This is meant to be used as a general idea for sending events to elasticsearch using logstash confirguations for:

• TippingPoint IPS
• Bro NSM/IDS files (specifically conn, dns, dhcp, dpd, files, http, kerberos, notice, rdp, ssh, smtp, ssl, x509)
• Windows event logs (sent via nxlog) and also sysmon logs if it is installed
• Juniper SSL VPN logs (note may need to change username regex field a bit, but was extremely useful to visualize where users were logging in from geo map in kibana and also for tracking down users if they were compromised while VPN'ed in)
• Suricata IDS
• FireEye (not parsed but just sent)
• PaloAlto Traffic and Threat logs
• Add GeoIP to all source/destination IPs
• Add AS Name and AS Number to all source/destination IPs (this has been extremely useful for whitelisting/blacklisting/filtering)

I would tailor this file to your environment and please note I never got around to normalizing all the time stamp fields.

Bro HTTP has additional client headers added such as "X-FLASH-VERSION" as "flash_version", "RANGE" as "content_range", "ACCEPT-LANGUAGE" as "accept_language", "X-REQUESTED-WITH" as "x_requested_with".

As I was a literally a one man security shop, for over a year, its a fairly rough looking file.. However security is not pretty and I had great success using this file to collect pretty much everything I needed for an opensource SIEM.

There are still shops out there with a lot more than 1 person that could not even tell you processes spawned on their servers (whether it is used as a DC or point of sales).

So this file was still a great victory for me despite how f'ed up it might be.