It's possible to send all logs from MISP to an Elasticsearch endpoint.
First, we'll need an ES PHP library.
Replace according to your requirements:

```bash
export MISP_DIR=/var/www/MISP
cd $MISP_DIR/app
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
```
OK, now we need to configure where we log to.
In Administration -> Server Settings & Maintenance -> Plugin Settings:
Under the elasticsearch tab, enable elasticsearch logging and input your connection string.
Note that explicitly specifying the port may be needed, e.g. for AWS instances running on 443.
Also input a log index; all logs will be written to this index.
Now give ES a template to work from. The `Log.created` format has to match the timestamps MISP writes (`YYYY-MM-DD HH:MM:SS`). Note that this template uses the legacy `template` key and a `log` mapping type: Elasticsearch 6 replaced `template` with `index_patterns`, and Elasticsearch 7 removed mapping types, so adjust it for your cluster version.
```bash
cat << EOF > misp_es_template.json
{
  "template": "misp_logging",
  "mappings": {
    "log": {
      "_source": {
        "enabled": true
      },
      "properties": {
        "Log.email": {
          "type": "keyword"
        },
        "Log.title": {
          "type": "text"
        },
        "Log.ip": {
          "type": "ip"
        },
        "Log.created": {
          "format": "yyyy-MM-dd HH:mm:ss",
          "type": "date"
        },
        "Log.description": {
          "type": "text"
        },
        "Log.org": {
          "type": "text"
        },
        "Log.action": {
          "type": "text"
        },
        "Log.model": {
          "type": "text"
        },
        "Log.change": {
          "type": "text"
        }
      }
    }
  }
}
EOF
```
And put it to ES (the `Content-Type` header is required from Elasticsearch 6 onwards and harmless on older versions):

```bash
curl -XPUT -H 'Content-Type: application/json' https://my_es/_template/misp_logging --data-binary @misp_es_template.json
```
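As an added check that is not part of the MISP documentation or code base, the following Python script validates constructed sample log documents against the strictly typed fields of the template above before they are shipped: a value that does not parse as an `ip` or a `date` makes Elasticsearch reject the whole document, and the audit entry is silently lost. The field names and the `misp_logging` template come from this page; the dotted-key document shape and all sample values are assumptions.

```python
import ipaddress
import json
from datetime import datetime

# Typed fields from this page's misp_logging template; Elasticsearch parses "ip" and "date" strictly.
TEMPLATE = json.loads("""
{"template": "misp_logging",
 "mappings": {"log": {"properties": {
   "Log.email":   {"type": "keyword"},
   "Log.ip":      {"type": "ip"},
   "Log.created": {"format": "yyyy-MM-dd HH:mm:ss", "type": "date"}}}}}
""")

# Elasticsearch (Joda/java.time style) date pattern letters -> strptime directives.
_DATE_TOKENS = [("yyyy", "%Y"), ("YYYY", "%Y"), ("MM", "%m"), ("dd", "%d"),
                ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

def es_format_to_strptime(fmt: str) -> str:
    # 'yyyy-MM-dd HH:mm:ss' -> '%Y-%m-%d %H:%M:%S'
    for es_tok, py_tok in _DATE_TOKENS:
        fmt = fmt.replace(es_tok, py_tok)
    return fmt

def validate_log(doc: dict, template: dict = TEMPLATE) -> list:
    # One message per field whose value Elasticsearch would fail to parse under the mapping.
    problems = []
    for field, spec in template["mappings"]["log"]["properties"].items():
        if field not in doc:
            continue  # absent fields are fine; Elasticsearch just leaves them unset
        value = doc[field]
        if spec["type"] == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{field}: {value!r} is not a valid IP address")
        elif spec["type"] == "date":
            try:
                datetime.strptime(value, es_format_to_strptime(spec["format"]))
            except (TypeError, ValueError):
                problems.append(f"{field}: {value!r} does not match {spec['format']}")
    return problems

# Constructed sample documents (hypothetical values; the dotted-key shape is an assumption).
SAMPLE_LOGS = [
    {"Log.email": "admin@example.org", "Log.ip": "192.0.2.10", "Log.created": "2024-03-01 10:15:30"},
    # a scheduled job has no client address: an empty string is not a parseable ip
    {"Log.email": "SYSTEM", "Log.ip": "", "Log.created": "2024-03-01 10:15:31"},
    # timestamp written in a layout other than the template's date format
    {"Log.email": "analyst@example.org", "Log.ip": "2001:db8::7", "Log.created": "01/03/2024 10:15"},
]
```

Run `validate_log` over a batch pulled from the MISP log table before enabling shipping; any non-empty result points at a field that needs `ignore_malformed`, a null instead of an empty string, or a corrected date format in the template.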