Elk snort


(Pirate Trkmn) #1

Hi, I am configuring Logstash for Snort logs following a few tutorials from the web, but I cannot parse the Snort logs. I have:

```
\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\] %{GREEDYDATA:ids_alert} \[Classification: %{DATA:ids_classification}\] \[Priority: %{INT:ids_priority}\] \{%{WORD:ids_proto}\} %{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}
```

and tested it from the console, where it parses the logs, but when I implement it in the filter it is not working.

For example I have:

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "firewall" ]
    }
  }
}
```

but the if is not recognizing PFSense from the logs?


(Magnus Bäck) #2

It's impossible to help without knowing what the logs look like. Please also post your full configuration and format it as preformatted text using Markdown notation or the </> toolbar button.


(Magnus Bäck) #4

And exactly what isn't working? The first grok appears to work since you're getting the prog field.


(Pirate Trkmn) #5

The Snort parsing grok is also not working. And I have:

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "firewall" ]
    }
  }
}
```

The firewall tag is not being added.


(Pirate Trkmn) #6

There are no errors in /var/log/logstash; it shows it is working properly.


(Magnus Bäck) #7

> The Snort parsing grok is also not working.

That's because you require the prog field to contain "snort", but it actually contains "snort[123]".

> The firewall tag is not being added.

Both messages in your screenshot have a firewall tag.

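As an added example (not code from this thread or from Logstash itself): a Python re-implementation of the two checks discussed here and in post #1, run over constructed sample syslog lines. It shows why a literal comparison of `prog` against `"snort"` fails when the syslog program name carries a `[pid]` suffix, and what the Snort alert pattern from post #1 looks like with every literal bracket and brace escaped. The sample log lines, field names and helper functions are assumptions made for the example.

```python
import re

# Constructed sample lines, roughly what pfSense forwards over syslog.
# These are example data, not lines from the original thread.
SAMPLE_LINES = [
    "Jan 10 12:00:01 pfsense snort[123]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "10.0.0.5:80 -> 192.168.1.10:49152",
    "Jan 10 12:00:02 pfsense filterlog[5432]: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.1,51515,22,0,S,",
]

# Syslog header. "prog" deliberately captures the whole token up to the colon,
# so it holds "snort[123]" just as the prog field in the thread does.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:]+): (?P<msg>.*)$"
)

# Snort fast-format alert as it appears in syslog. Every literal "[", "]",
# "{" and "}" is escaped: unescaped "[...]" is a character class and "{...}"
# a quantifier in a regex, and grok patterns are regexes underneath.
SNORT_RE = re.compile(
    r"^\[(?P<ids_gid>\d+):(?P<ids_sid>\d+):(?P<ids_rev>\d+)\] (?P<ids_alert>.*?) "
    r"\[Classification: (?P<ids_classification>[^\]]*)\] "
    r"\[Priority: (?P<ids_priority>\d+)\] \{(?P<ids_proto>\w+)\} "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

INT_FIELDS = ("ids_gid", "ids_sid", "ids_rev", "ids_priority", "src_port", "dst_port")


def parse_syslog(line):
    """Split a syslog line into ts/host/prog/msg, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def is_snort_broken(event):
    """The comparison from the thread: equality, which fails on 'snort[123]'."""
    return event["prog"] == "snort"


def is_snort(event):
    """Prefix match, the equivalent of Logstash's `if [prog] =~ /^snort/`."""
    return re.match(r"^snort", event["prog"]) is not None


def parse_snort_alert(msg):
    """Apply the escaped alert pattern; return the fields with ints converted."""
    m = SNORT_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    for key in INT_FIELDS:
        fields[key] = int(fields[key])
    return fields


def process(lines):
    """Mimic the filter: route snort events through the alert grok and tag them."""
    events = []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            continue
        event["tags"] = []
        if is_snort(event):
            alert = parse_snort_alert(event["msg"])
            if alert is None:
                event["tags"].append("_grokparsefailure")  # mirrors Logstash's tag
            else:
                event.update(alert)
                event["tags"].append("snort")
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(ev["prog"], ev["tags"], ev.get("ids_sid"))
```

In Logstash the same fix is either a prefix conditional (`if [prog] =~ /^snort/`) or a grok that separates the pid in the first place, for example the stock `%{SYSLOGPROG}` pattern, which yields `program` and `pid` as separate fields so that `[program] == "snort"` holds.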

(Pirate Trkmn) #8

Yes, there is a firewall tag here. Whenever I changed the firewall tag to something else, for example to test, it is not adding it; it is adding firewall there again.


(Pirate Trkmn) #9

```
filter {
  if "PFSense" in [tags] {
    mutate {
      add_tag => [ "test" ]
    }
  }
}
```

I added test to check whether it is working or not, and it is not adding the test tag. There is a PFSense tag in tags, I am sure.

