Filter for Sidewinder syslog


#1

Hi all,

I am trying to figure out which is the best way to filter a log of a sidewinnder firewall. The situation is that depending the log type the message contains more or less fields. The pattern is that always we have: fieldname=value, . Here you have an example:

<46> Nov 14 08:48:02 fw auditd: date="2018-11-14 07:48:02 +0000",fac=f_ping_proxy,area=a_aclquery,type=t_aclallow,pri=p_major,pid=5441,logid=0,cmd=pingp,hostname=fw.x.com,event="ACL allow",srcip=192.168.10.10,srczone=internal,protocol=1,dst_geo=ES,dstip=8.8.8.88,dstzone=external,rule_name="int ext surfing",cache_hit=1,reason="Traffic allowed by policy.",application=ICMP

I have tryed buldind with grok filter but there are 25 possibilities, because depending on the type and subtype it contains more fields or less and I believe that the is some way that it is easier and that will increment the performance.

Kind regards!


#2

I have achieved this using the following combination with grok and kv

filter {

  grok {
    match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGBASE} %{GREEDYDATA:message_kv}" }
    overwrite => [ "message" ]
  }

  kv {
    source => "message_kv"
    trim_value => "\""
    field_split => ","
    value_split => "="
    }
}

I tryed using ovewrwritte but it isn't working as expected, ineeded to create an auxiliary variable message_kv.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.