Initial Changes to get this running

This commit is contained in:
root
2019-11-07 12:23:02 +00:00
parent d47452bff0
commit 886c2975f1
4 changed files with 155 additions and 6249 deletions


@@ -1,260 +0,0 @@
{
"order": -1,
"template": "pfsense_*",
"settings": {
"index": {
"analysis": {
"analyzer": {
"analyzer_keyword": {
"filter": "lowercase",
"tokenizer": "keyword"
}
}
},
"max_result_window": "1000000"
}
},
"mappings": {
"message": {
"properties": {
"PFSENSE_ICMP_DATA": {
"type": "keyword"
},
"PFSENSE_ICMP_ECHO_REQ_REPLY": {
"type": "keyword"
},
"PFSENSE_ICMP_RESPONSE": {
"type": "keyword"
},
"PFSENSE_ICMP_TYPE": {
"type": "keyword"
},
"PFSENSE_ICMP_UNREACHPORT": {
"type": "keyword"
},
"PFSENSE_IGMP_DATA": {
"type": "keyword"
},
"PFSENSE_IP_DATA": {
"type": "keyword"
},
"PFSENSE_IP_SPECIFIC_DATA": {
"type": "keyword"
},
"PFSENSE_IPv4_SPECIFIC_DATA": {
"type": "keyword"
},
"PFSENSE_LOG_DATA": {
"type": "keyword"
},
"PFSENSE_LOG_ENTRY": {
"type": "keyword"
},
"PFSENSE_PROTOCOL_DATA": {
"type": "keyword"
},
"PFSENSE_TCP_DATA": {
"type": "keyword"
},
"PFSENSE_UDP_DATA": {
"type": "keyword"
},
"ack_number": {
"type": "keyword"
},
"action": {
"type": "keyword"
},
"data_length": {
"type": "keyword"
},
"dest_ip": {
"type": "keyword"
},
"dest_ip_city_name": {
"type": "keyword"
},
"dest_ip_country_code": {
"type": "keyword"
},
"dest_ip_geolocation": {
"type": "text",
"copy_to": "dst_location"
},
"dst_location": {
"type": "geo_point"
},
"dest_port": {
"type": "keyword"
},
"direction": {
"type": "keyword"
},
"ecn": {
"type": "keyword"
},
"facility": {
"type": "keyword"
},
"flags": {
"type": "keyword"
},
"full_message": {
"type": "text",
"analyzer": "standard"
},
"gl2_remote_ip": {
"type": "keyword"
},
"gl2_remote_port": {
"type": "keyword"
},
"gl2_source_input": {
"type": "keyword"
},
"gl2_source_node": {
"type": "keyword"
},
"icmp_echo_id": {
"type": "keyword"
},
"icmp_echo_sequence": {
"type": "keyword"
},
"icmp_type": {
"type": "keyword"
},
"icmp_unreachport_dest_ip": {
"type": "keyword"
},
"icmp_unreachport_dest_ip_city_name": {
"type": "keyword"
},
"icmp_unreachport_dest_ip_country_code": {
"type": "keyword"
},
"icmp_unreachport_dest_ip_geolocation": {
"type": "keyword"
},
"icmp_unreachport_port": {
"type": "keyword"
},
"icmp_unreachport_protocol": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"iface": {
"type": "keyword"
},
"ip_ver": {
"type": "keyword"
},
"length": {
"type": "keyword"
},
"level": {
"type": "long"
},
"message": {
"type": "text",
"analyzer": "standard"
},
"offset": {
"type": "keyword"
},
"proto": {
"type": "keyword"
},
"proto_id": {
"type": "keyword"
},
"reason": {
"type": "keyword"
},
"rule": {
"type": "keyword"
},
"sequence_number": {
"type": "keyword"
},
"source": {
"type": "text",
"analyzer": "analyzer_keyword",
"fielddata": true
},
"src_ip": {
"type": "keyword"
},
"src_ip_city_name": {
"type": "keyword"
},
"src_ip_country_code": {
"type": "keyword"
},
"src_ip_geolocation": {
"type": "string",
"copy_to": "src_location"
},
"src_location": {
"type": "geo_point"
},
"src_port": {
"type": "keyword"
},
"streams": {
"type": "keyword"
},
"tcp_flags": {
"type": "keyword"
},
"tcp_options": {
"type": "keyword"
},
"tcp_window": {
"type": "keyword"
},
"timestamp": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss.SSS"
},
"real_timestamp": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss"
},
"tos": {
"type": "keyword"
},
"tracker": {
"type": "keyword"
},
"ttl": {
"type": "keyword"
}
},
"dynamic_templates": [
{
"internal_fields": {
"match": "gl2_*",
"mapping": {
"type": "keyword"
}
}
},
{
"store_generic": {
"match": "*",
"mapping": {
"index": "not_analyzed"
}
}
}
],
"_source": {
"enabled": true
}
}
},
"aliases": {}
}

84
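--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,84 @@
+version: '2'
+services:
+# MongoDB: https://hub.docker.com/_/mongo/
+mongodb:
+image: mongo:3
+volumes:
+- mongo_data:/data/db
+# Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.x/docker.html
+elasticsearch:
+image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.4
+mem_limit: 4g
+restart: always
+volumes:
+- es_data:/usr/share/elasticsearch/data
+# - ./jvm.options:/usr/share/elasticsearch/config/jvm.options
+environment:
+- http.host=0.0.0.0
+- transport.host=0.0.0.0
+- network.host=0.0.0.0
+- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+- ES_HEAP_SIZE=2g
+ulimits:
+memlock:
+soft: -1
+hard: -1
+ports:
+- 9200:9200
+# Graylog: https://hub.docker.com/r/graylog/graylog/
+graylog:
+image: graylog/graylog:3.1
+volumes:
+- graylog_journal:/usr/share/graylog/data/journal
+- ./service-names-port-numbers.csv:/etc/graylog/server/service-names-port-numbers.csv
+- ./GeoLite2-City_20191022/GeoLite2-City.mmdb:/etc/graylog/server/GeoLite2-City.mmdb
+environment:
+# CHANGE ME (must be at least 16 characters)!
+- GRAYLOG_PASSWORD_SECRET=somepasswordpepperzzz
+# Password: admin
+- GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+- GRAYLOG_HTTP_EXTERNAL_URI=http://turing.home:9000/
+- GRAYLOG_TIMEZONE=Europe/Berlin
+links:
+- mongodb:mongo
+- elasticsearch
+depends_on:
+- mongodb
+- elasticsearch
+ports:
+# Netflow
+- 2055:2055/udp
+# Syslog Feed
+- 5442:5442/udp
+# Graylog web interface and REST API
+- 9000:9000
+# Syslog TCP
+- 1514:1514
+# Syslog UDP
+- 1514:1514/udp
+# GELF TCP
+- 12201:12201
+# GELF UDP
+- 12201:12201/udp
+kibana:
+image: docker.elastic.co/kibana/kibana-oss:6.8.4
+# volumes:
+# - ./kibana.yml:/usr/share/kibana/config/kibana.yml
+environment:
+- ELASTICSEARCH_URL=http://elasticsearch:9200
+depends_on:
+- elasticsearch
+ports:
+- 5601:5601
+# Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/
+volumes:
+mongo_data:
+driver: local
+es_data:
+driver: local
+graylog_journal:
+driver: local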
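Review bot: The Elasticsearch service publishes `9200:9200` on every host interface while `http.host=0.0.0.0` is set, and the elasticsearch-oss image ships with no authentication, so anyone who can reach the host can read, alter or delete the log indices; the same applies to Kibana on `5601:5601`. Graylog and Kibana reach Elasticsearch by service name over the compose network, so the publish is not needed for the stack to work — either drop that `ports` entry or bind it to loopback with `- 127.0.0.1:9200:9200` (and likewise `- 127.0.0.1:5601:5601`). The Graylog block also commits working credentials: `GRAYLOG_PASSWORD_SECRET=somepasswordpepperzzz` and a root-password hash that the comment itself identifies as `admin`; move both into an untracked `.env` file (`- GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}`) and regenerate them before port 9000 is reachable by anyone else. Separately, as far as I know `ES_HEAP_SIZE` is no longer honoured by Elasticsearch 6.x (heap comes from `ES_JAVA_OPTS`, here 1g), so `ES_HEAP_SIZE=2g` is dead, and the commented-out `jvm.options` mount, which would set 2g, disagrees with it.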

71
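--- /dev/null
+++ b/jvm.options
@@ -0,0 +1,71 @@
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## for more information
+##
+################################################################
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+-Xms2g
+-Xmx2g
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+## GC configuration
+-XX:+UseConcMarkSweepGC
+-XX:CMSInitiatingOccupancyFraction=75
+-XX:+UseCMSInitiatingOccupancyOnly
+## optimizations
+# pre-touch memory pages used by the JVM during initialization
+-XX:+AlwaysPreTouch
+## basic
+# force the server VM (remove on 32-bit client JVMs)
+-server
+# explicitly set the stack size (reduce to 320k on 32-bit client JVMs)
+-Xss1m
+# set to headless, just in case
+-Djava.awt.headless=true
+# ensure UTF-8 encoding by default (e.g. filenames)
+-Dfile.encoding=UTF-8
+# use our provided JNA always versus the system one
+-Djna.nosys=true
+# use old-style file permissions on JDK9
+-Djdk.io.permissionsUseCanonicalPath=true
+# flags to configure Netty
+-Dio.netty.noUnsafe=true
+-Dio.netty.noKeySetOptimization=true
+-Dio.netty.recycler.maxCapacityPerThread=0
+# log4j 2
+-Dlog4j.shutdownHookEnabled=false
+-Dlog4j2.disable.jmx=true
+-Dlog4j.skipJansi=true
+## heap dumps
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError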
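Review bot: `-XX:+HeapDumpOnOutOfMemoryError` at the end of the file has no `-XX:HeapDumpPath`, so on an OOM the JVM writes a full heap dump — which for an Elasticsearch node includes the indexed log records this stack collects — into whatever the working directory happens to be, with default permissions; add `-XX:HeapDumpPath=/usr/share/elasticsearch/data` so dumps land on the persisted, access-controlled data volume, or extend the header comment to say that dumps contain log data and must be cleaned up. Note also that docker-compose.yml only references this file from a commented-out volume line and sets the heap to 1g through `ES_JAVA_OPTS`, so `-Xms2g`/`-Xmx2g` here are currently inert and disagree with the running configuration. The GC section applies `-XX:+UseConcMarkSweepGC` unconditionally; CMS is deprecated in the JDK the 6.8.x images bundle, which presumably only warns today but becomes a fatal unrecognised-option error on a JDK where CMS has been removed — I believe the stock 6.8 jvm.options guards these three lines with a version range (`8-13:-XX:+UseConcMarkSweepGC`), which is worth carrying over.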
