Log Analysis and Visualization
Log Analysis and Visualization
Implement centralized log analysis and attack detection with the Elastic Stack. Elasticsearch stores the events, and a Logstash pipeline parses the web server logs, tags suspicious requests and raises e-mail alerts; Kibana dashboards are then built on top of the resulting indices:
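# Install Elastic Stack 7.x for log analysis (Debian/Ubuntu).
# NOTE: 7.x is the previous major line; confirm it is still supported before
# deploying, or switch the repository below to 8.x and adjust the security
# settings accordingly.
sudo apt-get install -y apt-transport-https gnupg wget
# Import the Elastic signing key into a dedicated keyring rather than the
# deprecated global apt-key store, and pin the repository to that key with
# [signed-by=...] so the Elastic key cannot vouch for packages from any
# other configured repository.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
  | sudo gpg --dearmor --yes -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/elastic-7.x.list > /dev/null
# Logstash is required for the pipeline written to /etc/logstash/conf.d below;
# without the package that directory does not exist.
sudo apt-get update && sudo apt-get install -y elasticsearch logstash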
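# Configure Elasticsearch.
# `sudo cat >> file << EOF` does not do what it looks like: the redirection is
# opened by the caller's (unprivileged) shell, not by the privileged cat, so
# it fails with "Permission denied" on the root-owned config. `sudo tee -a`
# opens the file as root. The heredoc delimiter is quoted so nothing in the
# YAML is subject to shell expansion.
# NOTE: appending duplicates these keys if the step is re-run; YAML duplicate
# keys prevent Elasticsearch from starting, so run this once per host.
sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null << 'EOF'
network.host: localhost
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
# With transport TLS enabled the node refuses to start until it has a key and
# certificate. Generate a CA and a node certificate in PKCS#12 form in the
# config directory (the keystore/truststore paths above are relative to it)
# and make the file readable by the service account only.
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil ca --silent --pass "" \
  --out /etc/elasticsearch/elastic-stack-ca.p12
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert --silent --pass "" \
  --ca /etc/elasticsearch/elastic-stack-ca.p12 --ca-pass "" \
  --out /etc/elasticsearch/elastic-certificates.p12
sudo chown root:elasticsearch /etc/elasticsearch/elastic-certificates.p12
sudo chmod 640 /etc/elasticsearch/elastic-certificates.p12
# Enabling xpack.security also turns on authentication: every client
# (Logstash, Kibana, curl) now needs credentials. Start the node, then
# generate the built-in user passwords and record them in each client's
# keystore rather than in plaintext config files.
sudo systemctl enable --now elasticsearch
sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto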
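# Logstash pipeline for web server logs.
# `sudo tee` is used because `sudo cat > file` opens the target file as the
# unprivileged caller and fails on the root-owned directory. The heredoc
# delimiter is quoted so the shell leaves the ${...} references alone -- they
# are resolved by Logstash from its keystore or environment, not by bash.
sudo tee /etc/logstash/conf.d/webserver.conf > /dev/null << 'EOF'
input {
  # The logstash service user must be able to read these files (on
  # Debian/Ubuntu that usually means adding it to the adm group).
  file {
    path => "/var/log/nginx/security.json"
    start_position => "beginning"
    codec => "json"
    type => "nginx-security"
  }
  file {
    path => "/var/log/apache2/access.log"
    start_position => "beginning"
    type => "apache-access"
  }
}
filter {
  if [type] == "apache-access" {
    # Assumes a custom LogFormat that appends request time, SSL protocol and
    # SSL cipher to the combined format; any other format yields
    # _grokparsefailure and leaves clientip/request unset.
    grok {
      match => {
        "message" => "%{COMBINEDAPACHELOG} %{NUMBER:request_time} %{NOTSPACE:ssl_protocol} %{NOTSPACE:ssl_cipher}"
      }
    }
    geoip {
      source => "clientip"
      target => "geoip"
    }
    # Detect attacks. Match against a URL-decoded copy of the request: the raw
    # request line still carries %xx encoding, so "%3Cscript" or "%2e%2e%2f"
    # would otherwise slip past the patterns below. The original field is left
    # untouched for forensics. The regex is a coarse first-pass signature set,
    # not a WAF; expect both misses and false positives.
    if [request] {
      mutate { copy => { "request" => "request_decoded" } }
      urldecode { field => "request_decoded" }
      if [request_decoded] =~ /(?i)(union.*select|<script|\.\.\/|;.*&&|sqlmap|nikto)/ {
        mutate {
          add_tag => [ "security_alert", "attack" ]
          add_field => { "alert_severity" => "high" }
        }
      }
    }
  }
  # Add threat intelligence. The dictionary file must exist before Logstash
  # starts and is keyed by client IP; skip events that have no clientip.
  if [clientip] {
    translate {
      field => "clientip"
      destination => "threat_intel"
      dictionary_path => "/etc/logstash/threat_intel.yml"
    }
  }
  # Rate-limit alert mail: one notification per source IP per period, so a
  # scanner emitting thousands of matching requests cannot flood the inbox.
  # Events are still indexed; only the e-mail is suppressed.
  if "security_alert" in [tags] {
    throttle {
      key => "%{clientip}"
      before_count => -1
      after_count => 1
      period => 300
      max_age => 600
      add_tag => "throttled"
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "webserver-security-%{+YYYY.MM.dd}"
    # X-Pack security is enabled on the cluster, so this output needs
    # credentials. Keep them out of the config file by storing them in the
    # Logstash keystore, e.g.
    #   sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_USER ES_PWD
    # Prefer a dedicated user with a write-only role for this index pattern
    # over the elastic superuser. The HTTP endpoint is plain http bound to
    # localhost; enable xpack.security.http.ssl before exposing it further.
    user => "${ES_USER}"
    password => "${ES_PWD}"
  }
  # Alert on attacks (first occurrence per IP per throttle period only).
  if "security_alert" in [tags] and "throttled" not in [tags] {
    # Delivers through the local MTA by default; set address/port and
    # authentication here when relaying through a remote SMTP server.
    email {
      to => "[email protected]"
      subject => "Security Alert: %{alert_severity} - %{host}"
      body => "Attack detected from %{clientip}: %{request}"
    }
  }
}
EOF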