ELK snort

Hi, I am configuring Logstash for Snort logs following a few tutorials from the web, but I cannot parse the Snort logs. I have:

```
\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\] %{GREEDYDATA:ids_alert} \[Classification: %{DATA:ids_classification}\] \[Priority: %{INT:ids_priority}\] \{%{WORD:ids_proto}\} %{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}
```

I tested it from the console and it parses the logs, but when I implement it in the filter it is not working.

For example I have:

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "firewall" ]
    }
  }
}
```

but the if is not recognizing PFSense from the logs?

It's impossible to help without knowing what the logs look like. Please also post your full configuration and format it as preformatted text using Markdown notation or the </> toolbar button.

And exactly what isn't working? The first grok appears to work since you're getting the prog field.

There is a snort parsing grok also; it is not working. And I have:

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "firewall" ]
    }
  }
}
```

The tag firewall is not being added.

There is no error in /var/log/logstash; it shows it working properly.

> There is a snort parsing grok also; it is not working.

That's because you require the prog field to contain "snort", but it actually contains "snort[123]".

> The tag firewall is not being added.

Both messages in your screenshot have a firewall tag.

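The two points the reply above makes, as an added example that is not code from this thread or from Logstash: a small grok-style expander in Python runs the thread's snort pattern (with the literal brackets and braces escaped) over a constructed pfSense syslog line, and the `prog` condition is shown both as the exact comparison that fails on `snort[46231]` and as the prefix match that works. The sample lines, hostname, addresses and the SID 1000001 are constructed, the `SYSLOG_RE` prefix regex and every function name are this example's own, and the expander implements only the grok base patterns the snort pattern needs.

```python
import re

# Added example, not code from the thread or from Logstash: a minimal grok-style
# expander so the snort pattern can be run offline in plain Python. Only the base
# patterns the snort pattern uses are defined; they follow the standard grok ones.
GROK_BASE = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    # IPv4 only; grok's IP also covers IPv6, which is left out here
    "IP": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})[.]){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})(?![0-9])",
}
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into named groups and compile the result."""
    def expand(m):
        body = GROK_BASE[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_TOKEN.sub(expand, pattern))


# The thread's pattern with the literal [ ] { } escaped (unescaped, grok reads
# "[...]" as a character class) and single spaces where the original used ".".
SNORT_GROK = (
    r"\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\] %{GREEDYDATA:ids_alert} "
    r"\[Classification: %{DATA:ids_classification}\] \[Priority: %{INT:ids_priority}\] "
    r"\{%{WORD:ids_proto}\} %{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}"
)
SNORT_RE = grok_to_regex(SNORT_GROK)

# Syslog prefix as the constructed sample lines carry it (regex is this example's
# own). `prog` is captured the way the thread's events show it, pid included,
# so the field holds "snort[46231]" rather than "snort".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:]+): (?P<msg>.*)$"
)

# Constructed sample lines: documentation IP ranges and a SID in the local-rule range.
SAMPLE_LINES = [
    "Feb 10 12:00:01 pfsense snort[46231]: [1:1000001:2] LOCAL constructed test alert "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.0.2.10:49152 -> 198.51.100.5:445",
    "Feb 10 12:00:02 pfsense sshd[201]: Accepted publickey for admin from 192.0.2.20 port 51000 ssh2",
]


def matches_exactly(prog):
    """The comparison the thread's config makes: true only for a bare "snort"."""
    return prog == "snort"


def is_snort_program(prog):
    """Logstash `if [prog] =~ /^snort/`: a prefix match that tolerates the pid."""
    return re.match(r"^snort", prog) is not None


def process(line, input_tags=("PFSense",)):
    """Run one syslog line through the filter logic discussed in the thread."""
    event = {"message": line, "tags": list(input_tags)}
    m = SYSLOG_RE.match(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(m.groupdict())

    # if "PFSense" in [tags] { mutate { add_tag => ["firewall"] } }
    if "PFSense" in event["tags"]:
        event["tags"].append("firewall")

    # The snort grok only runs when the prog condition holds; with an exact
    # "snort" comparison it would never run on these events.
    if is_snort_program(event["prog"]):
        sm = SNORT_RE.match(event["msg"])
        if sm is None:
            event["tags"].append("_grokparsefailure")
        else:
            event.update(sm.groupdict())
            event["tags"].append("snort")
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = process(sample)
        print(ev["prog"], matches_exactly(ev["prog"]), ev["tags"], ev.get("ids_sid"))
```

In a Logstash pipeline the equivalent of `is_snort_program` is a regex conditional, `if [prog] =~ /^snort/`, in place of `if [prog] == "snort"`; the other option is to capture the pid as its own field in the syslog grok so that `prog` only ever holds the program name.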

Yes, there is a firewall tag there. Whenever I change the firewall tag to something else, for example I changed it to test, it is not adding it; it is adding firewall there again.

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "test" ]
    }
  }
}
```
I added test to check whether it is working or not, and it is not adding the test tag. There is a PFSense tag in tags, I am sure.
