# Bernat Mut plugin
# Author: Bernat Mut  berni.emerald@gmail.com
# Plugin elasticsearch-example id:9998 version: 0.0.1
# Last modification: 2017-12-22 23:40
#
# END-HEADER
# Accepted products:
# Elasticsearch (tested on 5.2)
# Description:
# 
#
#
[DEFAULT]
plugin_id=9998

[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/elk.cfg 


source=elasticsearch
elastic_url=https://elastic.local

# HTTP BASIC AUTH
elastic_user=
elastic_password=


# store_index index in elastic to store ossim info
# If not exists it will be created
store_index=ossim_index


# Check valid ssl certificate
verify_certs=no


#################
# RULES SECTION #
#################
[0000 - oauth]
query="environment: production AND operation: token AND NOT trace.statusCode_int: 200"
fields="@timestamp,domain,geoip.ip,trace.parameters_object.username_string,host"
data_index="logstash-business-security-oauth-production-*"
plugin_sid=1
date={:parse_date($0)}
src_ip={resolv($2)}
username={$3}
dst_ip="{resolv($4)}"
userdata1={$1}

##################
#       END      #
##################