Hello people, I have a doubt about my filter.
I have this content in my log file:
{"other_logs": "127.0.0.1|28614|2018-11-28 23:51:57|srcport 50389 mwtype AvalancheBotnet-andromeda destaddr 2.2.2.2 destinyurl: dogs.ru|Moscou, RU", "source_port": "50389", "malware_name": "AvalancheBotnet-andromeda", "subject": "Host with malware malware"}
When I do the filter as below, it works:
if "|" in [other_logs] {
  mutate {
    split => ["other_logs", "|"]
    add_field => { "ASN" => "%{[other_logs][1]}" }
    add_field => { "teste3" => "%{[other_logs][3]}" }
  }
  grok {
    match => { "teste3" => "%{IPV4:CC}" }
    add_tag => ["contains_ip"]
  }
  grok {
    match => { "teste3" => "\: %{GREEDYDATA:domain}" }
    add_tag => ["contains_url"]
  }
}
But when I try to do it as below, it does not work; the filter just gets the C&C IP:
...
grok {
  match => { "teste3" => "%{IPV4:CC}%{SPACE}%{WORD}\:%{SPACE}%{DATA:domain}" }
}
Could someone help me?
Thanks
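The following is an added example, not code from the post or from Logstash, that reproduces the behaviour of the two patterns with plain Python regexes. It assumes simplified stand-ins for the grok base patterns (the real IPV4 pattern is stricter) and uses the `teste3` value from the log line quoted above as a constructed sample; the point it shows is that `%{DATA}` (`.*?`) at the end of an unanchored pattern legitimately matches nothing, and grok drops empty captures by default, so only `CC` survives.

```python
import re

# Constructed sample: element 3 of other_logs split on "|" (the post's "teste3").
TESTE3 = ("srcport 50389 mwtype AvalancheBotnet-andromeda "
          "destaddr 2.2.2.2 destinyurl: dogs.ru")

# Simplified stand-ins for the grok base patterns used in the post (assumption:
# the real IPV4 pattern rejects octets > 255; that difference does not matter here).
GROK = {
    "IPV4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "SPACE": r"\s*",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",       # non-greedy: succeeds after matching zero characters
    "GREEDYDATA": r".*",  # greedy: takes the rest of the line
}

def expand(pattern: str) -> str:
    """Translate %{NAME} / %{NAME:field} into a Python regex with named groups."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        base = GROK[name]
        return f"(?P<{field}>{base})" if field else f"(?:{base})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", sub, pattern)

def grok_match(pattern: str, text: str) -> dict:
    """Unanchored search like grok, returning the captured fields.

    Logstash grok skips empty captures unless keep_empty_captures => true,
    which is why the real filter shows no "domain" field at all for the
    broken pattern; here the empty string is kept so it is visible.
    """
    m = re.search(expand(pattern), text)
    return m.groupdict() if m else {}

# The pattern from the post that "just gets the C&C IP".
BROKEN = r"%{IPV4:CC}%{SPACE}%{WORD}\:%{SPACE}%{DATA:domain}"
# Two ways to make the domain capture something: be greedy, or anchor the end
# so the non-greedy DATA is forced to expand up to end-of-line.
FIXED_GREEDY = r"%{IPV4:CC}%{SPACE}%{WORD}\:%{SPACE}%{GREEDYDATA:domain}"
FIXED_ANCHOR = r"%{IPV4:CC}%{SPACE}%{WORD}\:%{SPACE}%{DATA:domain}$"

if __name__ == "__main__":
    for label, pat in [("broken", BROKEN), ("greedy", FIXED_GREEDY), ("anchor", FIXED_ANCHOR)]:
        print(label, grok_match(pat, TESTE3))
```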