misp_fetch_in_filter.conf

input {
  # Schedule the generator to run at 3 AM every day
  generator {
    count => 1
    message => "trigger"
    schedule => "0 3 * * *"
  }
}

filter {
  if [message] == "trigger" {
    ruby {
      init => "
        require 'net/http'
        require 'uri'
        require 'json'
        require 'time'
        require 'date'
      "
      code => "
        now = Time.now.utc
        start_of_last_day = (now - 86400).strftime('%Y-%m-%dT00:00:00Z')
        end_of_last_day = (now - 86400).strftime('%Y-%m-%dT23:59:59Z')

        uri = URI.parse('https://your-misp-instance/events/restSearch')
        request = Net::HTTP::Post.new(uri)
        request['Authorization'] = 'YOUR_API_KEY'
        request['Content-Type'] = 'application/json'

        request.body = {
          'returnFormat' => 'json',
          'page' => 1,
          'publish_timestamp' => [start_of_last_day, end_of_last_day]
        }.to_json

        response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
          http.request(request)
        end

        if response.code.to_i == 200
          events = JSON.parse(response.body)
          events.each do |event|
            new_event = LogStash::Event.new(event)
            new_event.tag('_ruby_http_poller')
            event.cancel
            @logger.info('Created new event', :new_event => new_event.to_hash)
            @output_func.call(new_event)
          end
        else
          @logger.error('Failed to fetch MISP events', :code => response.code, :body => response.body)
        end
      "
    }
  }
}

output {
  if "_ruby_http_poller" in [tags] {
    # Output the MISP events to Elasticsearch
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "misp_events_%{+YYYY.MM.dd}"
    }

    # Debug the incoming events from MISP
    stdout {
      codec => rubydebug
    }
  }
}