From 0d79b41985ece1344caa04de3f674b2faeff7df2 Mon Sep 17 00:00:00 2001
From: Fernando Silva
Date: Tue, 10 Mar 2020 17:15:13 -0300
Subject: [PATCH] Adding statistics collection and sending to ELK
---
 files/conf.maldet | 21 +++++++++++++++++++++
 files/internals/scan.etpl | 8 ++++++++
 2 files changed, 29 insertions(+)
diff --git a/files/conf.maldet b/files/conf.maldet
index 5a7d214..b3412e4 100644
--- a/files/conf.maldet
+++ b/files/conf.maldet
@@ -299,3 +299,24 @@ inotify_verbose="0"
 # [ string length in characters, default = 150000 ]
 string_length_scan="0" # [ 0 = disabled, 1 = enabled ]
 string_length="150000" # [ max string length ]
+
+##
+# [ STATISTICAL ELK COLLECT ]
+##
+# Enable statistic to bring it into ELK stack
+enable_statistic="0"
+
+# The host definition for the TCP input
+# Must be define if enable_statistic=1
+# Example : 192.168.1.1
+elk_host=""
+
+# The port definition for the TCP input
+# Must be define if enable_statistic=1
+# Example : 12345
+elk_port=""
+
+# The index definition for the Elasticsearch
+# Must be define if enable_statistic=1
+# Example : maldet
+elk_index=""
diff --git a/files/internals/scan.etpl b/files/internals/scan.etpl
index 576a9ce..b390bbe 100644
--- a/files/internals/scan.etpl
+++ b/files/internals/scan.etpl
@@ -76,6 +76,14 @@ if [ ! "$tot_hits" == "0" ]; then
 cat $hitlist_file | column -s ':' -t -o ':' >> $tmpf
 else
 cat $hitlist_file >> $tmpf
+ if [ "$enable_statistic" == "1" ]; then
+ export IFS=$(echo -en "\n\b")
+ for showhit in `cat $hitlist_file`; do
+ curl --output /dev/null --silent --show-error -XPOST "${elk_host}:${elk_port}/$(if [ $elk_index != '' ]; then echo "${elk_index}/message"; fi )" -H 'Content-Type: application/json' -d "$(echo $showhit|awk -v date=$(date +%s) -v hostname=$(hostname) '{print "{\"date\" : \""date"\", \"hit\" : \""$1"\", \"file\" : \""$3"\", \"hostname\" : \""hostname"\"}"}')"
+ done
+ export IFS=' '
+ fi
+
 fi
 fi
 fi
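Review bot: The comments on `elk_host` and `elk_port` call the target a "TCP input", but the consumer in the scan.etpl hunk POSTs JSON to `${elk_host}:${elk_port}/${elk_index}/message` over HTTP, which reads as an Elasticsearch-style document endpoint rather than a Logstash TCP input, so the description should say which one is expected. Nothing here lets the operator choose a scheme or supply credentials, so the hostname and the paths of infected files leave the host as unauthenticated plaintext unless a proxy is put in front; that is worth stating, e.g. `# Hits are POSTed as JSON over plain HTTP with no TLS or authentication; point elk_host only at a trusted network`, or better, accept a full `elk_url=""` so `https://` can be used. `Must be define` should read `Must be defined` in the three comment blocks.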
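Review bot: The JSON in the `curl -d` argument is built by splicing `$1` and `$3` of the hit line straight into the string, and on a malware scanner the file path is attacker-chosen — a `"` or `\` in a filename breaks the document and a crafted name can add fields of its own (`hostname` is spliced the same way). `[ $elk_index != '' ]` is also unquoted, so with the default empty `elk_index` every hit appears to trigger a `unary operator expected` error from `test` (the bare URL is used only because the failing test returns false), and the trailing `export IFS=' '` leaves the rest of the scan with IFS set to a lone space instead of the saved original. The unquoted `` `cat $hitlist_file` `` is additionally glob-expanded, and `curl` has no `--max-time`, so a collector that stops answering stalls the scan on every hit. The rewrite below reads the hitlist with `read -r`, escapes the fields inside awk, quotes the expansions and bounds the request; `$3` still keeps only the first whitespace-separated word of the path, which the hitlist format (not visible here) may not tolerate. The enclosing `if`/`else` chain begins before the hunk.
```shell
# … unchanged: cat $hitlist_file >> $tmpf …
if [ "$enable_statistic" == "1" ]; then
	if [ -n "$elk_index" ]; then
		elk_url="${elk_host}:${elk_port}/${elk_index}/message"
	else
		elk_url="${elk_host}:${elk_port}/"
	fi
	# One hit per line, no IFS juggling; esc() backslash-escapes the quotes
	# and backslashes that attacker-chosen filenames may carry into the JSON.
	while IFS= read -r showhit; do
		[ -n "$showhit" ] || continue
		payload=$(printf '%s\n' "$showhit" | awk -v date="$(date +%s)" -v hostname="$(hostname)" '
			function esc(s,  out, i, c) {
				out = ""
				for (i = 1; i <= length(s); i++) {
					c = substr(s, i, 1)
					if (c == "\\" || c == "\"") out = out "\\"
					out = out c
				}
				return out
			}
			{ print "{\"date\" : \"" date "\", \"hit\" : \"" esc($1) "\", \"file\" : \"" esc($3) "\", \"hostname\" : \"" esc(hostname) "\"}" }')
		curl --output /dev/null --silent --show-error --fail --max-time 10 \
			-XPOST "$elk_url" -H 'Content-Type: application/json' -d "$payload"
	done < "$hitlist_file"
fi
```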