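# Logstash pipeline: parse auth/syslog lines from a sample file, enrich
# parsed events with GeoIP, email an alert when a single source IP trips the
# throttle threshold, and index every event into Elasticsearch.

input {
  file {
    path => "/home/ninja/log-samples/ddos.log"
    start_position => "beginning"
    # NOTE(review): presumably 0 means "do not skip the sample file because of
    # its age" — confirm against the installed file-input version's docs.
    ignore_older => 0
  }
}

filter {
  # One pattern per line shape seen in the sample. Grok stops at the first
  # pattern that matches, so the generic "%{WORD:auth_method}" form is listed
  # last and only catches what the specific forms miss. "valid" is only set
  # when a pattern matched and is used as the gate below.
  grok {
    add_tag => [ "valid" ]
    match => [
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: message repeated 2 times: \[ %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for invalid user %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}",
      "message", "%{SYSLOGTIMESTAMP:syslog_date} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} %{WORD:auth_method} for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}"
    ]
  }

  # Only enrich and rate-count lines grok understood. An unparsed line has no
  # "ip" field, so it cannot be attributed to a source; previously such lines
  # still reached throttle, where every one of them would be counted under the
  # same non-IP key and a burst of them could raise a misleading alert.
  if "valid" in [tags] {
    mutate {
      lowercase => [ "login" ]
    }
    # Syslog timestamps carry no year; ISO8601 is accepted as a fallback.
    date {
      match => [ "syslog_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
      timezone => "Europe/Helsinki"
    }
    geoip {
      source => "ip"
    }
    # Tag events from one source IP once more than after_count of them are
    # seen within period seconds.
    throttle {
      before_count => 0
      after_count => 5
      period => 5
      key => "%{ip}"
      add_tag => "throttled"
    }
    # The tag has done its job as a gate; drop it so indexed documents carry
    # the same tag set as before.
    mutate {
      remove_tag => [ "valid" ]
    }
  }
}

output {
  # NOTE(review): presumably every event tagged past the threshold produces
  # its own email — confirm that volume is acceptable for a sustained burst.
  if "throttled" in [tags] {
    email {
      # NOTE(review): "host" is presumably the field set by the file input
      # (the Logstash machine); the reported machine is in "syslog_host" —
      # confirm which one the alert is meant to name.
      subject => "DDoS attack on %{host}"
      to => "root"
      via => "sendmail"
      body => "Alert on %{host} from %{ip} :\n\n%{message}"
      #options => { "location" => "/usr/sbin/sendmail" }
    }
  }
  elasticsearch {
    hosts => ["localhost:9200"]
    # Elasticsearch requires lowercase index names; "DDoS" is rejected with
    # invalid_index_name_exception, so nothing would be indexed.
    index => "ddos"
  }
}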