f5.conf
input {
  # Receive BIG-IP ASM/AWAF security events sent as syslog. Syslog carries no
  # transport encryption, so this listener should only be reachable from the
  # BIG-IP's management/log network, not exposed publicly. 5046 is an
  # unprivileged port, so Logstash does not need root to bind it.
  # NOTE(review): whether this accepts UDP, TCP or both depends on the
  # plugin's `proto` default — confirm it matches the BIG-IP logging profile.
  syslog {
    port => 5046
  }
}
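filter {
  # Parse the F5 BIG-IP ASM/AWAF key="value" request log line into fields.
  # Each pattern is applied on its own (break_on_match => false), so a key the
  # device did not log simply leaves that field absent instead of failing the
  # whole match. %{DATA} is non-greedy and stops at the first `"`, so a value
  # containing an unescaped quote (most likely `request`, which holds the raw
  # HTTP request) would be cut short.
  # NOTE(review): confirm how the logging profile escapes quotes in values.
  grok {
    match => {
      "message" => [
        "attack_type=\"%{DATA:attack_type}\"",
        ",blocking_exception_reason=\"%{DATA:blocking_exception_reason}\"",
        ",date_time=\"%{DATA:date_time}\"",
        ",dest_port=\"%{DATA:dest_port}\"",
        ",ip_client=\"%{DATA:ip_client}\"",
        ",is_truncated=\"%{DATA:is_truncated}\"",
        ",method=\"%{DATA:method}\"",
        ",policy_name=\"%{DATA:policy_name}\"",
        ",protocol=\"%{DATA:protocol}\"",
        ",request_status=\"%{DATA:request_status}\"",
        ",response_code=\"%{DATA:response_code}\"",
        ",severity=\"%{DATA:severity}\"",
        ",sig_cves=\"%{DATA:sig_cves}\"",
        ",sig_ids=\"%{DATA:sig_ids}\"",
        ",sig_names=\"%{DATA:sig_names}\"",
        ",sig_set_names=\"%{DATA:sig_set_names}\"",
        ",src_port=\"%{DATA:src_port}\"",
        ",sub_violations=\"%{DATA:sub_violations}\"",
        ",support_id=\"%{DATA:support_id}\"",
        "unit_hostname=\"%{DATA:unit_hostname}\"",
        ",uri=\"%{DATA:uri}\"",
        ",violation_rating=\"%{DATA:violation_rating}\"",
        ",vs_name=\"%{DATA:vs_name}\"",
        ",x_forwarded_for_header_value=\"%{DATA:x_forwarded_for_header_value}\"",
        ",outcome=\"%{DATA:outcome}\"",
        ",outcome_reason=\"%{DATA:outcome_reason}\"",
        ",violations=\"%{DATA:violations}\"",
        ",violation_details=\"%{DATA:violation_details}\"",
        ",request=\"%{DATA:request}\""
      ]
    }
    break_on_match => false
  }

  # Multi-valued fields arrive as comma-separated strings; turn them into arrays
  # so they can be aggregated per signature / violation.
  # NOTE(review): staged_sig_ids, staged_sig_names, staged_sig_cves,
  # threat_campaign_names and staged_threat_campaign_names are not extracted by
  # the grok block above, so those splits do nothing unless something outside
  # this file sets them — confirm, or add matching grok patterns.
  mutate {
    split => { "attack_type" => "," }
    split => { "sig_ids" => "," }
    split => { "sig_names" => "," }
    split => { "sig_cves" => "," }
    split => { "staged_sig_ids" => "," }
    split => { "staged_sig_names" => "," }
    split => { "staged_sig_cves" => "," }
    split => { "sig_set_names" => "," }
    split => { "threat_campaign_names" => "," }
    split => { "staged_threat_campaign_names" => "," }
    split => { "violations" => "," }
    split => { "sub_violations" => "," }
  }

  # Choose the address to geolocate. x_forwarded_for_header_value is copied
  # from a client-supplied request header: it is only meaningful when the
  # BIG-IP sits behind a proxy that sets/overwrites that header; otherwise the
  # requester controls it and ip_client is the reliable value.
  # A bare `!= "N/A"` test also passes when the field is missing (e.g. grok did
  # not match), which would store the literal "%{x_forwarded_for_header_value}"
  # as source_host — so require the field to exist and be non-empty first.
  if [x_forwarded_for_header_value] and [x_forwarded_for_header_value] != "N/A" and [x_forwarded_for_header_value] != "" {
    mutate { add_field => { "source_host" => "%{x_forwarded_for_header_value}" } }
    # X-Forwarded-For may carry a list ("client, proxy1, proxy2"); geoip needs
    # a single address, so keep only the first entry and trim whitespace.
    mutate {
      gsub  => [ "source_host", ",.*$", "" ]
      strip => [ "source_host" ]
    }
  } else if [ip_client] {
    mutate { add_field => { "source_host" => "%{ip_client}" } }
  }

  # Only attempt a lookup when we actually have an address; results land in
  # the "geoip" field.
  if [source_host] {
    geoip {
      source => "source_host"
      target => "geoip"
    }
  }

  # Use the device's own timestamp as @timestamp. The pattern ends in `Z`, so
  # when the value carries an explicit offset that offset wins; `timezone`
  # only applies if the logged value has none.
  # NOTE(review): confirm which form the BIG-IP logging profile emits.
  date {
    match => ["date_time", "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
    target => "@timestamp"
    timezone => "America/Porto_Velho"
  }
}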
output {
  # Ship events to Elasticsearch, one index per day. Credentials and hosts
  # come from the environment rather than this file, so the config can be
  # committed without secrets.
  elasticsearch {
    index => "big_ip-waf-logs-%{+YYYY.MM.dd}"
    hosts => "${ELASTIC_HOSTS}"
    user => "${ELASTIC_USER}"
    password => "${ELASTIC_PASSWORD}"
    # CA used to verify the Elasticsearch server certificate. The path is
    # relative to Logstash's working directory, so it must resolve wherever
    # Logstash is started from.
    # NOTE(review): TLS is only negotiated if ELASTIC_HOSTS uses https:// (or
    # the plugin's ssl option is enabled); with plain http:// this cacert is
    # unused and credentials travel in clear — confirm the hosts value.
    cacert => "certs/ca/ca.crt"
  }
}