Filter GROK (Fortigate + ASA )


(Salma Ait Lhaj) #1

Please, Iwant to make a config file of two filter one for cisco asa and the other for fortgate, I done this, but the configuration is not Ok, can someone correct me ?

input {
        beats {
        port => "5044"
        }
}

filter {
        date {
                match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }


        grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{DATA:cisco_tag}: %{GREEDYDATA:cisco_message}"}
        }

        grok {
        match => [
          "cisco_message", "%{CISCOFW106001}",
          "cisco_message", "%{CISCOFW106006_106007_106010}",
          "cisco_message", "%{CISCOFW106014}",
          "cisco_message", "%{CISCOFW106015}",
          "cisco_message", "%{CISCOFW106021}",
          "cisco_message", "%{CISCOFW106023}",
          "cisco_message", "%{CISCOFW106100}",
          "cisco_message", "%{CISCOFW110002}",
          "cisco_message", "%{CISCOFW302010}",
          "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
          "cisco_message", "%{CISCOFW302020_302021}",
          "cisco_message", "%{CISCOFW305011}",
          "cisco_message", "%{CISCOFW313001_313004_313008}",
          "cisco_message", "%{CISCOFW313005}",
          "cisco_message", "%{CISCOFW402117}",
          "cisco_message", "%{CISCOFW402119}",
          "cisco_message", "%{CISCOFW419001}",
          "cisco_message", "%{CISCOFW419002}",
          "cisco_message", "%{CISCOFW500004}",
          "cisco_message", "%{CISCOFW602303_602304}",
          "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
          "cisco_message", "%{CISCOFW713172}",
          "cisco_message", "%{CISCOFW733100}",
          "cisco_message", "%{WORD:action} %{WORD:protocol} %{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}$
          "cisco_message", "%{CISCO_ACTION:action} %{WORD:protocol} %{CISCO_REASON:reason}.*(%{IP:src_ip}).*%{IP:dst_ip} on interface %{GREEDYDATA:interface}",
          "cisco_message", "Connection limit exceeded %{INT:inuse_connections}/%{INT:connection_limit} for input packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
          "cisco_message", "TCP Intercept %{DATA:threat_detection} to %{IP:ext_nat_ip}/%{INT:ext_nat_port}.*(%{IP:int_nat_ip}/%{INT:int_nat_port}).*Average rate of %{INT:syn_av$
          "cisco_message", "Embryonic connection limit exceeded %{INT:econns}/%{INT:limit} for %{WORD:direction} packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
        ]
      }

        grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{GREEDYDATA:source_data}"}}

        kv { source => "data" }


}

output {
        elasticsearch {
                hosts => [ "localhost:9200"]
        }
        #stdout { codec => rubydebug }
}

(Magnus B├Ąck) #2

What problem are you encountering?


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.