MISP/docs/CONFIG.elasticsearch-loggin...

It's possible to send all logs from MISP to an elasticsearch endpoint.

First, we'll need an ES PHP library

Replace according to your requirements

```bash
# Adjust MISP_DIR to wherever your MISP is installed
export MISP_DIR=/var/www/MISP
cd $MISP_DIR/app
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
```

OK, now we need to configure where we log to.

In Administration -> Server Settings & Maintenance -> Plugin Settings

Under the elasticsearch tab, enable elasticsearch logging, and input your connection string.

Note that explicitly specifying the port may be needed, e.g. for AWS instances running on 443.

Also input a log index - all logs will be sent to this index.

Now give ES a template to work from

```bash
cat << EOF > misp_es_template.json
{
  "template": "misp_logging",
  "mappings": {
    "log": {
      "_source": { "enabled": true },
      "properties": {
        "Log.email": { "type": "keyword" },
        "Log.title": { "type": "text" },
        "Log.ip": { "type": "ip" },
        "Log.created": { "format": "YYYY-MM-dd HH:mm:ss", "type": "date" },
        "Log.description": { "type": "text" },
        "Log.org": { "type": "text" },
        "Log.action": { "type": "text" },
        "Log.model": { "type": "text" },
        "Log.change": { "type": "text" }
      }
    }
  }
}
EOF
```

And upload it to ES with a PUT request (replace `my_es` with your own endpoint):

```bash
# The Content-Type header is required by Elasticsearch 6 and later
curl -XPUT https://my_es/_template/misp_logging \
  -H 'Content-Type: application/json' \
  --data-binary @misp_es_template.json
```
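The `ip` and `date` fields in the template are strict: a log record whose `Log.ip` is not a valid address, or whose `Log.created` does not match `YYYY-MM-dd HH:mm:ss`, is rejected by ES and the record is silently lost from your audit trail. The following is an added example (not MISP project code) that checks a record against the template's field types before it is indexed, so mapping mismatches show up as an explicit list of problems; the sample records are constructed, not real MISP output.

```python
import ipaddress
import json
from datetime import datetime

# Same mapping as the misp_logging template above (one "log" mapping type).
MISP_ES_TEMPLATE = json.loads("""
{ "template": "misp_logging",
  "mappings": { "log": { "_source": { "enabled": true },
    "properties": {
      "Log.email": {"type": "keyword"}, "Log.title": {"type": "text"},
      "Log.ip": {"type": "ip"},
      "Log.created": {"format": "YYYY-MM-dd HH:mm:ss", "type": "date"},
      "Log.description": {"type": "text"}, "Log.org": {"type": "text"},
      "Log.action": {"type": "text"}, "Log.model": {"type": "text"},
      "Log.change": {"type": "text"}}}}}
""")

# Joda-style date format from the template -> Python strptime equivalent.
JODA_TO_STRPTIME = {"YYYY-MM-dd HH:mm:ss": "%Y-%m-%d %H:%M:%S"}


def validate_log_document(doc, template=MISP_ES_TEMPLATE):
    """Return 'field: problem' strings; an empty list means the mapping accepts the record."""
    props = template["mappings"]["log"]["properties"]
    problems = []
    for field, spec in props.items():
        if field not in doc:
            continue  # a mapping does not require every field to be present
        value, kind = doc[field], spec["type"]
        if kind in ("keyword", "text") and not isinstance(value, str):
            problems.append(f"{field}: expected string for {kind}, got {type(value).__name__}")
        elif kind == "ip":
            try:
                ipaddress.ip_address(value)  # ES 'ip' rejects anything that is not v4/v6
            except ValueError:
                problems.append(f"{field}: {value!r} is not a valid IP address")
        elif kind == "date":
            try:
                datetime.strptime(value, JODA_TO_STRPTIME[spec["format"]])
            except (TypeError, ValueError):
                problems.append(f"{field}: {value!r} does not match {spec['format']}")
    for field in doc:
        if field not in props:  # ES would dynamically map it, usually not what you want
            problems.append(f"{field}: not in template")
    return problems


# Constructed sample records (hypothetical values, not real MISP log output).
GOOD_LOG = {"Log.email": "admin@example.org", "Log.ip": "192.0.2.10",
            "Log.created": "2024-01-15 09:30:00", "Log.action": "login", "Log.model": "User"}
BAD_LOG = {"Log.email": "admin@example.org", "Log.ip": "192.0.2.999",
           "Log.created": "2024-01-15T09:30:00Z", "Log.action": "login"}
```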

Now MISP will start sending logs to ES! Hooray!