Logstash
Integration instructions for Logstash (plugin version 1.0.0)
Step 1
Installation
On your server, use the Logstash integrated plugin installer:
logstash-plugin install logstash-filter-accesswatch
Step 2
Configuration
Now, edit your Logstash configuration.
First, activate the plugin and define your API key:
accesswatch {
  api_key => "YOUR_REVEAL_API_KEY_HERE"
}
To get your Reveal API Key, just Sign Up.
Step 3
Source Configuration
Next, the plugin needs to know which fields hold the IP address and User-Agent.
If your logs are formatted like this:
{
  "type": "nginx",
  "clientip": "107.171.227.185",
  "agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1",
  "verb": "POST",
  "request": "/wp-login.php",
  "response": 200
}
You can use the following configuration:
accesswatch {
  api_key => "YOUR_REVEAL_API_KEY_HERE"
  ip_source => "clientip"
  user_agent_source => "agent"
}
Step 4
Destination Configuration
Finally, you need to tell the plugin where to put the augmented data:
accesswatch {
  api_key => "YOUR_REVEAL_API_KEY_HERE"
  ip_source => "clientip"
  user_agent_source => "agent"
  identity_destination => "identity"
  reputation_destination => "reputation"
  robot_destination => "robot"
}
With that configuration, you'll then get this augmented request:
{
  "type": "nginx",
  "clientip": "107.171.227.185",
  "agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1",
  "verb": "POST",
  "request": "/wp-login.php",
  "response": 200,
  "identity": {
    "type": "robot"
  },
  "reputation": {
    "status": "bad",
    "threats": ["brute_force_login"]
  },
  "robot": {
    "id": "4c0cb48f-fdb3-4ac3-b333-bebcf49e80d",
    "name": "Mars",
    "url": "https://access.watch/database/robots/bad/mars"
  }
}
That was easy! If you need help, don't hesitate to contact us.
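The following pipeline is an added example, not taken from the Access Watch documentation. It places the Step 4 settings inside a filter section and then acts on the augmented fields shown above. The environment variable name ACCESSWATCH_API_KEY, the tag names, the stdin/stdout plumbing and the handling of events that come back without a reputation field are assumptions made for illustration.

```logstash
# Added example (not from the Access Watch docs). Tag names, the environment
# variable name and the stdin/stdout plumbing are assumptions for illustration.
input {
  stdin { codec => json_lines }   # one JSON access-log event per line
}

filter {
  # logstash-filter-accesswatch is a filter plugin, so it goes in filter { }.
  accesswatch {
    # Resolved from the environment or the Logstash keystore at startup,
    # so the key is not stored in the pipeline file itself.
    api_key                => "${ACCESSWATCH_API_KEY}"
    ip_source              => "clientip"
    user_agent_source      => "agent"
    identity_destination   => "identity"
    reputation_destination => "reputation"
    robot_destination      => "robot"
  }

  if ![reputation] {
    # Assumption: enrichment can be missing for some events. Mark those
    # explicitly so an absent field is not read as a clean reputation.
    mutate { add_tag => ["accesswatch_not_enriched"] }
  } else if [reputation][status] == "bad" {
    mutate { add_tag => ["accesswatch_bad_reputation"] }

    if "brute_force_login" in [reputation][threats] {
      mutate { add_tag => ["bruteforce_login_source"] }

      # Login POSTs from a source already flagged for brute forcing.
      if [verb] == "POST" and [request] == "/wp-login.php" {
        mutate { add_tag => ["login_attempt_from_bruteforcer"] }
      }
    }
  }
}

output {
  stdout { codec => rubydebug }   # shows the tags next to the robot fields
}
```

Fed the sample event from Step 3, this pipeline adds all three tags once the plugin has attached the reputation shown in the augmented request.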