Grok Filter For my Log file

sana1 · February 28, 2019, 6:00am

[] [1:1000039:0] updatelocation - Alert []
[Priority: 0]
02/27-14:29:46.412090 0A:01:01:01:01:01 -> 0A:02:02:02:02:02 type:0x800 len:0xC6
10.1.1.1 -> 10.2.2.2 SCTP TTL:255 TOS:0x0 ID:4660 IpLen:20 DgmLen:184

This is my log snort log file content, Please help me write the grok filter for logtsash
Thankyou in Adv, I tried myself but no luck

warkolm · February 28, 2019, 6:02am

Sharing what you have tried would be useful

sana1 · February 28, 2019, 6:28am

I am using Logstash 6.6.0, and I am newbie to grok Filters..

input {
beats{
port => 5044
}
}
filter {
if [type] == "snort" {
grok {
patterns_dir => ["misc.patterns"]
match => { "message" => "%{<?[?]:bracket} %{<?1:00:0?>:duration}" }
}
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

Ganesh2303 · February 28, 2019, 7:51am

can you place your log with prefromatted text so it will be helpful and explain do you have any recommended fields to store the value

sana1 · February 28, 2019, 11:10am

These are Snort Logs with no exact format, or predefined format.

these are four repetitive lines

[] [1:1000089:0] notifySS - Alert []
[Priority: 0]
01/15-11:32:33.917427 0A:01:01:01:01:01 -> 0A:02:02:02:02:02 type:0x800 len:0xA2
12.12.12.12 -> 11.11.11.11 SCTP TTL:255 TOS:0x0 ID:4660 IpLen:20 DgmLen:148

Ganesh2303 · February 28, 2019, 11:16am

In this 4 lines what all value you need to capture

sana1 · March 1, 2019, 7:53am

Source IP, Destination IP and Protocol
12.12.12.12 -> 11.11.11.11 SCTP

Ganesh2303 · March 1, 2019, 8:08am

i want to one more thing above message which you have mentioned each line is new line or multiple line message

Ganesh2303 · March 1, 2019, 8:42am

Try this grok pattern,

%{IP:Source} -> %{IP:Destination} %{WORD:Protocol}

sana1 · March 1, 2019, 9:16am

Thankyou Ganesh its working, Please tell me how to parse the first two lines in the logs as well, Each line is a new line and also log pattern repeats every every fourth line

first two lines
[ ] [1:1000089:0] notifySS - Alert [ ]
[Priority: 0]

Ganesh2303 · March 1, 2019, 9:18am

If you dont want to index those value mean you can ignore the line before it get indexed

sana1 · March 1, 2019, 9:28am

Thankyou Ganesh

Ganesh2303 · March 1, 2019, 9:57am

You welcome.. If your issue resolved mark the resolved solution

sana1 · March 3, 2019, 8:11am

Please tell me how to add the parsed into separate fields?

sana1 · March 4, 2019, 4:34am

I have done that Thankyou

system · April 1, 2019, 4:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Snort Log Parse Error Logstash	3	538	October 26, 2018
Grok filter for log files in logstash Logstash	14	2479	February 7, 2020
Need help on grok filter Logstash	16	414	July 23, 2018
Problem with Grok filter with my logfile Logstash	2	600	July 6, 2017
Filter Sonicwall Logstash Logstash	1	812	July 20, 2020

Grok Filter For my Log file

Related topics