[DEFAULT] # デフォルトの設定を上書き index_rotation = auto # ECS 上のコンテナで動作している apache のログを取り込む例 [apache-ecs] index_name = log-web-apache via_firelens = True s3_key = firelens file_format = text timestamp_key = datetime timestamp_format = %d/%b/%Y:%H:%M:%S %z log_pattern = (?P.*) (?P.*) (?P.*) \[(?P.*?)\] \"(-|(?P.*) (?P.*) HTTP/(?P.*))\" (?P.*) (-|(?P.*)) ecs = http.request.method http.response.body.bytes http.response.status_code http.version source.ip url.path http.request.method = request_method http.response.body.bytes = response_bytes http.response.status_code = response_status http.version = request_version source.ip = remotehost url.path = request_path static_ecs = @log_type @log_type = apache geoip = source [deepsecurity] # https://cloudone.trendmicro.com/docs/workload-security/event-syslog-message-formats/ # See README for more details # https://github.com/aws-samples/siem-on-amazon-elasticsearch/blob/main/docs/contributed/deepsecurity_ja.md index = log-deepsecurity s3_key = ds_agent format = json script_ecs = event.action destination.ip destination.port destination.mac destination.bytes source.ip source.port source.mac source.bytes network.transport event.action server.name file.path event.count rule.category host.id event.original event.action = act destination.ip = dst destination.port = dpt destination.mac = dmac destination.bytes = out source.ip = src source.port = spt source.mac = smac source.bytes = in network.transport = proto server.name = hostname file.path = fname event.count = cnt rule.category = cs1 host.id = cn1 event.original = msg [okta] s3_key = okta-logs index_rotation = monthly index_time = @timestamp index_tz = +09:00 timestamp_key = published timestamp_format = iso8601 index_name = log-intra-audit-okta file_format = json script_ecs = user.name user.domain user.email event.outcome client.user.full_name client.user.id source.user.full_name source.user.id related.user ecs = user_agent.original client.ip source.ip event.action client.as.number client.as.organization.name client.domain source.domain log.level client.geo.location client.geo.city_name client.geo.region_name client.geo.country_name source.address client.address client.ip = client.ipAddress client.address = ${client.ip} client.as.number = securityContext.asNumber client.as.organization.name = securityContext.asOrg client.domain = securityContext.domain client.geo.location = client.geographicalContext.geolocation client.geo.city_name = client.geographicalContext.city client.geo.region_name = client.geographicalContext.state client.geo.country_name = client.geographicalContext.country event.action = eventType log.level = severity source.ip = client.ipAddress source.address = ${source.ip} source.domain = securityContext.domain user_agent.original = client.userAgent.rawUserAgent static_ecs = event.kind event.category event.kind = event event.category = web geoip = source