Hi, I am configuring Logstash for Snort logs following a few tutorials from the web, but cannot parse the Snort logs. I have

```
\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\].%{GREEDYDATA:ids_alert}.\[Classification: %{DATA:ids_classification}\].\[Priority: %{INT:ids_priority}\].\{%{WORD:ids_proto}\}.%{IP:src_ip}:%{INT:src_port} ->.%{IP:dst_ip}:%{INT:dst_port}
```

and tested it from the console; it parses the logs, but when I implement it in the filter it is not working.
For example I have:

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "firewall" ]
    }
  }
}
```
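As an added example (not from the thread or from Logstash itself), the same Snort fields extracted in Python with a regex equivalent of the grok pattern above, run over a constructed pfSense-style syslog line; `SAMPLE_LINE`, `parse_snort_alert` and `tag_event` are my own names, and the sample addresses and sid are made up.

```python
import re

# Grok pattern from the thread rewritten as a plain regex with named groups.
# Differences from the posted grok: brackets/braces are escaped, separators are
# literal spaces instead of "." wildcards, and the alert text is non-greedy.
SNORT_ALERT_RE = re.compile(
    r"\[(?P<ids_gid>\d+):(?P<ids_sid>\d+):(?P<ids_rev>\d+)\] "
    r"(?P<ids_alert>.+?) "
    r"\[Classification: (?P<ids_classification>[^\]]*)\] "
    r"\[Priority: (?P<ids_priority>\d+)\] "
    r"\{(?P<ids_proto>\w+)\} "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)"
)

# Fields the grok pattern typed as INT; converted so range checks work downstream.
INT_FIELDS = ("ids_gid", "ids_sid", "ids_rev", "ids_priority",
              "src_port", "dst_port")

# Constructed sample line in the shape the pfSense snort package sends to syslog
# (hostname, pid and sid are made up; addresses are RFC 5737 test ranges).
SAMPLE_LINE = ("Apr 20 10:15:32 pfsense snort[4242]: [1:2100498:7] "
               "GPL ATTACK_RESPONSE id check returned root "
               "[Classification: Potentially Bad Traffic] [Priority: 2] "
               "{TCP} 192.0.2.10:80 -> 198.51.100.5:51512")


def parse_snort_alert(line):
    """Return the grok-style fields as a dict, or None when the line does not
    match (the equivalent of Logstash adding a _grokparsefailure tag)."""
    m = SNORT_ALERT_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    for name in INT_FIELDS:
        event[name] = int(event[name])
    return event


def tag_event(tags):
    """Mirror the conditional from the thread: add "firewall" only when the
    event already carries the PFSense tag; otherwise return the tags unchanged."""
    if "PFSense" in tags and "firewall" not in tags:
        return tags + ["firewall"]
    return list(tags)


if __name__ == "__main__":
    print(parse_snort_alert(SAMPLE_LINE))
    print(tag_event(["PFSense"]))
```

ICMP alerts are logged without ports, so they do not match this regex, exactly as they would not match the posted grok; handle them with a second pattern or check the result for None before relying on the fields.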
It's impossible to help without knowing what the logs look like. Please also post your full configuration and format it as preformatted text using Markdown notation or the </> toolbar button.
There is a Snort parsing grok too, and it is also not working. And I have:

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "firewall" ]
    }
  }
}
```

The firewall tag is not being added.
Yes, there is a firewall tag here. Whenever I change the firewall tag to something else, for example to test, it is not added; it adds firewall there again.

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "test" ]
    }
  }
}
```

I added test to check whether it is working or not, and it is not adding the test tag. There is a PFSense tag in tags, I am sure.