Filter for Sidewinder syslog

Hi all,

I am trying to figure out the best way to filter the log of a Sidewinder firewall. The situation is that, depending on the log type, the message contains more or fewer fields. The pattern is always: fieldname=value, . Here you have an example:

<46> Nov 14 08:48:02 fw auditd: date="2018-11-14 07:48:02 +0000",fac=f_ping_proxy,area=a_aclquery,type=t_aclallow,pri=p_major,pid=5441,logid=0,cmd=pingp,hostname=fw.x.com,event="ACL allow",srcip=192.168.10.10,srczone=internal,protocol=1,dst_geo=ES,dstip=8.8.8.88,dstzone=external,rule_name="int ext surfing",cache_hit=1,reason="Traffic allowed by policy.",application=ICMP

I have tried building it with a grok filter, but there are 25 possibilities, because depending on the type and subtype it contains more or fewer fields, and I believe there is some way that is easier and that will improve performance.

Kind regards!

I have achieved this using the following combination of grok and kv:

filter {

  # Split the syslog header (<PRI>, timestamp, host, program) from the
  # comma-separated key=value payload, which is captured as message_kv.
  grok {
    match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGBASE} %{GREEDYDATA:message_kv}" }
    # overwrite only applies to fields this pattern captures; the pattern
    # captures message_kv, not message, so this entry has no effect here.
    overwrite => [ "message" ]
  }

  # Parse the payload generically: one event field per key=value pair,
  # regardless of how many pairs a given log type carries.
  kv {
    source => "message_kv"
    trim_value => "\""
    field_split => ","
    value_split => "="
  }
}

I tried using overwrite but it isn't working as expected; I needed to create an auxiliary field message_kv.
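The same two-stage approach (syslog header first, then a generic key=value pass over the remainder) written as a stand-alone Python parser, as an added example that is not part of the original thread and not Logstash or Sidewinder code. It shows why the header/payload split removes the need for one grok pattern per log type: the second stage accepts any number of pairs, keeps a double-quoted value intact even when it contains the comma delimiter, and decodes the syslog PRI into facility and severity. The second sample line and the `syslog_`-prefixed header field names are constructed for the example, not real device output.

```python
import re

# Constructed samples modeled on the Sidewinder line posted above; the second one
# is a hypothetical deny event with fewer fields and a comma inside a quoted value.
SAMPLE_LINE = (
    '<46> Nov 14 08:48:02 fw auditd: date="2018-11-14 07:48:02 +0000",'
    'fac=f_ping_proxy,area=a_aclquery,type=t_aclallow,pri=p_major,pid=5441,'
    'logid=0,cmd=pingp,hostname=fw.x.com,event="ACL allow",srcip=192.168.10.10,'
    'srczone=internal,protocol=1,dst_geo=ES,dstip=8.8.8.88,dstzone=external,'
    'rule_name="int ext surfing",cache_hit=1,reason="Traffic allowed by policy.",'
    'application=ICMP'
)
DENY_LINE = (
    '<46> Nov 14 08:50:11 fw auditd: date="2018-11-14 07:50:11 +0000",'
    'fac=f_http_proxy,area=a_aclquery,type=t_acldeny,pri=p_major,pid=5441,'
    'logid=0,cmd=httpp,hostname=fw.x.com,event="ACL deny",srcip=192.168.10.20,'
    'srczone=internal,protocol=6,dstip=203.0.113.5,dstzone=external,'
    'reason="Traffic denied by policy, no matching rule",application=TCP'
)

# Stage 1: BSD-style syslog header: <PRI> timestamp host program[pid]: payload
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*'
    r'(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+'
    r'(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*'
    r'(?P<kv>.*)$'
)

# Stage 2: one key=value pair. The value is either a double-quoted string
# (which may contain commas, spaces, '=' and escaped quotes) or a bare run
# of characters up to the next comma.
PAIR_RE = re.compile(
    r'\s*(?P<key>[A-Za-z0-9_.-]+)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^,]*))'
)


def parse_kv(text):
    """Parse 'k=v,k2="v 2",...' into a dict, tolerating any number of pairs."""
    fields = {}
    pos = 0
    while pos < len(text):
        m = PAIR_RE.match(text, pos)
        if not m:
            raise ValueError('malformed key=value payload at offset %d' % pos)
        if m.group('quoted') is not None:
            value = m.group('quoted').replace('\\"', '"')
        else:
            value = m.group('bare')
        fields[m.group('key')] = value
        pos = m.end()
        if pos < len(text):
            if text[pos] != ',':
                raise ValueError('expected "," at offset %d' % pos)
            pos += 1
    return fields


def parse_sidewinder(line):
    """Return a flat dict: syslog_* header fields plus every payload field."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('line does not start with a syslog header')
    pri = int(m.group('pri'))
    record = {
        # Header fields are prefixed so they cannot collide with payload keys
        # (the payload has its own 'pid' and 'pri', e.g. pri=p_major).
        'syslog_pri': pri,
        'syslog_facility': pri // 8,   # 46 -> 5 (syslog)
        'syslog_severity': pri % 8,    # 46 -> 6 (informational)
        'syslog_timestamp': m.group('timestamp'),
        'syslog_host': m.group('host'),
        'syslog_program': m.group('program'),
        'syslog_pid': int(m.group('pid')) if m.group('pid') else None,
    }
    record.update(parse_kv(m.group('kv')))
    return record


if __name__ == '__main__':
    for line in (SAMPLE_LINE, DENY_LINE):
        rec = parse_sidewinder(line)
        print(rec['type'], rec['srcip'], '->', rec['dstip'], rec['reason'])
```

Every field stays a string (no type coercion) so that values such as `dstip` can be validated downstream instead of silently failing on an unexpected format; a malformed payload raises rather than producing a half-parsed record.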
