Filter Grok

asalma · May 7, 2018, 7:12am

Please, is there any body who has an example of filter grok or fils .conf that can be use with logs that came from firwalls, I want him to separate all the fields.

Krunal_kalaria · May 7, 2018, 7:15am

Hi @asalma,

Can you more elaborate what is the format of your logs its CSV or JSON and so on. ?

Thanks & Regards,
Krunal.

MrNerd · May 7, 2018, 7:40am

Hi @Krunal_kalaria
If you could post into a CSV format will be great onto my files they are seppareted with Spaces

Thanks

MrNerd

MrNerd · May 7, 2018, 8:10am

thanks for your soon reply @asalma , but I was guessing if you could send me some real example like in this format of log how would you configure your CSV

Pablo msg_id="3000-3001" 07-05-2018 192.168.3.105

Thanks MrNerd

Christian_Dahlqvist · May 7, 2018, 8:18am

Syslog can contain a lot of different formats, so you will need to be more specific and show examples. See this post for some additional details.

asalma · May 7, 2018, 8:48am

Please I need a filter that can do this :

"timestamp" => May 3 11:39:58

"host" => fwghcadmin

"ciscotag" => Type d'équipement : %ASA

          Critisité : 6

          ID :302015

"connection_id" => 2356737924

"operation" => Built

"protoco" => UDP

"src_interface" => int-850-IntercoEXTCorporate1

"src_ip" => x.x.x.x

"src_port" => 161

"src_mapped_ip" => x.x.x.x

"src_mapped_port" => 161

"dst_interface" => int-148-GHCTechnicalInfra

"dst_ip" => x.x.x.x

"dst_port" => 34300

"dst_mapped_ip" => x.x.x.x

"dst_mapped_port" => 34300

MrNerd · May 7, 2018, 9:36am

@asalma follow this guide is so usefull:

https://qbox.io/blog/import-csv-elasticsearch-logstash-sincedb

MrNerd

system · June 4, 2018, 9:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.