Hub configuration

More info

opensearch-dashboard-logs Log Parser

« opensearch-dashboard-logs »
v0.1 by bouddha-fr
Attack scenario

Parse OpenSearch web interface logs for failed login attempts

Installation

cscli parsers install bouddha-fr/opensearch-dashboard-logs

Description

Parser for Opensearch Dashboard.

Typically you may find other software using this such as Wazuh.

Example acquistion:

1filenames:
2 - /path/to/log.txt
3labels:
4  type: opensearch-dashboards

1filenames:
2 - /var/log/syslog
3labels:
4  type: syslog

1source: journalctl
2journalctl_filter:
3 - "_SYSTEMD_UNIT=opensearch-dashboards.service"
4labels:
5  type: syslog

YAML Configuration

1name: bouddha-fr/opensearch-dashboard-logs
2description: "Parse OpenSearch web interface logs for failed login attempts"
3filter: "evt.Parsed.program == 'opensearch-dashboards' && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, 'opensearch') in ['', nil]"
4onsuccess: next_stage
5statics:
6  - meta: service
7    value: opensearch
8  - meta: source_ip
9    expression: evt.Unmarshaled.opensearch.req.remoteAddress
10  - meta: log_type
11    expression: |
12        (
13          evt.Unmarshaled.opensearch.type == 'response' &&
14          evt.Unmarshaled.opensearch.method == 'post' &&
15          evt.Unmarshaled.opensearch.statusCode in [401, '401'] &&
16          evt.Unmarshaled.opensearch.req.url == '/auth/login?dataSourceId='
17        ) ? 'opensearch_failed_auth' : ''
18  - meta: timestamp
19    expression: evt.Unmarshaled.opensearch['@timestamp']
20  - meta: status_code
21    expression: evt.Unmarshaled.opensearch.statusCode
22  - meta: url
23    expression: evt.Unmarshaled.opensearch.req.url
24  - target: evt.StrTime
25    expression: evt.Unmarshaled.opensearch['@timestamp']
26

Hub configuration

« opensearch-dashboard-logs »v0.1 by bouddha-frAttack scenario

« opensearch-dashboard-logs »
v0.1 by bouddha-fr
Attack scenario