I try to parse my code for fortigate logs.
I need to combine two fields in a new one, but i want Kibana show me only the values with some content inside. Can you explain me how to do it?
My code:
filter{
grok{
match => [
"message",
"%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"
]
overwrite => ["message"]
tag_on_failure => [ "failure_grok_fortigate" ]
}
kv{
source => "message"
value_split => "="
field_split => ","
}
}
mutate {
add_field => { "IP_destino" => "%{remip} %{dstip}"
"Puerto_dest" => %{remport} %{dstport}”
}
rename => { "type" => "tipo" }
rename => { "subtype" => "subtipo" }
rename => { "devname" => "nombre_equipo" }
rename => { "devid" => "id_equipo" }
rename => { "logid" => "id_log" }
rename => { "level" => "nivel" }
rename => { "logdesc" => "descripcion_log" }
rename => { "locip" => "ip_locsl" }
rename => { "action" => "accion" }
rename => { "user" => "usuario" }
rename => { "group" => "grupo" }
rename => { "xauthuser" => "x_auth_usuario" }
rename => { "xauthgroup" => "x_auth_grupo" }
rename => { "assignip" => "ip_asignada" }
rename => { "vpntunnel" => "tunel_vpn" }
rename => { "status" => "estado" }
rename => { "mode" => "modo" }
rename => { "stage" => "fase" }
rename => { "role" => "rol" }
rename => { "result" => "resultado" }
rename => { "totalsesion" => "sesiones_totales" }
rename => { "bandwidth" => "ancho_banda" }
rename => { "tunnelid" => "tunel_id" }
rename => { "tunneltype" => "tunel_tipo" }
rename => { "tunnelip" => "tunel_ip" }
rename => { "duration" => "duracion" }
rename => { "sentbyte" => "byte_enviado" }
rename => { "rcvdbyte" => "byte_recibido" }
rename => { "srcip" => "ip_origen" }
rename => { "srcport" => "puerto_origen" }
rename => { "destinf" => "informscion_destino" }
rename => { "sessionid" => "id_sesion" }
rename => { "policyid" => "politica_id" }
rename => { "policytype" => "politica_tipo" }
rename => { "dstcountry" => "pais_destino" }
rename => { "srccountry" => "pais_origen" }
rename => { "service" => "servico" }
rename => { "sentpkt" => "pkt_enviado" }
rename => { "crscore" => "cr_puntuacion" }
rename => { "craction" => "cr_accion" }
rename => { "crlevel" => "cr_nivel" }
remove_field => [ "dstip", "dstport", "remip", "remport" ]
}
I try to make an "IF / ELSE" template but it doesn't work and i don't kwon why.
IF/ELSE code:
filter
{
grok
{
match =>
[
"message","%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"
]
overwrite => ["message"]
tag_on_failure => [ "failure_grok_fortigate" ]
}
kv{
source => "message"
value_split => "="
field_split => " "
}
if [remip] {
mutate {
add_field => [
"IP_destino" => "%{remip}"
"Puerto_dest" => "%{remport}"
]
}
}
else if [dstip] {
mutate {
add_field => [
"IP_destino" => "%{dstip}"
"Puerto_dest" => "%{dstport}"
]
}
}
else {
remove_field => ["remip", "remport", "dstip", "dstport"]
}
mutate {
rename => { "type" => "tipo" }
rename => { "subtype" => "subtipo" }
rename => { "devname" => "nombre_equipo" }
rename => { "devid" => "id_equipo" }
rename => { "logid" => "id_log" }
rename => { "level" => "nivel" }
rename => { "logdesc" => "descripcion_log" }
rename => { "locip" => "ip_locsl" }
rename => { "action" => "accion" }
rename => { "user" => "usuario" }
rename => { "group" => "grupo" }
rename => { "xauthuser" => "x_auth_usuario" }
rename => { "xauthgroup" => "x_auth_grupo" }
rename => { "assignip" => "ip_asignada" }
rename => { "vpntunnel" => "tunel_vpn" }
rename => { "status" => "estado" }
rename => { "mode" => "modo" }
rename => { "stage" => "fase" }
rename => { "role" => "rol" }
rename => { "result" => "resultado" }
rename => { "totalsesion" => "sesiones_totales" }
rename => { "bandwidth" => "ancho_banda" }
rename => { "tunnelid" => "tunel_id" }
rename => { "tunneltype" => "tunel_tipo" }
rename => { "tunnelip" => "tunel_ip" }
rename => { "duration" => "duracion" }
rename => { "sentbyte" => "byte_enviado" }
rename => { "rcvdbyte" => "byte_recibido" }
rename => { "srcip" => "ip_origen" }
rename => { "srcport" => "puerto_origen" }
rename => { "destinf" => "informacion_destino" }
rename => { "sessionid" => "id_sesion" }
rename => { "policyid" => "politica_id" }
rename => { "policytype" => "politica_tipo" }
rename => { "dstcountry" => "pais_destino" }
rename => { "srccountry" => "pais_origen" }
rename => { "service" => "servico" }
rename => { "sentpkt" => "pkt_enviado" }
rename => { "crscore" => "cr_puntuacion" }
rename => { "craction" => "cr_accion" }
rename => { "crlevel" => "cr_nivel" }
remove_field => [ "dstip", "dstport", "remip", "remport" ]
}
}