Grok Filter help needed with Suricata Logs

Hi guys, I am trying to sort my Suricata logs on pfSense. I got it working, but one issue: I can't separate Priority from the number and proto from the {}. Below is the sample log; need your help.

[1:2210045:2] SURICATA STREAM Packet with invalid ack [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 111.2.1.1:24999 -> 5.21.229.226:443

The best I could come up with in the Grok Debugger:
%{SYSLOG5424SD:eventID} %{CISCO_REASON:Suricata_Trigger} %{SYSLOG5424SD:Classification} %{SYSLOG5424SD}: %{NOTSPACE:service} %{NOTSPACE:proto} %{NOTSPACE:Source_ip}:%{INT:Source_port} -> %{NOTSPACE:Destination_ip}:%{INT:Destination_port}

The issue is below: I can't separate Priority and the number.
%{SYSLOG5424SD}: "[Priority: 3]"
How do I separate the protocol from the {}?
"proto": "{TCP}"

You mean you want proto to contain "TCP" instead of "{TCP}" and service to contain "3" instead of "[Priority: 3]"? To avoid misunderstandings an example of what you have and what you want to get would help.

Yes sir, you are right. I want TCP without curly braces {} and 3 instead of Priority: 3 ....

This is my Suricata log example from the pfSense firewall. I sorted out everything via the grok filter but don't know how to remove the braces from the protocol and "Priority" from the number, for example 3.

[1:2210045:2] SURICATA STREAM Packet with invalid ack [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 111.2.1.1:24999 -> 5.21.229.226:443

Replace

%{NOTSPACE:service} %{NOTSPACE:proto}

with

\[Priority: %{NUMBER:service}\]: \{%{WORD:proto}\}
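The same extraction the escaped-bracket grok pattern performs, written out as a plain regular expression so it can be checked offline against sample lines. This is an added example, not code from the thread or from Logstash; the field names (event_id, signature, priority, proto, src_ip, ...) and the sample lines are constructed, and the regex assumes the pfSense syslog form of the Suricata fast log shown above (no timestamp or "[**]" markers).

```python
import re
from typing import Optional

# Regex equivalent of the grok pattern: SYSLOG5424SD is "[...]", the
# Priority and {proto} parts are matched with escaped delimiters so only
# the number and the protocol name end up in the captured fields.
# Suricata's fast log prints "src_ip:src_port -> dst_ip:dst_port".
FAST_LOG_RE = re.compile(
    r"^\[(?P<event_id>\d+:\d+:\d+)\]\s+"              # [gid:sid:rev]
    r"(?P<signature>.+?)\s+"                           # rule message
    r"\[Classification: (?P<classification>[^\]]*)\]\s+"
    r"\[Priority: (?P<priority>\d+)\]:\s+"             # digits only
    r"\{(?P<proto>\w+)\}\s+"                           # protocol without braces
    r"(?P<src_ip>[0-9a-fA-F.:]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[0-9a-fA-F.:]+):(?P<dst_port>\d+)\s*$"
)

# Constructed sample lines (the first is the one from the thread; the
# rule IDs and addresses in the others are placeholders, not real rules).
SAMPLE_LINES = [
    "[1:2210045:2] SURICATA STREAM Packet with invalid ack "
    "[Classification: Generic Protocol Command Decode] [Priority: 3]: "
    "{TCP} 111.2.1.1:24999 -> 5.21.229.226:443",
    "[1:1000001:1] TEST UDP rule [Classification: Misc activity] "
    "[Priority: 2]: {UDP} 10.0.0.5:53 -> 10.0.0.9:40212",
    "[1:1000002:1] TEST ICMP rule [Classification: Misc activity] "
    "[Priority: 2]: {ICMP} 192.0.2.7:0 -> 192.0.2.1:0",
    "not a suricata fast-log line at all",
]


def parse_fast_log(line: str) -> Optional[dict]:
    """Return the parsed fields of one fast-log line, or None if it
    does not match (a grok filter would tag such an event _grokparsefailure)."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    gid, sid, rev = (int(x) for x in d["event_id"].split(":"))
    d.update(gid=gid, sid=sid, rev=rev, priority=int(d["priority"]),
             src_port=int(d["src_port"]), dst_port=int(d["dst_port"]))
    return d


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_fast_log(sample))
```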

Thanks a million Magnusbaeck ... worked well with some tweaking :)

[Priority: 3]
\[%{NOTSPACE:Priority}: %{NOTSPACE:Priority_Number}\]
