Grok Filter For my Log file

sana1 · February 28, 2019, 6:00am

[] [1:1000039:0] updatelocation - Alert []
[Priority: 0]
02/27-14:29:46.412090 0A:01:01:01:01:01 -> 0A:02:02:02:02:02 type:0x800 len:0xC6
10.1.1.1 -> 10.2.2.2 SCTP TTL:255 TOS:0x0 ID:4660 IpLen:20 DgmLen:184

This is my log snort log file content, Please help me write the grok filter for logtsash
Thankyou in Adv, I tried myself but no luck

warkolm · February 28, 2019, 6:02am

Sharing what you have tried would be useful

sana1 · February 28, 2019, 6:28am

I am using Logstash 6.6.0, and I am newbie to grok Filters..

input {
beats{
port => 5044
}
}
filter {
if [type] == "snort" {
grok {
patterns_dir => ["misc.patterns"]
match => { "message" => "%{<?[?]:bracket} %{<?1:00:0?>:duration}" }
}
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

Ganesh2303 · February 28, 2019, 7:51am

can you place your log with prefromatted text so it will be helpful and explain do you have any recommended fields to store the value

sana1 · February 28, 2019, 11:10am

These are Snort Logs with no exact format, or predefined format.

these are four repetitive lines

[] [1:1000089:0] notifySS - Alert []
[Priority: 0]
01/15-11:32:33.917427 0A:01:01:01:01:01 -> 0A:02:02:02:02:02 type:0x800 len:0xA2
12.12.12.12 -> 11.11.11.11 SCTP TTL:255 TOS:0x0 ID:4660 IpLen:20 DgmLen:148

Ganesh2303 · February 28, 2019, 11:16am

In this 4 lines what all value you need to capture

sana1 · March 1, 2019, 7:53am

Source IP, Destination IP and Protocol
12.12.12.12 -> 11.11.11.11 SCTP

Ganesh2303 · March 1, 2019, 8:08am

i want to one more thing above message which you have mentioned each line is new line or multiple line message

Ganesh2303 · March 1, 2019, 8:42am

Try this grok pattern,

%{IP:Source} -> %{IP:Destination} %{WORD:Protocol}

sana1 · March 1, 2019, 9:16am

Thankyou Ganesh its working, Please tell me how to parse the first two lines in the logs as well, Each line is a new line and also log pattern repeats every every fourth line

first two lines
[ ] [1:1000089:0] notifySS - Alert [ ]
[Priority: 0]

Ganesh2303 · March 1, 2019, 9:18am

If you dont want to index those value mean you can ignore the line before it get indexed

sana1 · March 1, 2019, 9:28am

Thankyou Ganesh

Ganesh2303 · March 1, 2019, 9:57am

You welcome.. If your issue resolved mark the resolved solution

sana1 · March 3, 2019, 8:11am

Please tell me how to add the parsed into separate fields?

sana1 · March 4, 2019, 4:34am

I have done that Thankyou

system · April 1, 2019, 4:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.