Character Set in Logstash

Hi all,

Finally got some grok filters working well for some custom snort logs. Quite often it fails because part of the message, or the entire message, has what I assume is either:

  1. Some unknown ASCII character
  2. Encrypted traffic

Example of the data:
�E�a@�����Ÿ�I�5�.�]ք�

Has anyone handled this before, either the unknown character set or how to handle (by handle I mean maybe set a tag saying encrypted) this type of "text"?

Right now anything that doesn't match about 8 different grok patterns gets a _Failure_Matching tag so I can filter them out in the Kibana dashboard.

It would really help to get some insight.
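
Added example, not part of the original post: one way to decide, before grok runs, whether a message is mostly undecodable or control bytes and should get its own tag instead of a generic match failure. The function names, the `binary_payload` tag and the 0.30 threshold are assumptions; the check shows only that the payload is not text, not that it is encrypted.

```ruby
# Added example: classify a log message as text or binary before grok runs.
# Tag name and the 0.30 threshold are assumptions, not Logstash defaults.

REPLACEMENT = "\uFFFD" # what a UTF-8 decoder emits for undecodable bytes

# Fraction of characters that are not usable text: undecodable bytes,
# U+FFFD left behind by an earlier decode, or control characters
# other than tab, CR and LF.
def non_text_ratio(raw)
  return 0.0 if raw.nil? || raw.empty?
  # scrub swaps invalid byte sequences for U+FFFD so the scan cannot raise
  text = raw.dup.force_encoding(Encoding::UTF_8).scrub(REPLACEMENT)
  bad = text.each_char.count do |ch|
    ch == REPLACEMENT ||
      (ch.ord < 0x20 && !"\t\r\n".include?(ch)) ||
      ch.ord == 0x7F
  end
  bad.to_f / text.length
end

# Returns the tags to add to the event; an empty array means "looks like text".
def payload_tags(raw, threshold = 0.30)
  non_text_ratio(raw) >= threshold ? ["binary_payload"] : []
end

# Constructed samples (not taken from real traffic).
SAMPLES = {
  # a readable alert line that a grok pattern could match
  text: "[1:1000001:1] Constructed alert {TCP} 192.0.2.10:4431 -> 198.51.100.7:443",
  # raw payload bytes as they arrive before any decoding
  binary: "\xFFE\x00a@\xC3\x28\x9A\x01I\xF05\x80.\x02]".b,
  # the same kind of payload after a lossy UTF-8 decode, as in the post
  decoded: "\uFFFDE\uFFFDa@\uFFFD\uFFFD\uFFFD\uFFFDI\uFFFD5\uFFFD.\uFFFD]"
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, msg|
    puts format("%-8s ratio=%.2f tags=%s", name, non_text_ratio(msg), payload_tags(msg).inspect)
  end
end
```

Inside Logstash the same check could run in a `ruby` filter placed ahead of the grok block, so tagged events skip pattern matching entirely.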
