Filter for Sidewinder syslog

mortueta · November 14, 2018, 8:01am

Hi all,

I am trying to figure out which is the best way to filter a log of a sidewinnder firewall. The situation is that depending the log type the message contains more or less fields. The pattern is that always we have: fieldname=value, . Here you have an example:

<46> Nov 14 08:48:02 fw auditd: date="2018-11-14 07:48:02 +0000",fac=f_ping_proxy,area=a_aclquery,type=t_aclallow,pri=p_major,pid=5441,logid=0,cmd=pingp,hostname=fw.x.com,event="ACL allow",srcip=192.168.10.10,srczone=internal,protocol=1,dst_geo=ES,dstip=8.8.8.88,dstzone=external,rule_name="int ext surfing",cache_hit=1,reason="Traffic allowed by policy.",application=ICMP

I have tryed buldind with grok filter but there are 25 possibilities, because depending on the type and subtype it contains more fields or less and I believe that the is some way that it is easier and that will increment the performance.

Kind regards!

mortueta · November 14, 2018, 11:49am

I have achieved this using the following combination with grok and kv

filter {

  grok {
    match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGBASE} %{GREEDYDATA:message_kv}" }
    overwrite => [ "message" ]
  }

  kv {
    source => "message_kv"
    trim_value => "\""
    field_split => ","
    value_split => "="
    }
}

I tryed using ovewrwritte but it isn't working as expected, ineeded to create an auxiliary variable message_kv.

system · December 12, 2018, 11:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to Logstash gork filter with different infos in syslog message field Logstash	6	657	April 8, 2018
Sidewinder Firewall Syslog Logstash	4	535	May 23, 2018
Grok filter for cyberoam syslogs Logstash	3	2106	July 6, 2017
[SOLVED] Syslog filter additional filtering Logstash	6	2455	December 8, 2016
Filter Logs from Firewall Logstash	4	1849	April 22, 2019

Filter for Sidewinder syslog

Related topics