mirror of https://github.com/MISP/MISP
68 lines
1.6 KiB
Markdown
68 lines
1.6 KiB
Markdown
|
# It's possible to send all logs from MISP to an elasticsearch
|
||
|
|
# endpoint
|
||
|
|
|
||
|
|
# First, we'll need an ES PHP library
|
||
|
|
|
||
|
|
# Replace according to your requirements
|
||
|
|
export MISP_DIR=/var/www/MISP
|
||
|
|
cd $MISP_DIR/app
|
||
|
|
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
|
||
|
|
|
||
|
|
# Ok now we need to configure where we log to
|
||
|
|
#
|
||
|
|
# In Administration -> Server Settings & Maintenance -> Plugin Settings
|
||
|
|
# Under the elasticsearch tab, enable elasticsearch logging, and input
|
||
|
|
# your connection string
|
||
|
|
# Note that explicitly specifying the port may be needed, e.g. for AWS instances
|
||
|
|
# running on 443.
|
||
|
|
# Also input a log index - all logs will be thrown at this index.
|
||
|
|
|
||
|
|
# Now give ES a template to work from
|
||
|
|
cat << EOF > misp_es_template.json
|
||
|
|
{
|
||
|
|
"template": "misp_logging",
|
||
|
|
"mappings": {
|
||
|
|
"log": {
|
||
|
|
"_source": {
|
||
|
|
"enabled": true
|
||
|
|
},
|
||
|
|
"properties": {
|
||
|
|
"Log.email": {
|
||
|
|
"type": "keyword"
|
||
|
|
},
|
||
|
|
"Log.title": {
|
||
|
|
"type": "text"
|
||
|
|
},
|
||
|
|
"Log.ip": {
|
||
|
|
"type": "ip"
|
||
|
|
},
|
||
|
|
"Log.created": {
|
||
|
|
"format": "YYYY-MM-dd HH:mm:ss",
|
||
|
|
"type": "date"
|
||
|
|
},
|
||
|
|
"Log.description": {
|
||
|
|
"type": "text"
|
||
|
|
},
|
||
|
|
"Log.org": {
|
||
|
|
"type": "text"
|
||
|
|
},
|
||
|
|
"Log.action": {
|
||
|
|
"type": "text"
|
||
|
|
},
|
||
|
|
"Log.model": {
|
||
|
|
"type": "text"
|
||
|
|
},
|
||
|
|
"Log.change": {
|
||
|
|
"type": "text"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
EOF
|
||
|
|
|
||
|
|
# And put it to ES
|
||
|
|
curl -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json
|
||
|
|
|
||
|
|
# Now MISP will start sending logs to ES! Hooray!
|