Finally got some grok filters working well for some custom Snort logs. Quite often they fail because part of the message, or the entire message, contains what I assume is either:
- Some unknown ASCII characters
- Encrypted traffic
Example of the data:
Has anyone handled this before, either the unknown character set or how to handle this type of "text" (by handle I mean maybe set a tag saying encrypted)?
Right now anything that doesn't match about 8 different grok patterns gets a _Failure_Matching tag so I can filter them out in the Kibana dashboard.
Would really help to get some insight.
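One way to get the "tag it as encrypted instead of failing grok" behaviour is to gate on the message content before it reaches the patterns. The script below is an added example, not the poster's pipeline and not Snort or Logstash code: it decodes each line as latin-1 (one character per byte, so nothing raises; it assumes you still have the raw bytes, whereas Logstash will already have decoded the line as UTF-8), then measures the fraction of non-printable characters and the Shannon entropy. Plain ASCII alert text lands around 4 to 4.7 bits per character, while encrypted or compressed payload pushes above 5 once there are more than a few dozen bytes. The thresholds (5% non-printable, 5.0 bits) and the tag names are assumptions to tune on your own data, and the sample lines are constructed, not real Snort output from the thread.

```python
"""Pre-grok classifier for Snort-style log lines (example code added to this
thread, not the poster's pipeline). Tags lines whose payload is mostly
non-printable or high-entropy so they can be routed around the grok
patterns instead of landing in _Failure_Matching."""
import math
import string

PRINTABLE = frozenset(string.printable)


def non_printable_ratio(text: str) -> float:
    """Fraction of characters outside Python's printable ASCII set."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ch not in PRINTABLE) / len(text)


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character. Plain alert text sits around
    4 to 4.7; encrypted or compressed bytes rise above 5 on longer samples."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(raw: bytes, nonprint_max: float = 0.05, entropy_min: float = 5.0) -> dict:
    """Decode one raw log line as latin-1 (one char per byte, never raises)
    and return the message plus the tags a filter stage would attach.
    Thresholds and tag names are assumptions for this example."""
    msg = raw.decode("latin-1")
    ratio = non_printable_ratio(msg)
    ent = shannon_entropy(msg)
    tags = []
    if ratio > nonprint_max:
        tags.append("non_printable")
    if ent > entropy_min:
        tags.append("high_entropy")
    if tags:
        # Either signal means grok is unlikely to match; tag and skip it.
        tags.append("probable_encrypted")
    return {
        "message": msg,
        "non_printable_ratio": round(ratio, 3),
        "entropy": round(ent, 3),
        "tags": tags,
    }


# Constructed sample lines for the example (not real Snort output).
SAMPLES = [
    b"[**] [1:1000001:1] LOCAL test alert [**] [Priority: 3] {TCP} 10.0.0.5:44321 -> 10.0.0.9:443",
    # Same shape of alert header followed by 64 distinct high bytes, standing
    # in for an encrypted payload dumped into the message.
    b"[**] [1:1000002:1] LOCAL payload dump [**] " + bytes(range(0x80, 0xC0)),
    b"",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify(sample)
        print(result["tags"], result["non_printable_ratio"], result["entropy"])
```

The same two checks fit in a Logstash `ruby` filter placed before the grok block, with `event.tag("probable_encrypted")` replacing the tag list here, so those events never reach the eight patterns and the `_Failure_Matching` bucket is left for messages that really are unexpected formats.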