* ECS common schema output (ive stayed close to winlogbeat however I use lowercase field names under winlog as I feel that is in spirit of ECS better than the Camel Case in winlogbeat)
* Elasticsearch output uses ECS common schema output (ive stayed close to winlogbeat however I use lowercase field names under winlog as I feel that is in the spirit of ECS better than the Camel Case used in winlogbeat)


## Usage
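Review bot: the rewritten bullet (`Elasticsearch output uses ECS common schema output ...`) still has `ive` for `I've` and now says "output" twice ("output uses ECS common schema output"); "Elasticsearch output uses the ECS common schema" reads cleaner. The unchanged intro line above it links the library with image syntax, `![evtx-rs](https://github.com/omerbenamram/evtx)`, so the README renders a broken image instead of a link; drop the leading `!`.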
Expand All @@ -20,7 +20,9 @@ Finished Processing sample_logs/Security.evtx in 8 seconds. ingested 31828 out o

## Config File

So far I only have one outout plugin called "elastic_nom"
So far I only have one (real) output plugin called "elastic_nom", and a demo json stdout one

You add your input paths to the directory input and then choose one or more outputs.

``` json
{
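Review bot: the added sentence "You add your input paths to the directory input and then choose one or more outputs" does not say how an output is chosen; the JSON below lists outputs as objects with a `name` field, so state that `name` selects the plugin (`elastic_nom` or `stdout_nom`). Naming the demo plugin as `stdout_nom` in the sentence above, rather than "a demo json stdout one", lets the reader match the prose to the config.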
Expand All @@ -43,7 +45,8 @@ So far I only have one outout plugin called "elastic_nom"
"es_user" : "USERNAME",
"es_pass" : "PASSWORD",
"es_api_key" : "APIKEY",
"es_scheme" : "http"
"es_scheme" : "http",
"index_template" : "es_stuff/index-template.json"
},
{
"name" : "stdout_nom",
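Review bot: `"index_template" : "es_stuff/index-template.json"` is a relative path and the text does not say what it is relative to; the plugin opens it with a plain `open()`, so it resolves against the current working directory, not the config file. Document that the tool must be run from the repository root, or make the plugin resolve the path relative to the config. The sample also pairs `"es_scheme" : "http"` with `es_user`/`es_pass`/`es_api_key`, which sends the credentials in the clear; show `https` here to match the table's own advice further down.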
Expand All @@ -69,7 +72,8 @@ So far I only have one outout plugin called "elastic_nom"
"es_user" : "USERNAME",
"es_pass" : "PASSWORD",
"es_api_key" : "APIKEY",
"es_scheme" : "http"
"es_scheme" : "http",
"index_template" : "es_stuff/index-template.json"
}
```

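Review bot: this second snippet repeats the `elastic_nom` block from the hunk above verbatim, including the new `index_template` line; if the intent is to contrast a full config with a single plugin entry, label the two, otherwise keep one copy so that future keys only have to be added once.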
Expand All @@ -84,4 +88,5 @@ So far I only have one outout plugin called "elastic_nom"
| es_user | string | elasticsearch security username (for basic auth |
| es_pass | string | elasticsearch security password ( for basic auth)|
| es_api_key | string | base64 encoded api key (for api auth) |
| es_scheme| string | http or https (for security you will be using https) |
| es_scheme| string | http or https (for security you will be using https) |
| index_template | string | path to index template, ive included one under es_stuff/index-template.json, You do not need to edit this for a custom index name as it will be done by the plugin |
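Review bot: the new `index_template` row should say what the plugin actually does with a custom index name instead of "it will be done by the plugin": per lib/nom.py it appends `es_index` to the template's `index_patterns` and installs the template under the fixed name `evtx-nom`. Also `ive` should be `I've`, and the unchanged `es_user` row above is missing its closing parenthesis (`(for basic auth`).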
3 changes: 2 additions & 1 deletion config.json
Expand Up @@ -18,7 +18,8 @@
"es_user" : "USERNAME",
"es_pass" : "PASSWORD",
"es_api_key" : "APIKEY",
"es_scheme" : "http"
"es_scheme" : "http",
"index_template" : "es_stuff/index-template.json"
},
{
"name" : "stdout_nom",
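Review bot: adding `index_template` to the shipped config keeps this file working, but any user config written before this commit lacks the key and `elastic_nom.__init__` reads `config['index_template']` without a default, so those configs now fail at start-up; call the new key out as required in the README, or give it a default in the plugin.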
9 changes: 8 additions & 1 deletion lib/nom.py
Expand Up @@ -4,6 +4,8 @@
from elasticsearch import helpers, Elasticsearch

# This file is parsing the evtx file and any default modules

# Example Standard Out Plugin
class stdout_nom():
def __init__(self,config):
self.name = "standard out JSON example"
Expand All @@ -14,6 +16,7 @@ def ingest_file(self,filename):
print("=" * 12)
print("Finished Shouting")

# Elasticsearch Plugin
class elastic_nom():
def __init__(self,config):
self.name = "elasticseach ingest"
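Review bot: the `self.name = "elasticseach ingest"` context line directly under the new `# Elasticsearch Plugin` comment misspells Elasticsearch; while touching this class, change it to `"elasticsearch ingest"`.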
Expand All @@ -25,6 +28,7 @@ def __init__(self,config):
self.es_pass = config['es_pass']
self.es_api_key = config['es_api_key']
self.scheme = config['es_scheme']
self.index_template = config['index_template']
self.prep_es()
def get_es(self):
if self.security == "basic":
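Review bot: `self.index_template = config['index_template']` makes the key mandatory with no fallback, so configs from before this commit raise `KeyError: 'index_template'` in `__init__`; `config.get('index_template', 'es_stuff/index-template.json')` would keep the previously hard-coded path as the default. Consider also checking that the file exists here, before `self.prep_es()` runs, so a bad path fails with a clear message rather than inside the Elasticsearch setup.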
Expand Down Expand Up @@ -57,8 +61,11 @@ def prep_es(self):
# connect to es
es = self.get_es()
# set/reset template
with open("es_stuff/index-template.json","r") as t_file:
with open(self.index_template,"r") as t_file:
template = json.load(t_file)
# If a non default index name add it to the template
if self.es_index != 'evtx_nom':
template['index_patterns'].append(self.es_index)
es.indices.put_template(name="evtx-nom",body=template)
return es
def ingest_file(self,filename):
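Review bot: the template is always installed under the fixed name `evtx-nom` (`es.indices.put_template(name="evtx-nom",body=template)`), so two `elastic_nom` outputs with different `es_index` values overwrite each other's template and only the last pattern appended survives; key the template name on `self.es_index`, or load the template once and append every configured index before a single put. `template['index_patterns'].append(self.es_index)` also raises `KeyError` on a template file without an `index_patterns` list, which is now more likely since the path is user-supplied, and the `!= 'evtx_nom'` check silently assumes the shipped template already matches that default name; a membership check (`if self.es_index not in template['index_patterns']`) covers both cases.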