Filter Sonicwall Logstash

I'm new to Logstash and I'm trying to filter my Sonicwall log.

My logstash.conf:

input {
  syslog {
    # string values are quoted; the syslog input parses the RFC 3164 header
    # and leaves the Sonicwall key=value body in [message]
    type => "Sonicwall"
    port => 9991
  }
}

filter {
  if [type] == "Sonicwall" {
    # split the key=value body into fields, dropping the keys we do not need
    kv {
      exclude_keys => [ "c", "id", "m", "n", "pri", "proto" ]
    }
    # src and dst arrive as ip:port:interface; keep only the IP part
    grok {
      match => { "src" => "%{IP:srcip}:%{DATA:srcinfo}" }
    }
    grok {
      match => { "dst" => "%{IP:dstip}:%{DATA:dstinfo}" }
    }
    # grok without a match pattern does nothing; field removal belongs in mutate
    mutate {
      remove_field => [ "srcinfo", "dstinfo" ]
    }
    geoip {
      add_tag => [ "geoip" ]
      source => "srcip"
      database => "/etc/logstash/GeoLite2-City_20200616/GeoLite2-City.mmdb"
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
  }
}

This config generates some fields in Kibana, but I'm doing an integration with Grafana. My question is also where I should do these log filters, in Elastic or in Logstash.
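The kv and grok steps in the config above do two things: split the key=value body into fields and separate the IP from the rest of the src/dst value. The script below is an added example, not code from the thread or from Logstash, that performs the same two steps in Python on constructed sample lines so you can see exactly which fields the pipeline would produce and what happens on an edge case the grok pattern does not cover (a src value with no port). The line format, placeholder serial number and message text are assumptions about the Sonicwall key=value style, not values from the thread.

```python
import ipaddress
import re

# Constructed sample lines in the key=value style that the kv filter parses.
# Serial numbers, message codes and message text are placeholders, not real values.
SAMPLE_LINES = [
    'id=firewall sn=PLACEHOLDER-SN time="2020-06-16 10:00:00" fw=203.0.113.1 pri=6 c=1024 m=0 '
    'msg="Connection Opened" src=198.51.100.23:51234:X1 dst=192.0.2.10:443:X2 proto=tcp/https',
    # src with no port or interface: the grok pattern %{IP}:%{DATA} in the config
    # would fail here and leave srcip unset, so this parser handles it explicitly
    'id=firewall sn=PLACEHOLDER-SN time="2020-06-16 10:00:05" fw=203.0.113.1 pri=1 c=32 m=0 '
    'msg="Placeholder alert text" src=198.51.100.23 dst=192.0.2.10:80:X2 proto=tcp/http',
]

# Same keys the kv filter in the config excludes.
EXCLUDED_KEYS = {"c", "id", "m", "n", "pri", "proto"}

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Equivalent of the kv filter: return a dict of fields, minus EXCLUDED_KEYS."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        if key in EXCLUDED_KEYS:
            continue
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_endpoint(value):
    """Split 'ip[:port[:iface]]' into (ip, rest), like %{IP:srcip}:%{DATA:srcinfo}.

    Returns (None, value) when the leading part is not a valid IP address, so a
    malformed field is never handed to geoip. Assumes IPv4 in the ip:port form;
    an IPv6 literal with colons would be rejected rather than split.
    """
    ip, _, rest = value.partition(":")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None, value
    return ip, rest


def normalise(line):
    """Run the kv and src/dst steps and return the event the pipeline would emit."""
    fields = parse_kv(line)
    event = dict(fields)
    for key in ("src", "dst"):
        if key in fields:
            ip, _info = split_endpoint(fields[key])  # _info is dropped, as in mutate
            if ip is not None:
                event[key + "ip"] = ip
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalise(line))
```

The second sample line shows why it is worth checking the grok output before building dashboards on it: a value that does not match the pattern silently leaves `srcip` empty, and the geoip step then has nothing to look up. In Logstash the equivalent check is the `_grokparsefailure` tag that grok adds on failure.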

That's right, but you gave me little information. I need intrusions and viruses detected, for example. Can anyone shed some light?

Sorry for my English, I'm Brazilian and I'm also new on the site.
