Hi guys, I am trying to sort my Suricata logs on pfSense. Got it working, but one issue: I can't separate Priority from the number and proto from the {}. Below is the sample log; need your help.
[1:2210045:2] SURICATA STREAM Packet with invalid ack [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 111.2.1.1:24999 -> 5.21.229.226:443
The best I could come up with (Grok Debugger):
%{SYSLOG5424SD:evenID} %{CISCO_REASON:Suricata_Trigger} %{SYSLOG5424SD:Classification} %{SYSLOG5424SD}: %{NOTSPACE:service} %{NOTSPACE:proto} %{NOTSPACE:Destination_ip}:%{INT:destination_port} %{NOTSPACE} %{NOTSPACE:Source_ip}:%{INT:Source_port}
The issue is below: I can't separate Priority and the number.
%{SYSLOG5424SD}:
"[Priority: 3]"
How do I separate Protocol from the {}?
"proto":
"{TCP}"
You mean you want proto to contain "TCP" instead of "{TCP}" and service to contain "3" instead of "[Priority: 3]"? To avoid misunderstandings an example of what you have and what you want to get would help.
Yes sir, you are right. I want TCP without the curly braces {} and 3 instead of Priority: 3.
This is my Suricata log example from the pfSense firewall. I sorted out everything via the grok filter but don't know how to remove the braces from the protocol and "Priority" from the number, for example 3.
[1:2210045:2] SURICATA STREAM Packet with invalid ack [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 111.2.1.1:24999 -> 5.21.229.226:443
Replace
%{NOTSPACE:service} %{NOTSPACE:proto}
with
\[Priority: %{NUMBER:service}\] \{%{WORD:proto}\}
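To show why the escaped form above works, here is an added example (not code from the thread or from Logstash) that expands grok references into a Python regex the way Logstash does, then applies the corrected pattern to the posted log line. It assumes a reduced pattern table, uses %{DATA} in place of CISCO_REASON, and names the addresses in Suricata's actual "src -> dst" order.

```python
import re

# Minimal grok expander, added to illustrate how Logstash turns %{NAME:field}
# into a named regex group (assumption: a simplified model, not Logstash code).
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "SYSLOG5424SD": r"\[%{DATA}\]",  # the bracketed element used in the thread
}


def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field} references (recursively) into a regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise KeyError(f"unknown grok pattern {name}")
        body = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)


# Constructed sample: the fast.log line posted in the thread.
SAMPLE_LINE = (
    "[1:2210045:2] SURICATA STREAM Packet with invalid ack "
    "[Classification: Generic Protocol Command Decode] [Priority: 3]: "
    "{TCP} 111.2.1.1:24999 -> 5.21.229.226:443"
)

# Magnusbaeck's fix applied: literal [ ] and { } are regex metacharacters, so
# they are escaped and only the value inside them is captured. %{DATA:signature}
# stands in for CISCO_REASON and the addresses are named in Suricata's real
# "src -> dst" order (both are assumptions of this example, not the thread's).
SURICATA_FAST = (
    r"%{SYSLOG5424SD:event_id} %{DATA:signature} %{SYSLOG5424SD:classification} "
    r"\[Priority: %{NUMBER:priority}\]: \{%{WORD:proto}\} "
    r"%{IPV4:src_ip}:%{INT:src_port} -> %{IPV4:dst_ip}:%{INT:dst_port}"
)
SURICATA_RE = re.compile("^" + grok_to_regex(SURICATA_FAST) + "$")


def parse_suricata_fast(line):
    """Return the captured fields as a dict, or None if the line does not match."""
    m = SURICATA_RE.match(line)
    return m.groupdict() if m else None
```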
Thanks a million Magnusbaeck ... worked well with some tweaking.
[Priority: 3]
\[%{NOTSPACE:Priority}: %{NOTSPACE:Priority_Number}\]