Elk snort

Elastic Stack Logstash
1

Hi i am configuring logstash for snort logs following few tutorials from web, but can not parse snort logs i have
[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}].%{GREEDYDATA:ids_alert}.[Classification: %{DATA:ids_classification}].[Priority: %{INT:ids_priority}].{%{WORD:ids_proto}}.%{IP:src_ip}:%{INT:src_port} ->.%{IP:dst_ip}:%{INT:dst_port}

and tested it from console it is parsing logs, but when i implement it on filter is not working.

For example i have:

filter {
if "PFSense" in [tags] {
mutate {
add_tag => [ "firewall" ]
}

but If is not recognizing PFSense from logs?????

2

It's impossible to help without knowing what the logs look like. Please also post your full configuration and format it as preformatted text using Markdown notation or the </> toolbar button.

4

And exactly what isn't working? The first grok appears to work since you're getting the prog field.

5

There is snort parsing grok also it is not working. And i have :
filter {
if "PFSense" in [tags] {
mutate {
add_tag => [ "firewall" ]
} tag firewall is not adding

6

there is not any error in /var/log/logstash it shows working properly.

7

There is snort parsing grok also it is not working.

That's because you require the prog field to contain "snort", but it actually contains "snort[123]".

tag firewall is not adding

Both messages in your screenshot have a firewall tag.

1 Like
8

yes there is firewall tag here whenever i changed firewall tag to something else for example i changed it to test it is not adding, it adding again firewall there

9

filter {
if "PFSense" in [tags] {
mutate {
add_tag => [ "test" ]
}
}
}
i added test to check is it working or not i and it is not adding test tag, there is PFSense tag in tags i am sure.

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.