Updated files; log2timeline parser push

Author: 505Forensics

README.md

@@ -15,6 +15,7 @@ Related Posts
 
 Changelog
 =============
+02 Mar 2014 - Added log2timeline logstash config
 
 01 Mar 2014 - Added apache-combined logstash config
 

conf_files/logstash-apache-combined.conf

@@ -1,11 +1,11 @@
 ########################
-# LogStash Configuration Files - Common Apache Files
+# logstash Configuration Files - Combined Apache Files
 # Created by 505Forensics (http://www.505forensics.com)
 # MIT License, so do what you want with it!
 #
-# For the use with logstash, elasticsearch, and kibana to analyze logs
+# For use with logstash, elasticsearch, and kibana to analyze logs
 #
-# Usage: Reference this config file for your instance of logstash to parse common Apache log files
+# Usage: Reference this config file for your instance of logstash to parse combined Apache log files
 #
 # Limitations: This file will parse raw text, not .gz log files. For .gz files, utilize a 'tcp' input, and zcat the files to netcat
 #

conf_files/logstash-apache-common.conf

@@ -1,9 +1,9 @@
 ########################
-# LogStash Configuration Files - Common Apache Files
+# logstash Configuration Files - Common Apache Files
 # Created by 505Forensics (http://www.505forensics.com)
 # MIT License, so do what you want with it!
 #
-# For the use with logstash, elasticsearch, and kibana to analyze logs
+# For use with logstash, elasticsearch, and kibana to analyze logs
 #
 # Usage: Reference this config file for your instance of logstash to parse common Apache log files
 #

conf_files/logstash-log2timeline.conf

@@ -0,0 +1,48 @@
+########################
+# logstash Configuration Files - Log2timeline Output Files
+# Created by 505Forensics (http://www.505forensics.com)
+# MIT License, so do what you want with it!
+#
+# For use with logstash, elasticsearch, and kibana to analyze logs
+#
+# Usage: Reference this config file for your instance of logstash to parse already-created log2timeline supertimelines
+#
+# Limitations: This file will parse raw text, and there must be a delimiter provided if not the default comma
+#
+#######################
+
+input {
+  file {
+    type => "log2timeline-perl"
+    start_position => "beginning"
+    sincedb_path => "/dev/null"
+
+    #Edit the following path to reflect the location of your timeline files. You can also change the extension if you use something else
+    path => "/path/to/your/timelines/*.csv"
+  }
+}
+
+filter {
+  if [type] == "log2timeline-perl" {
+    csv {
+      columns => ["date","time","timezone","MACB","source","sourcetype","type","user","host","short","desc","version","filename","inode","notes","format","extra"]
+      
+      #If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, leave the next line alone.
+      separator => ","
+    }
+
+    mutate {
+      replace => [ "date" , "%{date} %{time}" ]
+    }
+    
+    if [timezone] == "timezone" {
+      drop { }
+    }
+  }  
+}
+
+output {
+  elasticsearch {
+    embedded => true
+  }
+}