Code failure

PAU_SUREDA_COLL · March 21, 2018, 9:08am

I try to parse my code for fortigate logs.
I need to combine two fields in a new one, but i want Kibana show me only the values with some content inside. Can you explain me how to do it?

My code:
filter{
grok{
match => [
"message",
"%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"
]
overwrite => ["message"]
tag_on_failure => [ "failure_grok_fortigate" ]

}
kv{
source => "message"
value_split => "="
field_split => ","
}
}
mutate {
add_field => { "IP_destino" => "%{remip} %{dstip}"
"Puerto_dest" => %{remport} %{dstport}”

}
rename => { "type" => "tipo" }
rename => { "subtype" => "subtipo" }
rename => { "devname" => "nombre_equipo" }
rename => { "devid" => "id_equipo" }
rename => { "logid" => "id_log" }
rename => { "level" => "nivel" }
rename => { "logdesc" => "descripcion_log" }
rename => { "locip" => "ip_locsl" }
rename => { "action" => "accion" }
rename => { "user" => "usuario" }
rename => { "group" => "grupo" }
rename => { "xauthuser" => "x_auth_usuario" }
rename => { "xauthgroup" => "x_auth_grupo" }
rename => { "assignip" => "ip_asignada" }
rename => { "vpntunnel" => "tunel_vpn" }
rename => { "status" => "estado" }
rename => { "mode" => "modo" }
rename => { "stage" => "fase" }
rename => { "role" => "rol" }
rename => { "result" => "resultado" }
rename => { "totalsesion" => "sesiones_totales" }
rename => { "bandwidth" => "ancho_banda" }
rename => { "tunnelid" => "tunel_id" }
rename => { "tunneltype" => "tunel_tipo" }
rename => { "tunnelip" => "tunel_ip" }
rename => { "duration" => "duracion" }
rename => { "sentbyte" => "byte_enviado" }
rename => { "rcvdbyte" => "byte_recibido" }
rename => { "srcip" => "ip_origen" }
rename => { "srcport" => "puerto_origen" }
rename => { "destinf" => "informscion_destino" }
rename => { "sessionid" => "id_sesion" }
rename => { "policyid" => "politica_id" }
rename => { "policytype" => "politica_tipo" }
rename => { "dstcountry" => "pais_destino" }
rename => { "srccountry" => "pais_origen" }
rename => { "service" => "servico" }
rename => { "sentpkt" => "pkt_enviado" }
rename => { "crscore" => "cr_puntuacion" }
rename => { "craction" => "cr_accion" }
rename => { "crlevel" => "cr_nivel" }
remove_field => [ "dstip", "dstport", "remip", "remport" ]
}

I try to make an "IF / ELSE" template but it doesn't work and i don't kwon why.

IF/ELSE code:
filter
{
grok
{
match =>
[
"message","%{SYSLOG5424PRI:syslog_index}%{GREEDYDATA:message}"
]
overwrite => ["message"]
tag_on_failure => [ "failure_grok_fortigate" ]

}
kv{
source => "message"
value_split => "="
field_split => " "
}
if [remip] {
mutate {
add_field => [
"IP_destino" => "%{remip}"
"Puerto_dest" => "%{remport}"
]
}
}
else if [dstip] {
mutate {
add_field => [
"IP_destino" => "%{dstip}"
"Puerto_dest" => "%{dstport}"
]
}
}
else {
remove_field => ["remip", "remport", "dstip", "dstport"]
}

mutate {
rename => { "type" => "tipo" }
rename => { "subtype" => "subtipo" }
rename => { "devname" => "nombre_equipo" }
rename => { "devid" => "id_equipo" }
rename => { "logid" => "id_log" }
rename => { "level" => "nivel" }
rename => { "logdesc" => "descripcion_log" }
rename => { "locip" => "ip_locsl" }
rename => { "action" => "accion" }
rename => { "user" => "usuario" }
rename => { "group" => "grupo" }
rename => { "xauthuser" => "x_auth_usuario" }
rename => { "xauthgroup" => "x_auth_grupo" }
rename => { "assignip" => "ip_asignada" }
rename => { "vpntunnel" => "tunel_vpn" }
rename => { "status" => "estado" }
rename => { "mode" => "modo" }
rename => { "stage" => "fase" }
rename => { "role" => "rol" }
rename => { "result" => "resultado" }
rename => { "totalsesion" => "sesiones_totales" }
rename => { "bandwidth" => "ancho_banda" }
rename => { "tunnelid" => "tunel_id" }
rename => { "tunneltype" => "tunel_tipo" }
rename => { "tunnelip" => "tunel_ip" }
rename => { "duration" => "duracion" }
rename => { "sentbyte" => "byte_enviado" }
rename => { "rcvdbyte" => "byte_recibido" }
rename => { "srcip" => "ip_origen" }
rename => { "srcport" => "puerto_origen" }
rename => { "destinf" => "informacion_destino" }
rename => { "sessionid" => "id_sesion" }
rename => { "policyid" => "politica_id" }
rename => { "policytype" => "politica_tipo" }
rename => { "dstcountry" => "pais_destino" }
rename => { "srccountry" => "pais_origen" }
rename => { "service" => "servico" }
rename => { "sentpkt" => "pkt_enviado" }
rename => { "crscore" => "cr_puntuacion" }
rename => { "craction" => "cr_accion" }
rename => { "crlevel" => "cr_nivel" }
remove_field => [ "dstip", "dstport", "remip", "remport" ]
}
}

magnusbaeck · March 22, 2018, 9:06pm

add_field => [
"IP_destino" => "%{remip}"
"Puerto_dest" => "%{remport}"
]

Use braces here, not square brackets.

add_field => {
"IP_destino" => "%{remip}"
"Puerto_dest" => "%{remport}"
}

PAU_SUREDA_COLL · March 23, 2018, 10:01am

Yes, I fixed it later, now i can see in kibana the logstash logs, but don't add fields
New code: input {
file {
path => "C:\entrada"
start_position => "beginning"
}
}

filter {
grok {
match => [ "message", "%{SYSLOG5424PRI:syslog_index} %{GREEDYDATA:message}" ]
overwrite => ["message"]
tag_on_failure => [ "failure_grok_fortigate" ]
}

kv{
	source => "message"
	value_split => "="
	field_split => " "
}

if [subtype] == "vpn" {
	if "10.*" in [remip] {
		mutate {
			add_field => {
				"ip_externa" => "%{locip}"
				"puerto_externo" => "%{locport}"
				"ip_interna" => "%{remip}"
				"puerto_interno" => "%{remport}"
				"sentido" => "recibir"
			}
			remove_field => [ "locip", "locport", "remip", "remport" ]
		}
	} else {
		if "10.*" in [locip] {
			mutate {
				add_field => {
					"ip_externa" => "%{remip}"
					"puerto_externo" => "%{remport}"
					"ip_interna" => "%{locip}"
					"puerto_interno" => "%{locport}"
					"sentido" => "enviar"
				}
				remove_field => [ "locip", "locport", "remip", "remport" ]
			}
		}
	}
} else { if [subtype] == "local" or "forward" or "webfilter" {
			if "10.*" in [dstip] {
				mutate {
					add_field => {
						"ip_externa" => "%{srcip}"
						"puerto_externo" => "%{srcport}"
						"ip_interna" => "%{dstip}"
						"puerto_interno" => "%{dstport}"
						"sentido" => "recibir"
					}
					remove_field => [ "srcip", "srcport", "dstip" , "dstport" ]
				}
			} else {
				if "10.*" in [srcip] {
					mutate {
						add_field => {
							"ip_externa" => "%{dstip}"
							"puerto_externo" => "%{dstport}"
							"ip_interna" => "%{srcip}"
							"puerto_interno" => "%{srcport}"
							"sentido" => "enviar"
						}
						remove_field => [ "locip", "locport", "remip", "remport" ]
					}
				}
			}
		} else { if [subtype] == "system" {
					mutate {
						remove_field => [ "srcip", "srcport", "dstip" , "dstport", "locip", "locport", "remip", "remport" ]
					}
				} else {}
			}
		}

mutate {
rename => { "time" => "tiempo" }
rename => { "poluuid" => "id_poluu" }
rename => { "catdesc" => "descripcion_cat" }
rename => { "direction" => "direccion" }
rename => { "eventtype" => "tipo_evento" }
rename => { "hostname" => "nombre_host" }
rename => { "method" => "metodo" }
rename => { "profile" => "perfil" }
rename => { "reqtype" => "tipo_peticion" }
rename => { "type" => "tipo" }
rename => { "subtype" => "subtipo" }
rename => { "devname" => "nombre_equipo" }
rename => { "devid" => "id_equipo" }
rename => { "logid" => "id_log" }
rename => { "level" => "nivel" }
rename => { "logdesc" => "descripcion_log" }
rename => { "locport" => "puerto_local" }
rename => { "locip" => "ip_local" }
rename => { "action" => "accion" }
rename => { "user" => "usuario" }
rename => { "group" => "grupo" }
rename => { "xauthuser" => "x_auth_usuario" }
rename => { "xauthgroup" => "x_auth_grupo" }
rename => { "assignip" => "ip_asignada" }
rename => { "vpntunnel" => "tunel_vpn" }
rename => { "status" => "estado" }
rename => { "mode" => "modo" }
rename => { "stage" => "fase" }
rename => { "role" => "rol" }
rename => { "result" => "resultado" }
rename => { "totalsesion" => "sesiones_totales" }
rename => { "bandwidth" => "ancho_banda" }
rename => { "tunnelid" => "tunel_id" }
rename => { "tunneltype" => "tunel_tipo" }
rename => { "tunnelip" => "tunel_ip" }
rename => { "duration" => "duracion" }
rename => { "sentbyte" => "byte_enviado" }
rename => { "rcvdbyte" => "byte_recibido" }
rename => { "srcip" => "ip_origen" }
rename => { "srcport" => "puerto_origen" }
rename => { "dstip" => "ip_destino" }
rename => { "dstport" => "puerto_destino" }
rename => { "remip" => "ip_remota" }
rename => { "destinf" => "informacion_destino" }
rename => { "sessionid" => "id_sesion" }
rename => { "policyid" => "politica_id" }
rename => { "policytype" => "politica_tipo" }
rename => { "dstcountry" => "pais_destino" }
rename => { "srccountry" => "pais_origen" }
rename => { "service" => "servicio" }
rename => { "sentpkt" => "pkt_enviado" }
rename => { "crscore" => "cr_puntuacion" }
rename => { "craction" => "cr_accion" }
rename => { "crlevel" => "cr_nivel" }
remove_field => [ "message", "tags" ]
}

}

output {
file {
path => "C:\salida"
}
}

magnusbaeck · March 24, 2018, 9:28am

So what do you get? Copy/paste from Kibana's JSON tab.

PAU_SUREDA_COLL · March 26, 2018, 8:40am

I've fixed the code looking another posts like this:
https://www.elastic.co/guide/en/logstash/current/config-examples.html

system · April 23, 2018, 8:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.