noodlemctwoodle / pf-azure-sentinel Goto Github PK

Hello,

I have the following error when logstash is starting:

[2022-02-24T17:28:18,845][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2022-02-24T17:28:18,854][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.17.0", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8 on 11.0.13+8 +indy +jit [linux-x86_64]"}
[2022-02-24T17:28:18,855][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true]
[2022-02-24T17:28:19,974][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-02-24T17:28:21,606][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 2, column 1 (byte 37) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:383:in block in converge_state'"]}
[2022-02-24T17:28:21,704][INFO ][logstash.runner ] Logstash shut down.
[2022-02-24T17:28:21,712][FATAL][org.logstash.Logstash ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby-complete-9.2.20.1.jar:?]
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby-complete-9.2.20.1.jar:?]
at usr.share.logstash.lib.bootstrap.environment.

can anyone help?

With my limited knowledge and experience with Elasticsearch for SIEM usage, I am looking forward to getting this set up to send the logs to Sentinel. Thank you for putting this together. Going through the steps in:

https://github.com/noodlemctwoodle/pf-azure-sentinel/tree/main/Logstash-Configuration

There are some mismatches in the steps vs the actual file name for example Step 10:

Update firewall interfaces

Amend the 05-firewall.conf file

sudo nano /etc/logstash/conf.d/40-interfaces.conf
(there is no 40-interfaces.conf file recommended to download, it is now 20-interfaces.conf?)

How do you permanently set the subnets & thresholds fields? I've changed them to reflect my subnets and saved them but when I hit refresh it uses the default nets.