Repository: https://github.com/korenyoni/elastsec (GitHub, owner korenyoni)
Description: Machine-oriented ElasticSearch Alerts, written in Go
Language: Go. Topics: auditbeat, devops, elasticsearch, filebeat, golang, security
Created: 2018-01-30. Last pushed: 2018-02-23

# ElastSec

Connects to Elasticsearch, parses heartbeat writes, and creates the following host-oriented alerts:

1. New privilege escalation
2. Failed file change attempt
3. Failed file access attempt
4. File permissions change
5. New SSH connection
6. Failed SSH connection attempt (password, invalid user)

## Motivation

[ElastAlert](https://github.com/Yelp/elastalert) was too heavyweight, carrying too many alerting features. Also, ElastAlert's enhancement modules did not play well with query_keys.

Furthermore, it is more feasible to create machine-oriented event data by redoing ElastAlert's necessary work from the ground up.

## Usage

1. Set `ES_ADDR` to your ElasticSearch address, `ESEC_SLACK_WEBHOOK` to your Slack webhook, and `STMP_SEND_ADDR` to the email address you would like to notify.
2. `ESEC_AGG_DURATION` and `ESEC_EMAIL_DURATION` can optionally be set (e.g. `2hr`, `24h`). It is recommended to give the email duration a couple of extra seconds so that it captures the aggregation events.
3. Add `-w /etc/ -p wa` to your auditbeat.yml
4. Use the following auditbeat configuration:
```
- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |

    # Identity changes.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/ -p wa

    # Unauthorized access attempts.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: audit
  metricsets: [file]
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

```
5. In filebeat.yml, under `filebeat.prospectors`, add: `scan_frequency: 1s`
6. `make && ./elastsec`

## Requirements

1. [Elasticsearch](https://www.elastic.co/products/elasticsearch)
2. [Filebeat](https://www.elastic.co/products/beats/filebeat)
3. [Auditbeat](https://www.elastic.co/products/beats/auditbeat)
4. `sendmail` configured via `ssmtp` (including revaliases) or another SMTP utility.

You will need a version of Go reasonably close to `1.9.3` to build the binary yourself. A glide configuration and lock file are included.