mirror of https://github.com/MISP/MISP
It's possible to send all logs from MISP to an Elasticsearch endpoint.
First, we'll need an ES PHP library
# Replace according to your requirements
export MISP_DIR=/var/www/MISP
cd $MISP_DIR/app
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
OK, now we need to configure where we log to.
In Administration -> Server Settings & Maintenance -> Plugin Settings
Under the elasticsearch tab, enable elasticsearch logging, and input your connection string.
Note that explicitly specifying the port may be needed, e.g. for AWS instances running on 443.
Also input a log index - all logs will be thrown at this index.
Now give ES a template to work from
cat << EOF > misp_es_template.json
{
  "template": "misp_logging",
  "mappings": {
    "log": {
      "_source": { "enabled": true },
      "properties": {
        "Log.email":       { "type": "keyword" },
        "Log.title":       { "type": "text" },
        "Log.ip":          { "type": "ip" },
        "Log.created":     { "format": "YYYY-MM-dd HH:mm:ss", "type": "date" },
        "Log.description": { "type": "text" },
        "Log.org":         { "type": "text" },
        "Log.action":      { "type": "text" },
        "Log.model":       { "type": "text" },
        "Log.change":      { "type": "text" }
      }
    }
  }
}
EOF
And put it to ES
curl -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json
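The following is an added example, not part of the MISP documentation or the MISP code base. It builds the same template as above in Python, checks a MISP-style log document against the template's field types before anything is pushed (an `ip` field with a non-address value or a `Log.created` value in the wrong date format is exactly what Elasticsearch will reject at index time, and a field missing from the template gets a dynamically guessed type), and assembles the PUT request for `/_template/<name>` with the `Content-Type: application/json` header that Elasticsearch 6 and later require. The `GOOD_LOG` and `BAD_LOG` documents, the `https://my_es` host and the function names are constructed for the example.

```python
import ipaddress
import json
import urllib.request
from datetime import datetime

# Elasticsearch date-format string -> strptime format, for the one format the template uses
ES_DATE_FORMATS = {"YYYY-MM-dd HH:mm:ss": "%Y-%m-%d %H:%M:%S"}


def build_template(index="misp_logging"):
    """Return the template shown above as a dict (legacy 'template' key, 'log' mapping type)."""
    text_fields = ["Log.title", "Log.description", "Log.org", "Log.action", "Log.model", "Log.change"]
    properties = {name: {"type": "text"} for name in text_fields}
    properties["Log.email"] = {"type": "keyword"}
    properties["Log.ip"] = {"type": "ip"}
    properties["Log.created"] = {"format": "YYYY-MM-dd HH:mm:ss", "type": "date"}
    return {
        "template": index,
        "mappings": {"log": {"_source": {"enabled": True}, "properties": properties}},
    }


def check_document(doc, template):
    """Return the problems Elasticsearch would raise for doc under the template's mapping.

    An empty list means every field is declared and its value fits the declared type."""
    properties = template["mappings"]["log"]["properties"]
    problems = []
    for field, value in doc.items():
        spec = properties.get(field)
        if spec is None:
            problems.append(f"{field}: not declared in the template, ES would guess a type dynamically")
            continue
        kind = spec["type"]
        if kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{field}: {value!r} is not an IPv4/IPv6 address")
        elif kind == "date":
            try:
                datetime.strptime(value, ES_DATE_FORMATS[spec["format"]])
            except (ValueError, TypeError):
                problems.append(f"{field}: {value!r} does not match {spec['format']}")
        elif kind in ("keyword", "text") and not isinstance(value, str):
            problems.append(f"{field}: {kind} field holds a non-string value {value!r}")
    return problems


def template_request(es_url, name, template):
    """Build (but do not send) the PUT request that registers the template."""
    url = es_url.rstrip("/") + "/_template/" + name
    body = json.dumps(template).encode()
    # Elasticsearch 6+ rejects JSON bodies that carry no Content-Type header
    return urllib.request.Request(url, data=body, method="PUT",
                                  headers={"Content-Type": "application/json"})


def push_template(es_url, name, template, timeout=10):
    """Send the request and return the decoded acknowledgement (this one hits the network)."""
    with urllib.request.urlopen(template_request(es_url, name, template), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample log documents (not real MISP output), shaped like MISP Log rows
GOOD_LOG = {
    "Log.email": "analyst@example.org",
    "Log.title": "Event (1): added attribute",
    "Log.ip": "203.0.113.7",
    "Log.created": "2024-05-01 10:00:00",
    "Log.org": "ORGNAME",
    "Log.action": "add",
    "Log.model": "Attribute",
    "Log.change": "value () => (203.0.113.8)",
}
BAD_LOG = dict(GOOD_LOG, **{
    "Log.ip": "not-an-ip",                   # the ip type rejects this
    "Log.created": "2024-05-01T10:00:00Z",   # ISO-8601, not the template's date format
    "Log.user_id": 5,                        # field missing from the template
})

if __name__ == "__main__":
    template = build_template()
    for label, doc in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(label, check_document(doc, template) or "ok")
    req = template_request("https://my_es", "misp_logging", template)
    print(req.get_method(), req.full_url)
```

The template keeps the shape the doc uses: the legacy `template` key and a `log` mapping type. Elasticsearch 6 replaced `template` with `index_patterns`, and Elasticsearch 7 removed mapping types altogether, so on those versions adjust `build_template` (and the JSON above) accordingly before calling `push_template`.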