fluentbit ingest evtx and auditd files

codeyourweb · codeyourweb · commit 1d31e02340cc · 2025-11-09T20:11:59.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -7,7 +7,10 @@
 /data/ftp_data/*
 /data/grafana/*
 /data/kibana/*
-/data/log_ingest_data/*
+/data/fluentbit_db/*
+/data/log_ingest_data/evtx/*
+/data/log_ingest_data/auditd/*
+/data/log_ingest_data/json/*
 /data/mysql_data/*
 /data/yara_triage_data/*
 /docs/graphs/*.bkp
diff --git a/clean-user-data.ps1 b/clean-user-data.ps1
@@ -2,5 +2,10 @@ Remove-Item ./data/caddy_logs/* -Recurse -Force
 Remove-Item ./data/ftp_data/* -Recurse -Force
 Remove-Item ./data/grafana/* -Recurse -Force
 Remove-Item ./data/kibana/* -Recurse -Force
+Remove-Item ./data/log_ingest_data/auditd/* -Recurse -Force
+Remove-Item ./data/log_ingest_data/evtx/* -Recurse -Force
+Remove-Item ./data/log_ingest_data/json/* -Recurse -Force
+Remove-Item ./data/fluentbit_db/* -Recurse -Force
 Remove-Item ./data/mysql_data/* -Recurse -Force
+Remove-Item ./data/yara_triage_data/* -Recurse -Force
 docker compose down -v
diff --git a/clean-user-data.sh b/clean-user-data.sh
@@ -2,5 +2,10 @@ rm -rf ./data/caddy_logs/*
 rm -rf ./data/ftp_data/*
 rm -rf ./data/grafana/*
 rm -rf ./data/kibana/*
+rm -rf ./data/log_ingest_data/evtx/*
+rm -rf ./data/log_ingest_data/auditd/*
+rm -rf ./data/log_ingest_data/json/*
+rm -rf ./data/fluentbit_db/*
 rm -rf ./data/mysql_data/*
+rm -rf ./data/yara_triage_data/*
 docker compose down -v
diff --git a/config/docker-config/Dockerfile.fluentbit b/config/docker-config/Dockerfile.fluentbit
@@ -0,0 +1,26 @@
+FROM ubuntu:24.04
+
+RUN mkdir -p fluent-bit /fluent-bit/etc /fluent-bit/scripts /fluent-bit/logs /fluent-bit/database
+WORKDIR /fluent-bit
+COPY config/docker-config/fluentbit-evtx-dump.sh /fluent-bit/scripts/fluentbit-evtx-dump.sh
+RUN chmod +x /fluent-bit/scripts/fluentbit-evtx-dump.sh
+
+RUN apt update && \
+    apt install -y curl ca-certificates dpkg gnupg dpkg-dev && \
+    curl -L -o /tmp/fluentbit.key https://packages.fluentbit.io/fluentbit.key && \
+    gpg --dearmor < /tmp/fluentbit.key > /usr/share/keyrings/fluentbit-keyring.gpg && \
+    rm /tmp/fluentbit.key && \
+    echo "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.gpg] https://packages.fluentbit.io/ubuntu/noble noble main" > /etc/apt/sources.list.d/fluent-bit.list && \
+    apt update && \
+    apt install -y fluent-bit
+
+RUN curl -L -o /tmp/fd-musl_10.3.0_amd64.deb https://github.com/sharkdp/fd/releases/download/v10.3.0/fd-musl_10.3.0_amd64.deb && \
+    dpkg -i /tmp/fd-musl_10.3.0_amd64.deb && \
+    rm /tmp/fd-musl_10.3.0_amd64.deb && \
+    curl -L -o /usr/bin/evtx_dump https://github.com/omerbenamram/evtx/releases/download/v0.9.0/evtx_dump-v0.9.0-x86_64-unknown-linux-musl && \
+    chmod +x /usr/bin/evtx_dump && \
+    apt clean && rm -rf /var/lib/apt/lists/*
+
+COPY config/fluentbit_server/fluent-bit.conf /fluent-bit/etc/fluent-bit.conf
+ENTRYPOINT ["/opt/fluent-bit/bin/fluent-bit"] 
+CMD ["-c", "/fluent-bit/etc/fluent-bit.conf"]
diff --git a/config/docker-config/fluentbit-evtx-dump.sh b/config/docker-config/fluentbit-evtx-dump.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+EVTX_DIR="/fluent-bit/logs/evtx"
+PROCESSED_DIR="/fluent-bit/logs/evtx/processed"
+
+mkdir -p "$PROCESSED_DIR"
+
+find "$EVTX_DIR" -maxdepth 1 -name "*.evtx" -print0 | while IFS= read -r -d $'\0' evtx_file; do
+    filename=$(basename "$evtx_file" .evtx)
+    jsonl_file="${EVTX_DIR}/${filename}.jsonl"
+    echo "Converting $evtx_file to $jsonl_file"
+    
+    /usr/bin/evtx_dump -f "$jsonl_file" -o jsonl "$evtx_file"
+    
+    if [ $? -eq 0 ]; then
+        echo "Conversion successful. Moving original..."
+        mv "$evtx_file" "$PROCESSED_DIR/"
+    else
+        echo "Error occurred during evtx_dump for $evtx_file." >&2
+    fi
+done
diff --git a/config/fluentbit_server/add_timestamp.lua b/config/fluentbit_server/add_timestamp.lua
@@ -1,8 +1,31 @@
 function add_timestamp(tag, timestamp, record)
-    if record["@timestamp"] == nil then
-        local seconds = timestamp[1]
-        local formatted_time = os.date("!%Y-%m-%dT%H:%M:%S", seconds) .. string.format(".%03dZ", timestamp[2]/1000000)
-        record["@timestamp"] = formatted_time
+    
+    local event_timestamp = nil
+    
+    if record["Event"] ~= nil and record["Event"]["System"] ~= nil and 
+       record["Event"]["System"]["TimeCreated"] ~= nil and 
+       record["Event"]["System"]["TimeCreated"]["#attributes"] ~= nil and
+       record["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"] ~= nil then
+       
+        event_timestamp = record["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"]
+    end
+
+    
+    if record["@timestamp"] == nil and record["timestamp"] ~= nil then
+        event_timestamp = record["timestamp"]
+        record["timestamp"] = nil
+    end
+
+    if event_timestamp ~= nil and event_timestamp ~= "" then
+        record["@timestamp"] = event_timestamp
+    else
+        if record["@timestamp"] == nil then
+            local seconds = math.floor(timestamp)
+            local nanoseconds = (timestamp - seconds) * 1e9
+            local milliseconds = math.floor(nanoseconds / 1e6)
+            local formatted_time = os.date("!%Y-%m-%dT%H:%M:%S", seconds) .. string.format(".%03dZ", milliseconds)
+            record["@timestamp"] = formatted_time
+        end
     end
 
     return 1, timestamp, record
diff --git a/config/fluentbit_server/fluent-bit.conf b/config/fluentbit_server/fluent-bit.conf
@@ -1,3 +1,4 @@
+# Fluent Bit service configuration
 [SERVICE]
     Flush        1
     Daemon       off
@@ -7,46 +8,9 @@
     HTTP_Listen  0.0.0.0
     HTTP_Port    2020
     Health_Check On
+    HTTP_Buffer_Size 1048576
 
-[INPUT]
-    Name         http
-    Listen       0.0.0.0
-    Port         24224
-    Tag          http.logs
-
-[FILTER]
-    Name         parser
-    Match        http.logs
-    Key_Name     log
-    Parser       json_parser
-    Preserve_Key On
-    
-[FILTER]
-    Name         lua
-    Match        http.logs
-    Script       /fluent-bit/etc/add_timestamp.lua
-    Call         add_timestamp
-
-[FILTER]
-    Name         lua
-    Match        http.logs
-    Script       /fluent-bit/etc/set_target_index.lua
-    Call         set_target_index
-
-[OUTPUT]
-    Name         es
-    Match        http.logs
-    Host         sentinel-kit-db-elasticsearch-es01
-    Port         9200
-    Logstash_Format     On
-    Logstash_Prefix_Key target_index 
-    Logstash_DateFormat %Y.%m.%d
-    Type         _doc
-    Time_Key     @timestamp
-    Replace_Dots On
-    Suppress_Type_Name On
-    Retry_Limit  False
-    TLS           On
-    TLS.Verify    Off
-    HTTP_User     elastic
-    HTTP_Passwd   ${ELASTIC_PASSWORD}
+@include /fluent-bit/etc/logs-evtx.conf
+@include /fluent-bit/etc/logs-auditd.conf
+@include /fluent-bit/etc/logs-json.conf
+@include /fluent-bit/etc/logs-http.conf
diff --git a/config/fluentbit_server/logs-auditd.conf b/config/fluentbit_server/logs-auditd.conf
@@ -0,0 +1,34 @@
+[INPUT]
+    Name         tail
+    Path         /fluent-bit/logs/auditd/*.log
+    Tag          auditd.logs
+    Parser       auditd_line
+    DB           /fluent-bit/database/auditd_db.db
+    Read_from_Head true
+    Buffer_Chunk_Size 1M
+    Buffer_Max_Size 5M
+
+[FILTER]
+    Name         lua
+    Match       auditd.logs
+    script      /fluent-bit/etc/parse_audit_message.lua
+    call        parse_auditd_message
+
+[OUTPUT]
+    Name         es
+    Match        auditd.logs
+    Host         sentinel-kit-db-elasticsearch-es01
+    Port         9200
+    Buffer_Size   5M
+    Logstash_Format     On
+    Logstash_Prefix     ingest-auditd
+    Logstash_DateFormat %Y.%m.%d
+    Type         _doc
+    Time_Key     @timestamp
+    Replace_Dots On
+    Suppress_Type_Name On
+    Retry_Limit  False
+    TLS           On
+    TLS.Verify    Off
+    HTTP_User     elastic
+    HTTP_Passwd   ${ELASTIC_PASSWORD}
diff --git a/config/fluentbit_server/logs-evtx.conf b/config/fluentbit_server/logs-evtx.conf
@@ -0,0 +1,45 @@
+[INPUT]
+    Name          exec
+    Tag           evtx.converter.run
+    Interval_Sec  30
+    Interval_NSec 0
+    Buf_Size      128mb
+    Command       /fluent-bit/scripts/fluentbit-evtx-dump.sh
+    Oneshot       false
+    Threaded      true
+
+
+[INPUT]
+    Name         tail
+    Path         /fluent-bit/logs/evtx/*.jsonl
+    Tag          json_evtx.logs
+    DB           /fluent-bit/database/evtx_jsonl_db.db
+    Parser       json_parser
+    Read_from_Head true
+    Buffer_Chunk_Size 1M
+    Buffer_Max_Size 5M
+
+[FILTER]
+    Name         lua
+    Match        json_evtx.logs
+    Script       /fluent-bit/etc/add_timestamp.lua
+    Call         add_timestamp
+
+[OUTPUT]
+    Name         es
+    Match        json_evtx.logs
+    Host         sentinel-kit-db-elasticsearch-es01
+    Port         9200
+    Buffer_Size   5M
+    Logstash_Format     On
+    Logstash_Prefix     ingest-evtx
+    Logstash_DateFormat %Y.%m.%d
+    Type         _doc
+    Time_Key     @timestamp
+    Replace_Dots On
+    Suppress_Type_Name On
+    Retry_Limit  False
+    TLS           On
+    TLS.Verify    Off
+    HTTP_User     elastic
+    HTTP_Passwd   ${ELASTIC_PASSWORD}
diff --git a/config/fluentbit_server/logs-http.conf b/config/fluentbit_server/logs-http.conf
@@ -0,0 +1,43 @@
+[INPUT]
+    Name         http
+    Listen       0.0.0.0
+    Port         24224
+    Tag          http.logs
+
+[FILTER]
+    Name         parser
+    Match        http.logs
+    Key_Name     log
+    Parser       json_parser
+    Preserve_Key On
+
+[FILTER]
+    Name         lua
+    Match        http.logs
+    Script       /fluent-bit/etc/add_timestamp.lua
+    Call         add_timestamp
+
+[FILTER]
+    Name         lua
+    Match        http.logs
+    Script       /fluent-bit/etc/set_target_index.lua
+    Call         set_target_index
+
+[OUTPUT]
+    Name         es
+    Match        http.logs
+    Host         sentinel-kit-db-elasticsearch-es01
+    Port         9200
+    Buffer_Size     480K
+    Logstash_Format     On
+    Logstash_Prefix_Key target_index 
+    Logstash_DateFormat %Y.%m.%d
+    Type         _doc
+    Time_Key     @timestamp
+    Replace_Dots On
+    Suppress_Type_Name On
+    Retry_Limit  False
+    TLS           On
+    TLS.Verify    Off
+    HTTP_User     elastic
+    HTTP_Passwd   ${ELASTIC_PASSWORD}
diff --git a/config/fluentbit_server/logs-json.conf b/config/fluentbit_server/logs-json.conf
@@ -0,0 +1,28 @@
+[INPUT]
+    Name         tail
+    Path         /fluent-bit/logs/json/*.json
+    Tag          json.logs
+    Parser       json_parser
+    DB           /fluent-bit/database/json_db.db
+    Read_from_Head true
+    Buffer_Chunk_Size 1M
+    Buffer_Max_Size 5M
+
+[OUTPUT]
+    Name         es
+    Match        json.logs
+    Host         sentinel-kit-db-elasticsearch-es01
+    Port         9200
+    Buffer_Size   5M
+    Logstash_Format     On
+    Logstash_Prefix     ingest-json
+    Logstash_DateFormat %Y.%m.%d
+    Type         _doc
+    Time_Key     @timestamp
+    Replace_Dots On
+    Suppress_Type_Name On
+    Retry_Limit  False
+    TLS           On
+    TLS.Verify    Off
+    HTTP_User     elastic
+    HTTP_Passwd   ${ELASTIC_PASSWORD}
diff --git a/config/fluentbit_server/parse_audit_message.lua b/config/fluentbit_server/parse_audit_message.lua
@@ -0,0 +1,25 @@
+function parse_auditd_message(tag, timestamp, record)
+    local message = record["message"]
+    
+    if not message or message == "" then
+        return 0, timestamp, record
+    end
+
+    local auditd_fields = {}
+
+    for key, value in string.gmatch(message, "([%w_]+)=\"([^\"]*)\"") do
+        auditd_fields[key] = value
+    end
+    
+    for key, value in string.gmatch(message, "([%w_]+)=([%w%d%.%-%+]+)") do
+        auditd_fields[key] = value
+    end
+    
+    for k, v in pairs(record) do
+        auditd_fields[k] = v
+    end
+
+    auditd_fields["auditd_raw_message"] = record["message"]
+    
+    return 1, timestamp, auditd_fields
+end
diff --git a/config/fluentbit_server/parsers.conf b/config/fluentbit_server/parsers.conf
diff --git a/docker-compose.yml b/docker-compose.yml
